[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Discussion of the Home/SOHO environment



We must be mindful of the finite timeframe CPE vendors have to adopt any recommendations that come out of the IETF. Remarkably the IPv6 message is sinking into large carriers and timings are being discussed, with ~2010 being the "date" that I have heard used most widely used for commercial service. With larger carriers, many persons are involved to bring a new product to commercial service and this can take up to 6 months, usually with trials prior. My own timelines require IPv6-capable CPE in mid-2009. If we do debate these items I would suggest strict deadlines be imposed. Can others give their views/ opinions on timing?

Managing a transition to a new protocol is going to be difficult, but trying to change the agreed norm 18-months prior to large-scale trials is something that the teams must view with a good appreciation of the risks. Commentary on IPv6 has already labelled it [IPv6] complex and over-engineered, and I do not believe that a protocol-level working group should be trying to address such a large issue as "are firewalls good things"? This is not an IPv6-specific debate, yet I feel it's being captured under the mantra of "do it once, do it right". For the CPE team themselves, do we need all these questions answered to get the firewall design done?


For the other topics, I agree we should throw ideas into the pot and see which float and which sink - let's be sure to work with the other standards bodies such as DSL Forum and CableLabs on some of this? Is there a liaison between IETF and DSLHome/CableHome?

There are existing solutions for some of the questions that have been posed - after all, IPv6 is just a network-layer protocol? The questions posed about home networks are defiantly interesting and useful, groups such as DSLHome and CableHome have created (and deployed) specifications to manage parts of the home network.

Address space stability is imperative from the perspectives of a number of carriers I have spoken with - a by-product of NAT was to allow WAN (carrier assigned) and LAN (customer assigned) to be addressed independently. In IPv6 your LAN addresses are carrier- assigned and this will be one of the most significant shifts from today's IPv4+NAT world. The stability we have advocated is one where you can keep your IPv6 prefix for as long as you remain at your residence even if the ISP network rearranges around you (node splits, BRAS de-loading, etc). This requires a certain amount of pre-planning to avoid RIB blow-outs but can be done. While IPv6 supports it, it would be resource intensive for edge routers to support transitioning from one prefix to another with multiple prefixes simultaneously active.

Name services for IPv6 is somewhere we have already begun looking at. In fact, one reason we are considering the target use of DHCPv6 in the home is to allow a central location of hosts for DNS updating (either through DHCPv6 FQDN option or web-portal). In this model the DHCPv6 server would update the DNS server.


My view is that IPv6 will re-open doors for applications developers that have been long since shut, this will happen gradually and not overnight - after all if you develop an application that leverages IPv6, you need to wonder how many customers you can actually get on the new protocol.

Regards,

-d


On 04/01/2008, at 10:22 AM, Fred Baker wrote:

I am reporting back to the working group on the CPE REquirements design team, and specifically a question Alain raised this afternoon. I think it is something the IPv6 operational community, and by extension the IPv6 community, needs to think about. For context, I have included several emails from the thread including my own, which opened it, Alain's, which asked some very important questions, and my own reply to Alain's note. I have also included a couple of others which I thought were important.

I would like the v6ops community to discuss this and come to some conclusion that can guide the CPE Requirements development. It may be worthwhile documenting that conclusion and the assumptions it is based on in an RFC. We are dealing at least in part with a world view question, and we need a rational and agreed world view.

Begin forwarded message:

From: Fred Baker <fred@cisco.com>
Date: January 3, 2008 12:15:44 PM PST
To: V6CPE Design Team <v6ops-residential-cpe-design-team@external.cisco.com > Cc: v6ops-ads@tools.ietf.org, Kurt Erik Lindqvist <kurtis@kurtis.pp.se >
Subject: Wondering if we're on the same wavelength

As we're going through this discussion, I'm wondering if we have it structured right. It seems like we are not working on a single set of requirements on which we basically agree, which is characteristic of a design team. Rather, we have a very polarized discussion between two very different sets of people. One set, the folks who make CPEs, are being told in no uncertain terms by their customers that they need to provide firewall functionality, and some customers require NAT functionality for reasons unrelated to firewalling. The other group, which AFAIK have no skin in the CPE game, are (in some cases adamantly) opposed to the deployment of firewalls.

Would we have a more productive discussion if this were separated into two separate teams and resultant documents, each describing and arguing for its version of the universe? If so, who would like to take the lead on the "we don't need no stinkin firewalls" model?



From: Alain Durand <alain_durand@cable.comcast.com>
Date: January 3, 2008 1:22:01 PM PST
To: Fred Baker <fred@cisco.com>, V6CPE Design Team <v6ops-residential-cpe-design-team@external.cisco.com > Cc: <v6ops-ads@tools.ietf.org>, Kurt Erik Lindqvist <kurtis@kurtis.pp.se >
Subject: Re: Wondering if we're on the same wavelength

Fred,

IMHO, what is missing is a broader understanding of what I call the new "social contract" in IPv6 broadband land...

In IPv4 broadband land, there is a pretty well accepted "social contract":

  - Customer get one IPv4 address that can change over time
  - Customer use/rent/own a NAT box to create more address space,
    isolate himself/herself from external IP address change, get
the so-called security benefits of NAT or whatever over local reason - the "security model" is mainly defined as: all devices within the home
    network belong to the customer, are mostly unmanaged and
a security perimeter is defined by the home router to "protect" the
    good inside from the "evil" outside.
- The ISP has very little if any view of the devices in the home south
    of the home gateway
  - There is little DNS in place

Note: all this is a direct consequence of the NAT model

In the brave new world of IPv6, the plethora of address space impose on us to revisit this model, mainly because NAT is not required to connect more than one device. Note that I said not required, which does not mean it will not be part of the picture in one form or another, if only in the NAT v4/v6/v4 that I described last IETF.

So, IMHO, what is needed is for the industry at large (and not just a few experts) to open up a discussion of what this social contract now will look like in IPv6, in other words, what kind of networks and network usage are we looking at, and not just now, but looking ahead...

Essentially, we must *collectively* answer a number of questions:

  - How much space is assigned per customer
    This is the trivial one that is being discussed right now
  - Is there any routing within the home?
  - Is this address space "stable" over time or is it expected
    to be changeable by the ISP? There are huge ramification in the
local routing & provisioning complex depending how you answer this
    question
  - What is(are) the management model(s) of the home?
Is the customer expected to manage alone his network? How can the ISP usefully help? What about in-home devices operated/owned/under contract
    with either the ISP or a 3rd party?
  - What should be the new security model?
  - How to manage the name space?

I'm concerned we will not make much progress on the firewall issue until we have a better understanding of the broader issue I described above. And honestly, I think we are just at the very beginning.

  - Alain.



From: Fred Baker <fred@cisco.com>
Date: January 3, 2008 2:32:46 PM PST
To: Alain Durand <alain_durand@cable.comcast.com>
Cc: V6CPE Design Team <v6ops-residential-cpe-design-team@external.cisco.com >, <v6ops-ads@tools.ietf.org>, Kurt Erik Lindqvist <kurtis@kurtis.pp.se >
Subject: Re: Wondering if we're on the same wavelength

You raise some important questions. I think there are some more you need to ask.

I have attached a network map of my home. It is somewhat out of date; last summer, my folks-in-law moved in with us as as such as now have TV service in the home, and as a result two set-top boxes. They are right now on the TV coax apart from control, which is done via a combination of a direct radio interface and the wifi network, but in the future one might expect them to come onto the IP network in full.

On Jan 3, 2008, at 1:22 PM, Alain Durand wrote:
Fred,

IMHO, what is missing is a broader understanding of what I call the new "social contract" in IPv6 broadband land...

In IPv4 broadband land, there is a pretty well accepted "social contract":

  - Customer get one IPv4 address that can change over time
  - Customer use/rent/own a NAT box to create more address space,
    isolate himself/herself from external IP address change, get
the so-called security benefits of NAT or whatever over local reason - the "security model" is mainly defined as: all devices within the home
    network belong to the customer, are mostly unmanaged and
a security perimeter is defined by the home router to "protect" the
    good inside from the "evil" outside.
- The ISP has very little if any view of the devices in the home south
    of the home gateway
  - There is little DNS in place

Note: all this is a direct consequence of the NAT model

I'll add that they are also consequences of ownership. The ISP, Cox Business Services in my case, supplies the Cable Modem and the set- top box, but apart from that the equipment in my home belongs to me. As a customer, I would be very surprised if my ISP tried to assert any control over anything it didn't own apart from a specific contractual agreement permitting it to do so. It would be enough for me to terminate my contract with the ISP. If my ISP announced to me that it thought there was a new social contract that I as a consumer was supposed to accept but was not a party to, that would likewise be the end of my legal contract. The services my ISP offers in my home are there because I choose them and choose to pay for them, not because the ISP wants them to be there.

In the brave new world of IPv6, the plethora of address space impose on us to revisit this model, mainly because NAT is not required to connect more than one device. Note that I said not required, which does not mean it will not be part of the picture in one form or another, if only in the NAT v4/v6/v4 that I described last IETF.

Certainly, as a customer I expect to have my router obtain an address (ND or DHCP) and other configuration information, including a delegated prefix.

So, IMHO, what is needed is for the industry at large (and not just a few experts) to open up a discussion of what this social contract now will look like in IPv6, in other words, what kind of networks and network usage are we looking at, and not just now, but looking ahead...

Essentially, we must *collectively* answer a number of questions:

  - How much space is assigned per customer
    This is the trivial one that is being discussed right now

yes.

  - Is there any routing within the home?

I suspect that there are multiple classes of home here. In my case, my company's information security policy requires me to have routing in the home - by whatever means, my office equipment is not accessible from the rest of my home.

  - Is this address space "stable" over time or is it expected
    to be changeable by the ISP? There are huge ramification in the
local routing & provisioning complex depending how you answer this
    question

That relates to some of the questions in RRG. If my ISP is designing the network in my home, I guarantee that the home will not be multihomed. Since that is not reality (my home isn't multihomed, but Kurtis' and Jari's are), ergo, the ISP is not designing or managing the network in my home. This in part is the issue being addressed in draft-baker-6man-multiprefix-default- route; if I in fact have multiple prefixes in the home, I want to send my datagrams using an address to the ISP that gave me the address. This is a lot easier with Metro Addressing (the ISPs manage a prefix for the routing domain, which may be similar to a geographical region) or with a GSE-like model such as Christian Vogt suggests.

In any event, if the ISP is provisioning me with a prefix, and I am routing in the home, I expect to have a rational system for using that prefix.

  - What is(are) the management model(s) of the home?
Is the customer expected to manage alone his network? How can the ISP usefully help? What about in-home devices operated/owned/under contract
    with either the ISP or a 3rd party?

I expect the set-top box and other devices supporting services that I contract for to come with instructions for what I am supposed to do with them in my home. The ISP is a guest in my home, or perhaps a servant like the maid or the butler, and will be replaced the instant it forgets that.

  - What should be the new security model?

yes.

  - How to manage the name space?

Why would management of the name space for my home be different for IPv6 than it would be for IPv4? At the end of the day, if I am offering services from my home and using DNS to do them, I would like the fact of getting an A or a AAAA record to be something I only discover after the fact, not something inherent in the name.



From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
Date: January 3, 2008 1:50:43 PM PST
To: Fred Baker <fred@cisco.com>
Cc: V6CPE Design Team <v6ops-residential-cpe-design-team@external.cisco.com >, v6ops-ads@tools.ietf.org, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>
Subject: Re: Wondering if we're on the same wavelength

I think there are three universes :

1) all end devices don't do firewalling, so the CPE has to do that for them

2) some end devices don't do firewalling, so the CPE has to do that for them. For the devices do do firewalling, how can we stop the CPE firewall getting in their way

3) all end devices do firewalling, so the CPE shouldn't, because it'll only get in the way

Actually, thats more of a continuum than 3 separate universes.

My argument is that it's trending towards 3. Because IPv6 is new(ish),
it's possible that with IPv6 we might reach 3 much more quicly than
we'll ever reach it in IPv4.

That being said, it has occured to me that we might have overlooked
that there's already lots of IPv6 CPE in Asia, and lots of IPv6 enabled
devices available (STBs, CCTV cameras etc.) Maybe we should find out
how they've approached the problem before we spend time resolving it.

Regards,
Mark.



From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: January 3, 2008 2:15:55 PM PST
To: Alain Durand <alain_durand@cable.comcast.com>
Cc: Fred Baker <fred@cisco.com>, V6CPE Design Team <v6ops-residential-cpe-design-team@external.cisco.com >, <v6ops-ads@tools.ietf.org>, Kurt Erik Lindqvist <kurtis@kurtis.pp.se >
Subject: Re: Wondering if we're on the same wavelength

On 3 jan 2008, at 22:22, Alain Durand wrote:

Essentially, we must *collectively* answer a number of questions:

[...]

I'm concerned we will not make much progress on the firewall issue until we have a better understanding of the broader issue I described above. And
honestly, I think we are just at the very beginning.

I largely agree.

Would it be useful to see if we can define a number of deployment scenarios and then present those to the community at large it/we can reach consensus about which ones we should go forward with?

There are currently many discussions going on about bridging/ routing CPEs, address provisioning, internal subnet allocation etc (and some of those discussions weren't even started by me!). Until we have some industry-wide agreement on this stuff rolling out IPv6 for consumers will be very complex.

As to Fred's question: I think it's useful to hash things out here, ignoring the occassional rant it seems we can find a decent amount of common ground. If we go off in separate groups that only means we'll have to have these fights in public... On the other hand, if the CPE builders feel they can do better work without the firewall skeptics I can live with that.


<Fred_home_network.pdf>