CPEs

[Iljitsch van Beijnum <iljitsch@muada.com>]

Let me tackle three issues related to CPEs in one monster message.  
These issues are:

- firewalling
- address provisioning
- IPv4/IPv6 transition/coexistance

When I say "CPE" that can both mean a cable/DSL modem, a home router  
with integrated cable/DSL modem or a home router with no modem  
functionality. I'll call them CPE(m), CPE(r) or CPE(rm) where  
appropriate. If they're managed by the ISP I may add -ISP, if they're  
managed by the end-user/consumer I may add -USER. Note that all of  
this applies to consumer installations.

First, let me start with a few sentences on my philosophy in this area  
and then a list of issues that we need to figure out so the industry  
can move forward.

CPE philosophy
--------------

Because broadband consumers span the gamut from completely ignorant  
about even the most superficial technical issues to people who  
actually build those CPEs, the most important thing is that a CPE can  
address all reasonable use cases along that gamut. In other words: an  
expert user shouldn't be forced to live with what's best for that  
granny who doesn't even have a PC but does have some IP enabled  
devices such as picture frames or sewing machines, but on the other  
hand, the granny shouldn't be forced to become an expert.

What this means is that the defaults are such that non-expert users  
get the tradeoff between security, usability and other aspects that is  
most appropriate (which would be the default settings), but experts  
get to override these defaults. At the very least, it MUST be possible  
to make the CPE act transparently.

Security

As for security: these days, any IP device MUST be ready to be  
connected to a hostile network, which includes the open internet.  
However, because this wasn't true in the past and because removing a  
layer of "security" is scary, it's not possible to market CPEs that  
don't do any filtering. This means that there must be filtering, but  
since it doesn't do anything useful in practice and it does get in the  
way, this filtering must be the minimum that will be accepted by the  
market. That would almost certainly be the level of filtering that is  
de facto provided in today's IPv4 CPEs, which is: outgoing sessions  
and related return traffic is allowed (stateful filtering) and  
applications get to open up TCP/UDP ports for incoming traffic.

Now obviously it's possible to argue that this isn't a good way of  
filtering (in both directions, it can be too much or too little), but  
since that is what you get with pretty much any current CPE those  
discussions are largely moot. The only changes that are possible are  
those that BOTH improve security AND usability at the same time. Any  
change that improves one over the other will be seen as unacceptable  
by one camp.

Transition

Ideally, a CPE will provide both IPv4 and IPv6 service to hosts  
connected to it, regardless of whether the ISP provides IPv4, IPv6 or  
both. So that probably means: regular IPv4 operation, native IPv6,  
6to4, Teredo, NAT-PT... It would be even better if IPv4 hosts behind  
the CPE could make use of IPv6 services and the other way around.  
(Maybe using an HTTP(S) proxy?)

Multiple CPEs

Obviously if there is a CPE(m) then it should also be possible to add  
a CPE(r), but users may have reasons to have multiple CPE(r)s,  
possibly connected in parallel to a CPE(m) but having one CPE(r)  
connect to the LAN side of another CPE(r) would also be a possibility,  
and even the only possible option if there is a CPE(mr). Although  
security policies may prohibit certain applications to work across a  
CPE(r), service discovery and addressing should be transparent within  
the entire site.

Questions
---------

Security

1. Do we all agree that a model where there is stateful filtering by  
default, but applications can request incoming sessions is what we  
should aim for?

2. Or should the opening up of incoming ports go through the OS,  
rather than be signalled directly from applications to the CPE?

3. Should a host have the option of signalling to a CPE that it  
doesn't require any filtering?

Address provisioning

4. Is implementing DHCPv6 snooping and option insertion, similar to  
what currently happens with DHCP for IPv4, a good option for vendors  
of broadband equipment, or is a provisioning solution where this isn't  
necessary preferable?

5. Can we assume the presence of DHCPv6 prefix delegation in CPEs?

6. Can we assume the presence of DHCPv6 address assignment in clients?  
It's not available in most of them now, so how would we get to such a  
state and how soon?

7. Is the model where there is a CPE with modem functionality but not  
router functionality a reasonable one?

8. Do we want to ISPs to provide RAs to customers in the case where 6  
= no and 7 = yes? If not, then what?

9. If 8, then what is the value of the M and O bits?

10. If 5 and a user adds more than one routing CPE, how does the  
prefix delegation work? The "first" routing CPE requests a prefix from  
the ISP and then provides sub-prefixes to the other CPE(r)s, or does  
each CPE get a prefix from the ISP? In the latter case, how do CPE(r)s  
know what routes to install for prefixes held by other CPE(r)s within  
the site?

11. Do we expect ISPs to provide reachability for a new and old prefix  
concurrently when changing prefixes or do ISPs provide long-time  
stable prefixes to IPv6 customers? If "no" on both, then how do we  
avoid disconnected sessions on prefix changes?

12. How do we avoid problems caused by customer equipment MAC  
addresses clashing with that of other customers?

13. How many devices are allowed to connect to a CPE(m)?

14. What kind of addressing is used between the ISP and the first  
CPE(r)? Global customer specific, global shared between customers,  
link local only?

15. How does DAD work on the subnet between an ISP and customers?  
Should hosts and CPEs ignore their own DAD packets when they loop back  
to them?

DNS

16. How do we expect customer devices to enter into the DNS?

17. If the answer to 16 is dynamic DNS updates, how does the  
authentication work?

18. Should IPv6 hosts be prepared to operate without a working reverse  
DNS entry?

Third party devices

19. How do users authorize third-party devices (ranging from gas  
meters to set top boxes) use of their broadband connection?

20. How can third party devices be prevented from observing both data  
traffic and service discovery?

21. How can third party device traffic be limited and/or given QoS?