[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New (-02) version of IPv6 CPE Router draft is available for review

To: Alain Durand <alain_durand@cable.comcast.com>
Subject: Re: New (-02) version of IPv6 CPE Router draft is available for review
From: EricLKlein@softhome.net
Date: Wed, 23 Jul 2008 09:31:08 -0600
Cc: v6ops@ops.ietf.org
In-reply-to: <C4ACB53F.147FB%alain_durand@cable.comcast.com>
References: <C4ACB53F.147FB%alain_durand@cable.comcast.com>

Alain Durand writes:

The problem with addressing this problem with a service discovery protocol
is that it will not meet the requirement of what to do when the router is
the only service and is in need of initial configuration. In the past Cisco
mandated that the console port was the way to do this while others have gone
for a direct connect USB, but in a wireless situation there is no physical

port to connect to while configuring the CPE.

So unless you want to replace a "well known IP address" with a "well known
ULA" then we need to find another solution. Or are you proposing that we
make the discovery protocol enable a "find and configure CPE/router" option?
If so I have a problem with the security implications of such a wide open
configuration requirement.

Eric,From a security perspective, what is the difference between:

A) a router listening on 10.0.0.1 and allocating DHCPv4 address in a similar
range, asking people to configure it using http://[10.0.0.1]
B) the same thing using link local address, with the router being configured
using fe80::1 and asking people to configure it using http://[fe80::1]
C) the same replacing link local by ULA
D) having the router advertizing itself as a router using a service

discovery protocol a la Apple Bonjour?

In all those case, a 'bad guy' can easily impersonate the router.

Alain,Your example B is exactly what I am suggesting, a it is identical to A in anIPV6 world.

C link local is going to be a new option for people.

D sounds like a problem to me as you don't want to advertise a "comeconfigure me" service. This is the one I am most against in my previouse-mail.The if there is a local address to be connected to (either link local or ULAor fixed IP address) then it is possible to fulfill the configuration priorto having an IP address from the ISP scenario.Thus the "bad guys" who are spoofing would need to both know the address(and that works for any fixed predefined address) and admin password (alsousually a default one until changed). And impersonating the router would bemeaningless as it is only the initial configuration that I am addressing andI doubt that someone would set themselves up hoping to catch a new setupthat could happen anytime if at all.

Follow-Ups:
- Re: New (-02) version of IPv6 CPE Router draft is available for review
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: New (-02) version of IPv6 CPE Router draft is available for review
  - From: Alain Durand <alain_durand@cable.comcast.com>

References:
- Re: New (-02) version of IPv6 CPE Router draft is available for review
  - From: Alain Durand <alain_durand@cable.comcast.com>

Prev by Date: Re: New (-02) version of IPv6 CPE Router draft is available for review
Next by Date: RE: Comments on draft-wbeebee-ipv6-cpe-router-01.txt
Previous by thread: Re: New (-02) version of IPv6 CPE Router draft is available for review
Next by thread: Re: New (-02) version of IPv6 CPE Router draft is available for review
Index(es):
- Date
- Thread