RE: IPv6 addresses really are scarce after all

2007-08-26 06:09:22


--On Sunday, 26 August, 2007 12:41 +0100 michael(_dot_)dillon(_at_)bt(_dot_)com
wrote:

> The definition of a small network is pretty much "single 
> subnet". Yes, I understand very well that the average home of 
> the future will have a mixed wiring. Of course, my own home 
> does have Ethernet and Wi-Fi. In the not so distant future, 
> it will have several Wi-Fi networks operating on different 
> ...
> You are remarkably trusting. You do all your homebanking on
> the same subnet as your teenage children who are studying
> Hacking 101 in the privacy of their bedroom? And when guests
> come over for dinner, you have no objection to them taking
> their laptop to the bathroom in order to surf for child porn
> over your wireless network.
>
> The fact is that a lot of people will WANT subnets in the
> home. They will want a router/firewall that will isolate each
> of the children's bedrooms so that they cannot mess with your
> bank account or with their brother's/sister's romantic chat
> sessions. Many people will want all wireless access to go
> through a router. Many will have an in-law suite, and want to
> seamlessly integrate their relative's existing network via a
> simple router connection. And the family jewels, that Raid 5
> server cluster that holds all the family photos and videos,
> will be behind another router/firewall. When the kids host a
> LAN party, the gamers will connect to the family network via a
> router/firewall with limited Internet access for only the
> necessary protocols. Subnets multiply for architectural and
> security reasons.
> ...

Michael,

Assume we agree on the needed functionality.  It is hard to
disagree and many of us have seen the need to isolate some
people and apparatus from others, and to assign different
capability to them, for many years.

That still leaves room to ask several questions.  I believe
those questions need to be asked, and the relevant technical
work done.  And I think one needs to do that work and then
adjust address policy to match, not change address policy
without making corresponding technical/protocol changes.

Examples:

(1) Unless it was changed when I wasn't looking, there is a rule
in  the IPv6 architecture that says that one cannot subnet on a
prefix longer than a /64.  That rule appears to be somewhat
hostile to efficient use of address space at the "small network
with subnets" side of things.  Has that rule outlived its
usefulness? If so, how do we go about changing it before IPv6 is
sufficiently widely deployed to make it even more difficult and
disruptive to do so?

(2) The many examples you give seem to me to be associated with
different domains of authorization and privilege for different
groups of people and functions within the home.  My impression
of the experience and literature in the field is that almost
every time someone tries to create such a typology, they
conclude that these are much better modeled as
sometimes-overlapping domains rather than as discrete
partitions.   The subnet-based model you posit requires that
people or devices switch addresses when they change functions or
activities.  Up to a point, one can do it that way (and many of
us have, even with IPv4).  

But I suggest that trying to use subnetting as the primary and
only tool to accomplish those functions is architecturally just
wrong, _especially_ for the types of authorization-limitation
cases you list.  Wouldn't you rather have mechanisms within your
home network, possibly bound to your switches, that could
associate authorization property lists with each user or device
and then enforce those properties?   Kerberos (a very old
protocol by now) took the first steps in that direction by
associating access to server-type functions with authorization
properties rather than physical connectivity.  Perhaps it is
time to extend a model of that sort to access to network
resources --such as routing to other addresses both inside and
outside of the home network-- and to think through how it could
be scaled to effective and cost-efficient operation in a
home-sized network.

(3) It may be worth remembering that subnetting was introduced
into the IPv4 architecture partially to deal with routing
isolation and efficiency for LANs based on 10Base10 and 10Base2
Ethernet --backbone-style networks at the LAN, or groups of
LANs, level.  While some lazy few of us still have some 10Base2
in our LANs, the move toward LAN segments based on twisted-pair
cabling and fanout switch arrangements creates opportunities we
didn't have when "segment" was a physical property rather than a
logical one.  Is it time to review and update the network
architecture to reflect new opportunities in the physical one,
rather than assuming that authorization is necessarily reflected
in subnets?

(4) Which IETF WG is working on these things?  :-(

     john




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
