ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IPv6 addresses really are scarce after all

2007-08-27 13:51:47
from [michael.dillon] [Permanent Link] 
(2) The many examples you give seem to be to be associated 
with different domains of authorization and privilege for 
different groups of people and functions within the home.  My 
impression of the experience and literature in the field is 
that almost every time someone tries to create such a 
typology, they conclude that these are much better modeled as 
sometimes-overlapping domains rather than as discrete
partitions.   The subnet-based model you posit requires that
people or devices switch addresses when they change functions 
or activities.  Up to a point, one can do it that way (and 
many of us have, even with IPv4).  


The subtext here is Ethernet. People are talking about home networks
based on Ethernet and whether or not they should be segmented by
routers. In my experience Ethernet bridges and switches are not designed
with security as a goal. When they fail to transmit all incoming frames
on all interfaces, it is to prevent segment overload or broadcast
storms. There are many cases where people have found ways, sometimes
quite simple ways, to receive Ethernet frames that are not addressed to
them. Given this backdrop, I am suggesting that a homeowner may have
several reasons for inserting routers (and router/firewalls) into their
home network, thus requiring the ability to have multiple /64 IPv6
subnets. Architecture aside, this is a pragmatic response to an
information security issue.


But I suggest that trying to use subnetting as the primary 
and only tool to accomplish those functions is 
architecturally just wrong, _especially_ for the types of 
authorization-limitation cases you list.  Wouldn't you rather 
have mechanisms within your home network, possibly bound to 
your switches, that could associate authorization property 
lists with each user or device
and then enforce those properties? 


This would be nice, but I believe this needs more work and not just in
the IETF. Also, I believe that the IETF should tackle the basic
requirements for a home and/or business IPv6 Internet gateway first, and
then go on to the more advanced security issues.


(4) Which IETF WG is working on these things?  :-(


Or failing that, which area does it belong in?

--Michael Dillon

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: one example of an unintended consequence of changing the/48boundary, Hallam-Baker, Phillip
Next by Date:  RE: one example of an unintended consequence of changing the /48boundary, michael.dillon
Previous by Thread:  Re: IPv6 addresses really are scarce after all, Arnt Gulbrandsen
Next by Thread:  Re: [ppml] IPv6 addresses really are scarce after all, Stephen Sprunk
Indexes:  [Date] [Thread] [Top] [All Lists]