[address-policy-wg] Re: IPv6 addresses really are scarce after all
To: Christian Huitema huitema@localhost
From: Keith Moore moore@localhost
Date: Sun, 26 Aug 2007 14:32:24 -0400
Cc: John C Klensin john-ietf@localhost, michael.dillon@localhost, ppml@localhost, address-policy-wg@localhost, ietf@localhost
Openpgp: id=E1473978

subnets have proven to be a useful tool in the past, and may prove so again
in the future, even if the reasons for future use are different than
those for past and present use. I don't see why we should constrain the
network architecture to deny use of this tool to ordinary users.
Keith
>> Assume we agree on the needed functionality. It is hard to
>> disagree and many of us have seen the need to isolate some
>> people and apparatus from others, and to assign different
>> capability to them, for many years.
>>
>
> People want security, and the threats that Michael mentions are real:
> children spying on the parents' traffic, guests abusing the access to do
> something illegal on the Internet. But subnets are not a particularly
> efficient way of solving these threats.
>
> Take the issue of guests abusing the privilege and engaging in illegal
> action. The concrete risk is that men in black will knock at your door
> and ask about said actions. Picture yourself arguing that "it obviously
> wasn't me, because the packets come from the network that I provide to
> my guests". The men in black will not be impressed, since you obviously
> have access to all the networks in your house. Your only defense will be
> to rat out a specific guest, supposing of course that you are so inclined.
> Subnet or no subnet will not help you do that. Access control and logs
> will help, but these are not tied to subnets.
>
> Consider then the attacks between computers on the same network. Michael
> mentioned traffic snooping. But modern Wi-Fi networks are protected
> against that already. They negotiate different per-session keys. Even in
> promiscuous mode, the Wi-Fi card does not see the unicast traffic of the
> other stations in the network. In home networks, the key is derived from
> an initial 4-way handshake, secured by a pass-phrase. Most deployments
> use a single pass-phrase today, so teenagers could indeed develop tools
> to crack the exchange. But nothing prevents using different pass-phrases
> for different groups of users.
>
> The other risks are the active attacks between connected computers.
> However, as John pointed out, there is a lot of demand for connectivity
> between computers in the home. Many people have tried to engineer
> network topologies that follow organization or authorization boundaries,
> but mostly that makes your network expensive to run without really
> solving the issues.
>
> Also, ultimately, all forms of topology based control rely on the
> security of the home router. Do you really believe that a teenager who
> is clever enough to hack into Wi-Fi access protections will not also be
> able to hack into the home router?
>
> If we want actual protection, it is probably much easier to use end to
> end security. And in your own house, you might consider forms of social
> control, as in "OK, you hacked my computer, give me the keys of your
> car..."
>
> Frankly, I don't see users managing subnets any time soon.
>
> -- Christian Huitema
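As an added illustration (not part of the thread or of any participant's words), the WPA2-Personal key derivation the quoted reply refers to: the PMK is PBKDF2 of the pass-phrase and SSID, and the per-session PTK is expanded from the PMK plus the handshake nonces and MAC addresses. SSID, MAC addresses, nonces and pass-phrases below are constructed values; the derivation itself follows IEEE 802.11i.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Every station that knows the pass-phrase derives exactly the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, bits: int = 384) -> bytes:
    """PRF-n from 802.11i: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The nonces are exchanged in the 4-way handshake, so the PTK is per-session."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range((bits + 159) // 160):
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[: bits // 8]


def session_keys(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Split a 384-bit CCMP PTK into KCK (EAPOL MIC), KEK (key wrap) and TK (traffic key)."""
    ptk = wpa2_ptk(pmk, aa, spa, anonce, snonce)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def isolation_check() -> tuple:
    """Constructed scenario: station A joins a home network. Returns whether a
    peer holding the same pass-phrase recovers A's traffic key, and whether a
    peer holding a different pass-phrase (different PMK) does."""
    ssid = "HomeNet"                        # constructed
    ap = bytes.fromhex("0200000000aa")      # constructed AP MAC (AA)
    sta_a = bytes.fromhex("0200000000a1")   # constructed station MAC (SPA)
    anonce = bytes(range(32))               # constructed handshake nonces
    snonce = bytes(range(32, 64))           # (sent in the clear in EAPOL frames)
    tk_a = session_keys(wpa2_pmk("family-passphrase", ssid), ap, sta_a, anonce, snonce)["tk"]
    # Same pass-phrase => same PMK => the per-session key is fully determined
    # by handshake values visible to every station on the link.
    tk_same_psk = session_keys(wpa2_pmk("family-passphrase", ssid), ap, sta_a, anonce, snonce)["tk"]
    # A separate guest pass-phrase gives a different PMK, hence a different TK
    # even for the identical handshake: this is the isolation the reply alludes to.
    tk_other_psk = session_keys(wpa2_pmk("guest-passphrase", ssid), ap, sta_a, anonce, snonce)["tk"]
    return tk_a == tk_same_psk, tk_a == tk_other_psk
```

`wpa2_pmk` can be checked against the published 802.11i test vector (pass-phrase "password", SSID "IEEE"); `isolation_check()` returns `(True, False)`.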