
[address-policy-wg] RE: IPv6 addresses really are scarce after all

  • To: ietf@localhost
  • From: michael.dillon@localhost
  • Date: Mon, 27 Aug 2007 21:52:48 +0100
  • Cc: ppml@localhost, address-policy-wg@localhost

> (2) The many examples you give seem to be associated 
> with different domains of authorization and privilege for 
> different groups of people and functions within the home.  My 
> impression of the experience and literature in the field is 
> that almost every time someone tries to create such a 
> typology, they conclude that these are much better modeled as 
> sometimes-overlapping domains rather than as discrete
> partitions.   The subnet-based model you posit requires that
> people or devices switch addresses when they change functions 
> or activities.  Up to a point, one can do it that way (and 
> many of us have, even with IPv4).  

The subtext here is Ethernet. People are talking about home networks
based on Ethernet and whether or not they should be segmented by
routers. In my experience Ethernet bridges and switches are not designed
with security as a goal. When they fail to transmit all incoming frames
on all interfaces, it is to prevent segment overload or broadcast
storms. There are many cases where people have found ways, sometimes
quite simple ways, to receive Ethernet frames that are not addressed to
them. Given this backdrop, I am suggesting that a homeowner may have
several reasons for inserting routers (and router/firewalls) into their
home network, thus requiring the ability to have multiple /64 IPv6
subnets. Architecture aside, this is a pragmatic response to an
information security issue.

> But I suggest that trying to use subnetting as the primary 
> and only tool to accomplish those functions is 
> architecturally just wrong, _especially_ for the types of 
> authorization-limitation cases you list.  Wouldn't you rather 
> have mechanisms within your home network, possibly bound to 
> your switches, that could associate authorization property 
> lists with each user or device
> and then enforce those properties? 

This would be nice, but I believe this needs more work and not just in
the IETF. Also, I believe that the IETF should tackle the basic
requirements for a home and/or business IPv6 Internet gateway first, and
then go on to the more advanced security issues.

> (4) Which IETF WG is working on these things?  :-(

Or failing that, which area does it belong in?

--Michael Dillon
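The practical requirement in the message above is that a home gateway be able to hand out several /64 subnets so that devices in different trust domains sit behind a router rather than on one shared Ethernet segment. As an added illustration, not code from the post or from any IETF or RIPE document, the following Python carves one /64 per named segment out of a delegated prefix and maps an address back to its segment, which is the lookup a segmenting router or firewall rule set needs. The delegated prefix uses the 2001:db8::/32 documentation range and the segment names (trusted, guest, iot, dmz) are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional


def carve_subnets(delegated: str, segment_names: List[str]) -> Dict[str, ipaddress.IPv6Network]:
    """Assign one /64 per named segment from a delegated IPv6 prefix.

    Raises ValueError if the delegation is longer than /64 (nothing to carve)
    or does not contain enough /64s for the requested segments.
    """
    prefix = ipaddress.IPv6Network(delegated, strict=True)
    if prefix.prefixlen > 64:
        raise ValueError(f"{prefix} is longer than /64; cannot carve /64 subnets from it")
    available = 2 ** (64 - prefix.prefixlen)
    if len(segment_names) > available:
        raise ValueError(
            f"{prefix} provides only {available} /64 subnets, but {len(segment_names)} were requested"
        )
    # subnets() is a lazy generator; zip() stops once every segment has a /64.
    return dict(zip(segment_names, prefix.subnets(new_prefix=64)))


def segment_of(address: str, plan: Dict[str, ipaddress.IPv6Network]) -> Optional[str]:
    """Return the name of the segment whose /64 contains `address`, or None.

    A router with one interface per segment would use this to decide which
    interface (and therefore which inter-segment policy) applies to a packet.
    """
    addr = ipaddress.IPv6Address(address)
    for name, net in plan.items():
        if addr in net:
            return name
    return None


if __name__ == "__main__":
    # Constructed example: a /56 delegation from the documentation range,
    # split into four segments that each get their own router-separated /64.
    plan = carve_subnets("2001:db8:abcd:100::/56", ["trusted", "guest", "iot", "dmz"])
    for name, net in plan.items():
        print(f"{name:8s} {net}")
    print("2001:db8:abcd:102::1 belongs to:", segment_of("2001:db8:abcd:102::1", plan))
```

A /56 delegation yields 256 /64s, so running out is not the concern; the check matters when an ISP delegates only a single /64, in which case `carve_subnets` refuses rather than silently putting every segment on the same prefix.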