[ppml] IPv6 addresses really are scarce after all
michael.dillon at bt.com
Mon Aug 27 16:52:48 EDT 2007
> (2) The many examples you give seem to be associated
> with different domains of authorization and privilege for
> different groups of people and functions within the home. My
> impression of the experience and literature in the field is
> that almost every time someone tries to create such a
> typology, they conclude that these are much better modeled as
> sometimes-overlapping domains rather than as discrete
> partitions. The subnet-based model you posit requires that
> people or devices switch addresses when they change functions
> or activities. Up to a point, one can do it that way (and
> many of us have, even with IPv4).
The subtext here is Ethernet. People are talking about home networks
based on Ethernet and whether or not they should be segmented by
routers. In my experience Ethernet bridges and switches are not designed
with security as a goal. When they fail to transmit all incoming frames
on all interfaces, it is to prevent segment overload or broadcast
storms. There are many cases where people have found ways, sometimes
quite simple ways, to receive Ethernet frames that are not addressed to
them. Given this backdrop, I am suggesting that a homeowner may have
several reasons for inserting routers (and router/firewalls) into their
home network, thus requiring the ability to have multiple /64 IPv6
subnets. Architecture aside, this is a pragmatic response to an
information security issue.
> But I suggest that trying to use subnetting as the primary
> and only tool to accomplish those functions is
> architecturally just wrong, _especially_ for the types of
> authorization-limitation cases you list. Wouldn't you rather
> have mechanisms within your home network, possibly bound to
> your switches, that could associate authorization property
> lists with each user or device
> and then enforce those properties?
This would be nice, but I believe this needs more work and not just in
the IETF. Also, I believe that the IETF should tackle the basic
requirements for a home and/or business IPv6 Internet gateway first, and
then go on to the more advanced security issues.
> (4) Which IETF WG is working on these things? :-(
Or failing that, which area does it belong in?
--Michael Dillon
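The post argues that a homeowner who segments the home network with routers or router/firewalls needs several /64 subnets, which in turn depends on the ISP delegating a prefix shorter than /64. The following is an added example, not code from the thread or from ARIN, that makes this planning step concrete: it carves one /64 per security segment out of a delegated prefix and rejects a delegation too small to do so. The segment names, the 2001:db8::/32 documentation prefix, and the helper names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed example: network segments a homeowner might isolate behind
# separate routers/firewalls. Each needs its own /64 so that stateless
# address autoconfiguration (SLAAC) works on every segment. Names are assumed.
SEGMENTS = ["trusted", "guest", "iot", "work"]


def plan_subnets(delegated_prefix, segments):
    """Assign one /64 per named segment from the ISP-delegated prefix.

    Returns a dict mapping segment name -> IPv6Network. Raises ValueError
    when the delegation cannot supply a distinct /64 for every segment;
    a bare /64 delegation, in particular, cannot be split at all.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64 and cannot host SLAAC subnets")
    available = 2 ** (64 - net.prefixlen)
    if len(segments) > available:
        raise ValueError(
            f"{net} yields only {available} /64 subnet(s); {len(segments)} needed"
        )
    # net.subnets(new_prefix=64) enumerates the /64s in address order.
    subnets = net.subnets(new_prefix=64)
    return {name: next(subnets) for name in segments}


def check_isolation(plan):
    """Return True if no two segments share or overlap a subnet."""
    nets = list(plan.values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


def segment_for(plan, address):
    """Return the segment name whose /64 contains the address, or None."""
    addr = ipaddress.IPv6Address(address)
    for name, net in plan.items():
        if addr in net:
            return name
    return None


if __name__ == "__main__":
    # A /56 delegation gives 256 /64s, plenty for four segments.
    plan = plan_subnets("2001:db8:abcd:ff00::/56", SEGMENTS)
    for name, net in plan.items():
        print(f"{name:8s} {net}")
    print("isolated:", check_isolation(plan))
    print("2001:db8:abcd:ff02::1 belongs to:", segment_for(plan, "2001:db8:abcd:ff02::1"))
    # A /64 delegation cannot be segmented at all.
    try:
        plan_subnets("2001:db8:abcd:ff00::/64", SEGMENTS)
    except ValueError as err:
        print("too small:", err)
```

The size check is the point of the example: with only a /64 from the ISP, segmentation by routing is impossible without violating the /64-per-link assumption, which is exactly the pragmatic reason the post gives for asking that home delegations allow multiple /64s.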