headers
Brian E Carpenter | 2 Nov 2009 00:47
Picon

Perry Lorier's comments on CPE drafts

Forwarded with permission.

    Brian

-------- Original Message --------
Subject: Re: [Ipv6-techsig] [spam?] Various IPv6 bits and bobs
Date: Sun, 01 Nov 2009 13:52:29 +1300
From: Perry Lorier <perry@...>
Reply-To: ipv6-techsig@...
To: ipv6-techsig@...
References: <8df701f90910281853m5a0e993ft4438a9cc2d5bd9f4@...>	<4AE8FFAD.4060601@...>

Brian E Carpenter wrote:
> Dave,
>
> Are the vendors aware of the developing specs for CPE functionality
> and security, or are they making it up as they go along?
>
> draft-ietf-v6ops-ipv6-cpe-router
>   

WPD-3: If the delegated prefix is an aggregate route of multiple,
more-specific routes the IPv6 CE router MUST discard packets  that match
the aggregate route, but not any of the more- specific routes.

Not send ICMP6 Destination network unreachable?  I guess they're trying
to stop people from mapping which segments are in use?  But if a network
is in use, but the host isn't there then it's going to reply with ICMP6
Destionation host unreachable when neighbour discovery times out?
(Continue reading)

Permalink | Reply | 0 comments |
headers
Hiroki Sato | 2 Nov 2009 16:51

Re: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-02.txt

Hi,

Internet-Drafts@... wrote
  in <20091026214501.DF8C23A6950@...>:

In> A New Internet-Draft is available from the on-line Internet-Drafts directories.
In> This draft is a work item of the IPv6 Operations Working Group of the IETF.
In>
In>
In> 	Title           : Requirements for IPv6 Customer Edge Routers
In> 	Author(s)       : H. Singh, et al.
In> 	Filename        : draft-ietf-v6ops-ipv6-cpe-router-02.txt
In> 	Pages           : 14
In> 	Date            : 2009-10-26

(Section 4.1)
 | When the router is attached to the WAN interface link it must act as
 | an IPv6 host for the purposes of IPv6 interface initialisation, ND
 | Router Discovery, Prefix Discovery and interface address assignment
 | ([RFC4861]/[RFC4862]).  The router acts as a requesting router for
 | the purposes of DHCP prefix delegation ([RFC3633]).

 I think this description is unclear whether the router must "act as
 an IPv6 host" on WAN side even after interface initialization or not.
 More specifically, 1) we should set or not the R-bit in Neighbor
 Advertisement messages on WAN side, and 2) the WAN interface can
 respond to Router Solicitation messages or not.

 IMO when the CE router is working as an IPv6 router (IsRouter flag in
 RFC4861 is enabled) after the provisioning, the IPv6 router behavior
(Continue reading)

Permalink | Reply | 4 comments |
headers
Ole Troan | 3 Nov 2009 10:23
Favicon

Re: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-02.txt

Hiroki,

> (Section 4.1)
>  | When the router is attached to the WAN interface link it must act as
>  | an IPv6 host for the purposes of IPv6 interface initialisation, ND
>  | Router Discovery, Prefix Discovery and interface address assignment
>  | ([RFC4861]/[RFC4862]).  The router acts as a requesting router for
>  | the purposes of DHCP prefix delegation ([RFC3633]).
>
>  I think this description is unclear whether the router must "act as
>  an IPv6 host" on WAN side even after interface initialization or not.
>  More specifically, 1) we should set or not the R-bit in Neighbor
>  Advertisement messages on WAN side, and 2) the WAN interface can
>  respond to Router Solicitation messages or not.

for the purposes of SLAAC, router discovery etc it should always act
as a host on the WAN interface. it should not reply to RS messages nor
set the R-bit in NAs.
I'll take a stab at better text, but feel free to suggest something.

>  IMO when the CE router is working as an IPv6 router (IsRouter flag in
>  RFC4861 is enabled) after the provisioning, the IPv6 router behavior
>  of Neighbor Discovery makes sense.  If the IP forwarding is disabled
>  for some reason, acting as a host on WAN interface link would be
>  reasonable for re-initialization.

IP forwarding is enabled on the WAN interface. it is only for address
assignment that the host functions of RFC4861/4862 are used. the
interface is acting as _both_ a router and a host on the interface.
(Continue reading)

Permalink | Reply | 3 comments |
headers
Hiroki Sato | 4 Nov 2009 18:17

Re: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-02.txt

Ole Troan <otroan@...> wrote
  in <2bbba3c10911030123t66c2d4adi2d8f0fe83a6fbfb7@...>:

ot> Hiroki,
ot> 
ot> > (Section 4.1)
ot> >  | When the router is attached to the WAN interface link it must act as
ot> >  | an IPv6 host for the purposes of IPv6 interface initialisation, ND
ot> >  | Router Discovery, Prefix Discovery and interface address assignment
ot> >  | ([RFC4861]/[RFC4862]).  The router acts as a requesting router for
ot> >  | the purposes of DHCP prefix delegation ([RFC3633]).
ot> >
ot> >  I think this description is unclear whether the router must "act as
ot> >  an IPv6 host" on WAN side even after interface initialization or not.
ot> >  More specifically, 1) we should set or not the R-bit in Neighbor
ot> >  Advertisement messages on WAN side, and 2) the WAN interface can
ot> >  respond to Router Solicitation messages or not.
ot> 
ot> for the purposes of SLAAC, router discovery etc it should always act
ot> as a host on the WAN interface. it should not reply to RS messages nor
ot> set the R-bit in NAs.

 Thank you for the clarification.  Correct me if I am wrong, but in my
 understanding, for router discovery and SLAAC the node must
 accept/process RAs and must discard received RSes.  This means
 "acting as a host", but is there a technical reason to always set
 R-bit in NAs zero?  A CE router has a moment of transition from a
 host to a router (after provisioning, for example) and vice versa as
 viewed from the PE router, so making R-bit depend on whether IP
 forwarding is enabled or not still seems reasonable to me.
(Continue reading)

Permalink | Reply | 2 comments |
headers
Wes Beebee (wbeebee | 4 Nov 2009 19:37
Picon
Favicon

RE: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-02.txt

> Thank you for the clarification.  Correct me if I am wrong, but in my
understanding, for router
> discovery and SLAAC the node must  accept/process RAs and must discard
received RSes.  This means 
> "acting as a host", but is there a technical reason to always set
R-bit in NAs zero?  A CE router
> has a moment of transition from a  host to a router (after
provisioning, for example) and vice
> versa as  viewed from the PE router, so making R-bit depend on whether
IP  forwarding is enabled
> or not still seems reasonable to me.

-----------------------------------------------------------------------
> When the router is attached to the WAN interface link it must act as 
> an IPv6 host for the purposes of Neighbor Discovery[RFC4861] and IPv6 
> Stateless Address Autoconfiguration[RFC4862].  The router acts as a
requesting router for the purposes of DHCP prefix delegation
([RFC3633]).

And, obviously, the router routes traffic out the WAN interface and does
NOT use the Conceptual Sending Algorithm of Neighbor Discovery to do so,
but rather a proper routing table.  The LAN interface acts as a router
when sending RA's, but both the WAN and LAN act as a host when the
router is being configured (e.g. with SNMP/HTTP).  The LAN port acts as
a router for the purposes of IPv6 SLAAC even though the WAN port acts as
a host.

So, as you can see, a CPE Router is both a router and a host on its WAN
interface.
(Continue reading)

Permalink | Reply | 0 comments |
headers
Ole Troan | 4 Nov 2009 21:02
Favicon

Re: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-02.txt

Hiroki,

[...]

> ot> for the purposes of SLAAC, router discovery etc it should always act
> ot> as a host on the WAN interface. it should not reply to RS messages nor
> ot> set the R-bit in NAs.
>
>  Thank you for the clarification.  Correct me if I am wrong, but in my
>  understanding, for router discovery and SLAAC the node must
>  accept/process RAs and must discard received RSes.  This means
>  "acting as a host", but is there a technical reason to always set
>  R-bit in NAs zero?  A CE router has a moment of transition from a
>  host to a router (after provisioning, for example) and vice versa as
>  viewed from the PE router, so making R-bit depend on whether IP
>  forwarding is enabled or not still seems reasonable to me.

I don't think you can say that there is a transition from a host to a
router. it is performing functions of both at the same time, all the
time. e.g it will continue to process received RAs as long as the
interface is up...

>  Even if doing so the R-bit should not prevent the CE router from
>  router discovery or SLAAC.  While pretending a host by always setting
>  the R-bit zero would work certainly, to me there is no strong reason
>  to disable the functionality.

to turn the question around, why would you want to enable the flag?
for these types of links it is unlikely to be another host there, even
so I would avoid any situation where a host on the WAN link would end
(Continue reading)

Permalink | Reply | 0 comments |
headers
Francois-Xavier Le Bail | 5 Nov 2009 18:18
Picon
Favicon

Re: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-02.txt

Hi,

A CE router often contain a bridge on the LAN side with Ethernet, Wifi interfaces attached to it.

Without MLD snooping [RFC4541] on the LAN bridge, a multicast flow will flood all segments on all interfaces.

Significant bandwidth can be wasted by flooding.

That is why I propose a L-10 requirement:

L-10: If the CE router is build with a bridge on the LAN side, it MUST
      use MLD snooping [RFC4541] to avoid flooding multicast frames on
      all segments.

Best regards,
Francois-Xavier

--- On Mon, 10/26/09, Internet-Drafts@...
<Internet-Drafts@...> wrote:

> From: Internet-Drafts@... <Internet-Drafts@...>
> Subject: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-02.txt
> To: i-d-announce@...
> Cc: v6ops@...
> Date: Monday, October 26, 2009, 5:45 PM
> A New Internet-Draft is available
> from the on-line Internet-Drafts directories.
> This draft is a work item of the IPv6 Operations Working
> Group of the IETF.
>
(Continue reading)

Permalink | Reply | 1 comment |
headers
Hemant Singh (shemant | 5 Nov 2009 18:58
Picon
Favicon

RE: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-02.txt

Francois-Xavier,

Please note that this version of the CE Rtr draft (-02) which we call as
Phase I does not included any mcast behavior definition.  The SP's
working on the design team could not agree to putting mcast in the Phase
I document.  So when the Phase II gets worked on, as we have discussed
in the v6ops mailer in the past, this bridged mcast will be added as a
requirement in the document.  Do expect such text in the Phase II
document.

Note the Phase II document (after the San Francisco IETF in March 2009)
is the document below.

http://tools.ietf.org/id/draft-wbeebee-v6ops-ipv6-cpe-router-bis-01.txt

Since mcast was moved out of CE Rtr Phase I, it is included as is in the
bis doc above.  "As is" means what we agreed upon in the v6ops mailer
with you on MLDv2 snooping.  This is the text we have

If the CPE Router hardware includes a network bridge between the WAN
interface and the LAN interface(s), then the CPE Router MUST support
MLDv2 snooping as per [RFC4541].

When the design team starts work on Phase II document, this bis version
will also morph into the format being used in the
raft-ietf-v6ops-ipv6-cpe-router-02.txt.

Thanks,

Hemant
(Continue reading)

Permalink | Reply | 0 comments |
headers
Dunn, Jeffrey H. | 6 Nov 2009 00:34
Picon
Favicon

RE: Broadband Forum liaison to IETF on IPv6 security

Colleagues,

 

I may be missing something, but it appears that, in the cases described, the two hosts downstream of two separate cable modems are off link to each other. This brings up the question: Do there two cable modems constitute two virtual interfaces, like two VLANs on the same physical router interface? If so, this is an architectural, rather than an implementation, question. Thoughts?

 

Best Regards,
 
Jeffrey Dunn
Info Systems Eng., Lead
MITRE Corporation.

(301) 448-6965 (mobile)

 

From: ipv6-bounces <at> ietf.org [mailto:ipv6-bounces <at> ietf.org] On Behalf Of Hemant Singh (shemant)
Sent: Thursday, November 05, 2009 5:37 PM
To: Fred Baker (fred); Erik Nordmark; Hesham Soliman; JINMEI Tatuya / 神明達哉; Thomas Narten; Susan Thomson (sethomso); william.allen.simpson <at> gmail.com
Cc: 6man-ads <at> tools.ietf.org; IETF IPv6 Mailing List; savi-ads <at> tools.ietf.org; Robin Mersh; v6ops-ads <at> tools.ietf.org; IPv6 Operations; SAVI Mailing List
Subject: RE: Broadband Forum liaison to IETF on IPv6 security

 

Yes, in a cable deployment even if two cable modems (CM) in two different homes on the same upstream physical layer to the Cable edge router (CMTS) cannot talk directly to each other – they have to send their data to the CMTS who then forwards the data to the other modem.   Still I am not convinced of any implications for DAD in SLAAC?  Without any loss of generality, I will only refer to a CMTS for the rest of the discussion but the same is applicable to a DSLAM (or whatever L3 router sits upstream of the DLAM as the first-hop IPv6 router).  Since the CMTS sees all DAD messages from client in the downstream, if the CMTS detects a dup, the CMTS sends a NA to the client  - problem solved.   Of course, now the CMTS is doing ND Proxy which is already specified in cable standards and implemented on Docsis 3.0 IPv6 CMTS routers.  What did I miss?

 

If the BBF has any new multicast architecture for ND that I have not accounted for, please send me your arch doc and I can look at it and reply to that as well.

 

Hemant

 

From: owner-v6ops <at> ops.ietf.org [mailto:owner-v6ops <at> ops.ietf.org] On Behalf Of Fred Baker (fred)
Sent: Thursday, November 05, 2009 5:18 PM
To: Erik Nordmark; Hesham Soliman; JINMEI Tatuya / 神明達哉; Thomas Narten; Susan Thomson (sethomso); william.allen.simpson <at> gmail.com
Cc: SAVI Mailing List; IETF IPv6 Mailing List; IPv6 Operations; savi-ads <at> tools.ietf.org; v6ops-ads <at> tools.ietf.org; 6man-ads <at> tools.ietf.org; Robin Mersh
Subject: Fwd: Broadband Forum liaison to IETF on IPv6 security

 

Gentlemen:

 

I'm writing to you as the authors of RFCs 4861 and 4862. In a past meeting, I think the one in March, an issue came up in Savi that has now been brought to our attention in a formal manner. The problem is that in certain access network technologies, notably DSL and I believe Cable Modem, the connectivity between the CPE host or router and the ISP's first hop router is siloed - it looks like an Ethernet to the host but in fact is separated into separate channels. The effect is that while the ISP router can speak to and hear all of the CPEs it is connected to, the CPEs cannot hear each other. This has implications for Duplicate Address Detection in SLAAC.

 

We look forward to your advice.

 

Fred Baker

IPv6 Operations

 

Begin forwarded message:

 

Dear colleagues,

 

For your review, please see the liaison from the Broadband Forum attached below.

 

Best regards,

Robin Mersh

COO

The Broadband Forum

phone: +1 336 288 8013

cell: +1 303 596 7448

 

 

Permalink | Reply | 6 comments |
headers
Hemant Singh (shemant | 6 Nov 2009 01:39
Picon
Favicon

RE: Broadband Forum liaison to IETF on IPv6 security

Could be VLAN like one has L2 VPN in the cable specifications.   But L2 VPN will limit one to  1024 max per cable line card on a  CMTS – it’s a very limited for services arch in cable and I don’t think deployed very widely.  The point is a cable modem receiver chip is built to send its upstream data only to the CMTS and likewise receive data from the CMTS – so how can two modems even talk to each other?  

 

The link-local domain on the CMTS is also a well-defined and tied to a virtual L3 network interface that aggregates several physical cable network interfaces and all the modems.  As of Fall 2007, CableLabs in the U.S. that certifies CMTS and CM equipment has certified more than one CMTS vendor for Docsis 3.0 IPv6 with ND Proxy support on the CMTS.

 

I will be in Hiroshima, so if anyone would like to understand the cable and CMTS link-local model and mcast for ND in cable,  please find me – I am hanging out in 6man, v6ops, INT area and the like.

 

Regards,

 

Hemant

 

From: Dunn, Jeffrey H. [mailto:jdunn <at> mitre.org]
Sent: Thursday, November 05, 2009 6:35 PM
To: Hemant Singh (shemant); Fred Baker (fred); Erik Nordmark; Hesham Soliman; JINMEI Tatuya / 神明達哉; Thomas Narten; Susan Thomson (sethomso); william.allen.simpson <at> gmail.com
Cc: 6man-ads <at> tools.ietf.org; IETF IPv6 Mailing List; savi-ads <at> tools.ietf.org; Robin Mersh; v6ops-ads <at> tools.ietf.org; IPv6 Operations; SAVI Mailing List; Dunn, Jeffrey H.
Subject: RE: Broadband Forum liaison to IETF on IPv6 security

 

Colleagues,

 

I may be missing something, but it appears that, in the cases described, the two hosts downstream of two separate cable modems are off link to each other. This brings up the question: Do there two cable modems constitute two virtual interfaces, like two VLANs on the same physical router interface? If so, this is an architectural, rather than an implementation, question. Thoughts?

 

Best Regards,
 
Jeffrey Dunn
Info Systems Eng., Lead
MITRE Corporation.

(301) 448-6965 (mobile)

 

 

Permalink | Reply | 1 comment |

Gmane