
IETF Mulls Working Group For IPv6 Home Networking

Posted by timothy
from the router-vendors-salivate-copiously dept.
alphadogg writes "The Internet Engineering Task Force is considering establishing a working group to smooth some of the impending issues around setting up and maintaining IPv6-based Internet connections in homes. 'A collection of protocols needs to be agreed upon, so vendors of equipment used in home networks will have an interoperable suite of protocols available,' said Ralph Droms, a distinguished engineer for Cisco and among those who want to form the IETF working group. Home networking is a fairly new area for the IETF. Many of its standards were designed for large-scale organizational networks, rather than home use."
  • by XanC (644172) on Thursday July 07, 2011 @01:29PM (#36685820)

    Having read the article, I remain uninformed about exactly what it is they're talking about standardizing. Also, why does a publication called "Network World" assume that I know zero about networking?

    • Re:Huh? (Score:5, Informative)

      by mellon (7048) on Thursday July 07, 2011 @01:35PM (#36685890) Homepage

      The idea is to come up with a standard for what home routers for IPv6 ought to look like. We'd like to preserve end-to-end transparency, which current home routers break, but at the same time we'd like to avoid creating serious security risks for people who are accustomed to the current home router security model. Support for things like DNSSEC and multihoming are also on the proposed charter.

      Home Networking working group description is here. [ietf.org]

      • Re: (Score:2, Funny)

        by GofG (1288820)

        Readers be aware, please, that the parent has a 4-digit UID and if Appeal to Authority were not fallacious, this user's word would be fact.

        • Hah. That's so old school. I started with a modern, 6-digit UID myself. I understand some really cutting-edge folks use 7-digit ones.

          Back in the 90's, it had become obvious that the 4-digit range was going to run out one day... it was just a matter of time.

          Unlike ipv6, the geniuses at slashdot designed their ID system such that a 6-digit and 4-digit ID can communicate directly!

      • Re:Huh? (Score:4, Informative)

        by TheReaperD (937405) on Thursday July 07, 2011 @01:43PM (#36685986)

        Yes, all of that and one major point you are missing: doing all of this with little to no interaction with the user. The current standards assume a network tech to configure the router. With the home user, that is almost never going to happen. They want to create a set of "defaults" that everyone can rely upon for the auto-configuration.

        • by mellon (7048)

          Yup, that's correct.

          • Don't forget, they also need a way to definitively link an IPv6 address with a name, address, home phone number and current drivers license photo.

            • Though being paranoid about such things, especially in the MAFIAA controlled US, never seems to be as tinfoil hat as it should these days, it won't matter. Faking an IPv6 address will be a trivial task for even a script kiddie and won't be too hard for anyone willing to read an article they Google. The stupid will still get caught, but the cops have always enjoyed the low hanging fruit of the criminal world to make it look like they do actual work.

              Before anyone gets offended, I know and have met honest,

        • by jrumney (197329)
          UPNP IGD works over IPv6. Even if you are not NATed, it seems it would be a good idea to block all incoming ports at the router unless a client inside the local subnet specifically asks for it to be forwarded. Apple messed up badly on this one by making their equivalent Bonjour based protocol specific to NAT.
          • by shtrom (1251560)

            Stuart Cheshire, the Apple guy behind the mDNS and DNS-SD (a.k.a. Bonjour) Internet-Drafts, is currently involved in the Port Control Protocol (PCP) Internet Draft: http://tools.ietf.org/html/draft-ietf-pcp-base-13 [ietf.org].

            “The Port Control Protocol allows an IPv6 or IPv4 host to control how
            incoming IPv6 or IPv4 packets are translated and forwarded by a
            network address translator (NAT) or simple firewall, and also allows
            a host to optimize its ou

      • by perlchild (582235)

        It also might mean they don't fancy going against a router model made up of bsd and linux software-based routers on appliance hardware in the home market. (Some of those risks can be lessened by default configurations, proper web based configurators and the like). And the last slashdot discussion of ipv6 left me with the certitude that LTE at least, was IPv6 based.

        On the other hand, it could just mean that IPv6 has failed, as it's the first time the IPv6 model has been presented as "not good enough for the

        • by khasim (1285)

          Whereas the addressing always implied "one ipv6 for each of your devices" (almost like rfid for bluetooth devices, on the internet, all the time), they didn't figure out the firewalling?

          IPv6 has a section for private use.

          FD00::/8

          So the home router manufacturers could have the exact same configs as today (with IPv4) with IPv6. With all the same benefits and problems that we have today. And that people are familiar with. And familiarity is the important thing here.

          Beyond that, it's just a matter of phrasing.

          • by tlhIngan (30335)

            IPv6 has a section for private use.

            FD00::/8

            So the home router manufacturers could have the exact same configs as today (with IPv4) with IPv6. With all the same benefits and problems that we have today. And that people are familiar with. And familiarity is the important thing here.

            Bingo, you've just hit the major problem with IPv6. Despite NATv6 being proposed, no one really wants to implement it even though it would basically mean a plug-and-play installation - remove your IPv4 only router, put in your new

            • by mikkelm (1000451)

              After all, one of the nice things with NAT is it means my internal network addresses don't change on the whim of my ISP. They give me a 24.x.x.x today and a 70.x.x.x tomorrow? Nothing changes. But if full IPv6 is used, then when my ISP decides they need to do their prefixes, everything in my house gets a new IP as they inherit the new prefix. That's a huge PITA.

              If "full" IPv6 is used, then surely your local addressing will be handled using FD00::/8 addresses, and no local issues will arise when you're issue

              • by suutar (1860506)
                or even just the link-local addresses (fe80::/10). They're based on MAC addresses so they should be pretty stable, no?
                • by mikkelm (1000451)

                  If your network will only ever span a single segment, and if you don't plan on connecting via VPN, sure. Link-local addresses don't route, so if you'd need layer 3 forwarding, you'd need FD00::/8 addresses.

                  • by suutar (1860506)
                    Good point. I only have one segment now, and I don't see that changing, but if it did, link local would no longer suffice. (I'm not sure VPN would be helped by FD00::/8, though. Since I'm presumably VPN'ing from outside, wouldn't I need to use a non-private address anyway?)
                    • by mikkelm (1000451)

                      The problem with VPN is that, IIRC, the spec requires that traffic destined for link-local addresses not assigned to an interface on which it is received be dropped. If that's so, a device serving VPN clients should drop any traffic received on a LAN interface with a link-local destination address assigned to a remote VPN client. I'm sure it's possible to find implementations that hack around that issue, but since it's perfectly possible to do it the right way to similar effect (FD00::/8 with EUI-64,) those

                    • by suutar (1860506)
                      Oh, I see. I didn't know that about VPN. Thanks!
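The address scopes this subthread argues about (fe80::/10 link-local versus FD00::/8 unique-local) and the EUI-64 identifiers mentioned in it, as an added example that is not from any of the posters. It derives the SLAAC interface identifier from a MAC, builds addresses under each prefix, reports whether a router will forward them, and shows the privacy side effect of EUI-64: the MAC can be read straight back out of the address. The MAC and prefixes are constructed sample values.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")   # RFC 4193; fd00::/8 is the locally assigned half

def eui64_interface_id(mac: str) -> int:
    """Derive the 64-bit modified EUI-64 identifier from a 48-bit MAC."""
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the device part, then flip the
    # universal/local bit (bit 1 of the first octet).
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier for that MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def classify(addr: str) -> dict:
    """Report the scope of an address and whether a router will forward it."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        scope, routable = "link-local", False   # never forwarded off the segment
    elif a in ULA:
        scope, routable = "unique-local", True  # routed inside the site, not on the Internet
    else:
        scope, routable = "global", True
    return {"scope": scope, "routable": routable, "ula": a in ULA}

def mac_from_eui64(addr: str):
    """Recover the MAC embedded in an EUI-64 address, or None if it is not one.
    This is the privacy cost of EUI-64: the hardware address travels in every packet."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"   # constructed sample MAC
    for prefix in ("fe80::/64", "fd12:3456:789a:1::/64", "2001:db8:1234:1::/64"):
        addr = address_from_prefix(prefix, mac)
        print(addr, classify(str(addr)), mac_from_eui64(str(addr)))
```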
        • It also might mean they don't fancy going against a router model made up of bsd and linux software-based routers on appliance hardware in the home market.

          As far as I know, most of the home routers today are based on open source platforms. [Yes, I know that some models use proprietary operating systems as it allows less RAM to be provided on the box]

          I'm just about to install networked thermostats into my house. The current model is that it connects to a central server somewhere, and, in order to control my thermostat, I also have to connect to that site. This is crazy. I should be able to talk directly to my thermostat (over v6) from my smartphone (without ne

          • by 0123456 (636235)

            The trick is finding a way to make this happen securely and without configuration. On the face of it, this seems like a challenging task.

            Philip

            I believe you mis-spelt 'impossible'.

            Somehow you need to configure your thermostat to tell it which devices to accept connections from, or you have to open it up to everyone. Otherwise you're expecting magic.

            And the last thing I want is random IPV6 devices opening holes in my firewall by themselves; UPnP is a security disaster zone.

          • by sjames (1099)

            It won't happen without a change of firmware on the thermostat. Even starting fresh, there would have to be some configuration, especially since your prefix is subject to change over time.

            As for security, a pairing would be needed. For example, the app on your phone could generate a random key. To pair them, you contact the thermostat with the phone and then approve the connection on the thermostat itself to prove you have physical access.

            • Howsabout a home server that accepts ssh connections (key-only, no passwords to brute-force). Connect the thermostats to your home box as "the central server", and ssh to your server when you want to do stuff.

              • by sjames (1099)

                That's probably still going to be a firmware update to make the central server configurable.
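The pairing idea sjames sketches above (phone generates a random key, the owner approves the connection on the thermostat itself to prove physical access), as an added in-process model that is not from any poster or product. The message format, the counter used against replays, and the "button press" are constructed for this example; how the key would travel over a real network is not modelled.

```python
import hmac, hashlib, secrets

class Thermostat:
    def __init__(self):
        self.pending = {}   # phone_id -> proposed key, waiting for a button press
        self.paired = {}    # phone_id -> (key, highest counter accepted)
        self.setpoint = 20.0
    def request_pairing(self, phone_id: str, key: bytes) -> str:
        # Anyone who can reach the device may ask; nothing is granted yet.
        self.pending[phone_id] = key
        return "pending: press the button on the thermostat to approve"
    def press_button(self, phone_id: str) -> bool:
        # Stands in for physical access: the only path into the paired set.
        key = self.pending.pop(phone_id, None)
        if key is None:
            return False
        self.paired[phone_id] = (key, 0)
        return True
    def command(self, phone_id: str, counter: int, body: str, tag: bytes) -> str:
        entry = self.paired.get(phone_id)
        if entry is None:
            return "rejected: not paired"
        key, last = entry
        expected = hmac.new(key, f"{counter}|{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad authenticator"
        if counter <= last:
            return "rejected: replay"   # valid tag, but a counter already used
        self.paired[phone_id] = (key, counter)
        if body.startswith("set "):
            self.setpoint = float(body[4:])
        return f"ok: setpoint {self.setpoint}"

class PhoneApp:
    def __init__(self, phone_id: str):
        self.phone_id = phone_id
        self.key = secrets.token_bytes(32)  # generated on the phone, as sjames suggests
        self.counter = 0
        self.last = None
    def pair(self, t: Thermostat) -> str:
        # Key handed over in-process here; a real network would need a protected channel.
        return t.request_pairing(self.phone_id, self.key)
    def send(self, t: Thermostat, body: str) -> str:
        self.counter += 1
        tag = hmac.new(self.key, f"{self.counter}|{body}".encode(), hashlib.sha256).digest()
        self.last = (self.phone_id, self.counter, body, tag)
        return t.command(*self.last)
    def resend_last(self, t: Thermostat) -> str:
        # Models a captured command being replayed verbatim.
        return t.command(*self.last)

def demo() -> list:
    t, owner, stranger = Thermostat(), PhoneApp("owner-phone"), PhoneApp("stranger")
    out = [owner.send(t, "set 18.5")]          # unpaired: rejected
    owner.pair(t)
    out.append(owner.send(t, "set 18.5"))      # pending only: still rejected
    t.press_button("owner-phone")              # button pressed on the device
    out.append(owner.send(t, "set 18.5"))      # accepted
    out.append(owner.resend_last(t))           # replayed: rejected
    stranger.pair(t)                           # never approved at the device
    out.append(stranger.send(t, "set 30"))
    return out
```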

        • by Darinbob (1142669)

          Anywhere that IPv6 is not good enough for the home, IPv4 will also not be good enough.

        • by mellon (7048)

          Eh? The IPv6 model hasn't been presented anywhere as "not good enough for the home." The problem is that IPv4 home gateways evolved kind of in the same way that layers of barnacles evolve, and we'd like it if IPv6 home gateways had a standard they could check off on their feature list that actually meant something. You know, "Supports RFC8192," where RFC8192 specifies behavior that will work well in the home environment, and won't invalidate all the work that's been done to date to make IPv6 an actual

      • Really? That sounds logical and all but it sounds to me more like they just want people to have to get a new phone, laptop, and Xbox when they buy a new router. I don't need IPv6 inside my house. That's pointless and some of my devices don't support it. I'm concerned that my ISP needs to get me a modem that can take an IPv6 address and start issuing them to it but that gets forwarded to the department of not my problem. They're the ones running out of addresses, not me. My home network is doing fine lo
        • by mellon (7048)

          Sure, except for all the things you can't do with it, because you don't have end-to-end connectivity. But you don't know about those things, because nobody is selling those products, because they don't work, because everybody's home gateway boxes break end-to-end connectivity. Anyway, based on your use of idiom, I suspect you live in the U.S., or possibly Canada, so you will be able to continue using IPv4 at least until your current set of networked devices wears out and stops working. The world on th

          • by Obfuscant (592200)

            Sure, except for all the things you can't do with it, because you don't have end-to-end connectivity. But you don't know about those things, because nobody is selling those products, because they don't work, because everybody's home gateway boxes break end-to-end connectivity.

            Which, for most users, is a Good Thing, not A Problem. It allows most users to simply install iTunes on their peecee and turn on sharing so they can access their music library from other peecees without having to worry about someone outside scamming their music. Their "gateway" is keeping the bad guys out by "breaking end to end connectivity", at least when the initiating end is outside the home.

            It is that last item that makes "breaking" a Good Thing.

            Can you give some clues (or even be more explicit) on

            • by mellon (7048)

              There are a number of proposals to solve that problem on the table. Perhaps you should consider participating.

            • Get rid of NAT and the gateway has to work as a real firewall, that is all. That is not some security nightmare, unless companies do not actually put a worthwhile default firewall policy into the gateway. Things like port forwarding would not be needed, but only allowing connections on specific ports could still be controlled pretty well and locked down by default, the gateway just doesn't forward the traffic through to the internal interface. The upside is you could allow multiple devices to be accessed on

        • by tomherbst (888500)
          I expect your house may be either doing or capable of doing a lot of IPv6 if the devices, software, etc are fairly current. Apple and Microsoft both use IPv6 for many functions, transparent to what the user sees. Apple has used IPv6 (linklocal) for configuring their Airport routers, for example. Many of the cloud based services like back to my mac are tunneling IPv6 in IPv4. Microsoft tunnels IPv6 for their cloud services, also.
        • I'm sure some form of v4 service will be maintained for a long time to come. However due to IP shortages some users will not get public v4 IPs, instead their v4 service will go through a NAT controlled by the ISP. Since the user doesn't control this NAT they will not be able to accept incoming v4 connections. Depending on how the ISP implements that NAT they may or may not be able to use NAT traversal techniques (or they may be able to use them but not reliably). These NATs may well be overloaded in te

      • by TBBle (72184)

        That's last year's similar effort. This article's talking about the new WG proposal under the same name, described at http://www.ietf.org/mail-archive/web/homegate/current/msg00821.html [ietf.org]

    • Just a guess. :)

  • "Home networking is a fairly new area for the IETF." -- this statement does not inspire confidence. The majority of the networks in the world are small NAT based networks. Small businesses based around a NAT firewall are indistinguishable from these home networks. And now they say they are just getting around to thinking about the vast majority of networks?

    • by Zombie (8332)
      Residential networking has been booming lately, and we're only scratching the surface compared to what's about to come. We want to make sure that the home has all the goodness of properly configured, secure, scalable networking without any of the administration overhead. I may be my family's IT department, but I shouldn't have to be. Stuff should just work. That's what this is about.
    • The thing is with NAT they don't need much thinking about because a NAT box looks like a router with a fixed configuration to its clients and looks like an end device to the ISP. Therefore no special protocols are needed to make everything work automagically (beyond configuring login details etc if the WAN side is PPP).

      However the powers that be have decided (rightly or wrongly) that NAT is evil and not an option for v6 deployment. In the absence of NAT the task of a home router gets quite a lot more compl

      • by upuv (1201447)

        I honestly can't believe that NAT will not be implemented by vendors of home equipment.

        Of course it will.

        All it will take is an ISP to issue a ridiculously small range to home users and Boom NAT comes into existence as a means of getting around the issue. ISPs are going to try and make money as they do today from issuing static IP ranges to users. You can make more money if you make the ranges small. It's obvious that a money grab will cause home NATing.

        Secondly small devices in the home will be connected

  • I've run Cisco SOHO devices such as RV042, RV082, RV016, RVS400, RVL200, and WRV210. In my experience setting up VPNs and firewalls on these devices, they often have interoperability issues between themselves. Also, I've worked with a SRW208 whose web management interface requires you to use IE to manage the device. Based upon these experiences, I'd suggest that Cisco needs to work on interoperability between their own devices before they can provide guidance to others on how to make interoperable devices
    • by Relayman (1068986)
      Isn't it time to look for an alternative to Cisco? I left them after a customer paid $2,500 for a 16-port switch.
  • Get the ISPs to provide IPv6 to their customers.
    • by tftp (111690)

      Get the ISPs to provide IPv6 to their customers.

      That's the chicken's side of the problem, and IETF just suddenly realized that the egg is also somehow involved. ISPs can't deploy IPv6 because:

      1. There are too few managed (or otherwise) routers that they can use to provide dual stack services.
      2. There is no understanding who does what. For example, who provides DNS for my toaster? I'm not going to enter the IPv6 address each time I want to ping it.
      3. Who is doing the IPv6 autoconfiguration?
      4. Finally, how the cu
      • by upuv (1201447)

        How about my ISP providing ipv6 DNS at all. You would be stunned to find out how few actually do.

        Without DNS providing ipv6 addressing ipv6 is a dead end.

        Note DNS for your toaster would most likely have to come from your own personal router. As the toaster would be using your home ipv6 prefix. It only makes sense that within the address block the sub domain names would be supplied internal to your home. So the name would be like "4slicetoaser.419rigwaystreet.Chicago.us". Where your home domain is "419r

        • by DarkOx (621550)

          Great plan, would-be crooks can get a complete inventory of my home electronics, just by doing a zone transfer. This will make burglary sooo much more efficient.

  • Some people seem to live in la-la-land. I don't care about the difference between SPI and NAT, but some people do, all in the interest of "end-to-end connectivity". Some of their suggestions are totally brain-dead. E.g. http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-security-09 [ietf.org]
    > In managed, enterprise networks, virtual private networking tunnels
    > are typically regarded as an additional attack surface. and they are
    > often restricted or prohibited from traversing firewalls for that
    > rea

    • Some people seem to live in la-la-land.

      That's certainly been true of the IETF for NAT (specifically, they're in "la-la-la-I'm-not-listening-la-la-la land"), but also for IPv6.

      Some of their suggestions are totally brain-dead. E.g. http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-security-09 [ietf.org]

      This is now RFC 6092 [ietf.org], but your comments are still valid. It's a pretty scary read, things like:

      By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited), to any unsolicited inbound SYN packet

      because, you know, port-scanners have to be given a chance too. There's a bunch of other lo
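The stateful filtering a NAT-free gateway does instead of translation, which the "gateway has to work as a real firewall" reply and the RFC 6092 default quoted above both describe, as an added toy model that is not from the thread or from RFC 6092. LAN-initiated flows create state, inbound packets pass only when they match that state or a pinhole a LAN host explicitly opened (the PCP/UPnP-IGD style request discussed earlier), and an unsolicited inbound SYN is answered with ICMPv6 Destination Unreachable code 1 as the quoted text mandates, with a switch for the silent-drop behaviour the poster would prefer. Addresses, ports and packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" arrives from the ISP side, "out" from the LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags, e.g. "S", "SA", "A"

class Gateway:
    def __init__(self, lan="2001:db8:1::/64", reject_unsolicited_syn=True):
        self.lan = ipaddress.IPv6Network(lan)
        self.reject_unsolicited_syn = reject_unsolicited_syn   # RFC 6092 default: True
        self.flows = set()      # (lan_addr, lan_port, remote_addr, remote_port)
        self.pinholes = set()   # (lan_addr, lan_port) a LAN host explicitly opened

    def open_pinhole(self, lan_addr: str, port: int) -> bool:
        # Stands in for a PCP/UPnP-IGD style request; only LAN hosts may ask.
        if ipaddress.IPv6Address(lan_addr) not in self.lan:
            return False
        self.pinholes.add((lan_addr, port))
        return True

    def handle(self, p: Packet) -> str:
        if p.direction == "out":
            if ipaddress.IPv6Address(p.src) not in self.lan:
                return "drop: source not in LAN prefix"   # simple egress check
            self.flows.add((p.src, p.sport, p.dst, p.dport))   # remember the flow
            return "forward"
        # Inbound: only replies to LAN-initiated flows, or explicit pinholes, pass.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "forward"
        if (p.dst, p.dport) in self.pinholes:
            self.flows.add((p.dst, p.dport, p.src, p.sport))
            return "forward"
        if p.flags == "S" and self.reject_unsolicited_syn:
            return "reject: ICMPv6 dst-unreach code 1"   # what the quoted RFC text mandates
        return "drop"

LAN_HOST, WEB, SCANNER = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:ffff::99"
SAMPLE = [   # constructed packets
    Packet("out", LAN_HOST, 40000, WEB, 443, "S"),        # LAN host opens a connection
    Packet("in", WEB, 443, LAN_HOST, 40000, "SA"),        # reply to that connection
    Packet("in", SCANNER, 50000, LAN_HOST, 22, "S"),      # unsolicited inbound SYN
    Packet("in", SCANNER, 50001, LAN_HOST, 22, "A"),      # unsolicited non-SYN
    Packet("out", "2001:db8:9::1", 1234, WEB, 443, "S"),  # source outside the LAN prefix
]

def run(gw: Gateway, packets=SAMPLE) -> list:
    return [gw.handle(p) for p in packets]

if __name__ == "__main__":
    print(run(Gateway()))                               # RFC 6092 default behaviour
    print(run(Gateway(reject_unsolicited_syn=False)))   # silent-drop variant
```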

  • I work for a sizeable (> 50K people) distributed organisation. On World IPv6 Day we disabled IPv6 on everything where it could be disabled (which in some cases required re-imaging machines where there was no way to turn it off completely), and disconnected/shut down anything where IPv6 couldn't be disabled. We had absolutely zero problems or incidents during the entire IPv6 day.

    It's so simple when you think about it. I really don't understand what all the fuss is about.

  • let's have Cisco at the table, even if only to act as a moral compass.
