IETF Mulls Working Group For IPv6 Home Networking

alphadogg writes "The Internet Engineering Task Force is considering establishing a working group to smooth some of the impending issues around setting up and maintaining IPv6-based Internet connections in homes. 'A collection of protocols needs to be agreed upon, so vendors of equipment used in home networks will have an interoperable suite of protocols available,' said Ralph Droms, a distinguished engineer for Cisco and among those who want to form the IETF working group. Home networking is a fairly new area for the IETF. Many of its standards were designed for large-scale organizational networks, rather than home use."

Huh?

[XanC]

Having read the article, I remain uninformed about exactly what it is they're talking about standardizing. Also, why does a publication called "Network World" assume that I know zero about networking?

Re:Huh?

[mellon]

The idea is to come up with a standard for what home routers for IPv6 ought to look like. We'd like to preserve end-to-end transparency, which current home routers break, but at the same time we'd like to avoid creating serious security risks for people who are accustomed to the current home router security model. Support for things like DNSSEC and multihoming are also on the proposed charter.

Home Networking working group description is here. [ietf.org]

Re:

[GofG]

Readers be aware, please, that the parent has a 4-digit UID and if Appeal to Authority were not fallacious, this user's word would be fact.

Re:

[sonamchauhan]

Hah. that's so old school. I started with a modern, 6-digit UID myself. I understand some really cutting-edge folks use 7-digit ones.

Back in the 90's, it had become obvious that the 4-digit range was going to run out one day... it was just a matter of time.

Unlike ipv6, the geniuses at slashdot designed their ID system such that a 6-digit and 4-digit ID can communicate directly!

Re:

[mellon]

Actually, this builds on a bunch of work done by Apple, who have been shipping IPv6 support for quite a long time. All of your bonjour are belong to IPv6, for example, and if you have a Time Capsule or Airport Extreme, that supports IPv6 as well. Apple got a bit burned a while back because they enabled 6to4 by default, so at this point I'd say they have a fair amount of street cred in the IPv6 home gateway space.

Re:

[XanC]

I wouldn't say they got burned because they enabled 6to4 by default; I'd say they got burned because their desktop systems then preferred to use 6to4 over native IPv4, which they're not supposed to.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Huh?

[TheReaperD]

Yes, all of that and one major point you are missing: Doing all of this with as little to no interaction with the user. The current standards assume a network tech to configure the router. With the home user, that is almost never going to happen. They want to create a set of "defaults" that everyone can rely upon for the auto-configuration.

Re:

[mellon]

Yup, that's correct.

Re:

[davester666]

Don't forget, they also need a way to definitively link an IPv6 address with a name, address, home phone number and current drivers license photo.

Re:

[TheReaperD]

Though being paranoid about such things, especially in the MAFIAA controlled US, never seems to be as tinfoil hat as it should these days, it won't matter. Faking an IPv6 address will be a trivial task for even a script kiddie and won't be to hard for anyone willing to read an article they Google. The stupid will still get caught but, the cops have always enjoyed the low hanging fruit of the criminal world to make it look like they do actual work.

Before anyone gets offended, I know and have met honest,

Re:

[jrumney]

UPNP IGD works over IPv6. Even if you are not NATed, it seems it would be a good idea to block all incoming ports at the router unless a client inside the local subnet specifically asks for it to be forwarded. Apple messed up badly on this one by making their equivalent Bonjour based protocol specific to NAT.

Re:

[shtrom]

Stuart Cheshire, the Apple guy behind the mDNS and DNS-SD (a.k.a. Bonjour) Internet-Drafts, is currently involved in the Port Control Protocol (PCP) Internet Draft: http://tools.ietf.org/html/draft-ietf-pcp-base-13 [ietf.org].

“The Port Control Protocol allows an IPv6 or IPv4 host to control how
incoming IPv6 or IPv4 packets are translated and forwarded by a
network address translator (NAT) or simple firewall, and also allows
a host to optimize its ou

Re:

[perlchild]

It also might mean they don't fancy going against a router model made up of bsd and linux software-based routers on appliance hardware in the home market. (Some of those risks can be lessened by default configurations, proper web based configurators and the like). And the last slashdot discussion of ipv6 lef me with the certitude that LTE at least, was IPv6 based.

On the other hand, it could just mean that IPv6 has failed, as it's the first time the IPv6 model has been presented as "not good enough for the

Not necessarily "failed".

[khasim]

Whereas the addressing always implied "one ipv6 for each of your devices"(almost like rfid for bluetooth devices, on the internet, all the time), they didn't figure out the firewalling ?

IPv6 has a section for private use.

FD00::/8

So the home router manufacturers could have the exact same configs as today (with IPv4) with IPv6. With all the same benefits and problems that we have today. And that people are familiar with. And familiarity is the important thing here.

Beyond that, it's just a matter of phrasing.

Re:

[tlhIngan]

IPv6 has a section for private use.

FD00::/8

So the home router manufacturers could have the exact same configs as today (with IPv4) with IPv6. With all the same benefits and problems that we have today. And that people are familiar with. And familiarity is the important thing here.

Bingo, you've just hit the major problem with IPv6. Despite NATv6 being proposed, no one really wants to implement it even though it would basically mean a plug-and-play installation - remove your IPv4 only router, put in your new

Re:

[knorthern knight]

> There's also the possibility that some ISPs might end up giving static IP address blocks
> to all customers. Given the HUGE address space they're being assigned, they have
> plenty of addresses available to do that. There's no longer a justification for dynamic
> addresses (reusing oversubscribed addresses).

That was the thinking when the original internet had /8 addresses handed out. Some people never learn. Fercryinoutloud, a /64 is 2^64 addresses. China's current population is approx 1.4 bil

Re:

[mikkelm]

After all, one of the nice things with NAT is it means my internal network addresses don't change on the whim of my ISP. They give me a 24.x.x.x today and a 70.x.x.x tomorrow? Nothing changes. But if full IPv6 is used, then when my ISP decides they need to do their prefixes, everything in my house gets a new IP as they inherit the new prefix. That's a huge PITA.

If "full" IPv6 is used, then surely your local addressing will be handled using FD00::/8 addresses, and no local issues will arise when you're issue

Re:

[suutar]

or even just the link-local addresses (fe80::/10). They're based on MAC addresses so they should be pretty stable, no?

Re:

[mikkelm]

If your network will only ever span a single segment, and if you don't plan on connecting via VPN, sure. Link-local addresses don't route, so if you'd need layer 3 forwarding, you'd need FD00::/8 addresses.

Re:

[suutar]

Good point. I only have one segment now, and I don't see that changing, but if it did, link local would no longer suffice. (I'm not sure VPN would be helped by FD00::/8, though. Since I'm presumably VPN'ing from outside, wouldn't I need to use a non-private address anyway?)

Re:

[mikkelm]

The problem with VPN is that, IIRC, the spec requires that traffic destined for link-local addresses not assigned to an interface on which it is received be dropped. If that's so, a device serving VPN clients should drop any traffic received on a LAN interface with a link-local destination address assigned to a remote VPN client. I'm sure it's possible to find implementations that hack around that issue, but since it's perfectly possible to do it the right way to similar effect (FD00::/8 with EUI-64,) those

Re:

[suutar]

Oh, I see. I didn't know that about VPN. Thanks!

Re:

[Old time hacker]

It also might mean they don't fancy going against a router model made up of bsd and linux software-based routers on appliance hardware in the home market.

As far as I know, most of the home routers today are based on open source platforms. [Yes, I know that some models use proprietary operating systems as it allows less RAM to be provided on the box]

I'm just about to install networked thermostats into my house. The current model is that it connects to a central server somewhere, and, in order to control my thermostat, I also have to connect to that site. This is crazy. I should be able to talk directly to my thermostat (over v6) from my smartphone (without ne

Re:

[0123456]

The trick is finding a way to make this happen securely and without configuration. On the face of it, this seems like a challenging task.

Philip

I believe you mis-spelt 'impossible'.

Somehow you need to configure your thermostat to tell it which devices to accept connections from, or you have to open it up to everyone. Otherwise you're expecting magic.

And the last thing I want is random IPV6 devices opening holes in my firewall by themselves; UPnP is a security disaster zone.

Re:

[isj]

http://tools.ietf.org/html/draft-vyncke-advanced-ipv6-security-01 [ietf.org] has some interesting ideas. At least it is a starting point - we don't want to end up with the same situation as for IPv4 where everything has to be piggybacked on inside-initiated HTTP connections.

Re:

[sjames]

It won't happen without a change of firmware on the thermostat. Even starting fresh, there would have to be some configuration, especially since your prefix is subject to change over time.

As for security, a pairing would be needed. For example, the app on your phone could generate a random key. To pair them, you contact the thermostat with the phone and then approve the connection on the thermostat itself to prove you have physical access.

Re:

[knorthern knight]

Howsabout a home server that accepts ssh connections (key-only, no passwords to brute-force). Connect the thermostats to your home box as "the central server", and ssh to your server when you want to do stuff.

Re:

[sjames]

That's probably still going to be a firmware update to make the central server configurable.

Re:

[Darinbob]

Anywhere that IPv6 is not good enough for the home, IPv4 will also not be good enough.

Re:

[mellon]

Eh? The IPv6 model hasn't been presented anywhere as "not good enough for the home." The problem is that IPv4 home gateways evolved kind of in the same way that layers of barnacles evolve, and we'd like it if IPv6 home gateways had a standard they could check off on their feature list that actually meant something. You know, "Supports RFC8192," where RFC8192 specifies behavior that will work well in the home environment, and won't invalidate all the work that's been done to date to make IPv6 an actual

Re:

[slashmydots]

Really? That sounds logical and all but it sounds to me more like they just want people to have to get a new phone, laptop, and Xbox when they buy a new router. I don't need IPv6 inside my house. That's pointless and some of my devices don't support it. I'm concerned that my ISP needs to get me a modem that can take an IPv6 address and start issuing them to it but that gets forwarded to the department of not my problem. They're the ones running out of addresses, not me. My home network is doing fine lo

Re:

[mellon]

Sure, except for all the things you can't do with it, because you don't have end-to-end connectivity. But you don't know about those things, because nobody is selling those products, because they don't work, because everybody's home gateway boxes break end-to-end connectivity. Anyway, based on your use of idiom, I suspect you live in the U.S., or possibly Canada, so you will be able to continue using IPv4 at least until your current set of networked devices wears out and stops working. The world on th

Re:

[Obfuscant]

Sure, except for all the things you can't do with it, because you don't have end-to-end connectivity. But you don't know about those things, because nobody is selling those products, because they don't work, because everybody's home gateway boxes break end-to-end connectivity.

Which, for most users, is a Good Thing, not A Problem. It allows most users to simply install iTunes on their peecee and turn on sharing so they can access their music library from other peecees without having to worry about someone outside scamming their music. Their "gateway" is keeping the bad guys out by "breaking end to end connectivity", at least when the initiating end is outside the home.

It is that last item that makes "breaking" a Good Thing.

Can you give some clues (or even be more explicit) on

Re:

[mellon]

There are a number of proposals to solve that problem on the table. Perhaps you should consider participating.

Re:

[Stupendoussteve]

Get rid of NAT and the gateway has to work as a real firewall, that is all. That is not some security nightmare, unless companies do not actually put a worthwhile default firewall policy into the gateway. Things like port forwarding would not be needed, but only allowing connections on specific ports could still be controlled pretty well and locked down by default, the gateway just doesn't forward the traffic through to the internal interface. The upside is you could allow multiple devices to be accessed on

Re:

[tomherbst]

I expect your house may be either doing or capable of doing a lot of IPv6 if the devices, software, etc are fairly current. Apple and Microsoft both use IPv6 for many functions, transparent to what the user sees. Apple has used IPv6 (linklocal) for configuring their Airport routers, for example. Many of the cloud based services like back to my mac are tunneling IPv6 in IPv4. Microsoft tunnels IPv6 for their cloud services, also.

Re:

[petermgreen]

I'm sure some form of v4 service will be maintained for a long time to come. However due to IP shortages some users will not get public v4 IPs, instead their v4 service will will go through a NAT controlled by the ISP. Since the user doesn't control this NAT they will not be able to accept incoming v4 connections. Depending on how the ISP implements that NAT they may or may not be able to use NAT traversal techniques (or they may be able to use them but not reliably). These NATS may well be overloaded in te

Re:

[WaffleMonster]

Perhaps you should include engineers from the real world in your deliberations. The IETF has consistently and adamantly refused to accept that NATs exist for security reasons (NOT JUST TO SAVE ADDRESSES!!) and are not going to go away with IPv6. In that regard, please stop inventing protocols that require a masters degree thesis to pass through NATs. (Thesis here: http://www.minisip.org/publications/Thesis_LaTorreYurkov_feb2006.pdf [minisip.org])

What are the "security reasons" for NAT vs SPI? What is the difference?

Re:

[mellon]

That's because NATs exist to share (not save) addresses. You can get the exact same security characteristics with a firewall, if that's what you want.

Re:

[Stupendoussteve]

The security reasons for using NAT are easily overcome with a real firewall, which at this point is not outside of the processing limits of home routers.

Re:

[asdfghjklqwertyuiop]

The IETF has consistently and adamantly refused to accept that NATs exist for security reasons

And that's because it doesn't.

Re:

[baerm]

Perhaps you should include engineers from the real world in your deliberations. The IETF has consistently and adamantly refused to accept that NATs exist for security reasons (NOT JUST TO SAVE ADDRESSES!!) and are not going to go away with IPv6. In that regard, please stop inventing protocols that require a masters degree thesis to pass through NATs. (Thesis here: http://www.minisip.org/publications/Thesis_LaTorreYurkov_feb2006.pdf [minisip.org])

Perhaps, many within the IETF understand that NATs exist to generate more address space and they also provide some firewall-like security features. Perhaps some of them might even think that when the additional address space needs are unnecessary, the use of NATs as a firewall is also unnecessary. You might even just use, I don't know, something that is explicitly a firewall and not bother NATing.

If you really want security, having a device which functions explicitly for security might be better than, "He

Re:

[TBBle]

That's last year's similar effort. This article's talking about the new WG proposal under the same name, described at http://www.ietf.org/mail-archive/web/homegate/current/msg00821.html [ietf.org]

Because its written for CIOs?

[Marrow]

Just a guess. :)

Re:

[SuricouRaven]

IPv4 should have run out by now, but its dominance is being prolonged by many organisations doing whatever they can to postpone the very difficult and very expensive upgrade process. Eventually there will come a point where the difficulty of continuing to keep IPv4 running through scarce addressing and multi-level NAT will grow so great that switching to IPv6 will seem easier, but that point is many years away. For now, it's always easier to buy time with a little more improvisation.

hardware needs updates for IPV6 and software as we

[Joe_Dragon]

hardware needs updates for IPV6 and software as well.

lot's of routers can't do IPV6 and others say we are working on IPV6 updates.

Re:

[SuricouRaven]

That would be the 'very expensive' part of the upgrade process.

How much of IPv4 is really gone

[billstewart]

• IANA has given out all of its IPv4 space to the Regional Internet Registries (RIRs.)
• Some of the RIRs still have one or two /8s they haven't given out to ISPs and End-Users yet, and APNIC will probably run out this fall; they're all giving it out more slowly now.
• Existing ISPs mostly have some space left to give out to End Users, and maybe they can get a bit more from their RIR, but not much, and small ISPs may be able to get a bit more from their upstream ISPs.
• End Users will have a much harder time getting

Re:

[SuricouRaven]

They can NAT, then double-NAT. If they really need addresses, they can buy from someone else who has some left over. Now that IPv4 addresses are in shortage, they become a commodity.

This does not inspire confidence

[Marrow]

"Home networking is a fairly new area for the IETF." -- this statement does not inspire confidence. The majority of the networks in the world are small NAT based networks. Small businesses based abound a NAT firewall are indistinguishable from these home networks. And now they say they are just getting around to thinking about the vast majority of networks?

Re:

[Zombie]

Residential networking has been booming lately, and we're only scratching the surface compared to what's about to come. We want to make sure that the home has all the goodness of properly configured, secure, scalable networking without any of the administration overhead. I may be my family's IT department, but I shouldn't have to be. Stuff should just work. That's what this is about.

Re:

[petermgreen]

The thing is with NAT they don't need much thinking about because a NAT box looks like a router with a fixed configuration to it's clients and looks like an end device to the ISP. Therefore no special protocols are needed to make everything work automagically (beyond configuring login details etc if the WAN side is PPP).

However the powers that be have decided (rightly or wrongly) that NAT is evil and not an option for v6 deployment. In the absense of NAT the task of a home router gets quite a lot more compl

Re:

[upuv]

I honestly can't believe that NAT will not be implemented by vendors of home equipment.

Of course it will.

All it will take is a ISP to issue a ridiculously small range to home users and Boom NAT comes into existence as a means of getting around the issue. ISP's are going to try and make money as they do today from issue static ip ranges to users. You can make more money if you make the ranges small. It's obvious that a money grab will cause home NATing.

Secondly small devices in the home will be connected

Re:

[0123456]

I think the point is to do away with NAT entirely.

The question is why that's considered to be a good thing. I like the fact that random web site can't tell which device in my house is connecting to it becuase they all have the router's IP address.

Re:

[WaffleMonster]

The question is why that's considered to be a good thing. I like the fact that random web site can't tell which device in my house is connecting to it becuase they all have the router's IP address.

Like web sites have any trouble doing that today with fingerprinting and (flash) cookies.

Re:

[0123456]

Like web sites have any trouble doing that today with fingerprinting and (flash) cookies.

Yeah, because that's so much easier than just looking at the IP address.

Nor will they have a great deal of luck when all the computers in the hosue run the same OS and clear flash crap every time they reboot.

Re:

[WaffleMonster]

Yeah, because that's so much easier than just looking at the IP address.

Site owners use tools written by others who have done all the difficult work for them. They have no reason to care about a distinction between easy and easier.

Nor will they have a great deal of luck when all the computers in the hosue run the same OS and clear flash crap every time they reboot

Do you really clear cookies every time you reboot? Why not just turn on IPv6 privacy extensions?

Re:

[not-my-real-name]

With IPv6, you could have the router come up with a new IP address for each connection. So instead of everything looking like it comes from the same IP address (as with NAT), you could have every connection look like it comes from a different address.

Re:

[cjb658]

I wonder if we'll start seeing ISPs billing you extra for every additional device you connect to your home network.

Re:

[arglebargle_xiv]

I think the point is to do away with NAT entirely.

The question is why that's considered to be a good thing.

It's not a good thing or a bad thing, it's an IETF article of faith. To the IETF, NAT has been an abomination upon the earth for as long as it's existed, to the extent that they've designed some protocols to deliberately break NAT (why do you think IPsec via IKEv1 and AH was so hard to get through a NAT?) in the hope that it would discourage its use (of course the exact opposite happened and NAT discouraged the other protocol's use). To the IETF, NAT doesn't exist, and where they're forced to acknowledge it

Re:

[WaffleMonster]

Why not maintain the IPv4 for the home scale devices (5 port routers) with a IPv6 WAN side connection?

What would the point of that be? Some of us care about using P2P services like Skype and don't particularly want random people on the Internet to be intermediaries for our traffic just because you are adverse to change. The cold hard fact there is zero security difference between SPI and NAT. If you count the crap folks are able to pull off in the state machines of 1:many ALGs SPI is MORE secure.

It seems very overkill to push IPv6 to the home level even with "network light bulbs" how many can one house have?

As many as we fricking want!

Also for a tech perspective can you imagine the support calls with customers rattling of IPv6 addresses all the time?

I can't imagine end users ever needing to. LLMNR, DNS, ND, DHCP autoconfig... I do

Re:why? How can you send to IPv6 from within LAN?

[yoghurt]

Assume that you get an IPv6 address assigned to your router. Assume that a computer on your LAN wants to talk to a internet host with IPv6. The NAT box can translate replies from the internet host to IPv4. But how are you going to talk to the IPv6 host? How can you send a packet to an IPv6 address if all you got is IPv4 on your LAN?

I suppose the NAT box could run DNS and make a look-up table mapping IPv6 internet addresses to IPv4 for your home computer to use. This seems a bit of a kludge and it doesn

Cisco has its own interoperability issues

[linuxwebadmin]

I've run Cisco SOHO devices such as RV042, RV082, RV016, RVS400, RVL200, and WRV210. In my experience setting up VPNs and firewalls on these devices, they often have interoperability issues between themselves. Also, I've worked with a SRW208 whose web management interface requires you to use IE to manage the device. Based upon these experiences, I'd suggest that Cisco needs to work on interoperability between their own devices before they can provide guidance to others on how to make interoperable devices

Re:

[Relayman]

Isn't it time to look for an alternative to Cisco? I left them after a customer paid $2,500 for a 16-port switch.

Issue #1

[Megane]

Get the ISPs to provide IPv6 to their customers.

Re:

[tftp]

Get the ISPs to provide IPv6 to their customers.

That's the chicken's side of the problem, and IETF just suddenly realized that the egg is also somehow involved. ISPs can't deploy IPv6 because:

1. There are too few managed (or otherwise) routers that they can use to provide dual stack services.
2. There is no understanding who does what. For example, who provides DNS for my toaster? I'm not going to enter the IPv6 address each time I want to ping it.
3. Who is doing the IPv6 autoconfiguration?
4. Finally, how the cu

Re:

[upuv]

How about my ISP providing ipv6 DNS at all. You would be stunned to find out how few actually do.

Without DNS providing ipv6 addressing ipv6 is a dead end.

Note DNS for your toaster would most likely have to come from your own personal router. As the toaster would be using your home ipv6 prefix. It only makes sense that with in the address block the sub domain names would be supplied internal to your home. So the name would be like "4slicetoaser.419rigwaystreet.Chicago.us". Where you home domain is "419r

Re:

[DarkOx]

Great plan, would be crooks can get a complete inventory of my home electronics, just by doing a zone transfer. This will make burglary sooo much more efficient.

Re:

[Gerald]

How old is your data? It's about 3.2% on my servers and growing. I'm going to pop open a bottle of champagne when the percentage of IPv6 users exceeds the percentage of IE6 users.

Re:

[ahtnos]

What about the IE6 users coming in over IPv6?

Internet hippies at IETF

[knorthern knight]

Some people seem to live in la-la-land. I don't care about the difference between SPI and NAT, but some people do, all in the interest of "end-to-end connectivity". Some of their suggestions are totally brain-dead. E.g. http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-security-09 [ietf.org]
> In managed, enterprise networks, virtual private networking tunnels
> are typically regarded as an additional attack surface. and they are
> often restricted or prohibited from traversing firewalls for that
> rea

Re:

[arglebargle_xiv]

Some people seem to live in la-la-land.

That's certainly been true of the IETF for NAT (specifically, they're in "la-la-la-I'm-not-listening-la-la-la land"), but also for IPv6.

Some of their suggestions are totally brain-dead. E.g. http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-security-09 [ietf.org]

This is now RFC 6092 [ietf.org], but your comments are still valid. It's a pretty scary read, things like:

By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited), to any unsolicited inbound SYN packet

because, you know, port-scanners have to be given a chance too. There's a bunch of other lo

IPv6 support is easy if you do it right

[arglebargle_xiv]

I work for a sizeable (> 50K people) distributed organisation. On World IPv6 Day we disabled IPv6 on everything where it could be disabled (which in some cases required re-imaging machines where there was no way to turn it off completely), and disconnected/shut down anything where IPv6 couldn't be disabled. We had absolutely zero problems or incidents during the entire IPv6 day.

It's so simple when you think about it. I really don't understand what all the fuss is about.

Oh by all means

[ThatsNotPudding]

let's have Cisco at the table, even if only to act as a moral compass.