Hey,
Mal here. IETF attendee since 2012 ;)
I have a home networking question with respect to IPv6 standards, I'm hoping to
use you as a sounding board first before I take it to v6ops.
The scenario here is a home / soho network situation where the user wants to
host a service, lets say its a webserver, but really could be any hosted
application, importantly using IPv6. The router is setup to use SLAAC only.
The ISP offers IPv6 GUA addressing in a non-stable manor, its "sticky" but at
some point in the future it might change (BNG reboot for example), so the user
will use DynDNS provider to provide a stable name for their service, this
sounds OK so far.
The user has to allow the webserver port, 443 in their router GUI firewall to
allow the traffic in, sounds simple enough. Importantly it should be to that
webserver device only.
Now the tricky part....
Since in this scenario the webserver device is using privacy extensions, it has
a bunch of IPv6 GUA addresses and no EUI-64 and
- It has Temporary addressing (which will regularly change)
- It has a "Permanent" address (which is the one the webserver will want to use)
Does this sound reasonable and make sense so far ? Cool.
In the router GUI the user is presented with a list of "devices" for which the
router can open up TCP 443 in the firewall.
It is reasonable to assume the user does not want to type in the Permanent IPv6
address of the device, as it is poor CX and anyway it will change in the future
(possibly due to a network change / BNG restart etc as mentioned)
Current routers on the market I have come across have either:
1. Open the port to the current temporary address only which means that
inbound connections on the port usually fails right away (if the webserver is
not listening on that address) - or fail after the temporary address changes.
2. Opens the port to the correct address (by chance)
* - But then fails at some point in the future when the network prefix
changes (as router drops the rule when the prefix changes).
3. Opens the port to some or ALL addresses currently (& sometimes
historically) associated with the mac address of the device (not great for
security - spoofing? )
* But even that sometimes excludes the permanent address
4. Opens the port to all addresses on LAN (not great for security at all)
* Basically the routers firewall config gui doesn't know reliably which
device address is the permanent one.
* Should there exist a mechanism to signal to the router or the router can
accurately learn which of the devices addresses should be used for
configuration in the firewall ?
Is this a problem - have I missed something - Is it worth fixing ?
Thoughts:
This is probably a strange thing for the user to do (but I have had users
trying to do it). Its usually fixed for a customer by switching off privacy
extensions / using EUI-64 so basically giving the device a single address for
the router gui to identify the device by.
Mal
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
