Your router should be using PCP to allow servers to open ports and should have a GUI to authorize that, or better yet support MUD profiles and use the GUI to control that.
Sent from my iPhone

> On Sep 2, 2019, at 11:55, mal.hub...@bt.com wrote:
>
> Hey,
>
> Mal here. IETF attendee since 2012 ;)
>
> I have a home networking question with respect to IPv6 standards, I'm hoping
> to use you as a sounding board first before I take it to v6ops.
>
> The scenario here is a home / SOHO network situation where the user wants to
> host a service, let's say it's a webserver, but really could be any hosted
> application, importantly using IPv6. The router is set up to use SLAAC only.
>
> The ISP offers IPv6 GUA addressing in a non-stable manner, it's "sticky" but at
> some point in the future it might change (BNG reboot for example), so the
> user will use a DynDNS provider to provide a stable name for their service;
> this sounds OK so far.
>
> The user has to allow the webserver port, 443, in their router GUI firewall to
> allow the traffic in, sounds simple enough. Importantly it should be to that
> webserver device only.
>
> Now the tricky part....
>
> Since in this scenario the webserver device is using privacy extensions, it
> has a bunch of IPv6 GUA addresses and no EUI-64 and
> - It has Temporary addressing (which will regularly change)
> - It has a "Permanent" address (which is the one the webserver will want to
>   use)
>
> Does this sound reasonable and make sense so far? Cool.
>
> In the router GUI the user is presented with a list of "devices" for which
> the router can open up TCP 443 in the firewall.
>
> It is reasonable to assume the user does not want to type in the Permanent
> IPv6 address of the device, as it is poor CX and anyway it will change in the
> future (possibly due to a network change / BNG restart etc. as mentioned).
>
> Current routers on the market I have come across have either:
>
> - Open the port to the current temporary address only, which means that inbound
>   connections on the port usually fail right away (if the webserver is not
>   listening on that address) – or fail after the temporary address changes.
> - Opens the port to the correct address (by chance)
>   - But then fails at some point in the future when the network prefix changes
>     (as the router drops the rule when the prefix changes).
> - Opens the port to some or ALL addresses currently (& sometimes historically)
>   associated with the MAC address of the device (not great for security –
>   spoofing?)
>   - But even that sometimes excludes the permanent address
> - Opens the port to all addresses on LAN (not great for security at all)
>
> Basically the router's firewall config GUI doesn't know reliably which device
> address is the permanent one.
>
> Should there exist a mechanism to signal to the router, or the router can
> accurately learn, which of the device's addresses should be used for
> configuration in the firewall?
>
> Is this a problem – have I missed something – is it worth fixing?
>
> Thoughts:
> This is probably a strange thing for the user to do (but I have had users
> trying to do it). It's usually fixed for a customer by switching off privacy
> extensions / using EUI-64, so basically giving the device a single address for
> the router GUI to identify the device by.
>
> Mal
>
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
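The host knows which of its addresses is the stable one even though the router cannot tell, and PCP is how the host tells the router. As an added example (not code from this thread, from any router vendor, or from the RFC): a small Python script that picks the non-temporary global address out of constructed `ip -6 addr` output, builds an RFC 6887 MAP request asking the router to forward TCP 443 to that address, and validates the router's response before trusting the mapping. The addresses and the response packet are constructed sample values in the documentation prefix.

```python
import ipaddress
import os
import struct

PCP_VERSION, OPCODE_MAP, PROTO_TCP = 2, 1, 6

# Constructed `ip -6 addr show` lines for the webserver host in the thread:
# an RFC 4941 temporary address, the stable address, and a link-local one.
SAMPLE_IP_OUTPUT = """\
    inet6 2001:db8:1:2:9c1f:4e3a:7b21:d0c5/64 scope global temporary dynamic
    inet6 2001:db8:1:2:5a3f:1c2e:9b0d:4477/64 scope global dynamic mngtmpaddr
    inet6 fe80::e23f:49ff:fe3b:9c11/64 scope link
"""

def stable_global_addresses(ip_addr_output):
    """Global-scope addresses the kernel did not flag as 'temporary': the
    host knows which of its addresses is the permanent one; the router cannot."""
    stable = []
    for line in ip_addr_output.splitlines():
        f = line.split()
        if (f[:1] == ["inet6"] and f[2:4] == ["scope", "global"]
                and "temporary" not in f):
            stable.append(ipaddress.IPv6Address(f[1].split("/")[0]))
    return stable

def build_map_request(client_addr, internal_port, lifetime=3600, nonce=None):
    """PCP MAP request (RFC 6887): 24-byte common header + 36-byte MAP data.
    Suggested external port 0 and address :: let the router choose; without
    NAT66 it should hand back our own address and port."""
    nonce = nonce or os.urandom(12)
    header = struct.pack("!BBHI16s", PCP_VERSION, OPCODE_MAP, 0, lifetime,
                         client_addr.packed)
    mapdata = struct.pack("!12sB3sHH16s", nonce, PROTO_TCP, b"\0\0\0",
                          internal_port, 0, ipaddress.IPv6Address("::").packed)
    return nonce, header + mapdata

def parse_map_response(packet, nonce):
    """Check version, opcode, result code and nonce; return the granted mapping."""
    if len(packet) < 60 or packet[0] != PCP_VERSION or packet[1] != (0x80 | OPCODE_MAP):
        raise ValueError("not a PCP v2 MAP response")
    result, lifetime = struct.unpack("!BI", packet[3:8])
    r_nonce, proto, _, in_port, ext_port, ext_ip = struct.unpack("!12sB3sHH16s", packet[24:60])
    if result != 0:
        raise RuntimeError(f"router refused mapping, result code {result}")
    if r_nonce != nonce:
        raise ValueError("nonce mismatch: response is not for our request")
    return {"lifetime": lifetime, "internal_port": in_port, "external_port": ext_port,
            "external_ip": ipaddress.IPv6Address(ext_ip)}
```

The request is sent as UDP to the router's PCP server on port 5351 from a socket bound to the chosen stable address, because a PCP server rejects a request whose header client address differs from the packet's source address; the mapping must be renewed before `lifetime` seconds elapse.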