> (2) The many examples you give seem to me to be associated
> with different domains of authorization and privilege for
> different groups of people and functions within the home. My
> impression of the experience and literature in the field is
> that almost every time someone tries to create such a
> typology, they conclude that these are much better modeled as
> sometimes-overlapping domains rather than as discrete
> partitions. The subnet-based model you posit requires that
> people or devices switch addresses when they change functions
> or activities. Up to a point, one can do it that way (and
> many of us have, even with IPv4).

The subtext here is Ethernet. People are talking about home networks based on Ethernet and whether or not they should be segmented by routers. In my experience Ethernet bridges and switches are not designed with security as a goal. When they fail to transmit all incoming frames on all interfaces, it is to prevent segment overload or broadcast storms. There are many cases where people have found ways, sometimes quite simple ways, to receive Ethernet frames that are not addressed to them.

Given this backdrop, I am suggesting that a homeowner may have several reasons for inserting routers (and router/firewalls) into their home network, thus requiring the ability to have multiple /64 IPv6 subnets. Architecture aside, this is a pragmatic response to an information security issue.

> But I suggest that trying to use subnetting as the primary
> and only tool to accomplish those functions is
> architecturally just wrong, _especially_ for the types of
> authorization-limitation cases you list. Wouldn't you rather
> have mechanisms within your home network, possibly bound to
> your switches, that could associate authorization property
> lists with each user or device
> and then enforce those properties?

This would be nice, but I believe this needs more work and not just in the IETF.

Also, I believe that the IETF should tackle the basic requirements for a home and/or business IPv6 Internet gateway first, and then go on to the more advanced security issues.

> (4) Which IETF WG is working on these things?

:-( Or failing that, which area does it belong in?

--Michael Dillon

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf