Re: [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12


 



Hi Barbara,

I agree with you regarding the WPA; I'm not sure I understand the point from Christian.

If a local device is compromised, that happens in the LANs and this will only affect the CE, if the "virus" or "bot" or whatever is able to compromise the CE configuration and then replace some of the settings done by the provisioning system.

This is something that may happen regardless of using DHCP in the WAN or other protocols.

I recall having seen some TR-069 mechanism (maybe it was proprietary) to provide something related to access control security, but if it is not standard, I will remove it. Let's see if someone on the list can provide some info, and I will also try to recall what it was in the case I have in mind.

Regards,
Jordi
 
 

-----Original Message-----
From: ietf <ietf-bounces@xxxxxxxx> on behalf of "STARK, BARBARA H" <bs7652@xxxxxxx>
Date: Monday, 7 January 2019, 20:20
To: 'Christian Huitema' <huitema@xxxxxxxxxxx>, JORDI PALET MARTINEZ <jordi.palet@xxxxxxxxxxxxxx>
CC: "v6ops@xxxxxxxx" <v6ops@xxxxxxxx>, "ietf@xxxxxxxx" <ietf@xxxxxxxx>, "secdir@xxxxxxxx" <secdir@xxxxxxxx>
Subject: RE: [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12

    > From: v6ops <v6ops-bounces@xxxxxxxx> On Behalf Of Christian Huitema
    ...
    > I am not so sure about 802.1x. The routers could of course support a setting
    > like that of the IETF network, and that would have some advantage over
    > WPA residential, but it would not address an important threat: local device
    > compromised by some virus and engaging in DHCP spoofing. DHCP guard or
    > RA guard would still be needed.
    
    802.1X is very widely used in GPON and DSL networks and I haven't heard of it having any issues. I'm not understanding the reference to WPA and local devices, since I think we're talking about the WAN and not the LAN interface here? 
    
    ..........
    > > On Jan 7, 2019, at 2:38 AM, JORDI PALET MARTINEZ
    ...
    > >   Considering that, networks using DHCPv6, depending on their specific
    > >   topologies, should consider using authentication mechanisms such as
    > >   those based on IEEE-802.1X or access control mechanisms such as DHCP
    > >   snooping, DHCP guard, or TR-069, among other possible choices.
    
    TR-069 is a management protocol (that goes over HTTP, using TLS for security), and not an access control mechanism. I suggest it be removed from this list.
    
    Barbara
    
    


