On 1/7/2019 11:58 AM, JORDI PALET MARTINEZ wrote:
> Hi Barbara,
>
> I agree with you regarding the WPA, not sure I understand the point from Christian.
>
> If a local device is compromised, that happens in the LANs and this will only affect the CE, if the "virus" or "bot" or whatever is able to compromise the CE configuration and then replace some of the settings done by the provisioning system.
>
> This is something that may happen regardless of using DHCP in the WAN or other protocols.
>
> I recall having seen some TR-069 mechanism (maybe it was proprietary) to provide something related to access control security, but if it is not standard, I will remove it. Let's see if someone in the list can provide some info and I will also try to recall what was in the case I've in mind.

Maybe I was not clear. I am not overly concerned with what happens on the WAN side -- I assume that the ISP deploying customer premise devices will find a way to provision them securely. I am concerned that using DHCPv6 to provision networking parameters on the local hosts exposes these hosts to generic DHCP spoofing attacks.

To mount the DHCP spoofing attacks, the attacker will need to either gain connectivity to the local network, or gain control of a local device. Access control protocols like 802.1x will prevent unauthorized devices from connecting to the local network; they will not close the second avenue of attack, something that solutions like DHCP guard would do. The local router can filter which packets are relayed between Wi-Fi devices, and can filter out spoofed DHCP packets. That's reasonably easy to deploy in small networks, where the only authorized DHCP server is located on the router itself.

Of course, the current document is not meant as a general home router requirement draft -- it just specifies the narrow problem of how these routers should facilitate deployment of IPv4 as a service.
I do like Jordi's suggestion to refer to DHCP Guard as a potential mitigation of DHCPv6 issues, because it can be deployed simply and it would thwart a series of potential attacks. I am less enthusiastic about 802.1x, because as I said above it addresses a fraction of the problem, but not the whole problem. Standard deployment of 802.1x requires an authentication server, which currently does not come with small routers. It also requires management of this authentication server, which is a tall order in these small networks. There have been attempts to define a simpler profile of 802.1x, in which all users have the same ID and the same password -- such as what is used in the IETF Wi-Fi networks. This does improve somewhat over the residential version of WPA, in which all users share the same "Wi-Fi password", because it provides better isolation between users. But I would have a hard time recommending 802.1x deployment in residential networks "because of DHCPv6 security".

While I do like the "DHCP Guard" class of solutions, I am also concerned that the DHCP Guard concept is only defined by the commercial literature of some vendors -- and the same goes for DHCP Snooping, which could have a variety of meanings. If you want to use that term, then you should add a reference to the paper where this is defined. Or you could use neutral language, like:

    Considering that, networks using DHCPv6, depending on their specific
    topologies, should consider using access control mechanisms such as
    those based on IEEE-802.1X, and DHCPv6 filtering mechanisms designed
    to prevent forwarding of spoofed DHCPv6 packets through the router,
    often referred to as "DHCP Guard."

I am also skeptical of the mention of "SME" in the last paragraph, in "deployment of IPv4aaS in residential, SOHO and SME networks". The definition of what is a small or medium enterprise varies by country. In the European Union, it is up to 250 employees.
In the US, it is defined by revenue and employee limits, typically fewer than 500 employees. In other parts of the world, it can be fewer than 50 employees, or maybe it is just defined by a limit on revenues. In any case, I would personally be reluctant to deploy simple devices like described in the draft in a network with 100 to 200 people, let alone 500. That would be pushing luck a bit too far. The introduction of the draft says "This document defines IPv4 service continuity features over an IPv6-only network, for a residential or small-office router..." I would suggest using exactly the same language, as in:

    As stated in the introduction, this document addresses deployment
    of IPv4aaS in residential or small-office networks. Deployment in
    more challenging environments would require additional security
    analysis.

--
Christian Huitema
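The "DHCP Guard" filtering the message describes (a small router whose only legitimate DHCPv6 server sits on the router itself, dropping server-style DHCPv6 messages that arrive from client-facing ports) can be sketched as a small filter model. The following is an added illustration written for this page, not code from the draft, the thread, or any vendor product; the port names, the trusted-port set and the sample frames are constructed for the example. It only parses the DHCPv6 header (msg-type plus transaction id) and makes a forward/drop decision per frame.

```python
"""
DHCPv6 guard filter model (added illustration; not from the draft or the thread).

Assumptions (hypothetical): the router has one trusted port leading to its own
DHCPv6 server ("internal-dhcpv6") and several untrusted client-facing ports
(e.g. "wifi0", "lan1"). Only the 4-byte DHCPv6 header (msg-type + transaction
id) is inspected; no real sockets are used.
"""
import struct
from dataclasses import dataclass

DHCPV6_CLIENT_PORT = 546
DHCPV6_SERVER_PORT = 547

# Message types a DHCPv6 server or relay sends toward clients.
SERVER_TO_CLIENT = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}
# Message types a client legitimately originates.
CLIENT_ORIGINATED = {1: "SOLICIT", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
                     6: "REBIND", 8: "RELEASE", 9: "DECLINE", 11: "INFORMATION-REQUEST"}


@dataclass
class Frame:
    ingress_port: str   # hypothetical router port the frame arrived on
    src_udp_port: int
    dst_udp_port: int
    payload: bytes      # UDP payload


def build_dhcpv6(msg_type: int, xid: int) -> bytes:
    """Build a minimal DHCPv6 message: 1-byte msg-type followed by a 3-byte transaction id."""
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big")


def parse_msg_type(payload: bytes):
    """Return the DHCPv6 msg-type, or None when the payload is too short to carry a header."""
    if len(payload) < 4:
        return None
    return payload[0]


def dhcpv6_guard(frame: Frame, trusted_ports):
    """Decide FORWARD or DROP for one frame; returns (verdict, reason)."""
    ports = (frame.src_udp_port, frame.dst_udp_port)
    if DHCPV6_CLIENT_PORT not in ports and DHCPV6_SERVER_PORT not in ports:
        return "FORWARD", "not DHCPv6"
    if frame.ingress_port in trusted_ports:
        return "FORWARD", "trusted port"
    # Untrusted (client-facing) port: nothing that looks like a server is legitimate.
    if frame.src_udp_port == DHCPV6_SERVER_PORT:
        return "DROP", "server source port on untrusted port"
    msg_type = parse_msg_type(frame.payload)
    if msg_type is None:
        return "DROP", "malformed DHCPv6 header"
    if msg_type in SERVER_TO_CLIENT:
        return "DROP", f"{SERVER_TO_CLIENT[msg_type]} from untrusted port"
    if msg_type in CLIENT_ORIGINATED:
        return "FORWARD", f"{CLIENT_ORIGINATED[msg_type]} from client"
    # Relay-forward and unknown types have no business on a home client port.
    return "DROP", f"unexpected msg-type {msg_type} from untrusted port"


TRUSTED_PORTS = {"internal-dhcpv6"}   # hypothetical: the router's own server

SAMPLE_FRAMES = [   # constructed traffic, not captured data
    Frame("wifi0", 546, 547, build_dhcpv6(1, 0x0A0B0C)),             # client Solicit
    Frame("internal-dhcpv6", 547, 546, build_dhcpv6(2, 0x0A0B0C)),   # genuine Advertise
    Frame("wifi0", 547, 546, build_dhcpv6(2, 0x0A0B0C)),             # spoof: server port on Wi-Fi
    Frame("lan1", 546, 546, build_dhcpv6(7, 0x0A0B0C)),              # spoof: Reply without server port
    Frame("wifi0", 546, 547, b"\x01"),                               # truncated header
    Frame("wifi0", 51000, 443, b"GET"),                              # unrelated traffic
]


def run_guard(frames, trusted_ports=TRUSTED_PORTS):
    """Apply the guard to a list of frames and return the per-frame verdicts."""
    return [dhcpv6_guard(f, trusted_ports) for f in frames]


if __name__ == "__main__":
    for frame, (verdict, reason) in zip(SAMPLE_FRAMES, run_guard(SAMPLE_FRAMES)):
        print(f"{frame.ingress_port:16} {verdict:8} {reason}")
```

The two spoof cases show why matching only on UDP port 547 is not enough: a host can send a Reply or Advertise from any source port, so the guard must also look at the message type. Logging the DROP reasons per ingress port is the natural detection hook for spotting a compromised device on the LAN.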