IETF 81 Homenet Working Group Minutes
=====================================

1300 - 1305 Administrivia
-------------------------

The chairs thanked Stuart Cheshire for agreeing to take notes, and Dave Oran for acting as Jabber Scribe.

1305 - 1315 Introduction
------------------------

Slides: http://tools.ietf.org/agenda/81/slides/homenet-2.pdf

Mark Townsley gave an introduction to the new Working Group, its history, its charter, and the five key topics to be addressed:

1. Prefix Configuration
2. Routing
3. Name Resolution
4. Service Discovery
5. Network Security

1315 - 1340 Architecture
------------------------

Slides: http://tools.ietf.org/agenda/81/slides/homenet-1.pdf

Jari Arkko presented on draft-arkko-townsley-homenet-arch-00 with key topics being:

1. Trends
2. Basic network architectures
3. Functionality
4. Design principles

Jari demonstrated how his own home network is already too complicated to manage manually, particularly when his ISP required him to renumber at very short notice.

Discussion:

Lee Howard: What does "policy" mean in this context?
Jari: What traffic can enter and leave your network?
Erik Nordmark: How complicated a topology do we want to try to handle?
Jari: Maybe handling loops is too ambitious.
JF Tremblay: Feedback from an ISP that sells and supports home routers: should not try to support excessively complicated topologies.
Jari: How complicated is too much?
JF Tremblay: Supporting multiple subnets is okay; supporting loops is not.
Phillip Hallam-Baker: 8-bit processors are more common than ever. We need to think about those devices too.
Jari: Even simple devices can implement IP.
1340 - 1415 Prefix Configuration & Managing Routing
---------------------------------------------------

Slides: http://tools.ietf.org/agenda/81/slides/homenet-3.pptx
        http://tools.ietf.org/agenda/81/slides/homenet-4.pptx

Fred Baker discussed draft-baker-fun-multi-router-00, on how the SOHO network may have multiple upstream connections, and also the need for inter-segment security within the network. He then presented draft-baker-fun-routing-class-00, on how routing may need to depend on more than just the destination IP address.

Discussion:

Dave Thaler: Can you clarify the dual-ISP topology in the "typical" Japanese residence?
Fred Baker: Two ISPs connect over the same fibre; devices like the TV connect to both services.
Shin Miyakawa: Yes, this is correct.
Lorenzo Colitti: Today, IPv6 connects only to the walled garden.
Mark Townsley: Some places in Japan are using NAT66 to separate these two traffic classes on the same cable.
Phillip Hallam-Baker: Generalizing routing is good. We should generalize DNS too.
Michael Richardson: To clarify, DNS name lookup should determine the routing class for that traffic.
Michael Richardson: Are you advocating using layer-2 bridging with spanning tree wherever possible?
Mark Townsley: Yes, bridge where you can, route where you can't.
Michael Richardson: I disagree. We should prefer routing. What about a phone connected to a laptop via IP-over-USB, where both have WiFi?
Lorenzo Colitti: I agree. We bridge because routing is hard. Since we have to solve the routing problem anyway, let's do that and use it.
Lorenzo Colitti: A routing domain boundary provides a convenient logical security boundary too.
Lorenzo Colitti: The routing protocol needs to self-assign unique internal subnet numbers automatically.
Lee Howard: Agree: need to include complicated topology within the charter.
Pete Resnick: Don't want DNS trickery. Want the standard Internet hourglass model.
Pascal Thubert: Ripple could solve these problems.

1415 - 1435 Network Security
----------------------------

Slides: http://tools.ietf.org/agenda/81/slides/homenet-5.pptx

Chris Palmer discussed how end users might control access to systems based on the location of the inbound client. He explained how the MS security model is based on the current location of the system itself (i.e. whether it's logged into its AD domain, or on a private network, or connected to a public hotspot).

Discussion:

Lorenzo Colitti: I agree with your assessment. Magic is hard to do. I despise ULAs, but if we route them, it could work.
Stuart Cheshire: Even if knowing exactly what is meant by a "local" address is unclear, reducing the attack surface is still very valuable.
Chris Palmer: Microsoft and Apple agree on this.
James Woodyatt: OS X Lion now includes a (crude) sysctl setting to limit the entire machine to RFC4193 communication.
Lorenzo Colitti: The NTT walled garden does not firewall between its separate users.
Geoff Huston: I have evidence of malicious packets flowing between users in NTT's walled garden.
Erik Nordmark: It's all about how you define the boundary of the network. We need to build up ULA so that it means more than it would otherwise.
Unknown: The network is fungible -- topologies change over time.
Peter Lothberg: Shouldn't all traffic be encrypted, and then we don't care about boundaries?
Stuart Cheshire: Even with strong end-to-end security and good passwords, some software still has buffer overrun bugs. Sadly, limiting the attack population does still have value.

1435 - 1455 Name Resolution
---------------------------

Slides: http://tools.ietf.org/agenda/81/slides/homenet-0.pdf

Chris Griffiths talked about the challenges around naming of devices within the network, and when wanting to access those devices by name from outside of the network (see draft-cloetens-homenet-dns-delegation – not yet in the I-D database).

Discussion:

Dave Thaler: Today's home networks use (i) DNS and (ii) things that assume a single subnet (NETBIOS, LLMNR, mDNS, etc.). Are you proposing that we make (i) work and forget about (ii)? How does name resolution work between the private LAN and the guest LAN?
Alain Durand: A DNS server is too complex to put on a home gateway.
Ray Bellis: Interior gateways don't need to have the same capabilities as edge gateways.
Alain Durand: How do we handle network partitioning?
Tim Chown: No one has mentioned multicast. We need multicast within the home, and streaming multicast to outside the home for showing cat videos.
Tim Chown: What about operation when the ISP connection is down?
Jason Livingood: The home network needs to continue to work when disconnected from the ISP.
Phillip Hallam-Baker: I don't like peer-to-peer DNS because I can't even bring in tools to debug it.
Peter Koch: Letting the customer use a sub-domain supplied by the ISP is an interesting idea.

1455 - 1500 Wrap Up
-------------------

Mark Townsley called for a show of interest in holding an interim meeting before IETF 82. Around 40 people raised their hands.

The meeting was closed.