Re: Homenet
- From: Xen <list xenhideout nl>
- To: networkmanager-list gnome org, networkmanager-list gnome org
- Subject: Re: Homenet
- Date: Tue, 22 Mar 2016 16:17:39 +0100
On 22-3-2016 at 11:10, Tim Coote wrote:
> There are further complications arising from ISP disconnection or prefix renumbering. Homenet RFCs discuss
> the use of ULAs (similar in concept to RFC 1918 addresses) to handle the startup situation of building a
> house before it's connected to an ISP, but providing multiple /48 subnets that can be routed between so that
> the installed hosts can communicate. I'd not expected prefixes to change often, but discussion with ISPs
> that are rolling out IPv6 shows that this will be standard practice. Homenet covers this too, including
> automated DNS updates.
> An open issue to me is how the OS APIs would need to be changed to work with varying source routeing (each
> host will have several IPv6 addresses, with varying latency, bandwidth and monetary costs). I think that the
> use of per-host certificates will also need some work to avoid spoofing in the face of multiple IP addresses,
> while not making it too hard for a consumer to replace a host (e.g. a room thermometer, or the mote
> monitoring a tyre on her car).
> The current state of homenet has no security model, and the general experience of the development of security
> models in the computer industry has not been good.
The overlying impression is that they've come up with designs that
surprised them (themselves) two miles later down the road when many of
these issues should have been a concern in the first place.
If you get surprised by your own creations, you're not doing it fully
conscious you know.
It seems like essentials are just left as a worry or exercise for those
who care after the main architecture has already been completed. "Oh,
we'll solve that later".
Here is a guy with experience with ULAs:
https://github.com/sbyx/ohybridproxy/issues/4
The person who responds says it's just a bug and it will get fixed. But
then the guy says: I do not want any dependence on my ISP whatsoever for
my homenet routing.
Meaning, he wants his router to generate a ULA and use that for all
hostname resolution within the network. That also seems to imply that
any addressing from the outside (the mobile device moving across
borders) is not going to work when it uses a hostname.
If the designers had no oversight of what they were doing and creating
when they were creating it, it means nothing is well defined and a
consistent security model will also not be possible. Of course Homenet
is just a best-practice way to deal with IPv6 in the home, right?
It's not the fault of Homenet, it is the fault of IPv6.
Homenet tries to solve these issues. If you start out with a certain
concept and you can't change it and you have to build on that, you're
just going to do the best you can and from the looks of it Homenet is
not even doing such a bad job either.
It's just that local independence from an ISP prefix should be
MANDATORY. Your prefix should give access to your HOME but not to the
devices within it.
This is the flawed method of addressing I was discussing:
- the external address of your network, and
- the internal address of your sub-network
should be different and independent numbers.
But both are expected to sit in the same 128 bit field, which is clearly
impossible unless you forget about the 64-bit prefix and use your own 64
bits to create your own subnet prefixes as required.
That would imply that addressing in the home should not even USE the
first 64 bits of the address field. That in turn would imply that the
network should only have one (external) prefix, or that addressing from
the outside using that prefix should be uniquely resolvable at all
times, which means that if different prefixes ARE used, the internal
host part should still be unique.
All complications.
Bart.
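The split the message argues about (ISP-dependent prefix versus a locally generated ULA, with the host's own 64-bit interface identifier kept the same under both) can be made concrete. The following Python is an added illustration, not code from the thread or from any Homenet implementation; it builds a /48 ULA the way RFC 4193 section 3.2.2 describes (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits as Global ID) and then shows that an ISP renumbering only moves the global address, never the ULA. The timestamp, EUI-64, IID and 2001:db8::/32 prefixes are constructed sample values.

```python
import hashlib
import ipaddress
import struct


def ula_global_id(ntp_time: int, eui64: bytes) -> int:
    """RFC 4193 3.2.2: SHA-1 over (64-bit NTP time || EUI-64), keep the low 40 bits."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    key = struct.pack(">Q", ntp_time & ((1 << 64) - 1)) + eui64
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")  # least-significant 40 bits


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """fd00::/8 (fc00::/7 with the L bit set) followed by the 40-bit Global ID -> /48."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def host_address(prefix48: ipaddress.IPv6Network, subnet_id: int, iid: int) -> ipaddress.IPv6Address:
    """Compose prefix48 (48 bits) || subnet ID (16 bits) || interface identifier (64 bits)."""
    if prefix48.prefixlen != 48:
        raise ValueError("expected a /48 prefix")
    if not (0 <= subnet_id < (1 << 16) and 0 <= iid < (1 << 64)):
        raise ValueError("subnet ID or interface identifier out of range")
    return ipaddress.IPv6Address(int(prefix48.network_address) | (subnet_id << 64) | iid)


def interface_id(addr: ipaddress.IPv6Address) -> int:
    """The low 64 bits: the part the message says must stay unique across prefixes."""
    return int(addr) & ((1 << 64) - 1)


def address_plan(isp_prefix: str, ula: ipaddress.IPv6Network, subnet_id: int, iid: int):
    """Return (global address, ULA address) for one host; only the first depends on the ISP."""
    return (host_address(ipaddress.IPv6Network(isp_prefix), subnet_id, iid),
            host_address(ula, subnet_id, iid))


if __name__ == "__main__":
    # Constructed sample inputs: a fixed NTP timestamp and an EUI-64 built from a made-up MAC.
    ula = ula_prefix(ula_global_id(0xDEADBEEF00000000, bytes.fromhex("0211223344556677")))
    iid = 0x021122FFFE334455  # constructed modified-EUI-64 style interface identifier
    before = address_plan("2001:db8:1::/48", ula, 1, iid)
    after = address_plan("2001:db8:2::/48", ula, 1, iid)  # ISP renumbers the delegated /48
    print("ULA /48:", ula)
    print("before renumbering:", before)
    print("after renumbering: ", after)
```

Internal name resolution that returns the ULA keeps working across the renumbering, while anything that learned the global address has to be updated, which is the dependency the thread is complaining about.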