[ipv6hackers] DHCPv6-PD , TR069 and local network security

Schmoll, Carsten carsten.schmoll at fokus.fraunhofer.de
Mon Sep 2 14:01:10 CEST 2013

Dear IPv6 experts,

I am wondering if there already exists a standard-based solution for the following situation:

Assume you are a security-aware DSL customer who can get IPv6 Internet access,
but your provider only sells it to you together with one of its own CPE routers...

(in Germany we call it "Routerzwang", and there is a strong debate around the question of
where the provider network ends and where the customer LAN begins. In this case you
will usually not get any PPPoE "call-in" data, since it is stored in a hidden way in the
provided CPE)

This approach also opens the way to provider-managed CPE by means of TR069.
The latter basically means that an admin of the provider can do many things on your local CPE,
among other things: possibly have a look at your local LAN - which you may want to prohibit.
The setup also usually comes together with the use of DHCPv6-PrefixDelegation.

Now, if I could just dump that provider for another one that allows me to connect my own CPE router, okay...
If not, then I can imagine running another router (or at least a packet filter) between the CPE and my end systems,
just like https://tools.ietf.org/html/rfc3633#section-5.1, but with another "box" in between the CPE and the PCs.

To my knowledge, such an "extended case" is not envisioned in the DHCPv6-PD use case. Correct?
So, how could I still get my end systems configured with global IPv6 addresses from the delegated prefix space?
(no, I don't want to use a web proxy and ULAs internally - that's like cheating around the problem ;)

Best regards

"With great power comes great responsibility! What power, you ask?  UNIX root privileges."

Carsten Schmoll
Tel: +49 (0) 30 3463-7136
Fax: +49 (0) 30 3463-997136

Fraunhofer FOKUS
Public IT / Öffentliche IT (ÖFIT)
Kaiserin-Augusta-Allee 31
D-10589 Berlin, Germany
