--On Sunday, 26 August, 2007 12:41 +0100 michael.dillon@bt.com wrote:
The definition of a small network is pretty much "single subnet". Yes, I understand very well that the average home of the future will have a mixed wiring. Of course, my own home does have Ethernet and Wi-Fi. In the not so distant future, it will have several Wi-Fi networks operating on different ...

You are remarkably trusting. You do all your homebanking on the same subnet as your teenage children who are studying Hacking 101 in the privacy of their bedroom? And when guests come over for dinner, you have no objection to them taking their laptop to the bathroom in order to surf for child porn over your wireless network.
The fact is that a lot of people will WANT subnets in the home. They will want a router/firewall that will isolate each of the children's bedrooms so that they cannot mess with your bank account or with their brother's/sister's romantic chat sessions. Many people will want all wireless access to go through a router. Many will have an in-law suite, and want to seamlessly integrate their relative's existing network via a simple router connection. And the family jewels, that RAID 5 server cluster that holds all the family photos and videos, will be behind another router/firewall. When the kids host a LAN party, the gamers will connect to the family network via a router/firewall with limited Internet access for only the necessary protocols. Subnets multiply for architectural and security reasons. ...
Michael,

Assume we agree on the needed functionality. It is hard to disagree, and many of us have seen the need to isolate some people and apparatus from others, and to assign different capability to them, for many years. That still leaves room to ask several questions. I believe those questions need to be asked, and the relevant technical work done. And I think one needs to do that work and then adjust address policy to match, not change address policy without making corresponding technical/protocol changes. Examples:

(1) Unless it was changed when I wasn't looking, there is a rule in the IPv6 architecture that says that one cannot subnet on a prefix longer than a /64. That rule appears to be somewhat hostile to efficient use of address space at the "small network with subnets" side of things. Has that rule outlived its usefulness? If so, how do we go about changing it before IPv6 is sufficiently widely deployed to make it even more difficult and disruptive to do so?

(2) The many examples you give seem to me to be associated with different domains of authorization and privilege for different groups of people and functions within the home. My impression of the experience and literature in the field is that almost every time someone tries to create such a typology, they conclude that these are much better modeled as sometimes-overlapping domains rather than as discrete partitions. The subnet-based model you posit requires that people or devices switch addresses when they change functions or activities. Up to a point, one can do it that way (and many of us have, even with IPv4). But I suggest that trying to use subnetting as the primary and only tool to accomplish those functions is architecturally just wrong, _especially_ for the types of authorization-limitation cases you list.

Wouldn't you rather have mechanisms within your home network, possibly bound to your switches, that could associate authorization property lists with each user or device and then enforce those properties? Kerberos (a very old protocol by now) took the first steps in that direction by associating access to server-type functions with authorization properties rather than physical connectivity. Perhaps it is time to extend a model of that sort to access to network resources --such as routing to other addresses both inside and outside of the home network-- and to think through how it could be scaled to effective and cost-efficient operation in a home-sized network.

(3) It may be worth remembering that subnetting was introduced into the IPv4 architecture partially to deal with routing isolation and efficiency for LANs based on 10Base10 and 10Base2 Ethernet --backbone-style networks at the LAN, or groups of LANs, level. While some lazy few of us still have some 10Base2 in our LANs, the move toward LAN segments based on twisted-pair cabling and fanout switch arrangements creates opportunities we didn't have when "segment" was a physical property rather than a logical one. Is it time to review and update the network architecture to reflect new opportunities in the physical one, rather than assuming that authorization is necessarily reflected in subnets?

(4) Which IETF WG is working on these things? :-(

john
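An added illustration of point (1), not part of either message in this thread: the IPv6 addressing architecture reserves the low 64 bits of an address for the interface identifier, so a home that is handed a bare /64 has no bits left for the room-by-room subnets Michael lists, while a /60 or /56 delegation does. The script below (editor's example, written for this page; the segment names are constructed from Michael's list and the 2001:db8::/32 documentation prefix is used as a placeholder) carves one /64 per segment from a delegated prefix and refuses delegations that cannot hold the plan.

```python
# Editor's example, not code from the thread.  Carves per-segment /64
# subnets out of a delegated IPv6 prefix, honouring the architectural rule
# that the interface identifier occupies the low 64 bits, so nothing longer
# than a /64 can itself be subnetted.
import ipaddress

# Constructed sample: the home segments described in the thread.
HOME_SEGMENTS = ["parents", "kid-1-bedroom", "kid-2-bedroom", "wireless",
                 "in-law-suite", "family-server", "lan-party"]


def subnet_capacity(delegated):
    """Number of /64 subnets a delegated prefix can hold.

    Returns 0 for anything longer than a /64: the architecture does not
    allow subnetting inside the 64-bit interface-identifier field.
    """
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        return 0
    return 2 ** (64 - net.prefixlen)


def plan_home_subnets(delegated, segments):
    """Map each named segment to its own /64 from the delegated prefix.

    Raises ValueError when the delegation is too small for the plan, which
    is always the case with a bare /64 and more than one segment.
    """
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64 and cannot be subnetted")
    capacity = subnet_capacity(delegated)
    if len(segments) > capacity:
        raise ValueError(
            f"{net} yields {capacity} /64 subnet(s) but {len(segments)} "
            "segments are needed; ask the ISP for a /60, /56 or /48")
    # A /64 delegation is exactly one subnet; otherwise enumerate the /64s.
    sixty_fours = iter([net]) if net.prefixlen == 64 else net.subnets(new_prefix=64)
    return {name: str(next(sixty_fours)) for name in segments}


if __name__ == "__main__":
    for prefix in ("2001:db8:0:100::/56", "2001:db8:0:100::/60", "2001:db8::/64"):
        try:
            plan = plan_home_subnets(prefix, HOME_SEGMENTS)
            print(f"{prefix}: {subnet_capacity(prefix)} /64s available")
            for name, subnet in plan.items():
                print(f"  {name:14s} {subnet}")
        except ValueError as err:
            print(f"{prefix}: {err}")
```

Running it shows the practical consequence of the rule John questions: a /56 gives 256 segments and a /60 gives 16, but a /64 delegation forces everything onto a single subnet, so the security partitioning Michael describes depends on the delegated prefix length, not only on the home router.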