Default security functions on an IPv6 CPE
spz at serpens.de
Thu Jun 2 19:23:55 CEST 2011
Thus wrote Nick Hilliard (nick at foobar.org):
> On 02/06/2011 15:14, S.P.Zeidler wrote:
> >what about, eg, FTP?
> FTP is less of a concern these days than SIP.
FTP is just a rather well known example of the class of problem;
for ftp itself, PASV exists so it's rarely an issue any more.
> Anyway, it's a good thing that we've learned from this mistake and
> aren't designing any more protocols or protocol extensions which
> encode endpoint identifiers inside the data stream.
Peer-to-peer filesharing and games are likely to have more of an actual
issue with firewalling like that. Of course they could just send all local
addresses as connection candidates, but that tastes of unnecessary
complication (and requires sending addresses in the data stream).
If an application listens on an address and port, should that not be
pretty good indication that a connection on that address and port
ought to be accepted?
As always, nearly anything can be done as long as it's easy to change,
well documented how to change, and the default is made known in blinking
neon giant letters :] if it may be in any way surprising.
spz at serpens.de (S.P.Zeidler)
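The FTP case mentioned above is the textbook instance of an endpoint identifier carried inside the data stream, and the reason PASV makes it "rarely an issue" is purely directional: with PORT/EPRT the server opens the data connection towards an address and port the client announced, so a CPE that denies unsolicited inbound traffic by default will drop it unless it has an ALG or an explicit pinhole; with PASV/EPSV the client opens the data connection outbound, which a stateful default allows. The following is an added example, not code from the original post or from any CPE firmware: it parses the four forms of the announcement (PORT and the 227 reply for IPv4, EPRT and the 229 reply from RFC 2428 for IPv6) the way a firewall ALG must, and reports which side initiates and whether a default-deny-inbound CPE would block it. The sample control-channel lines, the addresses, and the function and class names are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class DataEndpoint:
    """What an FTP control-channel line reveals about the upcoming data connection."""
    mode: str               # "active" (PORT/EPRT) or "passive" (227/229 reply)
    initiator: str          # side that opens the data TCP connection: "server" or "client"
    address: str            # address the initiator connects to
    port: int
    inbound_to_client: bool # True: arrives at the client side, i.e. needs an inbound pinhole


# PORT h1,h2,h3,h4,p1,p2  (client announces an IPv4 address, port = p1*256 + p2)
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# EPRT |proto|address|port|   proto 1 = IPv4, 2 = IPv6 (RFC 2428)
_EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d+)\|\s*$", re.I)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_R227_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)   address is the control-channel peer
_R229_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def _valid_port(port: int) -> bool:
    return 1 <= port <= 65535


def parse_ftp_endpoint(line: str, control_peer: Optional[str] = None) -> Optional[DataEndpoint]:
    """Extract the data-connection endpoint from one FTP control line.

    Returns None for lines that announce no endpoint (PASV, EPSV, other commands)
    and for malformed announcements; an ALG should open nothing in that case.
    control_peer is the server address of the control connection, needed for 229.
    """
    m = _PORT_RE.match(line)
    if m:
        h = [int(x) for x in m.groups()]
        if any(v > 255 for v in h):
            return None
        addr = ".".join(str(v) for v in h[:4])
        port = h[4] * 256 + h[5]
        if not _valid_port(port):
            return None
        return DataEndpoint("active", "server", addr, port, True)

    m = _EPRT_RE.match(line)
    if m:
        proto, addr, port = int(m.group(1)), m.group(2), int(m.group(3))
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return None
        # The protocol field must agree with the literal address family.
        if ip.version != (4 if proto == 1 else 6) or not _valid_port(port):
            return None
        return DataEndpoint("active", "server", str(ip), port, True)

    m = _R227_RE.match(line)
    if m:
        h = [int(x) for x in m.groups()]
        if any(v > 255 for v in h):
            return None
        addr = ".".join(str(v) for v in h[:4])
        port = h[4] * 256 + h[5]
        if not _valid_port(port):
            return None
        return DataEndpoint("passive", "client", addr, port, False)

    m = _R229_RE.match(line)
    if m:
        port = int(m.group(1))
        if control_peer is None or not _valid_port(port):
            return None
        return DataEndpoint("passive", "client", control_peer, port, False)

    return None


def blocked_by_default_deny(ep: Optional[DataEndpoint]) -> bool:
    """True when a CPE that drops unsolicited inbound traffic would break this transfer."""
    return ep is not None and ep.inbound_to_client


# Constructed sample control-channel lines (not captured from any real session).
SAMPLE_LINES = [
    "PORT 192,0,2,10,19,137",
    "EPRT |2|2001:db8::10|5002|",
    "PASV",
    "227 Entering Passive Mode (198,51,100,5,195,89)",
    "EPSV",
    "229 Entering Extended Passive Mode (|||50010|)",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        ep = parse_ftp_endpoint(ln, control_peer="2001:db8::5")
        print(f"{ln!r:55} -> {ep}  blocked={blocked_by_default_deny(ep)}")
```

Run as a script it walks the constructed session: the two active announcements come out as server-initiated connections into the client's address and are flagged as blocked, the two passive replies as client-initiated outbound connections that a stateful default passes. An ALG that accepts a malformed EPRT (address family not matching the protocol field, or an out-of-range port) would be punching holes on untrusted input, which is why the parser returns None rather than guessing.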