Default security functions on an IPv6 CPE

Gavin McCullagh gavin.mccullagh at
Fri Jun 3 14:26:42 CEST 2011


On Tue, 31 May 2011, Gavin McCullagh wrote:

> On Tue, 31 May 2011, Tim Chown wrote:
> > Yes, the point is that the privacy address is used for connections the
> > host initiates.  That's been true for any implementation I've seen.
> I wonder if at some point a sensible (desktop) firewall policy might only
> allow incoming connections to the persistent addresses.

Perhaps I might soften that question to wondering whether it will be feasible
to have services only listen by default on the permanent address :-)

Someone recently observed that log files with live IPv6 addresses might
become valuable commodities to attackers if scanning the IP space isn't
feasible.  By the sounds of it, those IPs will age as reboots happen so
it's already a limited window.  If services don't listen by default on
those addresses, possible attacks would appear quite limited.

FTP, SIP sessions and the like would of course need to be able to listen on
that interface.  They could dynamically open the firewall, but everything
else not listening is certainly cleaner.
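An audit check in the spirit of the suggestion above, added here as an example that is not part of the original thread: it parses constructed samples of Linux `ip -6 addr show` and `ss -6 -ltn` output (2001:db8 documentation addresses, not real hosts) and reports listeners reachable through a temporary (RFC 4941 privacy) address, treating a wildcard `[::]` bind as reachable on every address.

```python
import re

# Constructed sample of `ip -6 addr show` (Linux). The "temporary" flag marks
# an RFC 4941 privacy address; "mngtmpaddr" marks the stable address that the
# temporary ones are generated for.
IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::a1b2:c3d4:e5f6:7890/64 scope global temporary dynamic
       valid_lft 86345sec preferred_lft 14345sec
    inet6 2001:db8:1::1234:5678:9abc:def0/64 scope global dynamic mngtmpaddr
       valid_lft 86345sec preferred_lft 86345sec
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed sample of `ss -6 -ltn`: listening TCP sockets and their binds.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      128    [2001:db8:1::1234:5678:9abc:def0]:5060 [::]:*
LISTEN 0      128    [2001:db8:1::a1b2:c3d4:e5f6:7890]:8080 [::]:*
"""

ADDR_RE = re.compile(r"^\s+inet6 ([0-9a-f:]+)/\d+ scope (\w+)(.*)$", re.M)
SOCK_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\[([0-9a-f:]*)\]:(\d+)", re.M)


def temporary_addresses(ip_output):
    """Return the set of global-scope addresses carrying the 'temporary' flag."""
    return {addr for addr, scope, flags in ADDR_RE.findall(ip_output)
            if scope == "global" and "temporary" in flags.split()}


def audit_listeners(ip_output, ss_output):
    """Return (port, bound_address, reason) for every listener that accepts
    connections on a temporary address: bound to one directly, or bound to
    the wildcard [::], which covers temporary addresses as well."""
    temps = temporary_addresses(ip_output)
    findings = []
    for addr, port in SOCK_RE.findall(ss_output):
        if addr == "::":
            findings.append((int(port), addr, "wildcard bind includes temporary addresses"))
        elif addr in temps:
            findings.append((int(port), addr, "bound to a temporary address"))
    return findings


if __name__ == "__main__":
    for port, addr, reason in audit_listeners(IP_ADDR_OUTPUT, SS_OUTPUT):
        print(f"port {port} on [{addr}]: {reason}")
```

On a live host the two constants would be replaced by the output of the real commands; the SIP listener on port 5060, bound only to the stable address, is the pattern the post argues for and is not reported.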


