Default security functions on an IPv6 CPE

Gert Doering gert at
Thu May 5 16:39:25 CEST 2011


On Thu, May 05, 2011 at 02:21:16PM +0000, Guillaume.Leclanche at wrote:
> As a service provider, we deliver CPEs to our broadband customers as part of the service. We're currently enabling v6 on our network, and before going into production we have an open question regarding security that we're not able to answer internally, so let's check the community : 
> ** A SP deliver the CPEs with a stateful IPv6 firewall providing the same security features as an IPv4 NAPT, should it be turned ON or OFF by default ?
> (and of course it's user configurable afterwards, that's not the question)

I'm not sure whether there is any consensus yet how things *should* be.

What *I personally* would recommend you to do is "make it very obvious
what the default is" - so either

 - leave the firewall open, and put a LARGE sticker somewhere
    "no firewall for IPv6, make sure your personal firewalls are up to date!"


 - close the firewall, and put a LARGE sticker somewhere
    "the firewall for IPv6 is closed, no connections from the outside
     possible unless opened in the admin gui"

or something like that.

For end users these days, especially end users that might have bought
a commercial Windows "personal firewall!" product, it might be prudent
to actually *close* the IPv6 firewall on the box, given that half of the
personal firewall add-ons completely disable(!) the perfectly-working 
built-in windows firewall, and leave IPv6 widely open...

Gert Doering
        -- NetMaster
did you enable IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

More information about the ipv6-ops mailing list