Default security functions on an IPv6 CPE
nick at foobar.org
Thu May 5 16:43:52 CEST 2011
On 05/05/2011 15:21, Guillaume.Leclanche at swisscom.com wrote:
> As a service provider, we deliver CPEs to our broadband customers as
> part of the service. We're currently enabling v6 on our network, and
> before going into production we have an open question regarding security
> that we're not able to answer internally, so let's check the community:
> ** A SP deliver the CPEs with a stateful IPv6 firewall providing the
> same security features as an IPv4 NAPT, should it be turned ON or OFF by
> default ?
> (and of course it's user configurable afterwards, that's not the
This issue was debated endlessly during the creation of rfc6204, which is
well worth reading because it carefully describes what an ipv6 CE router
should look like. The net result was: filtering configuration was not in
scope for the RFC.
However, there were a lot of opinions expressed on the v6ops working group
to the effect that having a stateful firewall enabled by default would be a
very sensible move.
The issue that drives this is whether attackers will be able to guess IPv6
addresses. Given that most people are going to end up with substantially
static IP v6 addresses, it's probably going to happen after a while that
databases of live ipv6 addresses will be built.
Given this, disabling a CPE firewall is likely to increase the amount of
drive-by security issues, which in turn will lead to increased costs from
the point of view of support / helpdesk / ISP side security management,
apart from any nasty security problems for end-users.
On the other hand, if you enable the firewall, you will annoy a small
percentage of power users. However, there's a strong argument to be made
to say that they are generally the sort of people who could log on to the
router and make configuration changes anyway.
So on balance, I would say it was a good idea.
More information about the ipv6-ops