Default security functions on an IPv6 CPE

Nick Hilliard nick at
Thu May 5 16:43:52 CEST 2011

On 05/05/2011 15:21, Guillaume.Leclanche at wrote:
> As a service provider, we deliver CPEs to our broadband customers as
> part of the service. We're currently enabling v6 on our network, and
> before going into production we have an open question regarding security
> that we're not able to answer internally, so let's check the community:
> ** An SP delivers the CPEs with a stateful IPv6 firewall providing the
> same security features as an IPv4 NAPT; should it be turned ON or OFF by
> default?
> (and of course it's user configurable afterwards, that's not the
> question)

This issue was debated endlessly during the creation of RFC 6204, which is 
well worth reading because it carefully describes what an IPv6 CE router 
should look like.  The net result was: filtering configuration was not in 
scope for the RFC.

However, there were a lot of opinions expressed on the v6ops working group 
to the effect that having a stateful firewall enabled by default would be a 
very sensible move.

The issue that drives this is whether attackers will be able to guess IPv6 
addresses.  Given that most people are going to end up with substantially 
static IPv6 addresses, it's probably going to happen after a while that 
databases of live IPv6 addresses will be built.

Given this, disabling a CPE firewall is likely to increase the amount of 
drive-by security issues, which in turn will lead to increased costs from 
the point of view of support / helpdesk / ISP side security management, 
apart from any nasty security problems for end-users.

On the other hand, if you enable the firewall, you will annoy a small 
percentage of power users.  However, there's a strong argument to be made 
to say that they are generally the sort of people who could log on to the 
router and make configuration changes anyway.

So on balance, I would say it was a good idea.
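An added illustration (not part of the original post or any CPE vendor's code) of the NAPT-like stateful IPv6 filter the question describes: LAN-initiated flows and their replies pass, unsolicited WAN traffic is dropped, and the `enabled` flag models the ON/OFF default under discussion. Addresses are constructed from the documentation prefix, and passing ICMPv6 error types unconditionally is an assumption of the model.

```python
from dataclasses import dataclass
# ICMPv6 error types 1-4 (incl. Packet Too Big) are passed unconditionally in
# this model (an assumption); dropping them breaks PMTUD behind the CPE.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4}
ECHO_REQUEST, ECHO_REPLY = 128, 129

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmpv6"
    sport: int = 0        # tcp/udp source port; for icmpv6 the ICMPv6 type
    dport: int = 0
    inbound: bool = True  # True = arrives from the WAN side

def flow_key(pkt: Packet) -> tuple:
    """Flow identity as seen from the LAN initiator (ICMPv6 ignores ports)."""
    if pkt.proto == "icmpv6":
        return (pkt.src, pkt.dst, "icmpv6")
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

class CpeFilter:  # NAPT-like stateful filter; enabled=False models OFF by default
    def __init__(self, enabled: bool = True):
        self.enabled = enabled
        self.flows: set = set()          # LAN-initiated flows seen so far
    def process(self, pkt: Packet) -> str:
        if not pkt.inbound:              # LAN -> WAN: remember the flow
            self.flows.add(flow_key(pkt))
            return "forward"
        if not self.enabled:             # OFF: every LAN host is reachable
            return "forward"
        if pkt.proto == "icmpv6":
            if pkt.sport in ESSENTIAL_ICMPV6:
                return "forward"
            if pkt.sport != ECHO_REPLY:  # e.g. unsolicited echo request
                return "drop"
        reply = Packet(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        return "forward" if flow_key(reply) in self.flows else "drop"

def demo(enabled: bool) -> dict:
    """Same constructed traffic through a filter that is ON or OFF."""
    lan, wan, other = "2001:db8:1::10", "2001:db8:2::1", "2001:db8:3::7"
    f = CpeFilter(enabled)
    return {
        "outbound_syn": f.process(Packet(lan, wan, "tcp", 50000, 443, inbound=False)),
        "reply_synack": f.process(Packet(wan, lan, "tcp", 443, 50000)),
        "unsolicited_ssh": f.process(Packet(other, lan, "tcp", 4444, 22)),
        "ptb_error": f.process(Packet(other, lan, "icmpv6", 2)),
        "ping_in": f.process(Packet(other, lan, "icmpv6", ECHO_REQUEST)),
    }
```

With the filter ON only the return traffic and the ICMPv6 error get through; with it OFF every inbound packet reaches the LAN host, which is the "guessed address" exposure the post describes.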
