Default security functions on an IPv6 CPE
remi.despres at free.fr
Thu May 5 17:57:07 CEST 2011
On 5 May 2011 at 16:21, <Guillaume.Leclanche at swisscom.com> wrote:
> As a service provider, we deliver CPEs to our broadband customers as part of the service. We're currently enabling v6 on our network, and before going into production we have an open question regarding security that we're not able to answer internally, so let's check the community:
> ** An SP delivers the CPEs with a stateful IPv6 firewall providing the same security features as an IPv4 NAPT. Should it be turned ON or OFF by default?
> (and of course it's user configurable afterwards, that's not the question)
RFC 6092 "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service" says:
REC-49: Internet gateways with IPv6 simple security capabilities MUST
provide an easily selected configuration option that permits a
"transparent mode" of operation that forwards all unsolicited flows
regardless of forwarding direction, i.e., not to use the IPv6 simple
security capabilities of the gateway. The transparent mode of
operation MAY be the default configuration.
The choice therefore remains open.
a) I have been using the IPv6 service of Free.fr since December 2007 without any CPE firewall in IPv6 (just relying on the host firewalls of Windows, OS X, and Linux), and without any identified security problem.
AFAIK, Free.fr has worked from the beginning without an IPv6 stateful FW, and whereas IPv6 had to be consciously activated in the past, their new CPE has IPv6 enabled by default (without a stateful FW).
b) One who disables a host FW, globally or partially with a consciously installed add-on, had better know what he is doing. He should therefore be able to activate his CPE FW if he wants to.
My recommendation is to let IPv6 work transparently by default.
Thus, ordinary users, those who don't even know how to disable host FWs, won't risk facing connectivity problems they can't understand, in particular with applications using IPv6 referrals.
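As an added illustration (not part of the original thread, and not a ruleset from RFC 6092 or from any vendor's CPE), here is an nftables ruleset for a Linux-based IPv6 CPE that implements the "simple security" behaviour the question refers to (the NAPT-equivalent: LAN-initiated flows and their return traffic pass, unsolicited inbound flows are dropped, with the ICMPv6 messages needed for path MTU discovery and reachability let through) and shows where the single REC-49 "transparent mode" switch sits. The interface names eth0 and br-lan are assumptions.

```nftables
# Added example ruleset for an IPv6 CPE; interface names are assumptions.
# Load with:   nft -f cpe-ipv6.nft
# Inspect with: nft list ruleset
define wan = "eth0"
define lan = "br-lan"

table ip6 cpe {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # RFC 6092 REC-49 "transparent mode": uncomment this single line to
        # forward all unsolicited inbound flows. It is placed first so that
        # none of the simple-security rules below can filter them.
        # iifname $wan oifname $lan accept

        # Drop packets that belong to no tracked connection and are not a
        # valid new flow (bad TCP state, truncated headers, ...).
        ct state invalid drop

        # Return traffic for flows initiated from the LAN: this is the
        # stateful behaviour an IPv4 NAPT provides as a side effect.
        ct state established,related accept

        # Any new flow originating on the LAN may go out to the WAN.
        iifname $lan oifname $wan ct state new accept

        # Unsolicited ICMPv6 that must still reach LAN hosts so that PMTUD
        # and error reporting work (RFC 4890 guidance); echo-request is
        # included here as a deliberate choice, remove it if you prefer
        # hosts to be unpingable from the WAN.
        iifname $wan oifname $lan icmpv6 type {
            destination-unreachable,
            packet-too-big,
            time-exceeded,
            parameter-problem,
            echo-request
        } accept

        # Everything else that arrives unsolicited from the WAN hits the
        # chain's drop policy.
    }
}
```

With the transparent-mode line commented out this ruleset is the "ON by default" choice from the question; uncommenting it gives the "OFF by default" choice the reply recommends, and the two can be switched without touching any other rule. Note that the WAN-side ICMPv6 exceptions are what keep packet-too-big reaching LAN hosts; a stateful default that omits them reproduces exactly the kind of unexplained connectivity breakage (black-holed large packets) the reply warns about.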