Default security functions on an IPv6 CPE

Rémi Després remi.despres at
Thu May 5 17:57:07 CEST 2011

Le 5 mai 2011 à 16:21, <Guillaume.Leclanche at> <Guillaume.Leclanche at> a écrit :

> Hello,
> As a service provider, we deliver CPEs to our broadband customers as part of the service. We're currently enabling v6 on our network, and before going into production we have an open question regarding security that we're not able to answer internally, so let's check the community : 
> ** A SP deliver the CPEs with a stateful IPv6 firewall providing the same security features as an IPv4 NAPT, should it be turned ON or OFF by default ?
> (and of course it's user configurable afterwards, that's not the question)

RFC 6092 "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service" says:

REC-49: Internet gateways with IPv6 simple security capabilities MUST
   provide an easily selected configuration option that permits a
   "transparent mode" of operation that forwards all unsolicited flows
   regardless of forwarding direction, i.e., not to use the IPv6 simple
   security capabilities of the gateway.  The transparent mode of
   operation MAY be the default configuration.

The choice therefore remains open.

a) I have been using the IPv6 of since december 2007 without any CPE firewall in IPv6 (and just relying on host firewalls of Windows, OS X, and Linux), and without any identified security problem.
AFAIK, has worked since the beginning without IPv6 stateful FW and, after IPv6 had to be consciously activated in the past, their new CPE has by default IPv6 (without stateful FW).  
b) One who disables a host FW, globally or partially with a consciously installed add-on, should better know what he does. He should therefore be able to to activate its CPE FW if he wants to.

My recommendation is to let IPv6 work transparently by default.
Thus, ordinary users, those who don't even know how to disable host FW's, won't risk to face connectivity problems they can't understand, in particular with applications using IPv6 referrals.


> Guillaume

More information about the ipv6-ops mailing list