Default security functions on an IPv6 CPE

Seth Mattinen sethm at
Thu May 5 20:56:08 CEST 2011

On 5/5/2011 11:46, Doug Barton wrote:
> +1
> The whole "restore e2e" pipe dream needs to die. The naive user has been
> conditioned by a lifetime of NAT that there should be no access from the
> outside world allowed into his network without explicitly enabling it.
> The fact that I happen to agree with that perspective aside, if the
> firewall for IPv6 defaults to off that same naive user is going to view
> IPv6 as "scary," "dangerous," "less secure," or all of the above. As
> Nick said so elegantly above, anyone who cares can turn it off.

You still get more end to end on IPv6 with a firewall default-enabled
since the ends are going to have unique, routable addresses, not
unroutable, potentially overlapping private addresses behind NAT. That alone
eliminates a whole industry of stupid networking tricks.


