Default security functions on an IPv6 CPE
Mikael Abrahamsson
swmike at swm.pp.se
Thu May 5 21:04:58 CEST 2011
On Thu, 5 May 2011, Guillaume.Leclanche at swisscom.com wrote:
> As a service provider, we deliver CPEs to our broadband customers as
> part of the service. We're currently enabling v6 on our network, and
> before going into production we have an open question regarding security
> that we're not able to answer internally, so let's check the community:
>
> ** An SP delivers the CPEs with a stateful IPv6 firewall providing the
> same security features as an IPv4 NAPT: should it be turned ON or OFF by
> default?

My suggestion is to deliver it with firewall on to disallow incoming
connections to low (<1024) TCP/UDP ports, allow high ones. Most of the
services people leave on by accident live on the old privileged unix ports
under 1024.
--
Mikael Abrahamsson email: swmike at swm.pp.se
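
The default suggested in the reply above, written out as an nftables ruleset for a Linux-based CPE. This is an added example, not part of the original message or any vendor's shipped configuration. The table name, the interface names wan0 and lan0, and the rules for outbound traffic, ICMPv6 and other protocols are assumptions.

```nftables
# Added example: stateful IPv6 forwarding policy for a CPE.
# Assumptions: "wan0" faces the provider, "lan0" faces the customer LAN.
table ip6 cpe_default {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN hosts opened themselves.
        ct state established,related accept
        ct state invalid drop

        # Outbound traffic from the LAN is not restricted (assumption).
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error messages are needed for path MTU discovery and
        # normal IPv6 operation (assumption, not discussed in the thread).
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big,
                                     time-exceeded, parameter-problem } accept

        # Unsolicited inbound to the privileged ports (<1024): drop and count,
        # so the CPE can show how often the default actually blocks something.
        iifname "wan0" oifname "lan0" tcp dport 0-1023 counter drop
        iifname "wan0" oifname "lan0" udp dport 0-1023 counter drop

        # Unsolicited inbound to high ports: allowed, as the reply suggests.
        iifname "wan0" oifname "lan0" tcp dport 1024-65535 accept
        iifname "wan0" oifname "lan0" udp dport 1024-65535 accept

        # Everything else arriving from the WAN falls through to policy drop.
    }
}
```

The ruleset can be syntax-checked without loading it by running nft with the -c (check) and -f options on the file.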