Default security functions on an IPv6 CPE

Mikael Abrahamsson swmike at
Thu May 5 21:04:58 CEST 2011

On Thu, 5 May 2011, Guillaume.Leclanche at wrote:

> As a service provider, we deliver CPEs to our broadband customers as 
> part of the service. We're currently enabling v6 on our network, and 
> before going into production we have an open question regarding security 
> that we're not able to answer internally, so let's check the community :
> ** A SP deliver the CPEs with a stateful IPv6 firewall providing the 
> same security features as an IPv4 NAPT, should it be turned ON or OFF by 
> default ?

My suggestion is to deliver it with firewall on to disallow incoming 
connections to low (<1024) TCP/UDP ports, allow high ones. Most of the 
services people leave on by accident live on the old privileged unix ports 
under 1024.

Mikael Abrahamsson    email: swmike at

More information about the ipv6-ops mailing list