Default security functions on an IPv6 CPE

Jon Bane jon at
Thu May 5 22:42:18 CEST 2011

On Thu, May 5, 2011 at 10:21 AM, <Guillaume.Leclanche at> wrote:
> Hello,
> As a service provider, we deliver CPEs to our broadband customers as part of the service. We're currently enabling v6 on our network, and before going into production we have an open question regarding security that we're not able to answer internally, so let's check the community :
> ** A SP deliver the CPEs with a stateful IPv6 firewall providing the same security features as an IPv4 NAPT, should it be turned ON or OFF by default ?
> (and of course it's user configurable afterwards, that's not the question)
> Guillaume

Take a look at the UPnP IGD v2 specification.  It includes the
WANIPv6FirewallControl:1 service control which lowers the bar for end
users being impacted by a default on firewall.

As for which position is better, I tend towards on for the simple fact
that the majority of user's PCs will have Netbios and the like exposed
to the world.  However minor you may or may not feel the risk of a
users being 'found' in the fast sea of a /64, overtime methods will be
developed to do just that.

More information about the ipv6-ops mailing list