Default security functions on an IPv6 CPE

Mark Smith nanog at
Thu May 5 23:43:28 CEST 2011

On Thu, 05 May 2011 11:46:12 -0700
Doug Barton <dougb at> wrote:

> On 05/05/2011 07:43, Nick Hilliard wrote:
> > On the other hand, if you enable the firewall, you will annoy a small
> > percentage of power users.  However, there's a strong argument to be
> > made to say that they are generally the sort of people who could log on
> > to the router and make configuration changes anyway.
> +1
> The whole "restore e2e" pipe dream needs to die. 

What needs to die is the 90s/00s assumption that hosts aren't
protecting themselves.

The hard-shell, gooey centre model started to break when laptops
became popular. Those computers in your pocket or in your carry
bag (a.k.a. "smart phones" or "tablets") are going to finish off the

Security policies without context are likely to be wrong. The context
today of Internet access is common access via mobile devices, which can
easily be moved between different points of attachment. It is not
possible to guarantee those points of attachment will provide any level
of firewalling, so host OS implementors assume and have to assume the
worst case of no network firewalling at all.

This is why Apple enabled IPv6 by default in iOS 4, and there were
no warnings to its customers that they must have an upstream IPv6
network firewall before they attach it to an IPv6 network. Even if
those warnings needed to exist, a number of their customers would have
ignored them anyway. So the best way for Apple (and other vendors) to
protect themselves legally is to enable host based IPv6 (and IPv4)
firewalling by default. This also applies to fixed location computers -
vendors can't control whether there is an upstream network firewall, so
they protect desktops by default too.

Now that hosts are protecting themselves, the only useful role for CPE
firewalls to perform is as a security assistant, adding a level of
defence in depth. As an SP you need to work out if enabling it is worth
the trouble of customers complaining that some of their applications
work when they're attached to a foreign network (e.g. an "unprotected"
hotspot) but don't work when they're attached at home.

Of course none of this will prevent people from running that malware
attached to an email, or clicking a scam advert on a webpage. The worst
thing you could do is heavily promote enabling the CPE firewall, such
that naive people believe they're now protected from those attacks. A
false sense of security is better than no security at all - at least
with no security you know you don't have any.
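As an added illustration (not part of Mark Smith's post or any vendor's shipped policy), this is what "host-based IPv6 firewalling by default" looks like as an nftables ruleset for a Linux host. It assumes nftables is available and that the host, not the point of attachment, is responsible for dropping unsolicited inbound traffic, while keeping open the ICMPv6 that IPv6 cannot function without:

```nftables
#!/usr/sbin/nft -f
# Added example: host-side IPv6 policy that assumes no upstream CPE firewall.
# Table and chain names are arbitrary choices for this example.
table ip6 host_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and return traffic for connections this host initiated
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 error messages and echo; blocking these breaks path MTU
        # discovery, which is why a naive "drop all ICMP" host policy fails
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request, echo-reply } accept

        # Neighbour discovery and router advertisements: required for SLAAC
        # and address resolution on every link the host attaches to.
        # Genuine ND traffic is link-local with hop limit 255.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } ip6 hoplimit 255 accept

        # DHCPv6 client replies from a link-local server
        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # Everything else unsolicited from the network is dropped regardless
        # of what the CPE at this point of attachment does or does not filter.
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
```

Load it with `nft -f <file>`; the same policy applies unchanged whether the host sits behind a filtering home CPE or on an open hotspot, which is the point the post makes about context-free security policies.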

More information about the ipv6-ops mailing list