Default security functions on an IPv6 CPE

Tore Anderson tore.anderson at
Fri May 6 07:57:40 CEST 2011

* Guillaume.Leclanche at

> ** A SP deliver the CPEs with a stateful IPv6 firewall providing the
> same security features as an IPv4 NAPT, should it be turned ON or OFF
> by default ?


The security benefit of IPv4 NAPT is highly questionable, in my opinion.
I think many have not still gotten over the horrible Windows 9x days,
but fortunately, the world has progressed quite a bit since then:

1) Today, portable computing devices like laptops and smartphones are
extremely common - far more common than stationary PCs. People drag
these around and connect them willy-nilly to all sorts of untrusted
networks found in airports, on airplanes, in hotels, at conferences, at
cafés, or simply whatever unsecured wireless network in range that can
be leeched from. The sky isn't falling.

2) Several ISPs are providing IPv4 service without IPv4 NAPT and it's
(perceived) security benefit. I know of two such large ISPs here in
Norway, at least (one xDSL, one cable). The sky is still not falling.

3) The operating systems that could not at all cope with unsolicited
inbound traffic and caused the perceived need for IPv4 NAPT in the first
place (Windows 9x, that is), doesn't even support IPv6 at all. Operating
systems that support IPv6, on the other hand, were designed at a time
when it was well known that not all inbound traffic will be innocent.

4) The only large-scale roll-out of residantal broadband service that is
IPv6-enabled by default to date, namely Free in France (hundreds of
thousands of IPv6-enabled users, if not millions), does *NOT* perform
any IPv6 firewalling by default, according to speakers at the latest
RIPE meeting. In other words, the de-facto standard on the IPv6 internet
today is to not firewall end users. And still, the sky isn't falling.

I therefore you suggest the lead of IPv6 pioneers like Free, don't brood
on the long-past horrors of Windows 9x, and roll out a network that
allows application and service developers to take advantage of true
end-to-end transparency instead of having to restrict their innovation
to only things that fits into a strict client-server thinking.

Best regards,
Tore Anderson
Redpill Linpro AS -
Tel: +47 21 54 41 27

More information about the ipv6-ops mailing list