Default security functions on an IPv6 CPE

Frank Bulk frnkblk at iname.com
Fri May 6 08:18:22 CEST 2011


Any CPE we buy for our customers will require SPI firewall support. My current preference is to have it on as it essentially duplicates what customers have today with a default block on incoming traffic. We may change our approach if I am convinced otherwise -- but at least the CPE will be able to support it.

Frank

-----Original Message-----
From: ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de [mailto:ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de] On Behalf Of Tore Anderson
Sent: Friday, May 06, 2011 12:58 AM
To: Guillaume.Leclanche at swisscom.com
Cc: ipv6-ops at lists.cluenet.de
Subject: Re: Default security functions on an IPv6 CPE

* Guillaume.Leclanche at swisscom.com

> ** An SP delivers the CPEs with a stateful IPv6 firewall providing the
> same security features as an IPv4 NAPT; should it be turned ON or OFF
> by default?

Off.

The security benefit of IPv4 NAPT is highly questionable, in my opinion.
I think many still have not gotten over the horrible Windows 9x days,
but fortunately, the world has progressed quite a bit since then:

1) Today, portable computing devices like laptops and smartphones are
extremely common - far more common than stationary PCs. People drag
these around and connect them willy-nilly to all sorts of untrusted
networks found in airports, on airplanes, in hotels, at conferences, at
cafés, or simply whatever unsecured wireless network in range that can
be leeched from. The sky isn't falling.

2) Several ISPs are providing IPv4 service without IPv4 NAPT and its
(perceived) security benefit. I know of two such large ISPs here in
Norway, at least (one xDSL, one cable). The sky is still not falling.

3) The operating systems that could not at all cope with unsolicited
inbound traffic and caused the perceived need for IPv4 NAPT in the first
place (Windows 9x, that is), do not even support IPv6 at all. Operating
systems that support IPv6, on the other hand, were designed at a time
when it was well known that not all inbound traffic will be innocent.

4) The only large-scale roll-out of residential broadband service that is
IPv6-enabled by default to date, namely Free in France (hundreds of
thousands of IPv6-enabled users, if not millions), does *NOT* perform
any IPv6 firewalling by default, according to speakers at the latest
RIPE meeting. In other words, the de-facto standard on the IPv6 internet
today is to not firewall end users. And still, the sky isn't falling.

I therefore suggest you follow the lead of IPv6 pioneers like Free, don't brood
on the long-past horrors of Windows 9x, and roll out a network that
allows application and service developers to take advantage of true
end-to-end transparency instead of having to restrict their innovation
to only things that fit into a strict client-server thinking.

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
Tel: +47 21 54 41 27
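As an added illustration (not from either poster), this is what Frank's "default block on incoming traffic" looks like as an nftables ruleset for a CPE's WAN side, in the default-on configuration the thread debates. The interface name, the choice of nftables, and the ICMPv6 allow-list derived from RFC 4890 are my assumptions; the ICMPv6 and DHCPv6 exceptions are the part a CPE vendor most often gets wrong, because a NAPT-style "drop everything unsolicited" rule on IPv6 also drops neighbour discovery, router advertisements and path-MTU discovery.

```shell
#!/bin/sh
# Constructed example: emit an nftables ruleset that gives a CPE's WAN side the
# "default block on incoming traffic" behaviour discussed in the thread, while
# letting through the state-tracked replies and ICMPv6 messages IPv6 needs.
# Interface name and the RFC 4890-derived ICMPv6 list are assumptions.

cpe_ipv6_ruleset() {
  wan="${1:-wan0}"   # assumed WAN interface name (first argument)
  cat <<EOF
table ip6 cpe_v6 {
  chain input {
    # traffic addressed to the CPE itself
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    iifname != "$wan" accept
    ct state established,related accept
    ct state invalid drop
    # ND, RAs and error signalling must pass or IPv6 itself breaks (RFC 4890)
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                  parameter-problem, echo-request, nd-router-advert,
                  nd-neighbor-solicit, nd-neighbor-advert } accept
    # DHCPv6 replies arrive from the server's unicast address, so conntrack
    # cannot pair them with the multicast Solicit; allow them explicitly
    udp sport 547 udp dport 546 accept
  }
  chain forward {
    # traffic crossing the CPE between LAN and WAN
    type filter hook forward priority 0; policy drop;
    iifname != "$wan" accept
    ct state established,related accept
    ct state invalid drop
    # hosts behind the CPE still need PMTUD and reachability errors to work
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                  parameter-problem, echo-request } accept
  }
}
EOF
}

# Stand-alone use: review the generated ruleset, then load it with
#   cpe_ipv6_ruleset wan0 | nft -f -
cpe_ipv6_ruleset "$@"
```

Turning the firewall off by default, as Tore argues for, amounts to changing both `policy drop` lines to `policy accept` (or not loading the table at all); the ICMPv6 rules are then redundant but harmless.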