Default security functions on an IPv6 CPE

Doug Barton dougb at dougbarton.us
Fri May 6 08:47:47 CEST 2011


I've already stated my opinion and I'm trying really hard to avoid 
repeating myself. However there are so many problems in this post I 
can't help myself.

On 05/05/2011 22:57, Tore Anderson wrote:
> * Guillaume.Leclanche at swisscom.com
>
>> ** An SP delivers the CPEs with a stateful IPv6 firewall providing the
>> same security features as an IPv4 NAPT, should it be turned ON or OFF
>> by default?
>
> Off.
>
> The security benefit of IPv4 NAPT is highly questionable,

Throughout this post you're conflating NAPT and a Stateful Packet 
Inspection Firewall (SPIF). That's a problem for 2 reasons, one is that 
it adds to the confusion about these 2 items (which IMO Guillaume did a 
good job of differentiating) and because you seem to be trying to tar an 
IPv6 SPIF with the negative emotions attached to NAPT.

> in my opinion.
> I think many have not still gotten over the horrible Windows 9x days,
> but fortunately, the world has progressed quite a bit since then:
>
> 1) Today, portable computing devices like laptops and smartphones are
> extremely common - far more common than stationary PCs. People drag
> these around and connect them willy-nilly to all sorts of untrusted
> networks found in airports, on airplanes, in hotels, at conferences, at
> cafés, or simply whatever unsecured wireless network in range that can
> be leeched from. The sky isn't falling.

A) It depends on who you ask. The millions of infected hosts comprising 
the bot armies in the current DDOS wars would seem to argue against your 
point.
B) Even if you're right, doesn't it make sense to do better for the user 
on the network they are paying for?

> 2) Several ISPs are providing IPv4 service without IPv4 NAPT and its
> (perceived) security benefit. I know of two such large ISPs here in
> Norway, at least (one xDSL, one cable). The sky is still not falling.

I'm not familiar with the data points you're providing, however these 
anecdotes don't advance the discussion. In your mind what problems are 
created by enabling the firewall by default?

> 3) The operating systems that could not at all cope with unsolicited
> inbound traffic and caused the perceived need for IPv4 NAPT in the first
> place

Um, no. NAPT was developed for economic reasons, for the home user to be 
able to run a network in their home without having to pay for extra IP 
addresses. The SPIF-like features were simply a pleasant byproduct.

> (Windows 9x, that is), don't even support IPv6 at all.

This is completely irrelevant, given that the market share of Windows 9x 
can be measured with a thimble.

> Operating
> systems that support IPv6, on the other hand, were designed at a time
> when it was well known that not all inbound traffic will be innocent.

Windows XP supports IPv6 (albeit it is not on by default), and it 
certainly was not designed with security in mind. If you put an 
unpatched version of XP on the live, open network it'll be pwned before 
you have a chance to download the first service pack.

> 4) The only large-scale roll-out of residential broadband service that is
> IPv6-enabled by default to date, namely Free in France (hundreds of
> thousands of IPv6-enabled users, if not millions), does *NOT* perform
> any IPv6 firewalling by default, according to speakers at the latest
> RIPE meeting. In other words, the de-facto standard on the IPv6 internet
> today is to not firewall end users. And still, the sky isn't falling.

A) Again this is anecdotal, and does not take into account firewalls 
that come with user-provided CPEs.
B) It's still incredibly early days, so I for one am not prepared to 
declare anything a BCP.

Meanwhile, you still haven't answered the essential question. What 
problem is created by having the firewall on by default?


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/




More information about the ipv6-ops mailing list