Default security functions on an IPv6 CPE

Tore Anderson tore.anderson at redpill-linpro.com
Fri May 6 09:28:17 CEST 2011


Hi Doug,

* Doug Barton

> Throughout this post you're conflating NAPT and a Stateful Packet
> Inspection Firewall (SPIF). That's a problem for 2 reasons, one is that
> it adds to the confusion about these 2 items (which IMO Guillaume did a
> good job of differentiating) and because you seem to be trying to tar an
> IPv6 SPIF with the negative emotions attached to NAPT.

Quoting Guillaume:

«a stateful IPv6 firewall providing the same security features as an
IPv4 NAPT»

If this isn't conflating the two, I don't know what is.

>> 1) Today, portable computing devices like laptops and smartphones are
>> extremely common - far more common than stationary PCs. People drag
>> these around and connect them willy-nilly to all sorts of untrusted
>> networks found in airports, on airplanes, in hotels, at conferences, at
>> cafés, or simply whatever unsecured wireless network in range that can
>> be leeched from. The sky isn't falling.
> 
> A) It depends on who you ask. The millions of infected hosts comprising
> the bot armies in the current DDOS wars would seem to argue against your
> point.

And these were all compromised how? I'd be interested in seeing some
real research into how many of these were infected by an attack vector
that a stateful IPv6 firewall or an IPv4 NAPT would close, as opposed to
e-mail attachments, ActiveX controls, malware, browser attacks, USB
sticks, and so on.

> B) Even if you're right, doesn't it make sense to do better for the user
> on the network they are paying for?

Depends on the definition of «better» I guess. I suspect we are in
disagreement...

> In your mind what problems are created by enabling the firewall by default?

By restricting the functionality the network provides to application
developers. A stateful IPv6 firewall, like an IPv4 NAPT, restricts
application developers to using a traditional client-server design. Or
else, the user must {forward,open} ports on the {firewall,NAPT} in order
for it to work.

A protocol like BitTorrent was successful because it was so insanely
awesome that sufficient amounts of people were willing to go through the
port opening trouble in order to use it. A less awesome, but still
valuable, service or protocol that requires end-to-end is predisposed to
market failure because of the restrictions imposed by IPv4 NAPT or a
stateful firewall.

IMHO, the more open the network is, the more innovation will take place.
And vice versa. The internet itself is the prime example of this.

Oh, and another thing I've heard folks from the mobile world say is that
NAPT/stateful firewalls require them to send regular keepalives in order
to prevent the state binding from timing out, which in turn is
shortening the battery lifetime of a mobile device.

>> 3) The operating systems that could not at all cope with unsolicited
>> inbound traffic and caused the perceived need for IPv4 NAPT in the first
>> place
> 
> Um, no.

You are right, that was a poor choice of words on my part. I meant to
say «the need for the perceived security features intrinsic to IPv4 NAPT».

>> (Windows 9x, that is), doesn't even support IPv6 at all.
> 
> This is completely irrelevant, given that the market share of Windows 9x
> can be measured with a thimble.

Precisely. It's hardly even there and it doesn't even support IPv6. So
there's no reason to look back at the 90s, remember the Win 9x security
nightmare, and conclude «an IPv6 firewall is necessary», that's my point.

>> 4) The only large-scale roll-out of residential broadband service that is
>> IPv6-enabled by default to date, namely Free in France (hundreds of
>> thousands of IPv6-enabled users, if not millions), does *NOT* perform
>> any IPv6 firewalling by default, according to speakers at the latest
>> RIPE meeting. In other words, the de-facto standard on the IPv6 internet
>> today is to not firewall end users. And still, the sky isn't falling.
> 
> A) Again this is anecdotal, and does not take into account firewalls
> that come with user-provided CPEs.

Well if a user wants to replace their CPE with their own (or turn a
default-off firewall to on), that's their choice. Not sure how that is
relevant though, as the question was: what should an ISP do by default?

> B) It's still incredibly early days, so I for one am not prepared to
> declare anything a BCP.
> 
> Meanwhile, you still haven't answered the essential question. What
> problem is created by having the firewall on by default?

See above.

If the firewall is off by default, and operational experience turns out
to be that it is indeed necessary after all, it is not a difficult job to
change the default accordingly.

On the other hand, if the firewall is on by default, you will never get
the operational experience that would tell you if you made the right
decision or not.

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
Tel: +47 21 54 41 27
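
Added illustration, not part of the original message and not any CPE's actual code: a toy model of the stateful filtering behaviour the thread argues about, showing which inbound packets a default-on filter forwards, what an idle timeout does to an established flow, and how keepalives, a manually opened port or a default-off filter change the outcome. The class and function names, addresses, ports and the 60-second timeout are all constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulFilter:
    """Toy model of a CPE stateful IPv6 filter (constructed for illustration)."""
    enabled: bool = True
    idle_timeout: int = 60                           # seconds; assumed value
    open_ports: set = field(default_factory=set)     # ports opened by the user
    state: dict = field(default_factory=dict)        # flow -> time last seen

    def outbound(self, now, lan, lport, wan, wport):
        """A LAN host sends: always forwarded, creates or refreshes state."""
        self.state[(lan, lport, wan, wport)] = now
        return True

    def inbound(self, now, wan, wport, lan, lport):
        """A WAN host sends toward the LAN; True means the CPE forwards it."""
        if not self.enabled or lport in self.open_ports:
            return True
        flow = (lan, lport, wan, wport)
        last = self.state.get(flow)
        if last is not None and now - last <= self.idle_timeout:
            self.state[flow] = now                   # return traffic refreshes
            return True
        self.state.pop(flow, None)                   # expired or never created
        return False

def demo():
    lan, peer = "2001:db8:1::10", "2001:db8:2::20"   # documentation prefix
    fw, seen = StatefulFilter(), {}
    # Peer-to-peer style: the remote side speaks first.
    seen["unsolicited"] = fw.inbound(0, peer, 40000, lan, 6881)
    # Client-server style: the LAN host speaks first, the reply matches state.
    fw.outbound(10, lan, 50000, peer, 443)
    seen["reply"] = fw.inbound(11, peer, 443, lan, 50000)
    # The flow goes quiet for longer than the timeout: the binding is gone.
    seen["reply_after_idle"] = fw.inbound(200, peer, 443, lan, 50000)
    # Same idle period, but the host sends a keepalive every 30 seconds.
    for t in range(210, 400, 30):
        fw.outbound(t, lan, 50001, peer, 443)
    seen["reply_with_keepalives"] = fw.inbound(400, peer, 443, lan, 50001)
    # The user opens the port by hand, or the filter is off by default.
    fw.open_ports.add(6881)
    seen["after_port_opened"] = fw.inbound(410, peer, 40000, lan, 6881)
    off = StatefulFilter(enabled=False)
    seen["filter_off"] = off.inbound(0, peer, 40000, lan, 6881)
    return seen

if __name__ == "__main__":
    for case, forwarded in demo().items():
        print(f"{case:24} {'forwarded' if forwarded else 'dropped'}")
```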


