Default security functions on an IPv6 CPE

Cameron Byrne cb.list6 at gmail.com
Fri May 6 16:34:27 CEST 2011


On May 6, 2011 7:24 AM, <Guillaume.Leclanche at swisscom.com> wrote:
>
> > -----Original Message-----
> > From: Mikael Abrahamsson [mailto:swmike at swm.pp.se]
> > Sent: Thursday, May 05, 2011 9:05 PM
> > To: Leclanche Guillaume, SCS-NIT-DEV-NTW-CYC-CTB
> >
> > > ** An SP delivers the CPEs with a stateful IPv6 firewall providing the
> > > same security features as an IPv4 NAPT; should it be turned ON or OFF
> > > by default?
> >
> > My suggestion is to deliver it with the firewall on, to disallow incoming
> > connections to low (<1024) TCP/UDP ports and allow high ones. Most of the
> > services people leave on by accident live on the old privileged Unix
> > ports under 1024.
>
> Thank you all for your answers. The debate reflects almost exactly the
> arguments we have internally :)
>
> I like this suggestion from Mike, I believe it sounds like a reasonable
> compromise.
>
> What do you all think about the proposal? (Keep in mind we're talking
> here only about the default configuration!)
>

The question is one of statefully inspecting or not. If you do it, you break
e2e and require ALGs.

Stateful inspection on a middle box and allowing ports is possibly the
worst of both worlds.

Take a realistic look at home users. They have XP SP2+, OS X, Vista, and
Win7 ... or something else with a hardened host and firewall.

I guess the real place to start is to ask what problem you are trying to
solve and how likely it is to occur. The relevant solution set likely does
not include a CPE firewall given today's real threat profile.

Cb
> Guillaume
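For readers who want to see what the "low ports closed, high ports open" default under discussion looks like as an actual CPE ruleset, here it is in nftables syntax. This is an added example, written by the editor; it is not from Mikael, Guillaume, Cameron or any vendor. Assumptions: the LAN-facing interface is lan0 and the WAN-facing one is wan0; the ICMPv6 allow-list is taken from RFC 4890 section 4.3.1, with echo-request kept so hosts stay pingable.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): forwarding policy for an IPv6 CPE
# implementing Mikael's proposed default. Interface names are assumptions.

flush ruleset

table inet cpe_default {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # The stateful part: traffic belonging to (or related to) a flow a
        # LAN host opened is let back in; packets with broken state are dropped.
        ct state established,related accept
        ct state invalid drop

        # LAN -> WAN: unrestricted outbound.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 that IPv6 needs in order to keep working through a router
        # (RFC 4890 section 4.3.1). Neighbor Discovery is link-local and never
        # reaches the forward hook, so it does not need a rule here.
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # WAN -> LAN, new flows: refuse the old privileged ports ...
        iifname "wan0" tcp dport 0-1023 drop
        iifname "wan0" udp dport 0-1023 drop

        # ... and accept everything above them. This is the line that makes the
        # policy "allow ports" rather than a plain stateful firewall; delete it
        # and the chain's policy drop turns into the strict "firewall ON"
        # default, refusing every unsolicited inbound flow.
        iifname "wan0" oifname "lan0" meta l4proto { tcp, udp } accept
    }
}
```

Load it with `nft -f` on the CPE; `nft -c -f <file>` checks syntax without installing it. Only the forward hook is shown, so traffic to the CPE itself (its input chain) still needs its own policy. Note also that with the last rule in place, any UDP service a LAN host runs on a port above 1023 is reachable from the Internet without a conntrack entry, which is the point Cameron is making above.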