Default security functions on an IPv6 CPE

Cameron Byrne cb.list6 at gmail.com
Fri May 6 17:40:43 CEST 2011


On May 6, 2011 7:24 AM, <Guillaume.Leclanche at swisscom.com> wrote:
>
> > -----Original Message-----
> > From: Mikael Abrahamsson [mailto:swmike at swm.pp.se]
> > Sent: Thursday, May 05, 2011 9:05 PM
> > To: Leclanche Guillaume, SCS-NIT-DEV-NTW-CYC-CTB
> >
> > > ** A SP deliver the CPEs with a stateful IPv6 firewall providing the
> > > same security features as an IPv4 NAPT, should it be turned ON or OFF
> > > by default?
> >
> > My suggestion is to deliver it with firewall on to disallow incoming
> > connections to low (<1024) TCP/UDP ports, allow high ones. Most of the
> > services people leave on by accident live on the old privileged unix
> > ports under 1024.
>
> Thank you all for your answers. The debate reflects almost exactly the
> arguments we have internally :)
>
> I like this suggestion from Mike, I believe it sounds like a reasonable
> compromise.
>
> What do you all think about the proposal? (keep in mind we're talking
> here only about the default configuration!)
>

This also keeps us locked into TCP/UDP and breaks SCTP and other
forward-looking evolutions of IP transport ... also likely broken are
multicast, IPsec, Mobile IP, ...

The SPI pushers have forced TCP/80 to be THE Internet transport ... and
TCP/80 is now ... too big to fail ... so now the firewall has to do DPI ...
and that is an expensive arms race.

Cb
> Guillaume
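
The disagreement in this message, as an added example that is not part of the original post: a small Python model of the proposed default (drop unsolicited inbound TCP/UDP to ports below 1024, accept higher ones) applied to constructed packets. The names `verdict`, `evaluate` and the `other_protocols` fall-through parameter are assumptions; the proposal only speaks about TCP/UDP, so the treatment of everything else is left to the CPE's fall-through rule.

```python
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers, as carried in the IPv6 Next Header field.
TCP, UDP, ESP, SCTP, MOBILITY = 6, 17, 50, 132, 135

@dataclass(frozen=True)
class Packet:
    name: str
    proto: int
    dport: Optional[int] = None   # None when the protocol has no port field
    established: bool = False     # True if it matches state from an outbound flow

def verdict(pkt: Packet, other_protocols: str) -> str:
    """Inbound verdict under the default proposed in the thread.

    other_protocols is an assumption: the proposal only covers TCP/UDP, so
    the verdict for everything else is whatever the CPE falls through to.
    """
    if pkt.established:
        return "accept"                      # return traffic for inside-initiated flows
    if pkt.proto in (TCP, UDP) and pkt.dport is not None:
        return "drop" if pkt.dport < 1024 else "accept"
    return other_protocols                   # SCTP, ESP, Mobility Header, ...

# Constructed sample packets, all unsolicited inbound unless marked established.
SAMPLES = [
    Packet("tcp/22 (ssh left on)", TCP, 22),
    Packet("udp/137 (netbios)", UDP, 137),
    Packet("tcp/51413 (p2p listener)", TCP, 51413),
    Packet("tcp/8080 (service on high port)", TCP, 8080),
    Packet("sctp/5060", SCTP, 5060),
    Packet("esp (ipsec)", ESP),
    Packet("mobility header (mobile ip)", MOBILITY),
    Packet("udp/123 reply (ntp, inside-initiated)", UDP, 123, established=True),
]

def evaluate(other_protocols: str) -> dict:
    """Map each sample packet name to its verdict for a given fall-through."""
    return {p.name: verdict(p, other_protocols) for p in SAMPLES}

if __name__ == "__main__":
    for fallthrough in ("drop", "accept"):
        print(f"-- non-TCP/UDP falls through to {fallthrough}")
        for name, v in evaluate(fallthrough).items():
            print(f"{v:6}  {name}")
```

With a drop fall-through the SCTP, ESP and Mobility Header packets are all discarded even though a TCP packet to the same high port would pass; with an accept fall-through they bypass the port rule entirely.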