Default security functions on an IPv6 CPE
Rémi Després
remi.despres at free.fr
Fri May 6 17:43:50 CEST 2011
Full support.
RD
On 6 May 2011 at 07:57, Tore Anderson wrote:
> * Guillaume.Leclanche at swisscom.com
>
>> ** A SP deliver the CPEs with a stateful IPv6 firewall providing the
>> same security features as an IPv4 NAPT, should it be turned ON or OFF
>> by default ?
>
> Off.
>
> The security benefit of IPv4 NAPT is highly questionable, in my opinion.
> I think many have not still gotten over the horrible Windows 9x days,
> but fortunately, the world has progressed quite a bit since then:
>
> 1) Today, portable computing devices like laptops and smartphones are
> extremely common - far more common than stationary PCs. People drag
> these around and connect them willy-nilly to all sorts of untrusted
> networks found in airports, on airplanes, in hotels, at conferences, at
> cafés, or simply whatever unsecured wireless network in range that can
> be leeched from. The sky isn't falling.
>
> 2) Several ISPs are providing IPv4 service without IPv4 NAPT and it's
> (perceived) security benefit. I know of two such large ISPs here in
> Norway, at least (one xDSL, one cable). The sky is still not falling.
>
> 3) The operating systems that could not at all cope with unsolicited
> inbound traffic and caused the perceived need for IPv4 NAPT in the first
> place (Windows 9x, that is), don't even support IPv6 at all. Operating
> systems that support IPv6, on the other hand, were designed at a time
> when it was well known that not all inbound traffic will be innocent.
>
> 4) The only large-scale roll-out of residential broadband service that is
> IPv6-enabled by default to date, namely Free in France (hundreds of
> thousands of IPv6-enabled users, if not millions), does *NOT* perform
> any IPv6 firewalling by default, according to speakers at the latest
> RIPE meeting. In other words, the de-facto standard on the IPv6 internet
> today is to not firewall end users. And still, the sky isn't falling.
>
> I therefore suggest you follow the lead of IPv6 pioneers like Free, don't brood
> on the long-past horrors of Windows 9x, and roll out a network that
> allows application and service developers to take advantage of true
> end-to-end transparency instead of having to restrict their innovation
> to only things that fit into a strict client-server thinking.
>
> Best regards,
> --
> Tore Anderson
> Redpill Linpro AS - http://www.redpill-linpro.com
> Tel: +47 21 54 41 27
More information about the ipv6-ops
mailing list