Default security functions on an IPv6 CPE

Rémi Després remi.despres at
Fri May 6 18:09:06 CEST 2011

Le 6 mai 2011 à 08:47, Doug Barton a écrit :
> ...
>> Operating
>> systems that support IPv6, on the other hand, were designed at a time
>> when it was well known that not all inbound traffic will be innocent.
> Windows XP supports IPv6 (albeit it is not on by default), and it certainly was not designed with security in mind. If you put an unpatched version of XP on the live, open network it'll be pwned before you have a chance to download the first service pack.

The ordinary user doesn't use IPv6 if his OS hasn't it by default.
Ìf it has it by default, it also has the host FW.

>> 4) The only large-scale roll-out of residantal broadband service that is
>> IPv6-enabled by default to date, namely Free in France (hundreds of
>> thousands of IPv6-enabled users, if not millions), does *NOT* perform
>> any IPv6 firewalling by default, according to speakers at the latest
>> RIPE meeting. In other words, the de-facto standard on the IPv6 internet
>> today is to not firewall end users. And still, the sky isn't falling.
> A) Again this is anecdotal, and does not take into account firewalls that come with user-provided CPEs.

All customers of Free have their CPE provided by Free.
That's more than anecdotal.

> ... you still haven't answered the essential question. What problem is created by having the firewall on by default?

Ordinary users, when they face connectivity problems, won't be able to understand what happens.
They won't have enough knowledge to understand what is meant by disabling a CPE FW.


More information about the ipv6-ops mailing list