Default security functions on an IPv6 CPE

Ben Jencks ben at bjencks.net
Fri May 6 21:19:48 CEST 2011


On Fri, May 6, 2011 at 15:00, Mikael Abrahamsson <swmike at swm.pp.se> wrote:
> On Fri, 6 May 2011, Cameron Byrne wrote:
>
>> This also keeps us locked into tcp/udp and breaks sctp and other forward
>> looking evolutions of ip transport ... also likely broken are multicast,
>> ipsec, mobile ip, ...
>
> Nono, my suggestion is to statefully block incoming connections to low
> tcp/udp ports but allow everything else IPv6.

You might even go so far as to use stateless filters for TCP, just to
remove one more point of failure -- just block inbound SYN (no ACK)
packets to those low ports. You can't really get around needing state
for UDP, though.

My overall opinion is no filtering, for the reasons people have
already given. PCs have to be individually secure anyway, and it makes
the network more amenable to innovation. One obvious application is a
home NAS that's accessible from anywhere, and most of the ports that it
would use are low-numbered (443 for web or WebDAV, 21, and 22 are likely
candidates).

-Ben
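The policy sketched in the exchange above (stateless drop of inbound SYN-without-ACK to low TCP ports, a state table only for inbound UDP to low ports, everything else including ICMPv6, SCTP and ESP passed untouched) as a small packet-decision simulation. This is an added example and not code from the thread or from any CPE vendor; the addresses, ports and packet sequence are constructed for illustration, and the `Packet`/`CpeFilter` names are mine. On a Linux box the TCP test corresponds to ip6tables' `--syn` match or nftables' `tcp flags & (syn|ack) == syn`; the UDP part is what conntrack does for you.

```python
from dataclasses import dataclass

# Constructed, hypothetical addresses from the RFC 3849 documentation prefix.
LAN_HOST = "2001:db8:1::10"
NTP_SERVER = "2001:db8:ffff::123"


@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" (from the Internet) or "out" (from the LAN)
    proto: str                       # "tcp", "udp", "icmpv6", "sctp", "esp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"}
    ts: float = 0.0                  # arrival time in seconds


class CpeFilter:
    """Drop inbound TCP SYN-only segments and unsolicited inbound UDP datagrams
    aimed at ports below low_port_limit; pass everything else, whatever the
    IPv6 next header is."""

    def __init__(self, low_port_limit: int = 1024, udp_timeout: float = 30.0):
        self.low_port_limit = low_port_limit
        self.udp_timeout = udp_timeout
        # (lan_addr, lan_port, remote_addr, remote_port) -> last outbound/reply ts
        self._udp_flows: dict = {}

    def _is_low(self, port: int) -> bool:
        return port < self.low_port_limit

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.proto == "udp":
                # Stateful part: remember whom the LAN talked to, and from which port.
                self._udp_flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return "accept"

        if pkt.proto == "tcp":
            # Stateless part: SYN set and ACK clear is a connection attempt.
            # No table means nothing to exhaust, but a bare ACK to a low port
            # cannot be told from an established flow and is passed.
            syn_only = "SYN" in pkt.flags and "ACK" not in pkt.flags
            if syn_only and self._is_low(pkt.dport):
                return "drop"
            return "accept"

        if pkt.proto == "udp":
            if not self._is_low(pkt.dport):
                return "accept"
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            last = self._udp_flows.get(key)
            if last is None:
                return "drop"
            if pkt.ts - last > self.udp_timeout:
                del self._udp_flows[key]      # state expired
                return "drop"
            self._udp_flows[key] = pkt.ts     # refresh on reply traffic
            return "accept"

        # ICMPv6 (ND, PMTUD), SCTP, ESP, Mobile IPv6, ...: no port filter applies.
        return "accept"


def run_scenario() -> list:
    """Constructed packet sequence; returns the filter's verdict for each one."""
    f = CpeFilter()
    remote = "2001:db8:ffff::1"
    pkts = [
        # 1. unsolicited SSH connection attempt from the Internet
        Packet("in", "tcp", remote, LAN_HOST, 40000, 22, frozenset({"SYN"}), 1.0),
        # 2. same, to a high port (NAS web UI on 8443): passes
        Packet("in", "tcp", remote, LAN_HOST, 40001, 8443, frozenset({"SYN"}), 1.1),
        # 3. SYN+ACK answering a LAN-originated connection that used low source port 1021
        Packet("in", "tcp", remote, LAN_HOST, 22, 1021, frozenset({"SYN", "ACK"}), 1.2),
        # 4. bare ACK to port 22: the stateless rule lets it through (ACK scans are visible)
        Packet("in", "tcp", remote, LAN_HOST, 40002, 22, frozenset({"ACK"}), 1.3),
        # 5. NTP query out from source port 123: creates UDP state
        Packet("out", "udp", LAN_HOST, NTP_SERVER, 123, 123, ts=2.0),
        # 6. reply from the NTP server to low port 123: state matches
        Packet("in", "udp", NTP_SERVER, LAN_HOST, 123, 123, ts=2.05),
        # 7. unsolicited UDP to port 123 from another host: no state
        Packet("in", "udp", remote, LAN_HOST, 123, 123, ts=2.1),
        # 8. inbound to a high UDP port (WireGuard on 51820): no state needed
        Packet("in", "udp", remote, LAN_HOST, 51820, 51820, ts=2.2),
        # 9. another NTP reply a minute later: state has expired
        Packet("in", "udp", NTP_SERVER, LAN_HOST, 123, 123, ts=65.0),
        # 10. ICMPv6 and SCTP are untouched by the port rules
        Packet("in", "icmpv6", remote, LAN_HOST, ts=3.0),
        Packet("in", "sctp", remote, LAN_HOST, 40003, 22, ts=3.1),
    ]
    return [f.decide(p) for p in pkts]


if __name__ == "__main__":
    for i, verdict in enumerate(run_scenario(), 1):
        print(f"packet {i}: {verdict}")
```

Packets 3 and 4 are the ones to look at: checking SYN-without-ACK rather than SYN alone is what keeps LAN-originated connections with low source ports working without a TCP state table, and the price is that a bare ACK to a closed low port is not filtered. Packet 9 shows why UDP cannot be done the same way: without a timestamped entry there is nothing to tie the reply to the earlier query.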


More information about the ipv6-ops mailing list