Default security functions on an IPv6 CPE

MarcoH - lists mch-v6ops at xs4all.nl
Sat May 7 14:19:31 CEST 2011


On 5 May 2011, at 16:21, <Guillaume.Leclanche at swisscom.com> wrote:

> Hello,
> 
> As a service provider, we deliver CPEs to our broadband customers as part of the service. We're currently enabling v6 on our network, and before going into production we have an open question regarding security that we're not able to answer internally, so let's check the community:
> 
> ** An SP delivers the CPEs with a stateful IPv6 firewall providing the same security features as an IPv4 NAPT; should it be turned ON or OFF by default?


Just to add some statistics to this discussion. We are currently running a survey on IPv6-capable home devices; the results so far (94 responses) indicate that most devices have firewall (or packet filter) capabilities.

- On the question whether the system supports firewall or filtering?

	Yes					86%
	No					10%
	Don't know or n/a		4%

- Is this system turned on by default?

	Yes					45%
	No					39%
	Don't know			11%
	n/a					5%

- Does the system allow you to configure these filters?

	Yes					79%
	No					13%
	Don't know			3%
	n/a					5%

(Note some of these users are reporting a system which is 'locked down' by their ISP)

Further, 20% of the users indicate they can't insert subnet-specific rules; 63% say they can. Regarding host-specific filters, these are 74% against 12% who say it's impossible. Protocol-specific filters can be set by 79% of the users.

Overall rating they give to the firewall part of the device:

	Very poor		7%
	Poor			7%
	Fair				20%
	Good			32%
	Excellent		32%

On the vendor side of things these answers include all the major consumer brands (AVM, D-Link, Apple, Netgear) as well as more upmarket devices such as Juniper Netscreen and Cisco 8xx series. 20% of the users report Cisco; AVM, D-Link and Apple are at 8 ~ 10% each, so these in total make up half the survey. Some users indicate they run homemade devices based on Linux/BSD.

For more info and a link to the survey please have a look at http://labs.ripe.net/Members/marco/ipv6-cpe-survey-please-participate

Grtx,

MarcoH

-- 
"Good tests kill flawed theories; we remain alive to guess again"


