Default security functions on an IPv6 CPE
remi.despres at free.fr
Wed May 11 19:05:12 CEST 2011
Le 6 mai 2011 à 16:24, <Guillaume.Leclanche at swisscom.com> <Guillaume.Leclanche at swisscom.com> a écrit :
>> My suggestion is to deliver it with firewall on to disallow incoming
>> connections to low (<1024) TCP/UDP ports, allow high ones. Most of the
>> services people leave on by accident live on the old privileged unix
>> under 1024.
> Thank you all for your answers. The debate reflects almost exactly the arguments we have internally :)
> I like this suggestion from Mike, I believe it sounds like a reasonable compromise.
> What do you all think about the proposal ? (keep in mind we're talking here only about the default configuration !)
I don't think there is, on this subject, a need to compromise .
- Hosts that have IPv6 enabled having also their internal firewalls enabled, the practical danger of CPE transparency to IPv6 is inexistent in unmanaged residential sites.
- Now, grandma's CPE should be plug and play, including when some applications start taking advantage of the e2e transparency IPv6 has restored.
In my understanding, residential CPE's should be left transparent to IPv6 by default.
More information about the ipv6-ops