Default security functions on an IPv6 CPE

Jon Bane jon at nnbfn.net
Wed May 11 23:29:41 CEST 2011


> - Hosts that have IPv6 enabled having also their internal firewalls enabled, the practical danger of CPE transparency to IPv6 is inexistent in unmanaged residential sites.

I really do not understand this conclusion.  Vista/Win7 do have
firewalls enabled by default, but the first time the machine detects
it is connected to a new network it asks what kind of network you are
on.  The options being Public, Home or Work.  If the user chooses
"Home" the firewall is effectively disabled as all of the SMB/NBT
ports are opened up, as well as several ports for media sharing.
Ubuntu does not have the firewall turned on by default and OS X
doesn't either.  Arguably, they aren't the concern.

So, while all of the modern and most prevalent OSes do have firewalls,
they are either disabled or are likely to be opened up by default.

> - Now, grandma's CPE should be plug and play, including when some applications start taking advantage of the e2e transparency IPv6 has restored.

Transparency can be achieved easily with the use of the UPnP IGD v6
firewall spec.  While many on this list probably groan at this idea,
UPnP is already integrated into just about every home device and is
the mechanism used to create the little e2e transparency we have
today.  It is already the norm for how the masses get ports opened and
forwarded in the v4 world.


e2e is an ideal state.  It is also a blue skies kind of desire.
Exposing your average end user to the internet at large will only
invite the resurgence of the easy, direct attacks.  Phishing is a lot
more complicated than pointing metasploit at an IP.  For those arguing
that a host will be in a sea of billions of addresses in a /64, it is
trivial to harvest valid addresses by simply pulling logs from a
website.   If those IPs are unprotected at the gateway, it falls on
the user to react appropriately and we know that for the most part they
will not.

-Jon
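The address-harvesting point above (valid IPv6 client addresses fall out of ordinary web server logs, so the size of a /64 is no protection) as an added example, not code from the original post or from anyone on the list. The log lines are constructed, use the 2001:db8::/32 documentation prefix, and are in Apache "combined" format; the script pulls the client address from each line, keeps only addresses that are reachable from the internet (skipping IPv4, link-local, loopback, multicast, unspecified and ULA entries), groups them by /64, and flags interface identifiers that look EUI-64 derived, since those embed a MAC address and are even more predictable than random ones.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Apache "combined" log format (not real traffic).
# Addresses are from the 2001:db8::/32 documentation prefix.
SAMPLE_LOG = """\
2001:db8:1:2:3a5e:c0ff:fe12:3456 - - [11/May/2011:22:10:01 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:1:2:90ab:cdef:1234:5678 - - [11/May/2011:22:10:07 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:1:2:3a5e:c0ff:fe12:3456 - - [11/May/2011:22:11:30 +0200] "GET /logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
2001:db8:abcd:9::1 - - [11/May/2011:22:12:44 +0200] "GET / HTTP/1.1" 304 0 "-" "curl/7.21"
fe80::1 - - [11/May/2011:22:13:00 +0200] "GET / HTTP/1.1" 200 5120 "-" "test"
fd00:1::5 - - [11/May/2011:22:13:02 +0200] "GET / HTTP/1.1" 200 5120 "-" "test"
::1 - - [11/May/2011:22:13:05 +0200] "GET /server-status HTTP/1.1" 200 2048 "-" "monitor"
192.0.2.10 - - [11/May/2011:22:14:19 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# The client address is the first whitespace-delimited field of each line.
CLIENT_FIELD = re.compile(r"^(\S+)\s")

# Unique local addresses (RFC 4193) are not routed on the public internet.
ULA = ipaddress.ip_network("fc00::/7")


def is_internet_reachable(addr):
    """True for an IPv6 address an outside attacker could plausibly reach.

    Documentation space (2001:db8::/32) is deliberately NOT excluded here,
    because the constructed sample uses it in place of real global prefixes.
    """
    if addr.version != 6:
        return False
    if (addr.is_link_local or addr.is_loopback or addr.is_multicast
            or addr.is_unspecified or addr.is_site_local):
        return False
    if addr in ULA:
        return False
    return True


def harvest_ipv6(log_text):
    """Return sorted, de-duplicated reachable IPv6 client addresses from log text."""
    found = set()
    for line in log_text.splitlines():
        m = CLIENT_FIELD.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed field, not an address
        if is_internet_reachable(addr):
            found.add(addr)
    return sorted(found, key=int)


def group_by_prefix(addrs, prefixlen=64):
    """Map each /prefixlen network to the harvested hosts seen inside it."""
    groups = defaultdict(list)
    for a in addrs:
        net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        groups[net].append(a)
    return dict(groups)


def looks_like_eui64(addr):
    """True if the interface identifier carries the 0xFFFE marker of a
    modified EUI-64 (MAC-derived) address: bytes 3 and 4 of the low 64 bits."""
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    hosts = harvest_ipv6(SAMPLE_LOG)
    for net, members in sorted(group_by_prefix(hosts).items(), key=lambda kv: int(kv[0].network_address)):
        print(f"{net}: {len(members)} host(s)")
        for h in members:
            tag = "EUI-64 (MAC-derived)" if looks_like_eui64(h) else "non-EUI-64 identifier"
            print(f"  {h}  [{tag}]")
```

Run against a real access log instead of SAMPLE_LOG and the output is exactly the target list the post describes: one entry per reachable host, already sorted into the /64s it shares with its neighbours, with no scanning required.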


