Default security functions on an IPv6 CPE

Mark Smith nanog at
Thu May 12 00:06:12 CEST 2011

On Wed, 11 May 2011 17:29:41 -0400
Jon Bane <jon at> wrote:

> > - Hosts that have IPv6 enabled having also their internal firewalls enabled, the practical danger of CPE transparency to IPv6 is nonexistent in unmanaged residential sites.
> I really do not understand this conclusion.  Vista/Win7 do have
> firewalls enabled by default, but the first time the machine detects
> it is connected to a new network it asks what kind of network you are
> on.  The options being Public, Home or Work.  If the user chooses
> "Home" the firewall is effectively disabled as all of the SMB/NBT
> ports are opened up, as well as several ports for media sharing.

Fundamentally you're stating that users of computers are so stupid that
they can't tell the difference between their home and somewhere that
isn't their home. If that is the case, then their computer's security
is likely to be one of their lesser problems - they're also probably
not competent to cross the road by themselves.

> Ubuntu, does not have the firewall turned on by default and OS X
> doesn't either.  Arguably, they aren't the concern.
> So, while all of the modern and most prevalent OSes do have firewalls,
> they are either disabled or are likely to be opened up by default.

Fundamentally you're stating that Ubuntu and Mac OS X should
never be plugged into the Internet in their default configuration
because their firewalls are "either disabled or are likely to be opened
up by default." Have you actually tested this hypothesis? 

Last time I ran Ubuntu, about 7 or more years ago, out of
the box any daemons only listened on So it doesn't need "a
firewall", because there is nothing facing the network. I'd be highly
surprised if things are functionally any different today. 

> > - Now, grandma's CPE should be plug and play, including when some applications start taking advantage of the e2e transparency IPv6 has restored.
> Transparency can be achieved easily with the use of the UPnP IGD v6
> firewall spec.  While many on this list probably groan at this idea,
> UPnP is already integrated into just about every home device and is
> the mechanism used to create the little e2e transparency we have
> today.  It is already the norm for how the masses get ports opened and
> forwarded in the v4 world.

What if the user installs an application that opens up all the ports
via UPnP IGD v6? Perhaps carriers should step in and stop people
installing and running applications on their own computers because they
might run malicious ones.

> e2e is an ideal state.  It is also a blue skies kind of desire.
> Exposing your average end user to the internet at large will only
> invite the resurgence of the easy, direct attacks.

That horse has already bolted. They're doing it themselves with 3G,
tethering, wifi hotspots etc.

>  Phishing is a lot
> more complicated than pointing metasploit at an IP. 
> For those arguing
> that a host will be in a sea of billions of addresses in a /64, it is
> trivial to harvest valid addresses by simply pulling logs from a
> website.   If those IPs are unprotected at the gateway, it falls on
> the user to react appropriately and we know that for the most part they
> will not.
> -Jon

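Jon's point that a /64 is no hiding place because a web server's access log hands out valid client addresses is easy to check. The script below is an added example, not code from either poster or from the ipv6-ops list; it parses constructed Apache/nginx combined-format log lines (documentation prefix 2001:db8::/32, invented hosts), collects the distinct IPv6 clients and buckets them by their /64, which is what an attacker would do to turn "a sea of addresses" into a short list of live hosts behind one CPE.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of combined-format access-log lines (not real traffic).
# Two hosts share one /64, one host sits in a different /64, plus IPv4 and junk.
SAMPLE_LOG = """\
2001:db8:1234:5678:3a2c:4ff:fe12:9abc - - [11/May/2011:17:29:41 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:1234:5678:4d1e:7aff:fe01:2345 - - [11/May/2011:17:30:02 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [11/May/2011:17:30:15 -0400] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.21"
2001:db8:1234:5678:3a2c:4ff:fe12:9abc - - [11/May/2011:17:31:00 -0400] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
2001:db8:abcd:1::50 - - [11/May/2011:17:32:10 -0400] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
not-an-address - - [11/May/2011:17:33:00 -0400] "GET / HTTP/1.1" 400 0 "-" "-"
"""

# In the combined log format the client address is the first whitespace-delimited field.
CLIENT_FIELD = re.compile(r"^(\S+)\s")


def harvest_ipv6(log_text):
    """Return the set of distinct IPv6 client addresses seen in the log."""
    found = set()
    for line in log_text.splitlines():
        m = CLIENT_FIELD.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed or non-address field: skip it
        if addr.version == 6:
            found.add(addr)
    return found


def group_by_prefix(addresses, prefixlen=64):
    """Bucket addresses by their enclosing /prefixlen (a residential delegation is typically a /64)."""
    groups = defaultdict(set)
    for addr in addresses:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        groups[net].add(addr)
    return dict(groups)


def hosts_in(log_text, prefix):
    """Distinct IPv6 hosts from the log that fall inside `prefix`, e.g. one customer's /64."""
    net = ipaddress.ip_network(prefix)
    return sorted(a for a in harvest_ipv6(log_text) if a in net)


def report(log_text):
    """One line per /64 with the number of distinct hosts the log exposed for it."""
    grouped = group_by_prefix(harvest_ipv6(log_text))
    return [f"{net}: {len(hosts)} host(s)" for net, hosts in sorted(grouped.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print(hosts_in(SAMPLE_LOG, "2001:db8:1234:5678::/64"))
```

Run against a real log the same code gives an attacker (or a defender doing the same exercise) the live host list per customer prefix, which is the list a scan would otherwise have to brute-force out of 2^64 candidates.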
More information about the ipv6-ops mailing list