Default security functions on an IPv6 CPE

Ted Mittelstaedt tedm at
Thu May 12 11:14:24 CEST 2011

On 5/12/2011 1:54 AM, Mikael Abrahamsson wrote:
> On Thu, 12 May 2011, Ted Mittelstaedt wrote:
> We had an argument here at the office regarding firewall in CPE, and my
> opinion was that since UPNPv6 isn't really supported anywhere, IPv6 with
> deny new sessions might even be worse in practice than NAT44 with UPNP.
> It seems Windows 7 does support UPNPv6, but I have yet to locate
> information regarding support in shipping software for IPv6 enabled CPEs.
> So I would like to withdraw my recommendation before about low-ports
> closed but high-ports open. I now believe that it's better to have a
> permit ESTABLISHED firewall as default cpe behaviour, and let the
> clients request policy changes from the gateway if they want other
> behaviour.
> We have a social contract with users to have the CPE act the same way it
> did with NAT, because that's all users know. So for initial deployment
> the firewall in the CPE should act the same way the state machine in NAT
> does, but of course have UPNPv6 support so as programs get this, they
> will be able to interact with the FW.
> I realise this will limit deployment of true e2e applications,

I don't see why it would.  Any e2e application written with any
modicum of regard for the user is going to be done in such a way that
the "receiving" user will be requested whether or not they want to
receive incoming traffic from the other end.  When they indicate yes
then their client can issue a UPNPv6 request to the firewall.

The only e2e apps I can imagine that would benefit from truly
unrestricted access would be the fabled "enough to assign an IP address 
to your refrigerator" comeback to the joke "how many IP addresses are
in IPv6" type of applications.

And if I was ever daft enough to assign an IPv6 address to my
refrigerator I certainly would not want the dozen or so local grocery 
stores poking around in it uninvited looking at milk and orange juice 
levels for an opportunity to spam my inbox with reminders to go shopping
and e-coupons.

The biggest proponents of e2e apps I've ever read all seem to come
from marketing companies.  They must have wet dreams about IPv6 at
night, just thinking about all of the automobiles, refrigerators,
televisions, lawnmowers and god-knows-what-else that are gonna get
IP addresses assigned to them that are reachable from the Internet,
just so they can snoop around in our stuff without our permission.

With e2e they won't even have to go to the bother of calling us
during the dinner hour and asking us to take a "survey" so they
can stuff our mailbox with "offers".  They will just go ask our
car/tv/whatever-has-an-IP-address-on-it to rat our buying preferences
out to them.

You think I'm joking?  Yeah you probably think the ethernet jack on
your Blu-ray player is just for updates, too!!!  ;-)

> but I
> believe this is unfortunately needed.
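The default CPE behaviour proposed in the thread (drop new inbound sessions, permit replies to flows the inside host started, let a client ask the gateway for a pinhole) can be modelled as a small state machine. The following is an added illustration, not code from the thread or from any CPE vendor; the addresses, ports and the `request_pinhole` call are constructed for the example and are not a real UPNPv6 API.

```python
from dataclasses import dataclass, field

# Endpoint = (address, port); constructed sample values from 2001:db8::/32.
Endpoint = tuple


@dataclass
class CpeFirewall:
    """Stateful default policy modelled on the NAT44 session state machine."""
    established: set = field(default_factory=set)  # (proto, inside, outside)
    pinholes: set = field(default_factory=set)     # (proto, inside)

    def outbound(self, proto: str, inside: Endpoint, outside: Endpoint) -> str:
        """LAN -> WAN: always permitted, and the flow is recorded as state."""
        self.established.add((proto, inside, outside))
        return "ACCEPT"

    def inbound(self, proto: str, outside: Endpoint, inside: Endpoint) -> str:
        """WAN -> LAN: permitted only as a reply or through a requested pinhole."""
        if (proto, inside, outside) in self.established:
            return "ACCEPT"  # reply to a session the inside host opened
        if (proto, inside) in self.pinholes:
            return "ACCEPT"  # inside host explicitly asked to be reachable here
        return "DROP"        # unsolicited new session, like NAT44 with no mapping

    def request_pinhole(self, proto: str, inside: Endpoint) -> None:
        """Hypothetical UPNPv6-style request from a client on the LAN."""
        self.pinholes.add((proto, inside))


def demo() -> list:
    """Walk through the three cases the thread describes; returns the verdicts."""
    fw = CpeFirewall()
    pc = ("2001:db8:1::10", 51000)          # constructed LAN host
    web = ("2001:db8:2::80", 80)            # constructed remote web server
    peer = ("2001:db8:3::5", 6881)          # constructed remote e2e peer
    listener = ("2001:db8:1::10", 6881)     # LAN host's own listening port
    verdicts = [fw.inbound("tcp", web, pc)]            # DROP: nothing started it
    fw.outbound("tcp", pc, web)                        # host opens a session
    verdicts.append(fw.inbound("tcp", web, pc))        # ACCEPT: ESTABLISHED reply
    verdicts.append(fw.inbound("tcp", peer, listener)) # DROP: unsolicited e2e
    fw.request_pinhole("tcp", listener)                # client asks the gateway
    verdicts.append(fw.inbound("tcp", peer, listener)) # ACCEPT: pinhole opened
    return verdicts
```

A real CPE ruleset must additionally admit the ICMPv6 types IPv6 itself depends on (Neighbor Discovery, Packet Too Big), which this model leaves out.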

More information about the ipv6-ops mailing list