Default security functions on an IPv6 CPE

Rémi Després remi.despres at
Thu May 12 12:32:13 CEST 2011

Le 12 mai 2011 à 10:54, Mikael Abrahamsson a écrit :

> On Thu, 12 May 2011, Ted Mittelstaedt wrote:
> We had an argument here at the office regarding firewall in CPE, and my opinion was that since UNPNv6 isn't really supported anywhere, IPv6 with deny new sessions might even be worse in practice than NAT44 with UPNP. It seems Windows 7 does support UPNPv6, but I have yet to locate information regarding support in shipping software for IPv6 enabled CPEs.
> So I would like to withdraw my recommendation before about low-ports closed but high-ports open. I now believe that it's better to have a permit ESTABLISHED firewall as default cpe behaviour, and let the clients request policy changes from the gateway if they want other behaviour.

> We have a social contract with users to have the CPE act the same way it did with NAT, because that's all users know.

May I challenge this?
Ordinary users need plug-and-play and backward compatibility, nothing more.
They don't ask for NAT compatibility for the simple reason that they don't know what a NAT is. (User's of Free haven't asked for anything like it.)

Now, an ordinary customer whose laptop works at home may not work the same in his friend's home if this friend has a FW on by default.
Having to debug such a problem without a site manager in either site is IMHO to be avoided.


> So for initial deployment the firewall in the CPE should act the same way the state machine in NAT does, but of course have UPNPv6 support so as programs get this, they will be able to interact with the FW.
> I realise this will limit deployment of true e2e applications, but I believe this is unfortunately needed.
> -- 
> Mikael Abrahamsson    email: swmike at

More information about the ipv6-ops mailing list