Default security functions on an IPv6 CPE

Ted Mittelstaedt tedm at
Fri May 13 07:16:23 CEST 2011

On 5/12/2011 9:01 AM, Rémi Després wrote:
> Le 12 mai 2011 à 12:53, Ted Mittelstaedt a écrit :
>> On 5/12/2011 3:32 AM, Rémi Després wrote:
>>> Le 12 mai 2011 à 10:54, Mikael Abrahamsson a écrit :
>>>> On Thu, 12 May 2011, Ted Mittelstaedt wrote:
>>>> We had an argument here at the office regarding firewall in
>>>> CPE, and my opinion was that since UPNPv6 isn't really
>>>> supported anywhere, IPv6 with deny new sessions might even be
>>>> worse in practice than NAT44 with UPNP. It seems Windows 7 does
>>>> support UPNPv6, but I have yet to locate information regarding
>>>> support in shipping software for IPv6 enabled CPEs.
>>>> So I would like to withdraw my recommendation before about
>>>> low-ports closed but high-ports open. I now believe that it's
>>>> better to have a permit ESTABLISHED firewall as default cpe
>>>> behaviour, and let the clients request policy changes from the
>>>> gateway if they want other behaviour.
>>>> We have a social contract with users to have the CPE act the
>>>> same way it did with NAT, because that's all users know.
>>> May I challenge this? Ordinary users need plug-and-play and
>>> backward compatibility, nothing more. They don't ask for NAT
>>> compatibility for the simple reason that they don't know what a
>>> NAT is. (Users of Free haven't asked for anything like it.)
>>> Now, an ordinary customer whose laptop works at home may not work
>>> the same in his friend's home if this friend has a FW on by
>>> default. Having to debug such a problem without a site manager in
>>> either site is IMHO to be avoided.
>> I don't know how it is in your neck of the woods but here, the end
>> users call the ISP first.  Even if the problem isn't the ISP
> Exactly. Free had no problem with CPE's being transparent to IPv6.
> Breaking this transparency in sites where there is no competent site
> administrator, this is IMHO bound to create many hotline calls.
>> I estimate that 80% of our phone support time is wasted on
>> explaining to the customer that they have a virus, or their hard
>> drive is screwed, or whatever.
>> Back in 2002 I inserted a bit of doggerel code into our mailserver
>> that changed all instances of a period in any attachment filename
>> to a tilde.  That is all it did.
>> This increased our e-mail support call time about 20% for about a
>> month as people found that when they went to save an attachment
>> file that they couldn't open it, they had to rename it.
>> It decreased our virus-related support call time by about 60%.
>> Our typical virus-related support call lasted about 20 minutes,
>> half of it pretending to sympathize with the customer while they
>> railed against Microsoft for making a cruddy OS because they were
>> now going to have to pay lots of money to take the machine
>> somewhere and have it cleaned.
>> Our typical explain-about-the-tilde-thing call lasted about 5
>> minutes and usually the customer thanked us for watching out for
>> them after we got finished educating them about why clicking on a
>> file named isn't a good idea.
>> And after the customers learned about the tilde thing they never
>> called back.
>> After the customers got their virus-laden system put back together
>> they always called back to get configured again - and of course we
>> got to once again pretend to be interested in another 15 minute
>> tirade against Microsoft.
>> This is the reality of ISP support.
> No disagreement on what you have seen.
>> That is why ISPs aren't going to ship CPEs that are hanging wide
>> open.
> Remember that:
> - Free has successfully shipped for more than 3 years CPE's that are
>   fully transparent to IPv6 (of course without being "wide open" in
>   IPv4).
> - This discussion started with an ISP that hadn't decided yet.
>> The support calls from people unfamiliar with the technology are
>> always cheaper than the support calls from people unfamiliar with
>> the technology who have just been gunned.
> Again, that's my point. Many users of IPv6 will call hotlines when
> some applications that work in some homes don't work in some others.


> The ISP that gunned applications that take advantage of e2e address
> transparency in IPv6 may be surprised to be called, but the
> responsibility is its own.

The ISP will get called no matter what.

They will get called when the end user wants to open a hole in their
IPv6 firewall.

They will get called when the end user wants to make sure there are
no holes in their IPv6 firewall and close all of them.

Either way you set up the CPE, the ISP will get called.

But, the users who got an open IPv6 firewall and as a result got
their machine rooted, when their calls come in they will take a lot
more time and be much more costly.


> RD
