Default security functions on an IPv6 CPE

Jon Bane jon at
Fri May 13 15:31:23 CEST 2011

On Fri, May 13, 2011 at 3:21 AM, Mark Smith <msmith at> wrote:
> On 13/05/2011 4:34 PM, S.P.Zeidler wrote:
>>> Still think address scanning is going to be a useful technique under
>>> IPv6?
>> As has been mentioned in this thread, you do not need to scan addresses
>> when you can harvest active addresses from connects to a hacked webserver
>> or even from blog comments (and a million other places).
> So tell me how a host based firewall isn't going to prevent that attack,
> which therefore makes a CPE firewall absolutely necessary (which is the
> argument in question)?

It is pretty simple actually.  Look at how applications currently poke
holes in the host firewall.  They are simple allow statements with no
consideration for source.  Take a PC used for a year by a typical end
user and look at the types of ports/protocols/services that will be
wide open.  You have have multiple applications which were developed
with zero effort towards security and in many cases these will never
be patched.

A freshly installed OS 'might' be OK.  A PC that is used by the masses
will develop a larger attack area over time.

More information about the ipv6-ops mailing list