A challenge (was Re: Default security functions on an IPv6 CPE)
nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Wed May 18 14:13:17 CEST 2011
On Wed, 18 May 2011 11:57:25 +0200
Yann GAUTERON <yann at gauteron.me> wrote:
> 2011/5/5 Thomas Schäfer <thomas at cis.uni-muenchen.de>
> > Am 05.05.2011 16:21, schrieb Guillaume.Leclanche at swisscom.com:
> >> ** A SP deliver the CPEs with a stateful IPv6 firewall providing the
> >> same security features as an IPv4 NAPT, should it be turned ON or OFF
> >> by default ?
> > It means only traffic (answers) asked by the user is allowed.
> > I vote for ON.
> Consider that the vast majority of your end users will be unexperienced
Have you got a smart phone? Have you ever connected it to the
Internet where there wasn't likely to be an upstream network firewall
e.g. a public wifi access point? Did you check if your smartphone had a
firewall on it before you did so? If you didn't, then you've just been
as "unexperienced" as the users you're thinking you represent.
What saved your smartphone from being hacked?
> But leave the possibility to power users to configure the firewall as
> they want.
More information about the ipv6-ops