A challenge (was Re: Default security functions on an IPv6 CPE)

S.P.Zeidler spz at serpens.de
Thu May 19 08:24:02 CEST 2011

Thus wrote Mark Smith (nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org):

> The part of the threat model that people are using to justify IPv6 CPE
> firewalling is invalid, because it is based on the invalid assumptions
> that:
> o  IPv6's address space is the same size as IPv4's
> o  that inbound unsolicited address scanning is the most likely attack
> vector.

No. There are other ways to get at addresses but scanning, as has been
mentioned several times. I do not agree with Ted on just shutting down
inbound completely, but -this- is a strawman, and I dislike FUD.

spz at serpens.de (S.P.Zeidler)

