A challenge (was Re: Default security functions on an IPv6 CPE)

Mark Smith msmith at internode.com.au
Thu May 19 09:40:20 CEST 2011

On 19/05/2011 4:54 PM, Frank Bulk - iName.com wrote:
> And providing CPE that's totally unsecured lessens business risk?

I'm pretty sure this is not about whether or not the CPE is protecting 
itself, it is whether or not it passes traffic from the Internet towards 
the end-nodes behind it or not in an unrestricted manner. I'd interpret 
"totally" unsecured to mean that the CPE doesn't protect itself either. 
The CPE should protect itself - the CPE in this sense is a host, and is 
performing host based firewalling.


> Frank
> -----Original Message-----
> From: Mark Smith [mailto:msmith at internode.com.au]
> Sent: Wednesday, May 18, 2011 11:44 PM
> To: ipv6-ops at lists.cluenet.de; cb.list6 at gmail.com; Frank Bulk
> Subject: Re: A challenge (was Re: Default security functions on an IPv6 CPE)
> On 19/05/2011 2:03 PM, Cameron Byrne wrote:
>> On Wed, May 18, 2011 at 9:24 PM, Frank Bulk<fbulk at mypremieronline.com>
> wrote:
>>> The typical customer cares only about security when their computer
> becomes unusable because it's so infected with malware.  99.9% of SP
> customers won't care or remember if I tell them that host-based security is
> their responsibility when they use IPv6.  If anything, that's a deterrent to
> consumer adoption of IPv6.  Subscriber talks to friend, "My ISP tells me
> that I have to buy a new router to use this thing they call eye-pea-vee-6,
> but that I will have to take extra steps to secure my PC.  Seems like too
> much cost and work for me."
>>> As much as IPv6 gives us a less scannable address space and typically
> runs on Microsoft computers with a firewall, I'd rather keep my customers on
> the side of caution.  If they want to turn off their router's IPv6 firewall
> now or in the future, they're free to do so, but it was an active choice on
> their part making it their responsibility.
>> Slippery slope.  Host security is always the responsibility of the
>> subscriber, no?
>> If you are making security decisions for the subscriber, are you now
>> responsible when things go wrong?  Private data was exposed?
> +1
> Even if you disclaim that responsibility and state its limits when you
> chose to provide one limited component of the "security solution" , if a
> customer has a perception that you are taking complete responsibility,
> and they get breached, they can waste your time and money by taking you
> to court, encourage a class action against you etc. IOW, doing a small
> amount of limited security on your customers behalf creates an increased
> business risk.
>> CB
>>> Frank
>>> -----Original Message-----
>>> From: ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de
> [mailto:ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de] On Behalf Of
> Mark Smith
>>> Sent: Wednesday, May 18, 2011 4:50 PM
>>> To: Jon Bane
>>> Cc: ipv6-ops at lists.cluenet.de
>>> Subject: Re: A challenge (was Re: Default security functions on an IPv6
> CPE)
>>> <snip>
>>> That's debatable. The lack of recognition of the recognition of IPv6
>>> security can mean that people have been lax about it, making it a more
>>> interesting target.
>>> Even then, how is a IPv6 CPE firewall going to protect users when it is
>>> at home and they've got their laptop at the local cafe - both now and
>>> in 5 years time? If you tell your SP customers that you've enabled IPv6
>>> firewalling for them, isn't there a risk that they won't exactly
>>> understand what you're saying, and believe that they're protected where
>>> every they access the IPv6 Internet? While typical SP customers won't
>>> understand security measures, what they do, and where they apply, they
>>> are far more likely to understand if you tell them you're not providing
>>> them with any and that it is completely their responsibility.
>>> Regards,
>>> Mark.
>>>> -Jon

More information about the ipv6-ops mailing list