A challenge (was Re: Default security functions on an IPv6 CPE)

Mark Smith msmith at internode.com.au
Thu May 19 10:08:20 CEST 2011 

On 19/05/2011 5:15 PM, S.P.Zeidler wrote:
> Thus wrote Mark Smith (msmith at internode.com.au):
>
>> On 19/05/2011 3:54 PM, S.P.Zeidler wrote:
>>> Thus wrote Mark Smith (nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org):
>>>
>>>> The part of the threat model that people are using to justify IPv6 CPE
>>>> firewalling is invalid, because it is based on the invalid assumptions
>>>> that:
>>>>
>>>> o  IPv6's address space is the same size as IPv4's
>>> [...]
>>>> o  that inbound unsolicited address scanning is the most likely attack
>>>> vector.
>>>
>>> No. There are other ways to get at addresses but scanning, as has been
>>> mentioned several times.
>>
>> The original question was whether to enable a CPE firewall by
>> default. The discussion is therefore constrained to threats for
>> which a CPE firewall is a possible mitigation.
>
> So you are assuming that the ONLY thing a CPE firewall EVER could do is
> prevent an address scan?
>

I have for this discussion. The OP didn't specify what specific 
functions the CPE firewall function was performing, so I'll assume the 
common and least function case of no more than a stateful packet filter, 
with inbound to outbound traffic creating the packet filter state. 
That's the typical firewall functionality in common (and low end) 
IPv4/IPv6 CPE.

> Your argument "CPE firewalls / extra device firewalls are useless with
> IPv6 because you can't scan for addresses with IPv6" makes not a
> particular amount of sense, if you do admit that inside addresses may
> be known by other means.
>
> "address scanning" IMHO is entirely irrelevant to the discussion, and
> only serves to cloud the issues that actually -are- there.

Completely agree - address scanning is not a threat under IPv6 like it 
is under IPv4. So what are the threats under IPv6 (which may or may not 
be the same under IPv4), what mitigation are there for them, and as an 
SP, should you take responsibility for implementing them and maintaining 
them? If you choose to take on that responsibility, what are the 
possible negative consequences you might suffer from as an SP should 
there be a security breach of one or more customers?

  Not all of
> your points are bad, but this one is.
>


Regards,
Mark.

More information about the ipv6-ops mailing list