A challenge (was Re: Default security functions on an IPv6 CPE)

Andrew Yourtchenko ayourtch at gmail.com
Thu May 19 11:47:47 CEST 2011

On Thu, May 19, 2011 at 10:12 AM, Mark Smith <msmith at internode.com.au> wrote:
> On 19/05/2011 5:36 PM, Frank Bulk - iName.com wrote:
>> If the end-user's IPv6 address is known, a CPE with a firewall is an
>> effective means against unsolicited connection attempts.
> Yet no more effective than the firewall residing on the end-host, and
> potentially less - the end-host knows what applications it is running, so it
> can make more informed decisions about what it's firewall will allow to pass
> or not.

Taking a look at the vectors mentioned here:


If the info in the above article is correct, for me it puts the
security value of blocking the ports at this point in time somewhere
between the value of having to take off the shoes at the airport
checkpoints and the value of the restriction on bringing liquids
within the hand luggage.

It *certainly* covers plausible (and used in the past) attack
scenarios, makes everyone feel better (because they've done something
to help!), and is easy to do.


> Regards,
> Mark.
>> Frank
>> -----Original Message-----
>> From: ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de
>> [mailto:ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de] On Behalf Of
>> Mark Smith
>> Sent: Thursday, May 19, 2011 2:17 AM
>> To: ipv6-ops at lists.cluenet.de
>> Subject: Re: A challenge (was Re: Default security functions on an IPv6
>> CPE)
>> <snip>
>> The original question was whether to enable a CPE firewall by default.
>> The discussion is therefore constrained to threats for which a CPE
>> firewall is a possible mitigation. As a CPE firewall is not effective
>> mitigations against those other threats, those other threats are
>> irrelevant to the discussion as to whether to enable a CPE firewall by
>> default or not.
>> If people want to expand the scope of the discussion to other threats,
>> then by all means do so. That is the only way to be sure that all
>> threats have been considered and mitigated, if necessary, by appropriate
>> security measures.
>>> I do not agree with Ted on just shutting down
>>> inbound completely, but -this- is a strawman, and I dislike fud.
>> So they can correct me on their assumptions if they're different to what
>> I stated.
>> FUD is not realising that Internet security landscape has changed in the
>> last 10 years, and believing that the threats to IPv6 are both  exactly
>> the same types and likelihoods as those to IPv4.
>> Regards,
>> Mark.

More information about the ipv6-ops mailing list