A challenge (was Re: Default security functions on an IPv6 CPE)
Brian E Carpenter
brian.e.carpenter at gmail.com
Thu May 19 22:36:09 CEST 2011
On 2011-05-19 16:27, Frank Bulk wrote:
> The typical customer cares only about security when their computer becomes
> unusable because it's so infected with malware. 99.9% of SP customers won't
> care or remember if I tell them that host-based security is their
> responsibility when they use IPv6. If anything, that's a deterrent to
> consumer adoption of IPv6. Subscriber talks to friend, "My ISP tells me
> that I have to buy a new router to use this thing they call eye-pea-vee-6,
> but that I will have to take extra steps to secure my PC. Seems like too
> much cost and work for me."
>
> As much as IPv6 gives us a less scannable address space and typically runs
> on Microsoft computers with a firewall, I'd rather keep my customers on the
> side of caution. If they want to turn off their router's IPv6 firewall now
> or in the future, they're free to do so, but it was an active choice on
> their part making it their responsibility.
Why are we even discussing this? It's a policy decision for each vendor
and each provider. The arguments are different in different legal, political
and social environments, and they are not specific to IPv6.
There are of course recommended defaults in RFC 6092 and more coming
in draft-ietf-v6ops-ipv6-cpe-router-bis.
Hopefully every provider states what they are doing, as per RFC 4084.
Brian
More information about the ipv6-ops
mailing list