A challenge (was Re: Default security functions on an IPv6 CPE)

Guillaume.Leclanche at swisscom.com
Fri May 20 10:48:33 CEST 2011


> Why are we even discussing this? It's a policy decision for each vendor
> and each provider. The arguments are different in different legal,
> political and social environments, and they are not specific to IPv6.

The reason for my initial request was that we couldn't agree internally. We have no legal obligation to provide any kind of security for forwarded packets on the CPE. But we want to get it right, and one of the ways to do so is to take the pulse of the community. Since this thread started, I have read all the advice and religiously written down the arguments. It has become clear that the initial question was in fact way too simple and that the correct answer is, as usual, somewhere in the middle.

The solution I will be proposing to my colleagues (as a DEFAULT behaviour) will therefore be a port-by-port policy, depending on whether the well-known service running behind the port is supposed to be open on the LAN only (ntp and netbios are good examples here) or clearly has to be reachable from anywhere (IPsec has rightfully been mentioned in the thread). In case of doubt, I bet we'll consider it as LAN and be conservative (DNS, SSH, FTP for example).

Once we have a meaningful policy, we'll document it and share it so that others can use it.

Please keep debating :)

Guillaume
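
Added example, not part of the original message: a sketch of the port-by-port default described above, using only the services the message names. The interface name `wan0`, the handling of unlisted ports (a parameter here, since the message does not state it) and the nftables rendering are assumptions; replies to flows opened from the LAN are accepted first so that LAN-only services such as NTP keep working for LAN clients.

```python
# Added illustration (not Swisscom's policy). Services are only the examples
# named in the message; port numbers are the IANA well-known assignments.
LAN_ONLY, ANYWHERE = "drop", "accept"   # verdict for NEW flows arriving from the WAN

# (l4 protocol, destination port; None for protocols without ports) -> verdict
POLICY = {
    ("udp", 123): LAN_ONLY,    # ntp
    ("udp", 137): LAN_ONLY,    # netbios-ns
    ("udp", 138): LAN_ONLY,    # netbios-dgm
    ("tcp", 139): LAN_ONLY,    # netbios-ssn
    ("udp", 500): ANYWHERE,    # IPsec key exchange (IKE)
    ("esp", None): ANYWHERE,   # IPsec ESP, IP protocol 50
    # "In case of doubt" services, treated conservatively as LAN-only:
    ("udp", 53): LAN_ONLY,     # dns
    ("tcp", 53): LAN_ONLY,     # dns
    ("tcp", 22): LAN_ONLY,     # ssh
    ("tcp", 21): LAN_ONLY,     # ftp control
}

def decide(proto, dport, established=False, unlisted=LAN_ONLY):
    """Verdict for a packet forwarded from the WAN towards the LAN."""
    if established:            # reply to a flow a LAN host opened itself
        return "accept"
    # Only TCP and UDP carry ports; other protocols are keyed on None.
    key = (proto, dport if proto in ("tcp", "udp") else None)
    return POLICY.get(key, unlisted)   # 'unlisted' is an assumed parameter

def nft_rules(wan_if="wan0", unlisted=LAN_ONLY):
    """Render the policy as nftables rules for an ip6 forward chain.

    Covers the WAN-to-LAN direction only; wan_if is a hypothetical name.
    """
    rules = ["ct state established,related accept"]
    for (proto, port), verdict in POLICY.items():
        match = f"meta l4proto {proto}" if port is None else f"{proto} dport {port}"
        rules.append(f'iifname "{wan_if}" {match} {verdict}')
    rules.append(f'iifname "{wan_if}" {unlisted}')   # everything the table omits
    return rules

if __name__ == "__main__":
    print("\n".join(nft_rules()))
```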


More information about the ipv6-ops mailing list