A challenge (was Re: Default security functions on an IPv6 CPE)

Mark Smith nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Fri May 20 17:19:26 CEST 2011


On Fri, 20 May 2011 08:48:33 +0000
<Guillaume.Leclanche at swisscom.com> wrote:

> > Why are we even discussing this? It's a policy decision for each vendor
> > and each provider. The arguments are different in different legal,
> > political
> > and social environments, and they are not specific to IPv6.
> 
> The reason for my initial request here was that we couldn't agree internally. We have no legal obligation to provide any kind of security for forwarded packets on the CPE. But we want to get it right, and one of the ways to do so is to take the pulse of the community. Since this thread started, I have read all the advice and religiously written down the arguments. It has become clear that the initial question was in fact way too simple and that the correct answer is, as usual, somewhere in the middle.
> 
> The solution I will be proposing to my colleagues (as a DEFAULT behaviour) will therefore be a port-by-port policy, depending on whether the well-known service running behind the port is supposed to be open on the LAN only (ntp and netbios are good examples here) or clearly has to be reachable from anywhere (IPsec has rightfully been mentioned in the thread). If there is any doubt, I bet we'll treat it as LAN-only and be conservative (DNS, SSH, FTP for example).
> 

Just make sure you don't get in the way of what your customers are
trying to achieve with their Internet connection.

> Once we have a meaningful policy, we'll document it and share it so that others can use it.
> 
> Please keep debating :)
> 
> Guillaume
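For readers who want to see what the port-by-port default sketched above looks like on a Linux-based CPE, here is an added nftables example; it is not from the thread or from any vendor's firmware, and the interface names wan0 and lan0 are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not part of the original thread: forward-path rules for an
# IPv6 CPE that implement the port-by-port default described in the mail.
# "wan0" (Internet side) and "lan0" (customer side) are assumed names.
table ip6 cpe_forward {
    chain forward {
        # Per-port policy: unlisted ports fall through to the chain policy.
        type filter hook forward priority filter; policy accept;

        # Replies to flows the customer started are never blocked.
        ct state established,related accept

        # Only unsolicited Internet -> LAN traffic is examined below.
        iifname != "wan0" accept
        oifname != "lan0" accept

        # ICMPv6 needed for PMTUD and reachability (RFC 4890); listed
        # explicitly so it survives if the chain policy is later set to drop.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # Clearly Internet-facing: IPsec (IKE, IKE NAT-T, ESP) passes through.
        udp dport { 500, 4500 } accept
        meta l4proto esp accept

        # LAN-only services: drop unsolicited inbound.
        udp dport 123 drop                       # NTP
        tcp dport { 137, 138, 139, 445 } drop    # NetBIOS / SMB
        udp dport { 137, 138 } drop              # NetBIOS name/datagram

        # Doubtful cases, treated conservatively as LAN-only.
        tcp dport { 21, 22, 53 } drop            # FTP, SSH, DNS
        udp dport 53 drop                        # DNS
    }
}
```

Load with `nft -f` and check with `nft list table ip6 cpe_forward`; a customer who wants, say, SSH reachable from outside only needs a single `accept` rule placed above the corresponding drop.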


