A challenge (was Re: Default security functions on an IPv6 CPE)

S.P.Zeidler spz at serpens.de
Fri May 20 18:14:41 CEST 2011

Thus wrote Mark Smith (nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org):

> On Fri, 20 May 2011 17:31:18 +0200
> "S.P.Zeidler" <spz at serpens.de> wrote:
> > Thus wrote Mark Smith (nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org):
> > 
> > > Just make sure you don't get in the way of what your customers are
> > > trying to achieve with their Internet connection.
> > 
> > I think noone proposed to put filter rules on a device that could not be
> > changed. All we are discussing is a sane initial config.
> > 
> A default the customer isn't expecting, and that an application has to

Imagine that the box the router came in had "security filters enabled, see
http://yourprovider/filterfaq on how to adjust to your needs" in neon green.
It should not come as a surprise.

> Customers just expect the applications they install on their
> end-nodes. If SPs put barriers in place to stop that, application
           ^to work?

> developers will actively spend time on working around those barriers.

They could f.e. write documentation? "Please change your personal
and CPE firewalls to allow packets on port N through".
The on-host firewall would not be worth a cent if it let any old virus
disable it in any way the software pleased, so you need to do something
there already. In contrast to NAT, in this case end users -can- change
what connectivity they get, and hopefully even easily and conveniently.

> Networked application developers have every incentive to work around
> constraints in the network layer - the more barriers an SP puts up, the
> harder the application developer will work to punch through them.

I disagree. Virus and malware programmers have that incentive. Honest
programmers have an incentive to write useful documentation, because the
user will want their product to work and can make it work without them
playing silly games.

spz at serpens.de (S.P.Zeidler)

More information about the ipv6-ops mailing list