A challenge (was Re: Default security functions on an IPv6 CPE)
Siegfried.Loeffler at technicolor.com
Mon May 23 11:13:21 CEST 2011
<Guillaume.Leclanche at swisscom.com> wrote:
> > Why are we even discussing this? It's a policy decision for each vendor
> > and each provider. The arguments are different in different legal,
> > political and social environments, and they are not specific to IPv6.
> The reason for my initial request was that we couldn't agree internally. We have no legal obligation to provide any kind of security for forwarded packets on the CPE. But we want to make it right, and one of the ways to do so is to take the pulse of the community. Since this thread started, I have read all the advice and religiously written down the arguments. It has become clear that the initial question was in fact way too simple and that the correct answer is, as usual, somewhere in the middle.
> The solution I will be proposing to my colleagues (as a DEFAULT behaviour) will therefore be a port-by-port policy, depending on whether the well-known service running behind this port is supposed to be open on the LAN only (NTP and NetBIOS are good examples here) or whether it clearly has to be reachable from anywhere (IPsec has rightfully been brought up in the thread). In case there's a doubt, I bet we'll consider it as LAN and be conservative (DNS, SSH, FTP for example).
Working for Technicolor, I am very interested in this discussion. We want to make sure that the gateway devices we are developing will fit your needs.
Our view so far is that:
1) We need to have "application aware" policies applicable for both IPv4 and IPv6.
(e.g. we think the end user should be able to define a rule to open the firewall for something like "incoming telnet connections" regardless of whether IPv4 or IPv6 will be used.)
2) In addition there will be a need to define "IPv6 specific policies", for example for controlling IPv6 specific applications (router advertisements etc.)
> Once we have a meaningful policy, we'll document it and share it so that others can use it.
> Please keep debating :)
Such a document would be highly appreciated indeed.
In particular, what is your view on the GUI / web interface that end customers should get for controlling this?
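A worked example of the policy discussed above, added here and not part of the thread or of any vendor's firmware: a port-by-port policy table rendered as an nftables "inet" ruleset, so that one application-aware rule covers both IPv4 and IPv6, with a separate IPv6-specific rule for router advertisements. The interface names "wan" and "lan", the service list and its LAN/any scopes are assumptions for the example.

```python
# Added example (not from the thread): a port-per-port policy table rendered as
# an nftables "inet" ruleset, so one application-aware rule covers IPv4 and
# IPv6, plus IPv6-specific handling for router advertisements. Interface names
# "wan"/"lan", the service list and its scopes are assumptions.

# service -> (protocol, port, scope); "lan" = reachable from the LAN side only,
# "any" = must also be reachable from the WAN (IPsec/IKE is the thread's example).
POLICY = {
    "ntp": ("udp", 123, "lan"), "netbios": ("udp", 137, "lan"),
    "dns": ("udp", 53, "lan"), "ssh": ("tcp", 22, "lan"), "ftp": ("tcp", 21, "lan"),
    "ike": ("udp", 500, "any"), "ipsec-nat-t": ("udp", 4500, "any"),
}

def wan_open_ports(policy):
    """(proto, port) pairs the WAN may reach; anything else stays LAN-only."""
    return sorted((p, port) for p, port, scope in policy.values() if scope == "any")

def reachable_from_wan(policy, proto, port):
    """Conservative default: a port not explicitly scoped 'any' is LAN-only."""
    return (proto, port) in wan_open_ports(policy)

def render_ruleset(policy, wan="wan", lan="lan"):
    """Build the nft script text; the same rules apply to both IP versions."""
    fwd = [
        "    ct state established,related accept",
        f'    iifname "{lan}" accept',  # LAN-originated traffic goes out freely
        # ICMPv6 messages a dual-stack path needs (PMTUD, errors, ping)
        "    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,"
        " parameter-problem, echo-request } accept",
        f'    iifname "{wan}" ip protocol esp accept',   # IPsec payload, IPv4
        f'    iifname "{wan}" ip6 nexthdr esp accept',   # IPsec payload, IPv6
    ] + [f'    iifname "{wan}" {p} dport {port} accept' for p, port in wan_open_ports(policy)]
    inp = [
        "    ct state established,related accept",
        "    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept",
        # IPv6-specific policy: the CPE is the LAN's router, so it only honours
        # router advertisements arriving on the WAN side; RAs from LAN hosts are dropped
        f'    iifname "{wan}" icmpv6 type nd-router-advert accept',
        f'    iifname "{lan}" icmpv6 type nd-router-advert drop',
    ] + [f'    iifname "{lan}" {p} dport {port} accept'
         for p, port, scope in policy.values() if scope == "lan"]
    chain = lambda name, rules: [f"  chain {name} {{",
        f"    type filter hook {name} priority 0; policy drop;", *rules, "  }"]
    return "\n".join(["table inet cpe_fw {", *chain("forward", fwd), *chain("input", inp), "}"])

if __name__ == "__main__":
    print(render_ruleset(POLICY))
```

The generated text can be loaded with `nft -f`; the "any"/"lan" column is the single place where the per-port decision from the thread is recorded, and it applies to both address families at once.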