IPv6 Firewall on CPEs - Default on or off

Fernando Gont fernando at gont.com.ar
Sat Dec 1 05:48:21 CET 2012


On 11/26/2012 02:35 PM, Doug Barton wrote:
> 
> You've hit the nail right on the head here.
> 
> 1. Customers have the expectation that there will be "protection" at the
> router, even if they can't articulate what/why.
> 2. The fact that there is little/no exploitation of inbound v6 by
> attackers currently does not mean that there will not be any in the
> future. In fact, the opposite is true. As v6 deployments become more
> popular, with firewalls default off, that will become a more popular
> attack vector.
> 3. If v6 develops the reputation of being a security vulnerability it
> will be devastating to long-term deployment.
> 
> The answer to UPnP not supporting v6 properly is to fix it, not to
> pretend it isn't necessary.
> 
> I get that the v6 literati want to restore the end-to-end model, but
> that's not a goal that most customers share. Having the _ability_ to
> make/use direct connections is a good thing, and something that I
> believe customers will come to value once they have it. But enabling it
> by default is a bad idea.

So well said that I'll just say "+1". :-)

Also, as already noted by others, not all devices are mobile: Think
about Smart TVs, and others.

And, as a datapoint, IIRC Comcast enables a firewall at the border
router (and only allows "outgoing connections") by default -- mostly for
reasons 2-3 above.

Cheers,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1





More information about the ipv6-ops mailing list