IPv6 Firewall on CPEs - Default on or off

Shane Amante shane at castlepoint.net
Sat Dec 1 18:02:49 CET 2012 

Jumping in randomly to this thread.

I'd certainly advocate a default of a CPE-based FW being completely disabled/off as my primary recommendation, for all of the good reasons many people have articulated in other messages.

However, *if* you're obligated to implement *any* form of firewall capability in, say, a CPE router, etc., then I think you are /also/ obligated to implement whatever the appropriate protocol(s) are to allow hosts behind this firewall to request *inbound* pinholes be dynamically opened on that upstream FW.  I am not following those protocols closely, so others on this list should speak up, but this would mean the CPE firewall device must implement one, or more, of: NAT-PMP, UPNP-IGD and/or PCP.

-shane


On Nov 30, 2012, at 1:51 PM, Cameron Byrne <cb.list6 at gmail.com> wrote:
> 
> Sent from ipv6-only Android
> On Nov 30, 2012 2:50 AM, <Guillaume.Leclanche at swisscom.com> wrote:
> >
> > > I have my personal and clear opinion about the matter, which is off. To be
> > > able to uphold the true end to end connectivity it must obviously be off. I
> > > think the application firewall on the new OS's that support IPv6 are more
> > > than good enough, and a firewall in the CPE is redundant.
> > >
> > > However, the arguments against is that the customer is used to having a
> > > security layer on IPv4 in the CPE (NAT), and it would be bad to allow IPv6
> > > unprotected into the customers LAN.
> >
> > I have not read the whole thread, so somebody might have answered already.
> >
> > One year ago, we had the exact same problem (Swiss incumbent, 6rd). And we asked the exact same question on this list.
> >
> > We finally agreed with our CPE vendors to implement a 3 -level firewall for IPv6:
> > - off => no firewall at all -- except sanity filters from RFC
> > - low => a list of 60 well-known ports is blocked in incoming direction (things like ssh, telnet, remote desktop, vnc, etc.). Some are blocked both ways (mdns, dhcpv6, ipp, NetBIOS, SQL, etc.). Everything else is open both ways.
> > - high => All incoming new connections are blocked, firewall is stateful (simulated IPv4 NAT44 security)
> >
> > In addition, the firewall can be tuned as much as desired by the customer.
> >
> > You guessed it, default is "low", and it makes both marketing and engineering happy. We started the deployment one year ago and we have now almost 100'000 residential connections with IPv6 enabled, and counting. I've not heard of any complaints.
> >
> 
> I like your approach.  I think it is a solid balance of marketing cya and  technically sound stateless security controls at "low" that are default.
> 
> Great data point. Thanks for sharing.  Do you have details somewhere published of exactly what is covered in "low"
> 
> CB
> 
> > On the other hand, Free in France doesn't have any firewall and I don't think anybody complained either.
> >
> > Best regards,
> > Guillaume
> >
> >

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20121201/446de8f6/attachment.html

More information about the ipv6-ops mailing list