IPv6 Firewall on CPEs - Default on or off

Tore Anderson tore at fud.no
Tue Dec 4 13:58:39 CET 2012


* Martin Millnert

> On Tue, 2012-12-04 at 11:21 +0000, Benedikt Stockebrand wrote:
>> I like that analogy, but still it doesn't really hold at this point in
>> time.  Right now, people who don't understand any of the technese
>> we're writing here do have a certain expectation on how "their
>> Internet" works.  Give it another two years or so that expectation has
>> changed sufficiently to warrant an "all open" default setting, but
>> right now I'd consider that a bad move. 
> 
> I disagree with this.  Or rather, I see two completely different things:
> 
>  1) Customer keeps the same CPE and makes no changes themselves. Changing
> some feature can quite possibly cause customer feedback, but enabling
> IPv6 without a firewall may not be one of them.
> 
>  2) Customer gets a new CPE for some reason (new customer at ISP,
> changes CPE at same ISP):  Here there are very few expectations on
> "their" internet, because they just got a new one.
> 
> At least from Swedish expectations, where fixed ethernet to the home is
> very common, there is extremely little expectation among people that the
> outlet in the wall has some sort of firewall.

+1

> There may be a little bit more expectation that a "box" has some
> firewall, but this also implies the expectation on a firewall is coupled
> with a certain box. This is wide open for change now, especially with
> new customers.

The ISP I have at home, Get, gave me a CPE. A Cisco EPC3010, for what
it's worth. It contains no firewall, no NAT44, no "diode", no nothing.
Not for IPv4 nor for IPv6.

I'm betting that most ordinary users regard it simply as an "internet
box", just as the Swedish ETTH users regard their wall socket as the
"internet plug". If they have any expectation that their "internet box"
contains any firewall/NAT44/"diode" feature, they're quite simply dead wrong.

However, I'm pretty sure that most ordinary users have no expectation
that their "internet box" (or "internet plug") contains, or does not
contain, such a feature. They wouldn't know what a NAT44 or a "diode
firewall" even is. Their expectation is to get access to the internet,
and that's it.

So really, tying the question of whether or not the industry should
firewall IPv6 subscribers by default to the inclusion of a CPE in the
internet service makes no sense at all. There is no such connection in
the IPv4 world, so why should there be one in IPv6?

If, and only if, a certain ISP has historically supplied NAT44 or a
"diode" firewall by default to all its IPv4 subscribers (and it does not
matter one bit whether it was implemented in a CPE or elsewhere) does
it make some sense for that ISP to consider continuing this practice in
IPv6 for the sake of consistency, especially if it has been marketed as
a security feature rather than an address-sharing feature (or not at all).

-- 
Tore Anderson
