IPv6 Firewall on CPEs - Default on or off

Anfinsen, Ragnar Ragnar.Anfinsen at altibox.no
Wed Dec 5 01:09:14 CET 2012


On 04.12.12 13:58, "Tore Anderson" <tore at fud.no> wrote:


Sorry for not coming back earlier, but it is a very interesting discussion.

>* Martin Millnert
>
><snip>
>> There may be a little bit more expectation that a "box" has some
>> firewall, but this also implies the expectation on a firewall is coupled
>> with a certain box. This is wide open for change now, especially with
>> new customers.
>
><snip>
>If, and only if, a certain ISP has historically supplied NAT44 or a
>"diode" firewall by default to all its IPv4 subscribers (and it does not
>matter one bit whether it was implemented in a CPE or elsewhere), does
>it make some sense for that ISP to consider continuing this practice in
>IPv6 for the sake of consistency - especially if it has been marketed as
>a security feature, rather than an address sharing feature (or not at
>all).

We do supply the CPE to the customer, and it is marketed as a
firewall/port-forwarding unit. So basically we are marketing it as both a
security feature and an address sharing feature.

I have been thinking and discussing the topic internally as well, and we
are moving towards the solution Swisscom is using: Off, Low (default), On
(diode style), where Low is a set of well known ports to be blocked and
anything else is allowed. I think this gives the end user the necessary
security (as they have come to expect) while keeping the end-to-end
connectivity for all other ports.

The Low feature needs to be defined, but that is doable. Perhaps a draft
can be written and submitted to the IETF as an "IPv6 Security Best Practices
for Access Networks" as Cameron Byrne suggested.

/Ragnar
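The three modes Ragnar describes (Off, Low, On/diode) differ in how they treat unsolicited inbound traffic, and the difference is easiest to see as a small policy evaluator. The block below is an added illustration, not code from Altibox, Swisscom or anyone on the list. It assumes a single WAN/LAN split, a minimal connection-tracking table for the diode mode, and a placeholder port set for Low: the message says that set still needs to be defined, so the ports used here are an assumption, not the thread's proposal. ICMPv6 is allowed in every mode because IPv6 cannot function without Neighbor Discovery and Path MTU Discovery (RFC 4890 gives the per-type filtering guidance a real ruleset would apply).

```python
"""Toy model of the three CPE IPv6 firewall modes discussed in the thread.

Added illustration, not code from Altibox, Swisscom or the ipv6-ops list.
"""
from dataclasses import dataclass, field

OFF, LOW, ON = "off", "low", "on"

# ASSUMED placeholder for the "well known ports to be blocked" in Low mode.
# The thread does not define the set; these are illustrative LAN-only
# service ports an operator might start from when drafting it.
LOW_BLOCKED_TCP = {22, 23, 135, 139, 445, 3389}
LOW_BLOCKED_UDP = {137, 138, 445, 1900}


@dataclass(frozen=True)
class Packet:
    src: str            # IPv6 source address (constructed sample values below)
    dst: str            # IPv6 destination address
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    inbound: bool = True  # True = WAN -> LAN, False = LAN -> WAN


@dataclass
class CpeFirewall:
    mode: str
    # Connection-tracking table: flows initiated from the LAN side, keyed as
    # (lan_addr, wan_addr, proto, lan_port, wan_port) so that a reply can be
    # matched regardless of direction.
    flows: set = field(default_factory=set)

    def _key(self, pkt: Packet) -> tuple:
        if pkt.inbound:
            return (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    def decide(self, pkt: Packet) -> str:
        """Return "allow" or "deny" for one packet under the configured mode."""
        # ICMPv6 carries Neighbor Discovery and Packet Too Big; block it and
        # IPv6 breaks in every mode. A real ruleset filters by type (RFC 4890).
        if pkt.proto == "icmpv6":
            return "allow"
        if not pkt.inbound:
            # LAN-originated traffic is always allowed out; remember the flow
            # so the diode mode can let the replies back in.
            self.flows.add(self._key(pkt))
            return "allow"
        if self.mode == OFF:
            # No filtering at all: end-to-end reachability for every port.
            return "allow"
        if self.mode == LOW:
            # Unsolicited inbound is allowed except to the blocked port set.
            blocked = LOW_BLOCKED_TCP if pkt.proto == "tcp" else LOW_BLOCKED_UDP
            return "deny" if pkt.dport in blocked else "allow"
        if self.mode == ON:
            # Diode: inbound passes only if it belongs to a LAN-initiated flow.
            return "allow" if self._key(pkt) in self.flows else "deny"
        raise ValueError(f"unknown mode {self.mode!r}")


# Constructed sample addresses from the 2001:db8::/32 documentation prefix.
LAN_HOST = "2001:db8:1::10"
WAN_HOST = "2001:db8:ffff::1"


def sample_decisions(mode: str) -> dict:
    """Evaluate a fixed set of constructed packets under one mode."""
    fw = CpeFirewall(mode)
    unsolicited_smb = Packet(WAN_HOST, LAN_HOST, "tcp", 40000, 445)
    unsolicited_web = Packet(WAN_HOST, LAN_HOST, "tcp", 40000, 8080)
    outbound_https = Packet(LAN_HOST, WAN_HOST, "tcp", 50000, 443, inbound=False)
    https_reply = Packet(WAN_HOST, LAN_HOST, "tcp", 443, 50000)
    return {
        "unsolicited_smb": fw.decide(unsolicited_smb),
        "unsolicited_web": fw.decide(unsolicited_web),
        "outbound_https": fw.decide(outbound_https),
        "https_reply": fw.decide(https_reply),
        "icmpv6": fw.decide(Packet(WAN_HOST, LAN_HOST, "icmpv6")),
    }


if __name__ == "__main__":
    for mode in (OFF, LOW, ON):
        print(mode, sample_decisions(mode))
```

The point the model makes explicit: Low is a blocklist on unsolicited inbound traffic, so the "security" it provides is exactly the ports in the set and nothing more, while On (diode) inverts the default and admits inbound packets only as replies to LAN-initiated flows. Any port-forwarding feature layered on top of On would be a hole punched into that state table, which is the IPv6 equivalent of the NAT44 port forward customers are used to.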




More information about the ipv6-ops mailing list