IPv6 Firewall on CPEs - Default on or off

Benedikt Stockebrand me at benedikt-stockebrand.de
Wed Dec 5 12:48:49 CET 2012


Hi Martin and list,

Martin Millnert <martin at millnert.se> writes:

> On Tue, 2012-12-04 at 11:21 +0000, Benedikt Stockebrand wrote:
>> I like that analogy, but still it doesn't really hold at this point in
>> time.  Right now, people who don't understand any of the technese
>> we're writing here do have a certain expectation on how "their
>> Internet" works.  Give it another two years or so that expectation has
>> changed sufficiently to warrant an "all open" default setting, but
>> right now I'd consider that a bad move. 
>
> I disagree with this.  Or rather, I see two completely different things:
>
>  1)  Customer keeps same CPE and does no change themselves.  Changing
> some feature can quite possibly cause customer feedback, but enabling
> IPv6 without firewall may not be one of them.

as you explain further below you assume that customers don't have a
NAT/diode style functionality on their current IPv4 setup.  For
most of us, the situation is seriously different, and in these cases
the reaction I worry about is "you changed something, and because you
did you are responsible".

The easy way to solve this is to provide some sort of "opt in"
feature; if people want the extra functionality, then they can have
it, but it's on their own initiative and as such they are at least
somewhat more aware that they are assuming responsibility for that action.

>  2) Customer gets a new CPE for some reason (new customer at ISP,
> changes CPE at same ISP):  Here there are very few expectations on
> "their" internet, because they just got a new one.

That's right, basically for the very same reason, but with roles
swapped.  When consumers replace their CPE, or switch ISP, they assume
way more psychological responsibility for their action.

Actually, when dealing with new customers, then going without a
default diode configuration is actually an approach worth some
thought.

> At least from Swedish expectations, where fixed ethernet to the home is
> very common, there is extremely little expectation among people that the
> outlet in the wall has some sort of firewall.

In that case, your "usual" setup is significantly different from the
DSL (with NAT on the CPE, managed by the user) you commonly find here
in Germany and, as I understand Ragnar, in his particular setup.

Basically, my point is "don't spring any (ugly) surprises on your
customers".  If they don't expect you to provide them with some diode
configuration, or even full-blown firewalls (which you sometimes see
for small to medium business customers), then your reasoning is quite
correct.


Cheers,

    Benedikt

-- 
			 Business Grade IPv6
		    Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform.   http://www.benedikt-stockebrand.de/


