IPv6 Firewall on CPEs - Default on or off

Tore Anderson tore.anderson at redpill-linpro.com
Mon Nov 26 11:28:43 CET 2012

* Anfinsen, Ragnar

> We are preparing to roll IPv6 out to customers with the latest and
> greatest CPEs we supply, which is great.

Hooray! Can't wait to see my IPv6 graphs skyrocket. :-)

> However, our marketing guys have now started to question whether the
> IPv6 firewall function should be on or off by default. I know there
> are as many opinions as people on this list, but I am looking for
> arguments from both camps.
> I have my personal and clear opinion about the matter, which is off.
> To be able to uphold the true end to end connectivity it must
> obviously be off. I think the application firewall on the new OS's
> that support IPv6 are more than good enough, and a firewall in the
> CPE is redundant.
> However, the argument against is that the customer is used to having
> a security layer on IPv4 in the CPE (NAT), and it would be bad to
> allow IPv6 unprotected into the customer's LAN.

My personal opinion is to leave it default off.

Some of the reasons why I think there's no point or benefit in enabling
such a firewall in the first place:

- These days, people lug around their computing devices all the time,
connecting them indiscriminately to various public wireless networks and
so on. A NAT/FW function in their home CPE cannot possibly protect them
when they are not at home, so it's really pointless - the hosts need to
be able to protect themselves in any case.

- The operating systems that were notorious for being vulnerable to
worms and other traffic from the internet, simply do not support IPv6.
I'm thinking about stuff like Windows 95/98/ME here. The operating
systems that do actually support IPv6 and enable it by default, have
«grown up in the jungle» as Ole Trøan once put it, come with host-based
security, and have a generally distrusting view of the external network.

- By doing firewalling as a default service, you are implicitly taking
on responsibility for your users' IT security. Is that a responsibility
that you really want? How will you respond to complaints from users that
ended up infected in spite of your firewalling efforts? Since NAT44 is
primarily an address sharing mechanism, not a security mechanism, this
is not a responsibility you can be said to have had before.

- Several production deployments of IPv6 so far have not done any
firewalling, and as far as I've heard, this has not been problematic for
them. (Please correct me if I'm wrong.) I'm thinking of ISPs such as
Free, Kabel Deutschland, and Comcast here.

- The majority of attacks these days come through other channels than
direct inbound connections. E-mail, PDFs, MS Office documents, Java
vulnerabilities, Flash, phishing sites, WiFi sniffing, and the list goes
on and on. Firewalling in the CPE is likely about as effective a
protection as a single bag of sand in front of Fukushima would have been.

- The sparse address space in IPv6 makes the "flooding" type of worm
much more difficult to implement in an efficient manner. I'm not saying
it's impossible, and if you have a determined attacker specifically
targeting one of your customers it's certainly quite feasible, but I
believe it's much more likely that automated large-scale attacks will
continue to use other channels as described above. Also, a determined
attacker is probably not going to be very hindered by a CPE firewall anyway.

So all in all I think the actual security benefit of an IPv6 CPE
firewall amounts to snake oil. If you want to help your users out with
security, I think it would be much more efficient to partner up with
some security company and hand out free licences for personal firewall
and/or host-based firewall software.

Furthermore, there are also disadvantages with firewalling, as I'm sure
you're aware:

- Allowing for easy end-to-end connectivity helps innovation and growth
of new applications. For example, BitTorrent was such an amazing
protocol that it was a success *in spite* of the proliferation of NAT44,
it was certainly not helped by it. How many other inventions just died
because they could not cope with NAT44, and didn't happen to be quite as
awesome as BitTorrent, so that enough users didn't bother to jump
through the port-forwarding hoops to allow it to work?

- Your firewalling CPEs need to maintain state for all IPv6 flows. Ugh,
state. That's a performance killer. And you're doing fibre, no?

Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
