IPv6 Firewall on CPEs - Default on or off

Erik Kline ek at google.com
Mon Nov 26 11:29:22 CET 2012


> However, our marketing guys have now started to question whether the IPv6 firewall function should be on or off by default. I know there are as many opinions as people on this list, but I am looking for arguments from both camps.

I don't know how much luck you'll have in your internal discussions,
but if it helps perhaps you might refer them to the last paragraph of
section 5.2.4 of "Your Botnet is My Botnet: Analysis of a Botnet
Takeover":

    http://www.cs.ucsb.edu/~rgilbert/pubs/torpig_ccs09.pdf

They claim that about 78% of the botnet had RFC 1918 addresses [1].

Also, you might point out that so many devices are mobile these days
and any one of them is subject to a variety of unknown environments
each time they attach to a wifi hotspot or plug into a hotel LAN port
or...  Any infection in these environments can then trivially be
brought back home, so even the non-mobile nodes can subsequently be
attacked by an infected mobile node that has returned to the home
network.

Good luck,
-Erik

[1]  Quoting:

"""
The information provided in the Torpig headers also allows us
to estimate the impact of NAT, which is commonly used to enable shared
Internet access for an entire private network through
a single public access (masquerading). This technique reduces the
number of IPs observed at the C&C server, since all the infected
machines in the masqueraded network would count as one. By
looking at the IP addresses in the Torpig headers we are able to
determine that 144,236 (78.9%) of the infected machines were behind a
NAT, VPN, proxy, or firewall. We identified these hosts by
using the non-publicly routable IP addresses listed in RFC 1918:
10/8, 192.168/16, and 172.16-172.31/16. We observed 9,336 distinct
bots for 2,753 IP addresses from these infected machines on
private networks. Therefore, if the IP address count was used to
determine the number of hosts it would underestimate the infection
count by a factor of more than 3 times.
"""

