IPv6 Firewall on CPEs - Default on or off
mark at exonetric.com
Mon Nov 26 13:46:44 CET 2012
On 26 Nov 2012, at 12:33, Mark Townsley <mark at townsley.net> wrote:
> On Nov 26, 2012, at 1:23 PM, Mark Blackman wrote:
>> On 26 Nov 2012, at 09:02, "Anfinsen, Ragnar" <Ragnar.Anfinsen at altibox.no> wrote:
>>> Hi all.
>>> We are preparing to roll IPv6 out to customers with the latest and greatest CPEs we supply, which is great. We have chosen to use 6rd, due to lack of support in our access platform.
>>> However, our marketing guys have now started to question whether the IPv6 firewall function should be on or off by default. I know there are as many opinions as people on this list, but I am looking for arguments from both camps.
>>> I have my personal and clear opinion about the matter, which is off. To be able to uphold the true end-to-end connectivity it must obviously be off. I think the application firewalls on the new OSes that support IPv6 are more than good enough, and a firewall in the CPE is redundant.
>>> However, the argument against is that the customer is used to having a security layer on IPv4 in the CPE (NAT), and it would be bad to allow IPv6 unprotected into the customer's LAN.
>>> I would really appreciate any comments and thoughts.
>> I suggest default IPv6 packet filter is on for inbound IPv6 session initiation traffic,
>> but all outbound session initiation traffic should be permitted.
> That's even more strict than RFC 6092. e.g., RFC 6092 allows inbound IPsec (IKE) by default.
Ah yes, RFC 6092 looks like the best starting point for that CPE configuration. I had no idea there
was a nicely packaged RFC for it already.
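
The default discussed in this thread, sketched as an nftables forward-chain ruleset. This is an added example and not part of the original message; the use of nftables, the table name `cpe_filter` and the interface names `lan0` and `wan0` are assumptions.

```nftables
# Added example: IPv6 forwarding policy for a CPE.
# Assumptions: nftables runs on the CPE, "lan0" is the home LAN and
# "wan0" is the IPv6 uplink (with 6rd, the tunnel interface).
table ip6 cpe_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions opened from inside, plus ICMPv6 errors
        # tied to them (e.g. packet-too-big for path MTU discovery).
        ct state established,related accept
        ct state invalid drop

        # All outbound session initiation is permitted.
        iifname "lan0" oifname "wan0" accept

        # Inbound exceptions in the spirit of RFC 6092's defaults:
        # IKE and the ESP traffic it negotiates.
        # Delete these two rules to get the stricter policy proposed
        # in the thread (no inbound session initiation at all).
        iifname "wan0" oifname "lan0" udp dport 500 accept
        iifname "wan0" oifname "lan0" meta l4proto esp accept

        # Everything else arriving from the WAN falls through to
        # "policy drop".
    }
}
```

The file can be syntax-checked with `nft -c -f <file>` before loading it with `nft -f <file>`.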