IPv6 Firewall on CPEs - Default on or off

Eric Vyncke (evyncke) evyncke at cisco.com
Mon Nov 26 14:38:30 CET 2012


I should monitor this mailing list more often as I missed a fun discussion.

Yes, disable firewall for BOTH IPv4 and IPv6 (of course keep NAT44) as previously written the killing arguments IMHO are:
- hosts are mobile anyway and won't always be protected by your CPE
- malware comes over subscriber-initiated connections, so, a pure L3-L4 firewall is pretty useless (cfr Erik's referenced paper)
- only valid protection used by serious people is at least UTM (containing a basic malware detection based on signatures à la IPS or anti-virus -- cfr adv-security draft at the IETF)


> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
> bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Anfinsen, Ragnar
> Sent: lundi 26 novembre 2012 10:02
> To: ipv6-ops at lists.cluenet.de
> Subject: IPv6 Firewall on CPEs - Default on or off
> Hi all.
> We are preparing to roll IPv6 out to customers with the latest and greatest
> CPEs we supply, which is great. We have chosen to use 6rd, due to lack of
> support in our access platform.
> However, our marketing guys have now started to question whether the IPv6
> firewall function should be on or off by default. I know there are as many
> opinions as people on this list, but I am looking for arguments from both
> camps.
> I have my personal and clear opinion about the matter, which is off. To be
> able to uphold the true end to end connectivity it must obviously be off. I
> think the application firewall on the new OS's that support IPv6 are more
> than good enough, and a firewall in the CPE is redundant.
> However, the arguments against is that the customer is used to having a
> security layer on IPv4 in the CPE (NAT), and it would be bad to allow IPv6
> unprotected into the customers LAN.
> I would really appreciate any comments and thoughts.
> Best Regards
> Ragnar Anfinsen
> Senior Architect CPE
> IPv6 Architect
> Netinfrastructure
> Technology and Innovation
> Altibox AS

More information about the ipv6-ops mailing list