IPv6 Firewall on CPEs - Default on or off

Michael Adams madams at netcologne.de
Mon Nov 26 15:00:19 CET 2012

Hi Eric

Am 26.11.2012 14:38, schrieb Eric Vyncke (evyncke):

> Yes, disable firewall for BOTH IPv4 and IPv6 (of course keep NAT44) as previously written the killing arguments IMHO are:
> - hosts are mobile anyway and won't always be protected by your CPE

I disagree in some points. My desktop PC, my fridge and my TV aren't mobile.
And I'm not sure if I would like to have to configure host security on every device.
Even if possible. Ok, my fridge is not v6 capable right now :) The point is security
for a host and for a network are two different things. At least in my opinion.

I think (our) residential customers are expecting a CPE to do some kind of network
protection. Either by NAT or a firewall. Yes, NAT is not a firewall. But in customers'
minds it keeps things outside.

> - malware comes over subscriber-initiated connections, so, a pure L3-L4 firewall is pretty useless (cfr Erik's referenced paper)
> - only valid protection used by serious people is at least UTM (containing a basic malware detection based on signatures à la IPS or
> anti-virus -- cfr adv-security draft at the IETF)

In my opinion a CPE firewall is not a replacement for host security. One has to do
both if necessary.

So I would enable a v6 firewall by default where v4 NAT is enabled by default.
As far as I know this is what AVM CPEs are doing.
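The "firewall on where NAT is on" default that the message argues for, written out as an nftables ruleset. This is an added illustration, not a configuration from the thread, from AVM, or from any particular CPE vendor; the interface names (wan0, lan0) are assumptions. NAT44 is kept for IPv4, and IPv6 gets a stateful default-deny inbound filter that only admits return traffic for connections the subscriber's hosts initiated. The one thing such a default must not block is ICMPv6: neighbour discovery, router advertisements and path MTU discovery all depend on it (RFC 4890 lists the types that should pass), so they are whitelisted explicitly.

```nft
# Constructed CPE example: NAT44 for IPv4, stateful default-deny for IPv6.
# wan0 faces the ISP, lan0 faces the subscriber's network (assumed names).

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # IPv4 hosts behind the CPE are masqueraded as today.
        oifname "wan0" masquerade
    }
}

table inet filter {
    # Traffic addressed to the CPE itself.
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname "lan0" accept
        # ICMPv6 types the CPE needs to receive on the WAN side (RFC 4890).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # DHCPv6 client: replies from the ISP's server arrive on UDP 546.
        iifname "wan0" udp dport 546 accept
    }

    # Traffic crossing the CPE between lan0 and wan0.
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Return traffic for subscriber-initiated connections, both IPv4 and IPv6.
        ct state established,related accept
        ct state invalid drop
        # Outbound: anything the LAN initiates may leave.
        iifname "lan0" oifname "wan0" accept
        # Inbound to IPv6 hosts: nothing unsolicited, except the ICMPv6 error
        # messages that existing connections rely on (PMTUD in particular).
        iifname "wan0" oifname "lan0" icmpv6 type { destination-unreachable,
                      packet-too-big, time-exceeded, parameter-problem } accept
    }
}
```

Loading this with `nft -f` gives IPv6 hosts on lan0 the same exposure profile that NAT44 gives IPv4 hosts: they can reach out, nothing from the WAN reaches them unless they asked for it. Anything beyond that (opening a port for a specific device, or the UTM-style inspection Eric mentions) is a deliberate change on top of this baseline rather than the default.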


