IPv6 Firewall on CPEs - Default on or off

Cameron Byrne cb.list6 at gmail.com
Mon Nov 26 16:23:25 CET 2012


Sent from ipv6-only Android
On Nov 26, 2012 5:38 AM, "Eric Vyncke (evyncke)" <evyncke at cisco.com> wrote:
>
> Ragnar,
>
> I should monitor this mailing list more often as I missed a fun discussion.
>
> Yes, disable firewall for BOTH IPv4 and IPv6 (of course keep NAT44) as previously written the killing arguments IMHO are:
> - hosts are mobile anyway and won't always be protected by your CPE
> - malware comes over subscriber-initiated connections, so, a pure L3-L4 firewall is pretty useless (cfr Erik's referenced paper)
> - only valid protection used by serious people is at least UTM (containing a basic malware detection based on signatures à la IPS or anti-virus -- cfr adv-security draft at the IETF)
>

+1 for these thoughts to have fw off.

Stateful packet inspection (SPI) requires ALGs in many cases and this is a
symptom of a failed Internet and broken end to end.

Also, SPI is its own attack vector (session DoS) and ALGs are very fragile
(do a bug search for sip or rtsp on your favorite fw vendor).

CB

> -éric
>
> > -----Original Message-----
> > From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Anfinsen, Ragnar
> > Sent: Monday 26 November 2012 10:02
> > To: ipv6-ops at lists.cluenet.de
> > Subject: IPv6 Firewall on CPEs - Default on or off
> >
> > Hi all.
> >
> > We are preparing to roll IPv6 out to customers with the latest and greatest CPEs we supply, which is great. We have chosen to use 6rd, due to lack of support in our access platform.
> >
> > However, our marketing guys have now started to question whether the IPv6 firewall function should be on or off by default. I know there are as many opinions as people on this list, but I am looking for arguments from both camps.
> >
> > I have my personal and clear opinion about the matter, which is off. To be able to uphold the true end to end connectivity it must obviously be off. I think the application firewall on the new OS's that support IPv6 are more than good enough, and a firewall in the CPE is redundant.
> >
> > However, the arguments against is that the customer is used to having a security layer on IPv4 in the CPE (NAT), and it would be bad to allow IPv6 unprotected into the customers LAN.
> >
> > I would really appreciate any comments and thoughts.
> >
> >
> > Best Regards
> > Ragnar Anfinsen
> >
> > Senior Architect CPE
> > IPv6 Architect
> > Netinfrastructure
> > Technology and Innovation
> > Altibox AS
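The "SPI is its own attack vector (session DoS)" point above is about the state table a stateful CPE firewall has to keep for every flow it tracks. The following is an added illustration for this archive page, not code from any of the posters, Altibox or Cisco: a toy session table that shows how a table with only a global entry limit can be filled by one noisy source so that nobody else gets a session, and how a per-source cap plus idle expiry bounds that. All addresses, ports and the `SessionTable`/`run_demo` names are constructed for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Flow:
    """5-tuple identifying one tracked session (values are constructed samples)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


class SessionTable:
    """Minimal stateful session table: a global entry limit, an optional
    per-source cap and idle expiry. per_source_cap=None models the weak
    setting where only the global limit exists, so a single source can
    consume all of the firewall's state."""

    def __init__(self, max_entries: int, per_source_cap: Optional[int], idle_timeout: float):
        self.max_entries = max_entries
        self.per_source_cap = per_source_cap
        self.idle_timeout = idle_timeout
        # Ordered by last activity: oldest entry sits at the front.
        self._last_seen: "OrderedDict[Flow, float]" = OrderedDict()
        self._per_source: Dict[str, int] = {}

    def __len__(self) -> int:
        return len(self._last_seen)

    def _remove(self, flow: Flow) -> None:
        del self._last_seen[flow]
        self._per_source[flow.src] -= 1
        if self._per_source[flow.src] == 0:
            del self._per_source[flow.src]

    def expire(self, now: float) -> int:
        """Drop entries idle longer than idle_timeout; returns how many were removed."""
        removed = 0
        while self._last_seen:
            flow, seen = next(iter(self._last_seen.items()))
            if now - seen < self.idle_timeout:
                break  # everything behind this entry is newer, so stop here
            self._remove(flow)
            removed += 1
        return removed

    def admit(self, flow: Flow, now: float) -> bool:
        """Returns True if the flow is tracked after this packet, False if refused."""
        self.expire(now)
        if flow in self._last_seen:
            self._last_seen[flow] = now
            self._last_seen.move_to_end(flow)  # refresh keeps the activity order correct
            return True
        if self.per_source_cap is not None and self._per_source.get(flow.src, 0) >= self.per_source_cap:
            return False  # this source already holds its share of the table
        if len(self._last_seen) >= self.max_entries:
            return False  # table full: new flows from every source are refused
        self._last_seen[flow] = now
        self._per_source[flow.src] = self._per_source.get(flow.src, 0) + 1
        return True


def run_demo(max_entries: int = 200, cap: int = 20, idle_timeout: float = 30.0) -> dict:
    """Open many distinct flows from one constructed source (2001:db8::1) in a
    capped and an uncapped table, then check whether a second source
    (2001:db8::2) can still get a session, and whether expiry reclaims state."""
    noisy, other, server = "2001:db8::1", "2001:db8::2", "2001:db8:1::80"
    tables = {
        "capped": SessionTable(max_entries, cap, idle_timeout),
        "uncapped": SessionTable(max_entries, None, idle_timeout),
    }
    out = {}
    for name, table in tables.items():
        admitted = sum(
            table.admit(Flow(noisy, server, 1024 + i, 443, "tcp"), now=0.0)
            for i in range(max_entries)
        )
        out[f"{name}_admitted_from_noisy_source"] = admitted
        out[f"{name}_other_source_admitted"] = table.admit(
            Flow(other, server, 5000, 443, "tcp"), now=1.0
        )
        table.expire(now=idle_timeout + 70.0)  # well past the idle timeout
        out[f"{name}_entries_after_expiry"] = len(table)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The uncapped table admits every flow from the noisy source until it is full and then refuses the second source outright; the capped table stops the noisy source at its share and still serves the other one. Real conntrack implementations add per-protocol timeouts and early expiry of unreplied entries on top of this, but the two knobs shown here (per-source limit, idle expiry) are the ones that decide whether the "firewall on" default creates a shared resource that one customer-facing flow source can exhaust.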