IPv6 Firewall on CPEs - Default on or off

Doug Barton dougb at dougbarton.us
Mon Nov 26 18:35:24 CET 2012


On 11/26/2012 03:02 AM, Anfinsen, Ragnar wrote:
> However, the arguments against are that the customer is used to having a security layer on IPv4 in the CPE (NAT), and it would be bad to allow IPv6 unprotected into the customer's LAN.

You've hit the nail right on the head here.

1. Customers have the expectation that there will be "protection" at the
router, even if they can't articulate what/why.
2. The fact that there is little/no exploitation of inbound v6 by
attackers currently does not mean that there will not be any in the
future. In fact, the opposite is true. As v6 deployments become more
popular, with firewalls default off, that will become a more popular
attack vector.
3. If v6 develops the reputation of being a security vulnerability it
will be devastating to long-term deployment.

The answer to UPnP not supporting v6 properly is to fix it, not to
pretend it isn't necessary.

I get that the v6 literati want to restore the end-to-end model, but
that's not a goal that most customers share. Having the _ability_ to
make/use direct connections is a good thing, and something that I
believe customers will come to value once they have it. But enabling it
by default is a bad idea.

Doug
