IPv6 Firewall on CPEs - Default on or off

Anfinsen, Ragnar Ragnar.Anfinsen at altibox.no
Mon Nov 26 19:04:05 CET 2012

On 26.11.12 11:28, "Tore Anderson" <tore.anderson at redpill-linpro.com>

>Hooray! Can't wait to see my IPv6 graphs skyrocket. :-)

Let's hope… :)

>- By doing firewalling as a default service, you are implicitly taking
>on responsibility for your user's IT security. Is that a responsibility
>that you really want? How will you respond to complaints from users that
>ended up infected in spite of your firewalling efforts? Since NAT44 is
>primarily an address sharing mechanism, not a security mechanism, this
>is not a responsibility you can be said to have had before.

Well, the customer already has a firewall/port-forwarding on IPv4. We can
call it whatever we want, but at the end of the day, the customer
perceives the NAT44 as a firewall/security barrier. So in that
perspective, we already supply a firewall to the customer, hence we
already take the responsibility for the customer, as you put it,
even though we are clear in our ULA that the firewall settings are the
customer's own responsibility.

>- Several production deployments of IPv6 so far have not done any
>firewalling, and as far as I've heard, this has not been problematic for
>them. (Please correct me if I'm wrong,) I'm thinking of ISPs such as
>Free, Kabel Deutschland, and Comcast here.

AFAIK, AT&T uses a firewall as default on their 6rd deployment.

>So all in all I think the actual security benefit of an IPv6 CPE
>firewall amounts to snake oil. If you want to help your users out with
>security, I think it would be much more efficient to partner up with
>some security company and hand out free licences for personal firewall
>and/or host-based firewall software.

This we already do, so then it would be a matter of informing the
customer and ensuring that the Norman Security Suite supports IPv6.

>- Your firewalling CPEs need to maintain state for all IPv6 flows. Ugh,
>state. That's a performance killer. And you're doing fibre, no?

Well, the ZyXEL P2812 actually has great performance numbers, where we do
IPv4 NAT44 and 6rd with firewall at 1 Gbps. I don't think that IPv6 will
increase the average traffic the customers use; it will only shift from
IPv4 to IPv6 over time. Obviously the traffic will grow in total, but that
has been designed into the solution.
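The "default on" stateful CPE firewall the thread is arguing about, as an added Python model (not code from the thread, from Altibox or from ZyXEL). It shows what the state Tore objects to actually buys: outbound flows create entries, unsolicited inbound packets are dropped, explicit pinholes play the role of an IPv4 port-forward, and a handful of ICMPv6 types pass without state because IPv6 breaks otherwise. The 2001:db8::/32 documentation prefix, the 120 s idle timeout and the packet sequence in demo() are constructed assumptions; the model has no TCP state machine and no NAT.

```python
"""Toy model of a stateful IPv6 CPE firewall ("default on" vs "default off").

Assumptions (not from the thread): a LAN prefix from the 2001:db8::/32
documentation range, a 120 s idle timeout for flow state, and a simplified
flow table keyed on the 5-tuple (no TCP state machine, no NAT).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple

ICMPV6 = 58
TCP = 6

# ICMPv6 types that must pass without any flow state or IPv6 itself breaks:
# destination unreachable (1), packet too big (2, needed for PMTUD since
# IPv6 routers never fragment), time exceeded (3), parameter problem (4),
# echo request/reply (128/129) and neighbour discovery (133-137).
STATELESS_ICMPV6_TYPES = {1, 2, 3, 4, 128, 129, 133, 134, 135, 136, 137}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    ts: float = 0.0  # arrival time in seconds (constructed, drives timeouts)


FlowKey = Tuple[str, int, str, int, int]  # (src, sport, dst, dport, proto)


class CpeFirewall:
    """LAN->WAN packets are accepted and create state; WAN->LAN packets pass
    only if they match existing state, an explicit pinhole, or one of the
    stateless ICMPv6 types. enabled=False is the 'default off' CPE that
    simply routes everything."""

    def __init__(self, lan_prefix: str, enabled: bool = True,
                 idle_timeout: float = 120.0,
                 pinholes: Set[Tuple[int, int]] = frozenset()):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.enabled = enabled
        self.idle_timeout = idle_timeout
        self.pinholes = set(pinholes)          # (proto, dport), like a port-forward
        self.flows: Dict[FlowKey, float] = {}  # flow key -> last seen timestamp

    def _is_lan(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.lan

    def _expire(self, now: float) -> None:
        # Drop idle flows; this is the state table whose cost the thread discusses.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.idle_timeout}

    def process(self, pkt: Packet) -> str:
        """Return 'accept' or 'drop' for one packet crossing the CPE."""
        if not self.enabled:
            return "accept"
        self._expire(pkt.ts)
        src_lan, dst_lan = self._is_lan(pkt.src), self._is_lan(pkt.dst)
        if src_lan and not dst_lan:
            # Outbound: accept and remember the 5-tuple so replies can come back.
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = pkt.ts
            return "accept"
        if dst_lan and not src_lan:
            if pkt.proto == ICMPV6 and pkt.icmp_type in STATELESS_ICMPV6_TYPES:
                return "accept"
            if (pkt.proto, pkt.dport) in self.pinholes:
                return "accept"
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if reverse in self.flows:
                self.flows[reverse] = pkt.ts  # refresh the idle timer
                return "accept"
            return "drop"  # unsolicited inbound: the default-deny case
        return "drop"  # neither side is the LAN: not our traffic


def demo() -> Dict[str, str]:
    """Constructed packet sequence; returns the verdict for each scenario."""
    lan_host, web = "2001:db8:1::10", "2001:db8:ffff::80"
    scanner, router = "2001:db8:bad::1", "2001:db8:ffff::1"
    fw = CpeFirewall("2001:db8:1::/64", pinholes={(TCP, 8080)})
    off = CpeFirewall("2001:db8:1::/64", enabled=False)
    syn_to_ssh = Packet(scanner, lan_host, TCP, 40000, 22, ts=2)
    return {
        "outbound_https": fw.process(Packet(lan_host, web, TCP, 51234, 443, ts=0)),
        "https_reply": fw.process(Packet(web, lan_host, TCP, 443, 51234, ts=1)),
        "unsolicited_ssh": fw.process(syn_to_ssh),
        "packet_too_big": fw.process(Packet(router, lan_host, ICMPV6, icmp_type=2, ts=3)),
        "icmpv6_node_info": fw.process(Packet(scanner, lan_host, ICMPV6, icmp_type=139, ts=4)),
        "pinhole_8080": fw.process(Packet(scanner, lan_host, TCP, 40001, 8080, ts=5)),
        "reply_after_timeout": fw.process(Packet(web, lan_host, TCP, 443, 51234, ts=200)),
        "firewall_off_ssh": off.process(syn_to_ssh),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The ICMPv6 exception list is the part a CPE vendor most often gets wrong: a blanket inbound deny that also drops "packet too big" silently breaks PMTUD for every host behind it, and dropping neighbour discovery breaks the link itself. The "reply_after_timeout" case shows the flip side of the state argument: once an idle entry has expired, a late reply from a legitimate peer is treated exactly like a scan.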
