IPv6 Firewall on CPEs - Default on or off

Anfinsen, Ragnar Ragnar.Anfinsen at altibox.no
Mon Nov 26 20:13:28 CET 2012


On 26.11.12 14:38, "Eric Vyncke (evyncke)" <evyncke at cisco.com> wrote:


>I should monitor this mailing list more often as I missed a fun
>discussion.

You should. This is my first post hereŠ ;)

>Yes, disable firewall for BOTH IPv4 and IPv6 (of course keep NAT44) as
>previously written the killing arguments IMHO are:
>- hosts are mobile anyway and won't always be protected by your CPE
>- malware comes over subscriber-initiated connections, so, a pure L3-L4
>firewall is pretty useless (cfr Erik's referenced paper)
>- only valid protection used by serious people is at least UTM
>(containing a basic malware detection based on signatures à la IPS or
>anti-virus -- cfr adv-security draft at the IETF)

Fully agree, and your points is part of my argument list. I value that you
take time to comment, Eric. This will weight a lot in favor of default off.

/Ragnar




More information about the ipv6-ops mailing list