IPv6 Firewall on CPEs - Default on or off

[Dan Wing]

> -----Original Message-----
> From: ipv6-ops-bounces+dwing=cisco.com at lists.cluenet.de [mailto:ipv6-
> ops-bounces+dwing=cisco.com at lists.cluenet.de] On Behalf Of Anfinsen,
> Ragnar
> Sent: Monday, November 26, 2012 1:02 AM
> To: ipv6-ops at lists.cluenet.de
> Subject: IPv6 Firewall on CPEs - Default on or off
> 
> Hi all.
> 
> We are preparing to roll IPv6 out to customers with the latest and
> greatest CPEs we supply, which is great. We have chosen to use 6rd, due
> to lack of support in our access platform.
> 
> However, our marketing guys have now started to question whether the
> IPv6 firewall function should be on or off by default. I know there are
> as many opinions as people on this list, but I am looking for arguments
> from both camps.

As others mentioned, RFC6092 recommends unsolicited inbound packets be 
dropped, but allow unsolicited IPsec-related packets.  It is my 
understanding that Apple ships their IPv6-capable CPE that way.  Linksys 
ships their IPv6-capable CPE to block unsolicited inbound packets, but 
I believe has no exception to allow IPsec-related packets.

Desires to allow unsolicited inbound IPv6 packets sound great until
the fridge is hacked and the beer is too warm to drink.  The blame for
the warm beer will be placed on IPv6.

-d


> I have my personal and clear opinion about the matter, which is off. To
> be able to uphold the true end to end connectivity it must obviously be
> off. I think the application firewall on the new OS's that support IPv6
> are more than good enough, and a firewall in the CPE is redundant.
> 
> However, the arguments against is that the customer is used to having a
> security layer on IPv4 in the CPE (NAT), and it would be bad to allow
> IPv6 unprotected into the customers LAN.
> 
> I would really appreciate any comments and thoughts.
> 
> 
> Best Regards
> Ragnar Anfinsen
> 
> Senior Architect CPE
> IPv6 Architect
> Netinfrastructure
> Technology and Innovation
> Altibox AS