IPv6 Firewall on CPEs - Default on or off

Mohacsi Janos mohacsi at niif.hu
Tue Nov 27 09:17:05 CET 2012

Dear All,
On Mon, 26 Nov 2012, Doug Barton wrote:

> On 11/26/2012 03:02 AM, Anfinsen, Ragnar wrote:
>> However, the arguments against are that the customer is used to having a security layer on IPv4 in the CPE (NAT), and it would be bad to allow IPv6 unprotected into the customer's LAN.
> You've hit the nail right on the head here.
> 1. Customers have the expectation that there will be "protection" at the
> router, even if they can't articulate what/why.
> 2. The fact that there is little/no exploitation of inbound v6 by
> attackers currently does not mean that there will not be any in the
> future. In fact, the opposite is true. As v6 deployments become more
> popular, with firewalls default off, that will become a more popular
> attack vector.
> 3. If v6 develops the reputation of being a security vulnerability it
> will be devastating to long-term deployment.
> The answer to UPnP not supporting v6 properly is to fix it, not to
> pretend it isn't necessary.

I agree with Doug. The current IPv4 users are used to some sort of 
firewall protection in their home-gateway. The IPv6 capable home-gateway 
should not change this behaviour, unless there is a big warning message on 
the packaging box and in the installation guide that the IPv6 firewall is 
switched off by default. In my opinion, to satisfy the requirements of both 
camps there should be a big option switch available on the security 
settings configuration page of IPv6 capable home routers: switch the IPv6 
firewall on/off. The user guide supplied by the router vendor should clearly 
state whether the IPv6 firewall is on or off by default, and clearly describe 
the advantages and disadvantages of having the IPv6 firewall on or off.

This is the principle of least astonishment (POLA/PLA).

If UPnP does not support IPv6 properly, the standard has to be improved, 
or replaced with a better-suited standard.

Best Regards,
Janos Mohacsi

> I get that the v6 literati want to restore the end-to-end model, but
> that's not a goal that most customers share. Having the _ability_ to
> make/use direct connections is a good thing, and something that I
> believe customers will come to value once they have it. But enabling it
> by default is a bad idea.
> Doug
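The "firewall on by default, with one clearly labelled switch" design argued for above can be made concrete as a ruleset. The following is an added example written for this page; it is not code from this thread, from NIIF, or from any CPE vendor. It assumes a Linux-based gateway running nftables, LAN and WAN interface names (`br-lan` and `eth-wan`, placeholders) and a single on/off argument standing in for the settings-page switch. Mode `on` gives the IPv6 equivalent of the protection IPv4 users got from NAT: outbound connections from the LAN are allowed and their replies tracked, unsolicited inbound traffic is dropped. Mode `off` leaves forwarding unfiltered, which is the state a vendor's guide would have to warn about. The caveat the example makes explicit is that an IPv6 firewall must still pass the ICMPv6 error and Neighbour Discovery messages (RFC 4890), otherwise Path MTU discovery and addressing break and "IPv6 is insecure" turns into "IPv6 is broken".

```shell
#!/bin/sh
# Added example: emit an nftables ruleset for a home gateway IPv6 firewall.
# Assumptions (not from the mailing-list thread): nftables "inet" family,
# interface names given as arguments (defaults "br-lan" / "eth-wan" are
# placeholders), and a single on|off switch as the post proposes.
#   on  : stateful filter; LAN -> WAN allowed, unsolicited inbound dropped
#   off : forwarding unfiltered (end-to-end reachable), input still protected
ipv6_fw_ruleset() {
    mode="$1"; lan="${2:-br-lan}"; wan="${3:-eth-wan}"
    case "$mode" in
        on)  fwd_policy=drop ;;
        off) fwd_policy=accept ;;
        *)   echo "usage: ipv6_fw_ruleset on|off [lan_if] [wan_if]" >&2; return 2 ;;
    esac
    cat <<EOF
add table inet cpe_v6
flush table inet cpe_v6
table inet cpe_v6 {
    chain forward {
        type filter hook forward priority 0; policy $fwd_policy;
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 errors must pass both ways or Path MTU discovery breaks
        # for hosts behind the gateway (RFC 4890 section 4.3.1).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Hosts on the LAN may open connections towards the Internet;
        # with policy drop, nothing unsolicited comes back the other way.
        iifname "$lan" oifname "$wan" accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Neighbour Discovery / Router Advertisements keep the gateway itself
        # addressed and reachable on the WAN link (link-local, hop limit 255).
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } ip6 hoplimit 255 accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # DHCPv6 client replies (prefix delegation) arrive from the WAN side.
        iifname "$wan" udp dport 546 accept
        # The LAN side may reach the gateway's own services (web UI, DNS, DHCPv6).
        iifname "$lan" accept
    }
}
EOF
}

# Apply the generated ruleset atomically; needs root and the nft binary.
ipv6_fw_apply() {
    ipv6_fw_ruleset "$@" | nft -f -
}

# Stand-alone use: ./ipv6-fw.sh on br-lan eth-wan  (prints the ruleset)
if [ $# -gt 0 ]; then
    ipv6_fw_ruleset "$@"
fi
```

The generated text is meant to be reviewed before `ipv6_fw_apply` loads it; `nft -f -` reads the whole ruleset and commits it in one transaction, so a syntax error leaves the previous rules in place rather than half-applied. Note that only the forward chain changes between the two modes: even with the customer-facing switch "off", the gateway's own management interface stays closed to the WAN.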
