IPv6 Firewall on CPEs - Default on or off

Lorenzo Colitti lorenzo at google.com
Tue Nov 27 09:30:13 CET 2012


On Tue, Nov 27, 2012 at 7:44 AM, Dan Wing <dwing at cisco.com> wrote:

> Desires to allow unsolicited inbound IPv6 packets sound great until
> the fridge is hacked and the beer is too warm to drink.  The blame for
> the warm beer will be placed on IPv6.
>

Well, but isn't that a little like saying that the blame for the accident
will be placed on the faster car the customer has bought instead of the
carelessness of the driver? I mean, what the question boils down to is:

- In most cases (not always - for example when you plug your computer
directly into the cable modem, when you're at a coffee shop or university
network, etc. etc.), today's Internet connections offer restricted
connectivity because of NAT
- IPv6 removes that restriction and allows full connectivity
- What should we do? Should we allow this new capability, or should we turn
it off because with great power comes great responsibility and we're afraid
we might get hurt by it?

In other words, should we take something that was originally a restriction
imposed by lack of address space and (permanently?) apply that same
restriction to a network that does not have that restriction?

There is a cost to NATs and ALGs. The session timeouts suck, the lack of
inbound reachability sucks, the call setup latency sucks, the lack of
support for new apps sucks, the session scaling sucks, and so on.
Peer-to-peer apps like skype sort of work behind NATs, but at the cost of a
loss of quality (e.g., when you have to go through a third-party supernode
and your call quality goes down the drain). In IPv4, NATs and ALGs are all
we have, but in IPv6 we have the option of doing better.

There's also a security advantage, but as others have said, the security
advantage provided by NATs has eroded over time. Attacks and malware moved
away from port scans and connection attempts a very long time ago. They now
reside at the application layer, conveniently protected by HTTPS, where no
network firewall will ever find them. (That's Erik's 80% number.)

So at the end of the day it comes down to what you think your customers
would want the extra aggravation in exchange for the extra security. If you
asked the customer "would you like your skype calls and video chats to work
better, or would you like a double layer of protection from some attacks
that aren't really today's main focus?", what would the answer be? Can you
give the customer that choice, or are you obliged to pick one answer for
everybody?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cluenet.de/pipermail/ipv6-ops/attachments/20121127/a6330d5d/attachment.htm>


More information about the ipv6-ops mailing list