IPv6 Firewall on CPEs - Default on or off

Nick Hilliard nick at foobar.org
Tue Nov 27 11:07:33 CET 2012

On 27/11/2012 08:30, Lorenzo Colitti wrote:
> Well, but isn't that a little like saying that the blame for the accident
> will be placed on the faster car the customer has bought instead of the
> carelessness of the driver? I mean, what the question boils down to is:

That doesn't mean that it's bad to have:

- air bags
- seat belts
- abs brakes
- crumple zones
- smart frame design
- extensive crash testing
- etc

> - What should we do? Should we allow this new capability, or should we turn
> it off because with great power comes great responsibility and we're afraid
> we might get hurt by it?

It's a default.  If the user wants to change it, they can.

> There's also a security advantage, but as others have said, the security
> advantage provided by NATs has eroded over time. Attacks and malware moved
> away from port scans and connection attempts a very long time ago. 

they moved away because it became impossible to directly address the end
host.  If we create a default which allows attackers/malware to directly
contact the end host again, then they'll move back to that method because
it's easier than the other way around.


More information about the ipv6-ops mailing list