IPv6 Firewall on CPEs - Default on or off

Ignatios Souvatzis ignatios at cs.uni-bonn.de
Tue Nov 27 11:31:17 CET 2012


On Tue, Nov 27, 2012 at 10:36:19AM +0100, Gert Doering wrote:
> On Tue, Nov 27, 2012 at 10:30:40AM +0100, Ignatios Souvatzis wrote:
> > Another data point: the first Spambot mail I got via IPv6 was from
> > the French residential IPv6 deployment which happens to use 6rd.
> Not actually a data point unless you know how the bot got onto the
> machine...

On Tue, Nov 27, 2012 at 10:36:26AM +0100, Mikael Abrahamsson wrote:
[about the same line]
> What do you feel this data point indicates?

Well, it demonstrates that IPv6-CPE connected machines are not magically
bullet-proof. Thanks to the rough firewalling brought by the NATing of
most network customers, the prevalent attack vectors might be higher level
nowadays, but the others will reappear when a relevant number or machines
are directly reachable.

So - I'm afraid I'd vote for default-incoming-blocked (not blackholed; I
hate that abomination with vengeance) and give the customer a method to
(selectively if possible) switch on.


More information about the ipv6-ops mailing list