IPv6 Firewall on CPEs - Default on or off

Mikael Abrahamsson swmike at swm.pp.se
Tue Nov 27 12:12:36 CET 2012


On Tue, 27 Nov 2012, Ignatios Souvatzis wrote:

> Well, it demonstrates that IPv6-CPE connected machines are not magically 
> bullet-proof. Thanks to the rough firewalling brought by the NATing of 
> most network customers, the prevalent attack vectors might be higher 
> level nowadays, but the others will reappear when a relevant number of 
> machines are directly reachable.

I worry less about remote exploits (they are not that common) but for 
services the customers have on their home LAN where they have easy or no 
passwords for access, and they expect the Internet not to reach these. We 
saw this in ~2000, where people had file shares open, and they 
connected their computer directly to the LAN ETTH connection and then 
someone "stole" their pictures. There were articles in the press about how 
easily neighbours could see each other's files. So even though I hate it, I 
would probably at minimum block certain "low tcp/udp ports" by default. 
The ideas floating about having two LANs, one Internet and one "secure", 
also have merit.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se


