IPv6 Firewall on CPEs - Default on or off
Yannis Nikolopoulos
dez at otenet.gr
Tue Nov 27 14:36:54 CET 2012
On 11/27/2012 12:41 AM, Mark Townsley wrote:
>
> What about something like what Eric Vyncke and I proposed here then?
>
> http://tools.ietf.org/html/draft-vyncke-advanced-ipv6-security-01
>
> It's not as far out as one might think, and casts a balance between the blunt instrument of a NAT44-like firewall (or even RFC 6092), and the notion that the user has "no line of defense".
>
>
> - Mark
>
Unfortunately, this draft (to me) sounded and still sounds like wishful
thinking. Try fitting an IPS into a cheap xDSL CPE...
2-3 years ago, we included IPv6 security-related specs for our CPE
tenders. The only requirement was the ability to apply stateless
filters, none configured by default though. Some vendors complied, some
didn't.
After rfc6092 was finalized, we revisited the security specs, trying to
incorporate some of the logic. Right now, we require a default ruleset
(ip6tables-formatted) to be applied on the WAN. In a nutshell, allow all
outgoing and certain incoming: link-local ICMPv6, multicast, certain non
link-local ICMPv6 (as per rfc4890). We've yet to incorporate rules for
IPsec and mobility.
Still though, we don't feel like this issue is closed. We're still
considering a "default-allow" policy with some basic sanitation checks
in place.
regards,
Yannis
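The WAN ruleset Yannis describes (allow all outgoing; allow inbound link-local ICMPv6, multicast listener messages, and the non-link-local ICMPv6 types RFC 4890 says a firewall must not drop; IPsec and Mobile IPv6 not yet covered) is easy to get subtly wrong, so here is an added example of what such a default ruleset looks like in ip6tables-restore format. This is not the OTE tender text or any vendor's firmware; it assumes a WAN interface name passed as the first argument (default eth0), that the CPE itself is protected by the INPUT chain and LAN hosts by FORWARD, and that the conntrack, hl and limit match extensions are built into the kernel. The generator emits text rather than calling ip6tables directly so the result can be reviewed (the second function does a simple sanity check of the kind a tender acceptance test would run) before it is loaded on a device.

```shell
#!/bin/sh
# Added example, not from the ipv6-ops post or any CPE vendor: an RFC 4890-style
# default ruleset for a CPE WAN interface, printed in ip6tables-restore format.
# Assumptions (not stated in the post): WAN interface is $1 (default "eth0");
# the CPE itself is protected by INPUT and LAN hosts by FORWARD; the conntrack,
# hl and limit match extensions are available. IPsec and Mobile IPv6 ICMP types
# (144-147) are deliberately left out, matching the post.

gen_wan_ruleset() {
    wan="${1:-eth0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Basic sanitation on the WAN: loopback and unspecified sources never belong
# in forwarded traffic, and link-local sources must never cross the router.
-A INPUT -i ${wan} -s ::1/128 -j DROP
-A FORWARD -i ${wan} -s ::1/128 -j DROP
-A FORWARD -i ${wan} -s ::/128 -j DROP
-A FORWARD -i ${wan} -s fe80::/10 -j DROP
# Allow all outgoing: anything arriving from the LAN side or loopback.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i ${wan} -j ACCEPT
-A FORWARD ! -i ${wan} -j ACCEPT
# Return traffic for flows opened from inside.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# RFC 4890 sect. 4.3.1: error messages that must not be dropped, so that
# PMTU discovery and traceroute keep working for LAN hosts and the CPE.
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 3/0 -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 4/1 -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 4/2 -j ACCEPT
-A FORWARD -i ${wan} -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -i ${wan} -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -i ${wan} -p icmpv6 --icmpv6-type 3/0 -j ACCEPT
-A FORWARD -i ${wan} -p icmpv6 --icmpv6-type 4/1 -j ACCEPT
-A FORWARD -i ${wan} -p icmpv6 --icmpv6-type 4/2 -j ACCEPT
# Echo request/reply (sect. 4.3.1); requests aimed at the CPE are rate limited.
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 129 -j ACCEPT
-A FORWARD -i ${wan} -p icmpv6 --icmpv6-type 128 -j ACCEPT
-A FORWARD -i ${wan} -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link-local ICMPv6 for the CPE's own WAN port (sect. 4.4.1): NDP is only
# valid with hop limit 255 and is never forwarded. RA and Redirect must come
# from a link-local router address; NS may come from :: during duplicate
# address detection, so for NS/NA only the hop limit is checked.
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 134 -s fe80::/10 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 137 -s fe80::/10 -m hl --hl-eq 255 -j ACCEPT
# Multicast Listener Discovery (130-132, 143): link-local source, hop limit 1,
# link-scope multicast destination. This is the inbound multicast the post allows.
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 130 -s fe80::/10 -d ff02::/16 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 131 -s fe80::/10 -d ff02::/16 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 132 -s fe80::/10 -d ff02::/16 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -i ${wan} -p icmpv6 --icmpv6-type 143 -s fe80::/10 -d ff02::/16 -m hl --hl-eq 1 -j ACCEPT
# Everything else arriving on the WAN falls through to the DROP policy.
COMMIT
EOF
}

# Acceptance check for a generated ruleset (argument: the ruleset text):
# both inbound chains must default to DROP, and every ICMPv6 ACCEPT rule must
# name a type/code from the RFC 4890 list used above. Returns 0 when sane.
ruleset_is_sane() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$1" | grep -q '^:FORWARD DROP' || return 1
    allowed=' 1 2 3/0 4/1 4/2 128 129 130 131 132 134 135 136 137 143 '
    printf '%s\n' "$1" | awk -v allowed="$allowed" '
        /--icmpv6-type/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--icmpv6-type") t = $(i + 1)
            if (index(allowed, " " t " ") == 0) bad++
        }
        END { exit bad ? 1 : 0 }'
}

# Usage on the device, after reviewing the output:
#   gen_wan_ruleset ppp0 > /tmp/wan6.rules && ip6tables-restore < /tmp/wan6.rules
```

Note that NDP and MLD rules live only in INPUT: a router never forwards link-local ICMPv6, so any such packet that reaches FORWARD is already bogus and the DROP policy handles it. The error-message and echo rules appear in both chains because they must reach the LAN hosts, not just the CPE.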