IPv6 Firewall on CPEs - Default on or off

Yannis Nikolopoulos dez at otenet.gr
Tue Nov 27 14:36:54 CET 2012


On 11/27/2012 12:41 AM, Mark Townsley wrote:
>
> What about something like what Eric Vyncke and I proposed here then?
>
> http://tools.ietf.org/html/draft-vyncke-advanced-ipv6-security-01
>
> It's not as far out as one might think, and casts a balance between the blunt instrument of a NAT44-like firewall (or even RFC 6092), and the notion that the user has "no line of defense".
>
>
> - Mark
>
Unfortunately, this draft (to me) sounded and still sounds like wishful 
thinking. Try fitting an IPS into a cheap xDSL CPE...

2-3 years ago, we included IPv6 security-related specs for our CPE 
tenders. The only requirement was the ability to apply stateless 
filters, none configured by default though. Some vendors complied, some 
didn't.

After rfc6092 was finalized, we revisited the security specs, trying to 
incorporate some of the logic. Right now, we require a default ruleset 
(ip6tables-formatted) to be applied on the WAN. In a nutshell, allow all 
outgoing and certain incoming: link-local ICMPv6, multicast, certain non 
link-local ICMPv6 (as per rfc4890). We've yet to incorporate rules for 
IPsec and mobility.

Still though, we don't feel like this issue is closed. We're still 
considering a "default-allow" policy with some basic sanitation checks 
in place

regards,
Yannis




More information about the ipv6-ops mailing list