IPv6 Firewall on CPEs - Default on or off

Seth Mos seth.mos at dds.nl
Tue Nov 27 15:15:46 CET 2012


On 27-11-2012 15:08, Tore Anderson wrote:
> * Mikael Abrahamsson
> 
>> Well, initially we disabled broadcast capability between customers which
>> meant they couldn't see each other in "my network neighbourhood" (direct
>> access still worked, but people generally didn't do that), and then we
>> blocked "windows ports" later. A lot of deployments I know of still
>> today block whatever ports windows uses in 135-139 and 445 for this reason.
> 
> So NAT44 or other kind of CPE with firewalling wasn't part of the solution.
> 
> Then why does it need to be for IPv6?
> 
> I would have much less issue with the ISP blocking known Windows
> LAN-only service ports like the ones you're mentioning, plus L2
> isolation of individual subscribers, than a "drop all inbound"
> firewalling solution enabled by default.
> 

I can see this taking shape in the form of blocking port 25, 80 and 443
inbound to sell "business". Maybe not quite the open internet we once
envisioned.

Worse yet, I can't even get an open port 500 for working IPsec on 3G. If
that mindset continues to prevail there is much work to be done still...

There is a thin line between security and functionality here, and
conflicting interests.

Cheers,
Seth


More information about the ipv6-ops mailing list