IPv6 Firewall on CPEs - Default on or off
Seth Mos
seth.mos at dds.nl
Tue Nov 27 15:15:46 CET 2012
On 27-11-2012 15:08, Tore Anderson wrote:
> * Mikael Abrahamsson
>
>> Well, initially we disabled broadcast capability between customers which
>> meant they couldn't see each other in "my network neighbourhood" (direct
>> access still worked, but people generally didn't do that), and then we
>> blocked "windows ports" later. A lot of deployments I know of still
>> today block whatever ports windows uses in 135-139 and 445 for this reason.
>
> So NAT44 or other kind of CPE with firewalling wasn't part of the solution.
>
> Then why does it need to be for IPv6?
>
> I would have much less issue with the ISP blocking known Windows
> LAN-only service ports like the ones you're mentioning, plus L2
> isolation of individual subscribers, than a "drop all inbound"
> firewalling solution enabled by default.
>
I can see this taking shape in the form of blocking port 25, 80 and 443
inbound to sell "business". Maybe not quite the open internet we once
envisioned.

Worse yet, I can't even get an open port 500 for working IPsec on 3G. If
that mindset continues to prevail there is much work to be done still...

There is a thin line between security and functionality here, and
conflicting interests.

Cheers,
Seth