IPv6 Firewall on CPEs - Default on or off
ben at bjencks.net
Tue Nov 27 17:59:33 CET 2012
On 11/27/2012 03:30 AM, Lorenzo Colitti wrote:
> So at the end of the day it comes down to what you think your customers
> would want the extra aggravation in exchange for the extra security. If
> you asked the customer "would you like your skype calls and video chats
> to work better, or would you like a double layer of protection from some
> attacks that aren't really today's main focus?", what would the answer
> be? Can you give the customer that choice, or are you obliged to pick
> one answer for everybody?
Just about everyone seems to agree it should be configurable, but most
(90%? 95%?) users won't ever change it from the default. Your employer
appears to have chosen a diode configuration by default:
and on top of that has put the option in an "advanced configuration"
section that requires the user to jump through some complicated hoops to
So, for data points we have:
* Free has open access
* Google has a diode-style firewall enabled
* Most American ISPs (Comcast, AT&T, Verizon) are bring-your-own CPE, so
they don't set policy.
Any other large deployments with a policy?
Personally, I'm on the open access side, for all the reasons outlined so
More information about the ipv6-ops