IPv6 Firewall on CPEs - Default on or off

Ben Jencks ben at bjencks.net
Tue Nov 27 17:59:33 CET 2012


On 11/27/2012 03:30 AM, Lorenzo Colitti wrote:
>
> So at the end of the day it comes down to whether you think your customers
> would want the extra aggravation in exchange for the extra security. If
> you asked the customer "would you like your skype calls and video chats
> to work better, or would you like a double layer of protection from some
> attacks that aren't really today's main focus?", what would the answer
> be? Can you give the customer that choice, or are you obliged to pick
> one answer for everybody?

Just about everyone seems to agree it should be configurable, but most
(90%? 95%?) users won't ever change it from the default. Your employer
appears to have chosen a diode configuration by default:

http://support.google.com/fiber/bin/answer.py?hl=en&answer=2731923

and on top of that has put the option in an "advanced configuration"
section that requires the user to jump through some complicated hoops to
get to:

http://support.google.com/fiber/bin/answer.py?hl=en&answer=2810892

So, for data points we have:
* Free has open access
* Google has a diode-style firewall enabled
* Most American ISPs (Comcast, AT&T, Verizon) are bring-your-own CPE, so
they don't set policy.
Any other large deployments with a policy?

Personally, I'm on the open access side, for all the reasons outlined so
far.

-Ben

