IPv6 Firewall on CPEs - Default on or off

Ben Jencks ben at bjencks.net
Tue Nov 27 17:59:33 CET 2012


On 11/27/2012 03:30 AM, Lorenzo Colitti wrote:
>
> So at the end of the day it comes down to what you think your customers
> would want the extra aggravation in exchange for the extra security. If
> you asked the customer "would you like your skype calls and video chats
> to work better, or would you like a double layer of protection from some
> attacks that aren't really today's main focus?", what would the answer
> be? Can you give the customer that choice, or are you obliged to pick
> one answer for everybody?

Just about everyone seems to agree it should be configurable, but most
(90%? 95%?) users won't ever change it from the default. Your employer
appears to have chosen a diode configuration by default:

http://support.google.com/fiber/bin/answer.py?hl=en&answer=2731923

and on top of that has put the option in an "advanced configuration"
section that requires the user to jump through some complicated hoops to
get to:

http://support.google.com/fiber/bin/answer.py?hl=en&answer=2810892

So, for data points we have:
* Free has open access
* Google has a diode-style firewall enabled
* Most American ISPs (Comcast, AT&T, Verizon) are bring-your-own CPE, so
they don't set policy.
Any other large deployments with a policy?

Personally, I'm on the open access side, for all the reasons outlined so
far.

-Ben



More information about the ipv6-ops mailing list