IPv6 Firewall on CPEs - Default on or off

Cameron Byrne cb.list6 at gmail.com
Tue Nov 27 18:04:29 CET 2012


On Tue, Nov 27, 2012 at 8:59 AM, Ben Jencks <ben at bjencks.net> wrote:
> On 11/27/2012 03:30 AM, Lorenzo Colitti wrote:
>>
>> So at the end of the day it comes down to what you think your customers
>> would want the extra aggravation in exchange for the extra security. If
>> you asked the customer "would you like your skype calls and video chats
>> to work better, or would you like a double layer of protection from some
>> attacks that aren't really today's main focus?", what would the answer
>> be? Can you give the customer that choice, or are you obliged to pick
>> one answer for everybody?
>
> Just about everyone seems to agree it should be configurable, but most
> (90%? 95%?) users won't ever change it from the default. Your employer
> appears to have chosen a diode configuration by default:
>
> http://support.google.com/fiber/bin/answer.py?hl=en&answer=2731923
>
> and on top of that has put the option in an "advanced configuration"
> section that requires the user to jump through some complicated hoops to
> get to:
>
> http://support.google.com/fiber/bin/answer.py?hl=en&answer=2810892
>
> So, for data points we have:
> * Free has open access
> * Google has a diode-style firewall enabled
> * Most American ISPs (Comcast, AT&T, Verizon) are bring-your-own CPE, so
> they don't set policy.
> Any other large deployments with a policy?
>

FYI, T-Mobile USA has open access for IPv6 (inbound ICMP Echo Requests
are blocked) for its IPv6 offering


CB


> Personally, I'm on the open access side, for all the reasons outlined so
> far.
>
> -Ben

