IPv6 Firewall on CPEs - Default on or off

Philipp Kern phil at philkern.de
Tue Nov 27 18:17:49 CET 2012

On Tue, Nov 27, 2012 at 04:38:08PM +0000, Benedikt Stockebrand wrote:
> Nonono, you've got that the wrong way around.  If you provide people
> with IPv6 as a new feature, then they have to address some new
> security concerns.  The best approach to do so is to provide default
> settings that change as little as possible for them and then let them
> change the settings whenever they want.
> Some subthreads here have diverted into the different issue of
> *forcing* these settings on people, so let me reiterate that I am only
> talking about *default* settings here.  Beyond the default setting I'd
> consider any IPv6 service that denies me the possibility to make my
> machines accessible from outside broken or deficient.

The annoying thing is that you shove another stateful box into the path.
At a university deployment I've got a proprietary firewall that does NAT
for all the students.  It barely manages the bandwidth that's
available[1]. For IPv6 I'm now faced with the requirement imposed by
some that we "of course" need stateful firewalling (despite the fact
that the mechanisms to whitelist yourself are not in place). There are
no CPEs, it's all just Ethernet.

If I pipe it across the firewall, IPv6 is not more performant than IPv4,
while it could be, given that there's no requirement for NAT. For the
eyeballs there would be a *reason* to switch to IPv6, given that you
avoid the crowded NAT.  (And IPv6 transit is basically free, still.)

So I'd really want to avoid a firewall at all costs and try to find
arguments. Some were already presented on this list. Obviously I cannot
skip the arguments of the other side entirely. But feelings don't really
help me. I also have the feeling that such firewalls don't buy us much
given the vast amount of other vectors. (Which is the same feeling I
have with IPSes.) But I cannot quantify a feeling.

Firewalls do have additional costs. Why do I have to bear them as a
transit provider that happens to do NAT because of IPv4 address
exhaustion? (I cannot shove that responsibility down to the "customers"
either.) It was once said that IPv6 would be performant because it would
skip the requirement to pass a CGN[2] box. Now we are adding a stateful
firewall, which I find a bit tragic. Then we could also stick to the CGN
alone, especially if the customers don't have an easy way to unblock
them because you cannot pin such rules to, say, a MAC address. (Privacy
extensions, MAC addresses not being available at the firewalling point,

Kind regards
Philipp Kern

[1] Ok, not really. 1.2 Gbps in total while 1G/1G would be available, making
    the link highly asymmetric.
[2] If it were carrier-grade it would cope with the bandwidth
    requirements, but bigger boxes of the same vendor were out of the question