IPv6 Firewall on CPEs - Default on or off
me at benedikt-stockebrand.de
Tue Nov 27 21:06:55 CET 2012
Hi Philipp and list,
Philipp Kern <phil at philkern.de> writes:
> On Tue, Nov 27, 2012 at 04:38:08PM +0000, Benedikt Stockebrand wrote:
>> Some subthreads here have diverted into the different issue of
>> *forcing* these settings on people, so let me reiterate that I am only
>> talking about *default* settings here. Beyond the default setting I'd
>> consider any IPv6 service that denies me the possibility to make my
>> machines accessible from outside broken deficient.
> The annoying thing is that you shove another stateful box into the path.
To get this absolutely straight: If the filtering is done at the CPE,
and if it can be turned off, why do I "shove another stateful box into
> At a university deployment I've got a proprietary firewall that does NAT
> for all the students. It does barely manage the bandwidth that's
What *exactly* do you mean with "firewall" in this context?
Comparing a packet filter/application level gateway/packet filter
cascade with a minimalistic packet filter configuration (where TCP
enters the game it might even be sufficient to filter SYN packets
without maintaining state) doesn't make sense.
> For IPv6 I'm now faced with the requirement imposed by some that we
> "of course" need stateful firewalling (despite the fact that the
> mechanisms to whitelist yourself are not in place).
So, your reason to have a configurable diode style setup disabled by
default at some other place is because at your place they didn't
make it configurable at all?
Sorry, but this is ridiculous.
> There are no CPEs, it's all just Ethernet.
Maybe you should have a bit of a talk with the people in charge at the
local university data center about the reasons why they actually
bother to set up a firewall at all.
I've been dealing with a few of these people over the years, and
considering the peculiarities of academic environments in general and
student dormitories in particular I consider their approach
heavy-handed (because it's not configurable) but generally prudent.
> If I pipe it across the firewall IPv6 is not more performant than IPv4,
> while it could be, given that there's no requirement for NAT. For the
> eyeballs there would be a *reason* to switch to IPv6 given that you
> avoid the crowded NAT. (And IPv6 transit is basically free, still.)
So how much of an impact does NAT, or in that case a simple two-rule
(depending on the implementation used) filter rule on a CPE, actually
have? I haven't managed to measure any.
CGN at carrier grade bandwidths is an entirely different league in
pretty much any respect.
> Firewalls do have additional costs. Why do I have to bear them as an
> transit provider that happens to do NAT because of IPv4 address
Once again: You don't have to if they can be turned off.
And to my understanding transit providers don't do CGN; it's the ISPs.
> (I cannot shove that responsibility down to the "customers" either.)
I really don't understand what you want to say here. Sorry.
> It was once said that IPv6 would be performant because it would
> skip the requirement to pass a CGN box. Now we are adding a stateful
> firewall, which I find a bit tragic. Then we could also stick to the CGN
Now, I know that a lot of sales people have tried to peddle CPE
routers as security devices because they do NAT, but that doesn't make
claiming that CGN is a substitute for a stateful firewall any better.
> especially if the customers don't have an easy way to unblock
> them because you cannot pin such rules to, say, a MAC address.
I know a bit about the situation in German university dormitory
networks and the problems they have with historic flat network
topologies---and occasionally the staff running them---but maybe you
should check out IEEE 802.1x for example. Just because they don't
deploy a solution, for whatever reason, doesn't mean there isn't any.
And beyond that, there's also an option to actually clean up the
network topology and provide all rooms/students with individual
subnets. Puts some extra load on the routing engines (the in-house
traffic between students), but that's all it takes.
> (Privacy extensions, MAC addresses not being available at the
> firewalling point, etc.)
Filtering by MAC addresses isn't particularly clever, either.
*Especially* not when students with some technical affinity are
Business Grade IPv6
Consulting, Training, Projects
Benedikt Stockebrand, Dipl.-Inform. http://www.benedikt-stockebrand.de/
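The "diode style" two-rule filter discussed above (drop inbound TCP connection attempts by their SYN bit, accept everything else, keep no connection state) can be modelled in a few lines. The following is an added example, not code from the original post or from any CPE vendor: `Packet`, `DiodeFilter`, the `allow_inbound` exception list and the 2001:db8::/32 addresses are constructed for illustration, and the `enabled` flag stands in for the "can be turned off" requirement the post insists on.

```python
"""Simulation of a stateless 'diode' packet filter on a CPE WAN interface.

Added example (not from the original post). Rule 1: an inbound TCP segment
that opens a new connection (SYN set, ACK clear) is dropped unless the
subscriber has explicitly opened that address/port. Rule 2: everything
else is accepted. No connection table is consulted; the decision depends
only on the header bits of the packet at hand.
"""
from dataclasses import dataclass, field

SYN = 0x02  # TCP flag bits as found in the TCP header
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    flags: int = 0      # TCP flags; ignored for other protocols
    dport: int = 0      # destination port; 0 for non-TCP/UDP


@dataclass
class DiodeFilter:
    enabled: bool = True
    # Hypothetical subscriber-configured exceptions: (address, port) pairs
    # that may receive inbound connection attempts.
    allow_inbound: set = field(default_factory=set)

    def decide(self, pkt: Packet, direction: str) -> str:
        """Return 'accept' or 'drop' for a packet seen on the WAN side."""
        if not self.enabled or direction != "in":
            return "accept"                      # filter off, or LAN -> WAN
        is_new_tcp = pkt.proto == "tcp" and (pkt.flags & (SYN | ACK)) == SYN
        if is_new_tcp and (pkt.dst, pkt.dport) not in self.allow_inbound:
            return "drop"                        # rule 1: block new inbound TCP
        return "accept"                          # rule 2: everything else


def run_sample() -> dict:
    """Apply the filter to constructed sample packets and return the verdicts."""
    inside = "2001:db8:1::10"       # constructed LAN host
    outside = "2001:db8:ffff::1"    # constructed Internet host
    f = DiodeFilter(allow_inbound={(inside, 22)})
    cases = {
        # unsolicited connection attempt from outside: dropped
        "inbound_syn": (Packet("tcp", outside, inside, SYN, 80), "in"),
        # reply to a connection the LAN host opened: passes without state
        "inbound_synack": (Packet("tcp", outside, inside, SYN | ACK, 40000), "in"),
        # explicitly opened service on the LAN host: passes
        "inbound_syn_whitelisted": (Packet("tcp", outside, inside, SYN, 22), "in"),
        # LAN host opening a connection outward: never filtered
        "outbound_syn": (Packet("tcp", inside, outside, SYN, 443), "out"),
        # caveat: the SYN-only variant says nothing about UDP or ICMPv6
        "inbound_udp": (Packet("udp", outside, inside, 0, 53), "in"),
        "inbound_icmpv6": (Packet("icmpv6", outside, inside), "in"),
    }
    verdicts = {name: f.decide(pkt, d) for name, (pkt, d) in cases.items()}
    # the subscriber switches the filter off: the same SYN is now accepted
    off = DiodeFilter(enabled=False)
    verdicts["disabled_inbound_syn"] = off.decide(Packet("tcp", outside, inside, SYN, 80), "in")
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:26s} {verdict}")
```

The UDP and ICMPv6 cases show why the post scopes the stateless variant to TCP: without a connection table, the filter has no SYN bit to key on for other protocols, so those either pass entirely or need a different (typically stateful) rule.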