IPv6 Firewall on CPEs - Default on or off

Benedikt Stockebrand me at benedikt-stockebrand.de
Tue Nov 27 21:06:55 CET 2012


Hi Philipp and list,

Philipp Kern <phil at philkern.de> writes:

> On Tue, Nov 27, 2012 at 04:38:08PM +0000, Benedikt Stockebrand wrote:
>> Some subthreads here have diverted into the different issue of
>> *forcing* these settings on people, so let me reiterate that I am only
>> talking about *default* settings here.  Beyond the default setting I'd
>> consider any IPv6 service that denies me the possibility to make my
>> machines accessible from outside broken deficient.
>
> The annoying thing is that you shove another stateful box into the path.

To get this absolutely straight: If the filtering is done at the CPE,
and if it can be turned off, why do I "shove another stateful box into
the path"?

> At a university deployment I've got a proprietary firewall that does NAT
> for all the students.  It does barely manage the bandwidth that's
> available[1]. 

What *exactly* do you mean by "firewall" in this context?

Comparing a packet filter/application level gateway/packet filter
cascade with a minimalistic packet filter configuration (where TCP
enters the game it might even be sufficient to filter SYN packets
without maintaining state) doesn't make sense.

> For IPv6 I'm now faced with the requirement imposed by some that we
> "of course" need stateful firewalling (despite the fact that the
> mechanisms to whitelist yourself are not in place).

So, your reason to have a configurable diode style setup disabled by
default at some other place is because at your place they didn't
make it configurable at all?

Sorry, but this is ridiculous.

> There are no CPEs, it's all just Ethernet.

Maybe you should have a bit of a talk with the people in charge at the
local university data center about the reasons why they actually
bother to set up a firewall at all.

I've been dealing with a few of these people over the years, and
considering the peculiarities of academic environments in general and
student dormitories in particular I consider their approach
heavy-handed (because it's not configurable) but generally prudent.

> If I pipe it across the firewall IPv6 is not more performant than IPv4,
> while it could be, given that there's no requirement for NAT. For the
> eyeballs there would be a *reason* to switch to IPv6 given that you
> avoid the crowded NAT.  (And IPv6 transit is basically free, still.)

So how much of an impact does NAT, or in that case a simple two-rule
(depending on the implementation used) filter rule on a CPE, actually
have?  I haven't managed to measure any.

CGN at carrier grade bandwidths is an entirely different league in
pretty much any respect.

> Firewalls do have additional costs. Why do I have to bear them as a
> transit provider that happens to do NAT because of IPv4 address
> exhaustion?

Once again: You don't have to if they can be turned off.

And to my understanding transit providers don't do CGN; it's the ISPs.

> (I cannot shove that responsibility down to the "customers" either.)

I really don't understand what you want to say here.  Sorry.

> It was once said that IPv6 would be performant because it would
> skip the requirement to pass a CGN[2] box. Now we are adding a stateful
> firewall, which I find a bit tragic. Then we could also stick to the CGN
> alone,

Now, I know that a lot of sales people have tried to peddle CPE
routers as security devices because they do NAT, but that doesn't make
claiming that CGN is a substitute for a stateful firewall any better.

> especially if the customers don't have an easy way to unblock
> them because you cannot pin such rules to, say, a MAC address.

I know a bit about the situation in German university dormitory
networks and the problems they have with historic flat network
topologies---and occasionally the staff running them---but maybe you
should check out IEEE 802.1X for example.  Just because they don't
deploy a solution, for whatever reason, doesn't mean there isn't any.

And beyond that, there's also an option to actually clean up the
network topology and provide all rooms/students with individual
subnets.  Puts some extra load on the routing engines (the in-house
traffic between students), but that's all it takes.

> (Privacy extensions, MAC addresses not being available at the
> firewalling point, etc.)

Filtering by MAC addresses isn't particularly clever, either.
*Especially* not when students with some technical affinity are
around.


Cheers,

    Benedikt

-- 
			 Business Grade IPv6
		    Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform.   http://www.benedikt-stockebrand.de/
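The stateless "diode" filter the message alludes to (drop unsolicited inbound TCP SYNs, keep no connection state, let everything else through), as an added illustration that is not part of the original post. The TCP header layout follows RFC 793; the packet bytes, the WAN/LAN direction flag and the whitelisted port are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# TCP control flags (low 9 bits of the data-offset/flags word, RFC 793).
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class TcpPacket:
    inbound: bool   # True when the packet arrives on the WAN side (assumed direction flag)
    src_port: int
    dst_port: int
    flags: int


def parse_tcp_header(raw: bytes, inbound: bool) -> TcpPacket:
    """Parse the fixed 20-byte TCP header; only ports and flags are needed here."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return TcpPacket(inbound, src, dst, off_flags & 0x01FF)


def diode_verdict(pkt: TcpPacket, allowed_inbound_ports=frozenset()) -> str:
    """Two-rule stateless filter.

    Rule 1: a pure SYN (SYN set, ACK clear) coming from the WAN side is a new
            connection attempt; drop it unless the user opened that port.
    Rule 2: everything else (SYN/ACK replies to our own connects, data, FIN/RST,
            all outbound traffic) is accepted with no state table consulted.
    Caveat: this only covers TCP connection setup; UDP and ICMPv6 need their own policy.
    """
    syn_only = (pkt.flags & (TCP_SYN | TCP_ACK)) == TCP_SYN
    if pkt.inbound and syn_only and pkt.dst_port not in allowed_inbound_ports:
        return "drop"
    return "accept"


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal 20-byte header (data offset 5 words) for test traffic."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def demo() -> dict:
    """Constructed sample traffic as seen by a CPE with the default diode enabled."""
    return {
        "wan_syn_to_ssh": diode_verdict(parse_tcp_header(build_tcp_header(40000, 22, TCP_SYN), True)),
        "wan_synack_reply": diode_verdict(parse_tcp_header(build_tcp_header(443, 51000, TCP_SYN | TCP_ACK), True)),
        "lan_syn_outbound": diode_verdict(parse_tcp_header(build_tcp_header(51000, 443, TCP_SYN), False)),
        "wan_syn_opened_port": diode_verdict(parse_tcp_header(build_tcp_header(40000, 443, TCP_SYN), True), frozenset({443})),
    }
```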



