IPv6 Firewall on CPEs - Default on or off
ipv6-ops at acquired-taste.net
Wed Nov 28 13:42:57 CET 2012
I'm firmly in the 'off by default camp', but might I suggest an experiment.
Set the default to randomly enable or disable the firewall at boot. If a customer finds it inconvenient they can permanently disable it. If they're paranoid, they can opt to keep it on.
Figure out a mechanism to capture the firewall state of supplied devices 3, 6 and 12 months after deployment, and input that data into your long-term decision tree.
On 2012-11-28, at 23:27, Tore Anderson <tore.anderson at redpill-linpro.com> wrote:
> * sthaug at nethelp.no
>>> Why would a CPE-less user be any less needing of a firewall than
>>> one who was provided with a CPE?
>> Maybe because that's how it works for lots of DSL users today?
>> (ObDisclaimer: My employer has been in the DSL business for around 10
>> years. What's typically sold is a DSL connection which is simply
>> terminated in a bridge type "modem" - usually with one DSL port and
>> one Ethernet port. No firewall whatsoever.)
> It was a rhetorical question.
> I mean, there's no reason why you would start firewalling the inbound
> IPv6 traffic to your customers by default, just because you happened to
> provide them with a CPE?
> It would be terribly inconsistent, in my opinion, to claim that "the
> users need to have all inbound IPv6 traffic firewalled for their own
> protection", but at the same time claim that CPE-less customers have no
> need for such protection. Either they all do, or they all don't.
>> My experience is that a product which includes firewalling is
>> usually *sold* specifically as such.
> Tore Anderson
> Redpill Linpro AS - http://www.redpill-linpro.com/