IPv6 Firewall on CPEs - Default on or off

Eric Vyncke (evyncke) evyncke at cisco.com
Wed Nov 28 14:43:27 CET 2012


This must be beer-time in some random place on this planet... the discussions are rat-holing as predicted...

Just to add more topics (and you can guess that I am in the off-by-default camp for residential users):

PCP or UPnP are routinely used by IPv4 nodes to punch holes in NAT, which also means that any malware can also punch holes in NAT => NAT is useless in this case

Last time I checked (with my European engineer glasses), an ISP is providing Internet service; I would be surprised if any ISP contract included security by default with an SLA. When I connect to some random hotspot, I must sometimes accept an AUP where the hotspot disclaims all security issues... MSSPs (Managed Security Service Providers) are different beasts of course. By the same reasoning, which electrical utility has been sued (even in the US :-P) for killing someone inside the home?

Side notes (about Lorrenzo I think): yes, indeed, blocking outbound TCP/25 from residential users is commonly used to reduce spam. I hate it (as a subscriber) but I understand the logic behind it. The same applies to inbound TCP/445 (Windows issue). Also, HTTPS does indeed protect malware from common/old-generation IPS; this is why the I-D about advanced security wants to do SSL man-in-the-middle to inspect the payload (which is routinely done by several of our employers, BTW).

The more I think about it, the default setting should be kept off-by-default, but perhaps adding a captive-portal-like function on the first HTTP connection to ask the question...

-éric

> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
> bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Michael Adams
> Sent: Monday 26 November 2012 15:00
> To: ipv6-ops at lists.cluenet.de
> Subject: Re: IPv6 Firewall on CPEs - Default on or off
> 
> Hi Eric
> 
> On 26.11.2012 14:38, Eric Vyncke (evyncke) wrote:
> 
> > Yes, disable firewall for BOTH IPv4 and IPv6 (of course keep NAT44) as
> > previously written the killing arguments IMHO are:
> > - hosts are mobile anyway and won't always be protected by your CPE
> 
> I disagree on some points. My desktop PC, my fridge and my TV aren't mobile.
> And I'm not sure if I would like to have to configure host security on every
> device, even if possible. OK, my fridge is not v6 capable right now :) The
> point is that security for a host and for a network are two different things.
> At least in my opinion.
> 
> I think (our) residential customers are expecting a CPE to do some kind of
> network protection, either by NAT or a firewall. Yes, NAT is not a firewall.
> But in customers' minds it keeps things outside.
> 
> > - malware comes over subscriber-initiated connections, so, a pure
> > L3-L4 firewall is pretty useless (cfr Erik's referenced paper)
> > - only valid protection used by serious people is at least UTM
> > (containing a basic malware detection based on signatures à la IPS or
> > anti-virus -- cfr adv-security draft at the IETF)
> 
> In my opinion a CPE firewall is not a replacement for host security. One has
> to do both if necessary.
> 
> So I would enable a v6 firewall by default where v4 NAT is enabled by
> default.
> As far as I know this is what AVM CPEs are doing.
> 
> Michael
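What the "on by default" position argued above looks like in practice, as an added example that is not part of the thread, of any CPE vendor's firmware, or of the cited drafts: an nftables ruleset for a residential CPE that drops unsolicited inbound IPv6 in the forward path (the RFC 6092 "simple security" default), keeps the ICMPv6 messages IPv6 cannot work without (RFC 4890), carries the two operator-side blocks Eric mentions (outbound TCP/25, inbound TCP/445), and has an explicit pinhole set to make the PCP/UPnP point visible: whatever daemon fills that set acts on behalf of any LAN process, malware included. The interface names wan0/lan0, the table name and the script name are assumptions for the example; the "off by default" alternative is the same forward chain with `policy accept`.

```shell
#!/bin/sh
# Added example (not from the thread): an "on by default" IPv6 CPE firewall
# expressed as an nftables ruleset. Assumed: the CPE runs nftables, its WAN
# interface is wan0 and its LAN interface is lan0 (both are assumptions;
# override with the WAN_IF / LAN_IF environment variables).
set -eu

WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"

# Emit the ruleset as text. Keeping it in a function lets it be reviewed or
# checked without root and without an nft binary.
cpe_v6_ruleset() {
  cat <<EOF
table ip6 cpe {
  # Ports a PCP/UPnP daemon on the CPE would add on request from a LAN host.
  # Any LAN process, malware included, can ask for one: that is the
  # "punch holes in NAT" argument, and it applies to a stateful firewall
  # exactly as it applies to NAT44.
  set pinholes {
    type inet_service
  }

  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # ICMPv6 the CPE itself needs: errors, PMTUD, NDP and RAs from the ISP
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
    # DHCPv6 replies from the ISP's server or relay
    iif "$WAN_IF" udp sport 547 udp dport 546 accept
    # LAN side is trusted for CPE management (DHCPv6 server, DNS, web UI)
    iif "$LAN_IF" accept
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    # The "off by default" variant is this same chain with "policy accept".
    ct state established,related accept
    ct state invalid drop
    # ICMPv6 errors must pass both ways or PMTUD breaks for LAN hosts
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
    # Operator-side blocks discussed in the thread: outbound SMTP, inbound SMB.
    # They sit before the pinhole rule so a requested pinhole cannot reopen them.
    iif "$LAN_IF" oif "$WAN_IF" tcp dport 25 drop
    iif "$WAN_IF" oif "$LAN_IF" tcp dport 445 drop
    # Unsolicited inbound only where a pinhole has been requested
    iif "$WAN_IF" oif "$LAN_IF" tcp dport @pinholes accept
    # Everything the subscriber initiates goes out
    iif "$LAN_IF" oif "$WAN_IF" accept
  }
}
EOF
}

# Syntax-check the ruleset with nft (-c) and then apply it. Needs root and nft.
apply_ruleset() {
  if ! command -v nft >/dev/null 2>&1; then
    echo "nft not found; ruleset not applied" >&2
    return 1
  fi
  cpe_v6_ruleset | nft -c -f -
  cpe_v6_ruleset | nft -f -
}

# Print the ruleset by default; apply it only when asked explicitly.
if [ "${1:-}" = "--apply" ]; then
  apply_ruleset
else
  cpe_v6_ruleset
fi
```

Run it as `sh cpe-v6-fw.sh` to review the generated ruleset, or `sudo sh cpe-v6-fw.sh --apply` on a CPE with nftables (the script name is illustrative). The point worth checking on a real device is the pinhole path: with a PCP or UPnP daemon present, watch `nft list set ip6 cpe pinholes` while an untrusted LAN application runs, since every element that appears there is an inbound exception the subscriber never saw.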


