IPv6 Firewall on CPEs - Default on or off

Guillaume.Leclanche at swisscom.com Guillaume.Leclanche at swisscom.com
Fri Nov 30 11:50:10 CET 2012

> I have my personal and clear opinion about the matter, which is off. To be
> able to uphold the true end to end connectivity it must obviously be off. I
> think the application firewall on the new OS's that support IPv6 are more
> than good enough, and a firewall in the CPE is redundant.
> However, the arguments against is that the customer is used to having a
> security layer on IPv4 in the CPE (NAT), and it would be bad to allow IPv6
> unprotected into the customers LAN.

I have not read the whole thread, so somebody might have answered already.

One year ago, we had the exact same problem (Swiss incumbent, 6rd). And we asked the exact same question on this list.

We finally agreed with our CPE vendors to implement a 3 -level firewall for IPv6:
- off => no firewall at all -- except sanity filters from RFC
- low => a list of 60 well-known ports is blocked in incoming direction (things like ssh, telnet, remote desktop, vnc, etc.). Some are blocked both ways (mdns, dhcpv6, ipp, NetBIOS, SQL, etc.). Everything else is open both ways.
- high => All incoming new connections are blocked, firewall is stateful (simulated IPv4 NAT44 security)

In addition, the firewall can be tuned as much as desired by the customer.

You guessed it, default is "low", and it makes both marketing and engineering happy. We started the deployment one year ago and we have now almost 100'000 residential connections with IPv6 enabled, and counting. I've not heard of any complaints.

On the other hand, Free in France doesn't have any firewall and I don't think anybody complained either.

Best regards,

More information about the ipv6-ops mailing list