IPv6 Firewall on CPEs - Default on or off

Andre Tomt andre at tomt.net
Fri Nov 30 13:28:46 CET 2012


On 30. nov. 2012 11:50, Bjørn Mork wrote:
> Andre Tomt <andre at tomt.net> writes:
>> Drop all by default, allow incoming and outgoing for addresses in
>> DHCPv6 lease database. This is not without drawbacks (breaks static
>> addressing),
>
> It also breaks SLAAC.  That's something you may choose to do on your own network, but
> certainly not an option for a mass market deployment.

I agree, the stateless option (on IP/protocol layer) of this solution of 
sorts is no good for service provider mass deployment.

Adding stateful firewall however restores static addressing and SLAAC. 
But .. you have to keep state, ugh.. Then again you probably do that for 
IPv4 already (for the NAT), and the traffic just shifts, so not a huge 
extra burden.

It would work as today most of the time; only DHCPv6 managed addresses, 
randomly generated on lease-start, get the better, full two-way 
experience, because they have good, hard-to-guess addresses. You could 
even skip tracking connection state for them, which is useful.

Keep in mind though, I do propose this as an alternative to firewalling, 
as an in-between firewall everything!! and no firewall solution.

I do wish the ND table issue was nonexistent and SLAAC assigned 
random-but-persistent addresses (there is an RFC for it, I think), but 
alas, here we are, in the real world, deploying IPv6 today..

-- 
André Tomt
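An added example, not from the thread, of how the mixed policy described above (default drop, stateful for static/SLAAC addresses, stateless two-way for DHCPv6-leased addresses) could be expressed on a Linux-based CPE with nftables. The interface names `wan0`/`lan0`, the table and set names, and the sample lease address are assumptions; populating the set from the DHCPv6 server's lease events is left to a lease-script hook and is not shown.

```nft
# Constructed example: CPE forward-path policy for the delegated LAN prefix.
# Assumed interfaces: wan0 (upstream), lan0 (customer LAN).
table inet cpe_fw {
    # Addresses currently present in the DHCPv6 lease database.
    # Elements are added/removed by the DHCPv6 server's lease hook, e.g.
    #   nft add element inet cpe_fw dhcpv6_leases { 2001:db8:1::a1b2 timeout 1h }
    set dhcpv6_leases {
        type ipv6_addr
        flags timeout
    }

    # "You could even skip tracking connection state for them":
    # packets to or from leased addresses bypass conntrack entirely.
    chain raw_in {
        type filter hook prerouting priority raw; policy accept;
        ip6 daddr @dhcpv6_leases notrack
        ip6 saddr @dhcpv6_leases notrack
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Anything the LAN initiates may leave; for tracked flows this
        # creates the conntrack entry that lets replies back in.
        iifname "lan0" oifname "wan0" accept

        # Stateful part: replies to LAN-initiated flows, which is all that
        # static and SLAAC addresses get.
        ct state established,related accept

        # Stateless part: DHCPv6-leased addresses are reachable two-way
        # without any conntrack entry.
        iifname "wan0" ip6 daddr @dhcpv6_leases accept

        # Keep ICMPv6 error reporting and PMTUD working for every address.
        iifname "wan0" icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept
    }
}
```

Load with `nft -f` and watch the lease set with `nft list set inet cpe_fw dhcpv6_leases` to confirm the hook is keeping it in step with the DHCPv6 server.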

