IPv6 Firewall on CPEs - Default on or off
Andre Tomt
andre at tomt.net
Fri Nov 30 13:28:46 CET 2012
On 30. nov. 2012 11:50, Bjørn Mork wrote:
> Andre Tomt <andre at tomt.net> writes:
>> Drop all by default, allow incoming and outgoing for addresses in
>> DHCPv6 lease database. This is not without drawbacks (breaks static
>> addressing),
>
> It also breaks SLAAC. That's something you may choose to do on your own network, but
> certainly not an option for a mass market deployment.
I agree, the stateless option (at the IP/protocol layer) of this solution of
sorts is no good for service provider mass deployment.
Adding stateful firewall however restores static addressing and SLAAC.
But .. you have to keep state, ugh.. Then again you probably do that for
IPv4 already (for the NAT), and the traffic just shifts, so not a huge
extra burden.
It would work as today most of the time; only DHCPv6-managed addresses,
randomly generated on lease start, get the better, full two-way
experience, because they have good, hard-to-guess addresses. You could
even skip tracking connection state for them, which is useful.
Keep in mind though, I do propose this as an alternative to firewalling,
as an in-between between a "firewall everything!!" and a "no firewall" solution.
I do wish the ND table issue was nonexistent and SLAAC assigned
random-but-persistent addresses (there is an RFC for it, I think), but
alas, here we are, in the real world, deploying IPv6 today..
--
André Tomt
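The middle ground sketched above (stateful default for SLAAC and static hosts, unconditional inbound for DHCPv6-leased addresses, optionally without connection tracking for those) rendered as an nftables ruleset generated from a lease database. This is an added example and not code from the post or from any CPE vendor; the lease text is a constructed sample that mimics the ISC dhcpd6.leases layout, and the table, set and chain names, the interface names (eth0, br0) and the customer prefix 2001:db8:1::/48 are assumptions.

```python
"""Build an nftables IPv6 forward policy from a DHCPv6 lease database.

Added example (not from the mailing-list post). Policy it implements:
  - forward chain defaults to drop, with stateful return-traffic accept,
    so SLAAC and static hosts keep working for outbound-initiated flows;
  - active DHCPv6 leases (random, hard-to-guess addresses) get inbound
    accepted unconditionally and are exempted from conntrack (notrack).
Table/chain/set names, interface names and the prefix are assumptions.
"""
import ipaddress
import re

# Constructed sample in an ISC dhcpd6.leases-like layout (not a real file).
SAMPLE_LEASES = """\
ia-na "\\000\\001\\000\\001" {
  cltt 4 2012/11/30 10:00:00;
  iaaddr 2001:db8:1:2:3e4f:91a2:7cc0:5d1e {
    binding state active;
    preferred-life 3600;
    max-life 7200;
  }
}
ia-na "\\000\\002\\000\\001" {
  cltt 4 2012/11/30 10:05:00;
  iaaddr 2001:db8:1:2:8a1b:44d0:1f2e:9c77 {
    binding state expired;
  }
}
"""

# One iaaddr block: address followed by its brace-delimited body.
IAADDR_RE = re.compile(r"iaaddr\s+([0-9a-fA-F:]+)\s*\{(.*?)\}", re.S)


def active_leases(lease_text, prefix):
    """Return active lease addresses that fall inside the customer prefix.

    Leases outside the delegated prefix are ignored on purpose: a lease
    database must never widen the allow-list beyond the customer's own
    prefix, even if a stray entry ends up in it.
    """
    net = ipaddress.IPv6Network(prefix)
    addrs = []
    for addr, body in IAADDR_RE.findall(lease_text):
        if "binding state active" not in body:
            continue  # expired/released leases get no hole in the firewall
        ip = ipaddress.IPv6Address(addr)
        if ip in net:
            addrs.append(ip)
    return addrs


def render_ruleset(leased, wan="eth0", lan="br0"):
    """Render the nftables ruleset text for the given leased addresses."""
    lines = ["table inet cpe {", "    set dhcpv6_leased {", "        type ipv6_addr"]
    if leased:  # nft rejects an empty 'elements = { }' clause, so omit it
        lines.append("        elements = { " + ", ".join(str(a) for a in leased) + " }")
    lines += [
        "    }",
        "    chain raw {",
        "        type filter hook prerouting priority raw; policy accept;",
        # Leased addresses are exempt from conntrack in both directions.
        "        ip6 daddr @dhcpv6_leased notrack",
        "        ip6 saddr @dhcpv6_leased notrack",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority filter; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
        # ICMPv6 needed for PMTUD and basic reachability; ND is link-local
        # and never forwarded, so it does not need a rule here.
        "        icmpv6 type { destination-unreachable, packet-too-big, "
        "time-exceeded, parameter-problem, echo-request, echo-reply } accept",
        # Untracked leased traffic is accepted by address, not by ct state.
        "        ip6 saddr @dhcpv6_leased accept",
        "        ip6 daddr @dhcpv6_leased accept",
        # Everything else on the LAN may open outbound flows only.
        f'        iifname "{lan}" oifname "{wan}" ct state new accept',
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ruleset(active_leases(SAMPLE_LEASES, "2001:db8:1::/48")))
```

The generated text is meant to be fed to `nft -f -` after every lease change; the set must be regenerated (or the expired address deleted from it) when a lease ends, otherwise the hole outlives the host that justified it.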