IPv6 Firewall on CPEs - Default on or off

Cameron Byrne cb.list6 at gmail.com
Fri Nov 30 21:51:32 CET 2012


Sent from ipv6-only Android
On Nov 30, 2012 2:50 AM, <Guillaume.Leclanche at swisscom.com> wrote:
>
> > I have my personal and clear opinion about the matter, which is off. To
> > be able to uphold the true end to end connectivity it must obviously be
> > off. I think the application firewall on the new OS's that support IPv6
> > are more than good enough, and a firewall in the CPE is redundant.
> >
> > However, the arguments against are that the customer is used to having a
> > security layer on IPv4 in the CPE (NAT), and it would be bad to allow
> > IPv6 unprotected into the customer's LAN.
>
> I have not read the whole thread, so somebody might have answered already.
>
> One year ago, we had the exact same problem (Swiss incumbent, 6rd). And
> we asked the exact same question on this list.
>
> We finally agreed with our CPE vendors to implement a 3-level firewall
> for IPv6:
> - off => no firewall at all -- except sanity filters from RFC
> - low => a list of 60 well-known ports is blocked in incoming direction
>   (things like ssh, telnet, remote desktop, vnc, etc.). Some are blocked
>   both ways (mdns, dhcpv6, ipp, NetBIOS, SQL, etc.). Everything else is
>   open both ways.
> - high => All incoming new connections are blocked, firewall is stateful
>   (simulated IPv4 NAT44 security)
>
> In addition, the firewall can be tuned as much as desired by the customer.
>
> You guessed it, default is "low", and it makes both marketing and
> engineering happy. We started the deployment one year ago and we have now
> almost 100'000 residential connections with IPv6 enabled, and counting.
> I've not heard of any complaints.
>

I like your approach.  I think it is a solid balance of marketing cya and
technically sound stateless security controls at "low" that are default.

Great data point. Thanks for sharing. Do you have details published
somewhere of exactly what is covered in "low"?

CB

> On the other hand, Free in France doesn't have any firewall and I don't
> think anybody complained either.
>
> Best regards,
> Guillaume
>
>
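[Editor's note, not part of the thread] The three levels Guillaume describes map cleanly onto an nftables ruleset on a Linux-based CPE. The ruleset below is an added illustration, not Swisscom's or any vendor's configuration: the upstream interface name, the chain names and the port list are assumptions (only the services the post names are included, far short of the 60 ports mentioned), and the "sanity" chain stands in for the RFC filters the post alludes to, here limited to dropping forwarded packets with a loopback or unspecified source and passing the ICMPv6 types that RFC 4890 says a firewall must not block. The point it shows is the difference in kind between "low" (stateless port blocklist, everything else open both ways) and "high" (stateful, all new inbound connections dropped, which is the IPv4 NAT44-like behaviour).

```nft
# Added example (not from the thread): three-level IPv6 CPE firewall in nftables.
# Load with:  nft -f cpe-ipv6-fw.nft
# Exactly one of the level_* chains should be jumped to from "forward";
# the default here is "low", as in the post.

define WAN = "eth0"    # assumption: name of the upstream (6rd/WAN) interface

table ip6 cpe_fw {
    # Level "low": ports blocked only in the incoming (WAN -> LAN) direction.
    # Illustrative subset of the well-known remote-access ports named in the post.
    set low_in_tcp {
        type inet_service
        elements = { 22, 23, 3389, 5900 }   # ssh, telnet, remote desktop, vnc
    }
    # Level "low": ports blocked in both directions (LAN-local services).
    set low_both_tcp {
        type inet_service
        elements = { 139, 445, 631, 1433, 3306 }   # NetBIOS-ssn, SMB, ipp, MS SQL, MySQL
    }
    set low_both_udp {
        type inet_service
        elements = { 137, 138, 546, 547, 5353 }    # NetBIOS-ns/dgm, dhcpv6, mdns
    }

    # Sanity filters applied at every level, including "off".
    chain sanity {
        ip6 saddr ::1 drop          # loopback source must never be forwarded
        ip6 saddr :: drop           # unspecified source must never be forwarded
        ip6 daddr ::1 drop
        # ICMPv6 types a firewall must not block (RFC 4890), regardless of level.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        jump sanity
        # Select exactly one level (default "low"):
        # jump level_off
        jump level_low
        # jump level_high
    }

    # "off": nothing beyond the sanity filters; end-to-end connectivity intact.
    chain level_off {
        return
    }

    # "low": stateless. Listed ports dropped inbound (or both ways);
    # everything else is open in both directions, so inbound connections
    # to unlisted ports on LAN hosts succeed.
    chain level_low {
        iifname $WAN tcp dport @low_in_tcp drop
        tcp dport @low_both_tcp drop
        udp dport @low_both_udp drop
        accept
    }

    # "high": stateful. Only replies to LAN-initiated flows come in from the
    # WAN; every new inbound connection is dropped (simulated NAT44 behaviour).
    chain level_high {
        ct state established,related accept
        iifname $WAN ct state invalid drop
        iifname $WAN icmpv6 type echo-request accept   # RFC 4890: allow by default
        iifname $WAN drop
        accept
    }
}
```

Two practical checks when adopting a scheme like this: a port blocklist at "low" is only as good as its maintenance, so the set contents should be auditable by the customer (the post mentions the firewall is tunable), and the "high" chain needs connection tracking enabled in the kernel, otherwise `ct state` never matches and the chain falls through to the final drop for all WAN traffic, including legitimate replies.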