CPE Residential IPv6 Security Poll

Ted Mittelstaedt tedm at ipinc.net
Mon Sep 19 20:17:51 CEST 2016


When we were still doing DSL I brought IPv6 online, but the only way our
customers could access it was to have the DSL modem/CPE in bridged mode,
and run their own router which was IPv6 compliant.  Thus the "CPE" 
security policy was whatever the router vendor defaulted.   Our 
observation was that the customers who didn't understand routing and
firewalling tended to buy lower-end routers that defaulted to blocking
any inbound traffic trying to initiate a connection, while the customers
who did understand it tended to buy Cisco routers and other higher-end
routers that defaulted to permit any any both directions - but since 
they knew what they were doing, they would install their own security
policy.

IMHO a CPE that supports IPv6 should be designed to default to
blocking inbound traffic on IPv6 but contain a provision for disabling
that AND a provision for disabling the entire CPE and the customer using
their own gear.

That way, you are not screwing over your ignorant customers by leaving
their networks wide open, and you are not screwing over your advanced
customers who want to use their own gear and/or provide IPv6-enabled
services on the Internet.

This kind of mirrors the "default" security policy on IPv4 CPEs (since
those CPEs have NAT automatically turned on, which creates a "block in,
permit out" kind of approach), so I'm not sure why you would want to
default it to being different for IPv6.

Ted

On 9/19/2016 5:32 AM, Anfinsen, Ragnar wrote:
> Hi all.
>
> In light of a new discussion blossoming in Norway, we are curious about the IPv6 security policy different ISPs have adopted. So it would be very helpful if you could do a quick response, either here or directly to me, on the following question:
>
> Which security policy are you using for your residential IPv6-enabled CPEs? (RFC6092, fully open, balanced or other)
>
> Why did you adopt this policy?
>
> Any good or not so good experience with the choice?
>
> All answers are very much appreciated, and I will post the results here after a week or so. Thank you very much.
>
> Best Regards
> Ragnar Anfinsen
>
> Chief Architect CPE
> IP Address Architect
> Infrastructure
> Technology
> Altibox AS
>
> E-mail: ragnar.anfinsen at altibox.no
> www.altibox.no<http://www.altibox.no/>
>
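
The "block in, permit out" default described in the reply above, sketched as an nftables ruleset for routed IPv6. This is an added example, not part of the original post; the interface names wan0 and lan0 and the table name are assumptions.

```nft
#!/usr/sbin/nft -f
# Added illustration: stateful "block in, permit out" for IPv6 traffic
# forwarded through a CPE. Interface names (wan0, lan0) and the table
# name are assumptions; adjust them to the device.

table ip6 cpe_default {
    chain forward {
        # Default-deny: anything not matched below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to flows a LAN host opened, plus ICMPv6 errors that
        # conntrack ties to those flows (e.g. packet-too-big).
        ct state established,related accept
        ct state invalid drop

        # Permit out: connections initiated from the LAN toward the WAN.
        iifname "lan0" oifname "wan0" accept

        # Block in: unsolicited WAN-to-LAN packets reach no accept rule
        # and hit the chain's drop policy.

        # The "provision for disabling" would be a user-facing switch that
        # installs a rule such as the one below (left commented out here):
        # iifname "wan0" oifname "lan0" accept
    }
}
```

Without NAT in the path, this forward-chain policy is the only thing standing between the WAN and globally addressed LAN hosts, which is why the default matters more for IPv6 than for IPv4.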
