CPE Residential IPv6 Security Poll

Bjørn Mork bjorn at mork.no
Mon Sep 19 22:29:57 CEST 2016

Ted Mittelstaedt <tedm at ipinc.net> writes:

> This kind of mirrors the "default" security policy on IPv4 CPEs (since
> those CPEs have NAT automatically turned on, which creates a "block in,
> permit out" kind of approach), so I'm not sure why you would want to
> default it to being different for IPv6.

One reason was explained to me today: No CPEs implement UPnP support for
IPv6 [1].

This makes the effect of the similar IPv4 and IPv6 policies quite
different.  UPnP-aware applications will set up the necessary NAT rules
for IPv4, allowing inbound connections etc. But if you want the same
applications to work over IPv6, then the policy must be more open by
default. Letting the user disable IPv6 filtering is not going to help
the masses I'm afraid...

So the question remains: What do ISPs actually do to
 - allow IPv6, and
 - secure the end users' networks, and
 - not break dual stack applications wanting incoming connections

all at the same time?  Looks like a classical "pick any two".


[1] I'm sure someone will come up with an obscure and expensive example
 to the contrary - the point is that IPv6 UPnP support is not readily
 available in the residential CPE market.
