CPE Residential IPv6 Security Poll

Ted Mittelstaedt tedm at ipinc.net
Mon Sep 19 23:23:01 CEST 2016

I can tell you that -today- in my location both CenturyLink and Comcast 
(giant ISPs) supply IPv6 by default on their residential CPEs - and both 
of those CPEs have "inbound block outbound allow" on by default on IPv6.
As far as I know neither supports UPnP on IPv6.

I think you are overthinking this.  If a CPE has no IPv6 support but it
has UPnP support over IPv4 then things "work".  If a CPE has IPv6 
support but no UPnP support over IPv6, then things are also going to
"work" - on IPv4.  They may break on IPv6 with a "block everything" IPv6 
rule, in which case the end user is undoubtedly going to complain to the 
toaster manufacturer, not you, and that toaster maker is either
going to tell their customer "disable ipv6 on your ISP CPE" or they are 
going to fix their toaster so that it doesn't try using UPnP over IPv6,
only IPv4.

Your job is to not assume your customers are all morons.  It is to make 
it safe for the ones who are, and make it usable for the ones who aren't 
and want to run their own show.  Provide the needed buttons in the CPE 
to enable or disable IPv6 and to allow your customers to shut off your 
CPE's interference and be done with it.

As an ISP you of all people should understand how powerful the Internet 
is.  If you make your stuff configurable for power users, and document
it, then the Ma & Pa Kettle customers are going to engage their friend's
son who IS a power user and can search the Internet and follow simple
directions and fix their problem with their web cam or whatever it is
that is demanding UPnP.

If however you default to open, then when Ma & Pa Kettle eventually get
cracked, and call in the power user, that power user is going to 
discover your default firewall on IPv6 is open and realize that you
created a whole bunch of work for him since he will now have to
put back together a PC for the morons.  He isn't going to appreciate 
that and will badmouth you online.

Nobody with brains is going to go online and badmouth an ISP that
supplies a CPE that has defaults that err on the side of 
protection-of-morons.  But they are going to badmouth an ISP that 
supplies a CPE that has defaults that allow morons to get easily broken
into - because it's them who are going to be sucked into putting those
systems back together.  And they are really going to badmouth an ISP
that supplies a CPE that can't have its internal firewall turned off.


On 9/19/2016 1:29 PM, Bjørn Mork wrote:
> Ted Mittelstaedt <tedm at ipinc.net> writes:
>> This kind of mirrors the "default" security policy on IPv4 CPEs (since
>> those CPE's have NAT automatically turned on which creates a "block in,
>> permit out" kind of approach.) so I'm not sure why you would want to
>> default it to being different for IPv6.
> One reason was explained to me today: No CPEs implement UPnP support for
> IPv6 [1].
> This makes the effect of the similar IPv4 and IPv6 policies quite
> different.  UPnP aware applications will set up the necessary NAT rules
> for IPv4, allowing inbound connections etc. But if you want the same
> applications to work over IPv6, then the policy must be more open by
> default. Letting the user disable IPv6 filtering is not going to help
> the masses I'm afraid...
> So the question remains: What do ISPs actually do to
>   - allow IPv6, and
>   - secure the end users' networks, and
>   - not break dual stack applications wanting incoming connections
> all at the same time?  Looks like a classical "pick any two".
> Bjørn
> [1] I'm sure someone will come up with an obscure and expensive example
>   of the contrary - the point is that IPv6 UPnP support is not readily
>   available in the residential CPE market.
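As an added illustration (this is not part of Ted's or Bjørn's messages and is not any vendor's actual CPE configuration), the shell script below emits the two IPv6 forward-chain policies the thread contrasts as nftables rulesets: the "inbound block, outbound allow" default, and the "default open" alternative, selected by a mode argument standing in for the CPE "button" Ted asks for. The interface name wan0, the table name cpe, and the ICMPv6 exceptions are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: nftables IPv6 forward rulesets for a CPE.
# "protect" is the "inbound block, outbound allow" default the thread describes;
# "open" is the risky alternative, shown for contrast. Interface and table
# names are assumptions.

WAN="${WAN:-wan0}"   # assumed name of the CPE's upstream (WAN) interface

# cpe_ipv6_ruleset MODE
#   protect : policy drop on the forward hook; only replies to LAN-initiated
#             flows, LAN->WAN traffic and ICMPv6 errors needed for PMTUD pass
#   open    : policy accept, i.e. no inbound filtering at all
cpe_ipv6_ruleset() {
    case "$1" in
    protect)
        cat <<EOF
table ip6 cpe {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # drop packets that do not belong to any tracked flow
        ct state invalid drop
        # the "outbound allow" half: replies to flows the LAN started
        ct state established,related accept
        # anything the LAN sends toward the WAN may leave
        oifname "$WAN" accept
        # ICMPv6 errors IPv6 cannot do without (Path MTU discovery)
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem } accept
        # unsolicited inbound from the WAN matches no rule and hits policy drop
    }
}
EOF
        ;;
    open)
        cat <<EOF
table ip6 cpe {
    chain forward {
        # every host behind the CPE is reachable from the Internet
        type filter hook forward priority 0; policy accept;
    }
}
EOF
        ;;
    *)
        echo "usage: cpe_ipv6_ruleset protect|open" >&2
        return 2
        ;;
    esac
}

# cpe_ipv6_ruleset_check MODE
#   Dry-run the ruleset through nft when it is installed (most builds need
#   CAP_NET_ADMIN even for --check); returns 0 when nft is absent so the
#   script stays usable on a workstation.
cpe_ipv6_ruleset_check() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed, skipping syntax check" >&2
        return 0
    fi
    cpe_ipv6_ruleset "$1" | nft -c -f -
}

# Print the ruleset for MODE (default: the protective one).
cpe_ipv6_ruleset "${MODE:-protect}"
```

Run `MODE=open sh cpe-ipv6.sh` to see the open variant; the only difference between the two is the chain policy, which is exactly why the "open by default" choice is hard to spot until someone behind the CPE has been broken into. Neither ruleset does anything UPnP-like for IPv6, which matches the gap Bjørn describes: a dual-stack application wanting inbound IPv6 connections would need a per-host accept rule added to the protect chain, either by hand or by some port-control mechanism the CPE exposes.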

