CPE Residential IPv6 Security Poll

[Tore Anderson]

* Ted Mittelstaedt

> This kind of mirrors the "default" security policy on IPv4 CPEs (since
> those CPE's have NAT automatically turned on which creates a "block
> in, permit out" kind of approach.) so I'm not sure why you would want
> to default it to being different for IPv6.

There are a gazillion pages out there on the Internet where you'll find
people trying to figure out how to open ports in their router, make
their PlayStation or Xbox online gaming Just Work instead of
complaining about NAT problems, and so on. And this is mostly regarding
IPv4, where we've already have a solution in the form of UPnP (a
security nightmare in its own right).

The situation is not exactly user friendly. The IPv4 NATs are making
applications suffer and people are strugging or failing to work around
them. We now have the opportunity to do better with IPv6, and I'm
hoping the ISPs will carefully consider doing so, instead of just
defaulting to whatever looks the most similar to what they've were
forced to do for IPv4.

[I say «forced», because NAT and its intrinsic «drop all inbound» policy
came about as a way of conserving scarce IPv4 addresses, not as a
security mechanism. This is obviously not an issue for IPv6.]

So it'd be interesting to see some solid empirical data that explained
to what extent a default-drop-inbound firewall really increases
security, and to what extent it impairs applications and thus makes
users unhappy.

For what it's worth, the Swisscom approach seems sensible to me. At
least if I understand it correctly, in that they by default only block
ports associated with application protocols known to be insecure, meant
for home network use only, etc. All other ports and protocols not on
the blacklist are let through in both directions. As far as I know this
has been working out fine for them.

Tore