<p><br>
On May 6, 2011 7:24 AM, <<a href="mailto:Guillaume.Leclanche@swisscom.com">Guillaume.Leclanche@swisscom.com</a>> wrote:<br>
><br>
> > -----Original Message-----<br>
> > From: Mikael Abrahamsson [mailto:<a href="mailto:swmike@swm.pp.se">swmike@swm.pp.se</a>]<br>
> > Sent: Thursday, May 05, 2011 9:05 PM<br>
> > To: Leclanche Guillaume, SCS-NIT-DEV-NTW-CYC-CTB<br>
> ><br>
> > > ** An SP delivers the CPEs with a stateful IPv6 firewall providing the<br>
> > > same security features as an IPv4 NAPT. Should it be turned ON or OFF<br>
> > > by default?<br>
> ><br>
> > My suggestion is to deliver it with firewall on to disallow incoming<br>
> > connections to low (<1024) TCP/UDP ports, allow high ones. Most of the<br>
> > services people leave on by accident live on the old privileged unix<br>
> > ports under 1024.<br>
><br>
> Thank you all for your answers. The debate reflects almost exactly the arguments we have internally :)<br>
><br>
> I like this suggestion from Mike, I believe it sounds like a reasonable compromise.<br>
><br>
> What do you all think about the proposal ? (keep in mind we're talking here only about the default configuration !)<br>
></p>
<p>This also keeps us locked into TCP/UDP and breaks SCTP and other forward-looking evolutions of IP transport ... also likely broken are multicast, IPsec, Mobile IP, ...</p>
<p>The SPI pushers have forced tcp/80 to be THE Internet transport.... and tcp/80 is now ....too big to fail ...so now the firewall has to do DPI .... and that is an expensive arms race. </p>
<p>Cb<br>
> Guillaume<br>
</p>
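<p>The default Mikael proposes, and the objection Cb raises to it, modelled as an added example that is not part of the thread: a stateful CPE filter that passes LAN-initiated flows and their replies, and for unsolicited inbound traffic decides purely on TCP/UDP destination port, so a transport with no port rule (SCTP here) is dropped whatever port it targets. The explicit ICMPv6 allow is my assumption of what any working IPv6 default needs; interface names, addresses and ports are constructed.</p>

```python
from dataclasses import dataclass

# Stateful IPv6 CPE firewall modelled on the thread's proposed default:
# LAN-initiated flows and their replies pass; unsolicited inbound traffic
# is accepted only for TCP/UDP destination ports at or above 1024.
PRIVILEGED_PORT_LIMIT = 1024

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "lan" or "wan" (constructed)
    proto: str   # "tcp", "udp", "sctp", "icmpv6", ...
    src: str
    sport: int
    dst: str
    dport: int

class CpeFirewall:
    def __init__(self):
        # tracked flows keyed as (proto, lan_addr, lan_port, wan_addr, wan_port)
        self.flows = set()

    def _key(self, pkt):
        if pkt.iface == "lan":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        if pkt.iface == "lan":              # outbound: always allowed, creates state
            self.flows.add(self._key(pkt))
            return "accept"
        if self._key(pkt) in self.flows:    # reply to a LAN-initiated flow
            return "accept"
        if pkt.proto == "icmpv6":           # assumed allow: IPv6 needs PMTUD/ND
            return "accept"
        if pkt.proto in ("tcp", "udp"):     # the proposed port-based default
            return "accept" if pkt.dport >= PRIVILEGED_PORT_LIMIT else "drop"
        return "drop"                       # SCTP etc.: no port rule matches

def run_demo():
    fw = CpeFirewall()
    host, remote = "2001:db8:1::10", "2001:db8:2::20"   # constructed addresses
    fw.filter(Packet("lan", "tcp", host, 50000, remote, 443))   # LAN opens web session
    return {
        "reply to LAN web session": fw.filter(Packet("wan", "tcp", remote, 443, host, 50000)),
        "unsolicited ssh to LAN host": fw.filter(Packet("wan", "tcp", remote, 40000, host, 22)),
        "unsolicited tcp/8080 to LAN host": fw.filter(Packet("wan", "tcp", remote, 40000, host, 8080)),
        "unsolicited sctp/8080 to LAN host": fw.filter(Packet("wan", "sctp", remote, 40000, host, 8080)),
        "icmpv6 packet-too-big from WAN": fw.filter(Packet("wan", "icmpv6", remote, 0, host, 0)),
    }
```

<p>The SCTP verdict is the point of Cb's objection: the port-based default cannot express "allow high ports" for a transport it does not parse, so it falls through to drop.</p>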