<p><br>
On May 6, 2011 7:24 AM, <<a href="mailto:Guillaume.Leclanche@swisscom.com">Guillaume.Leclanche@swisscom.com</a>> wrote:<br>
><br>
> > -----Original Message-----<br>
> > From: Mikael Abrahamsson [mailto:<a href="mailto:swmike@swm.pp.se">swmike@swm.pp.se</a>]<br>
> > Sent: Thursday, May 05, 2011 9:05 PM<br>
> > To: Leclanche Guillaume, SCS-NIT-DEV-NTW-CYC-CTB<br>
> ><br>
> > > ** A SP deliver the CPEs with a stateful IPv6 firewall providing the<br>
> > > same security features as an IPv4 NAPT, should it be turned ON or OFF<br>
> > by<br>
> > > default ?<br>
> ><br>
> > My suggestion is to deliver it with firewall on to disallow incoming<br>
> > connections to low (<1024) TCP/UDP ports, allow high ones. Most of the<br>
> > services people leave on by accident live on the old privileged unix<br>
> > ports<br>
> > under 1024.<br>
><br>
> Thank you all for your answers. The debate reflects almost exactly the arguments we have internally :)<br>
><br>
> I like this suggestion from Mike, I believe it sounds like a reasonable compromise.<br>
><br>
> What do you all think about the proposal ? (keep in mind we're talking here only about the default configuration !)<br>
></p>
<p>The question is one of statefully inspecting or not. If you do it, you break e2e and require alg</p>
<p>Statefull inspection on a middle box and allowing ports is possibly the worst of both worlds.</p>
<p>Take a realistic look at home users. They have XP sp2+, osx, vistas, and win7 ... or something else with a hardened host and fw.<br></p>
<p>I guess the real place to start is ask what problem are you trying to solve and how likely is it to occur? The relevant solutions set likely does not include CPE fw give today's real threat profile. </p>
<p>Cb<br>
> Guillaume<br>
</p>