CPE firewalls
Alan Batie
alan.batie at peakinternet.com
Fri Sep 4 02:53:31 CEST 2009
Bjørn Mork wrote:
> Right. Thanks for the idea. I do have a few places where I can push
> things like that. This is maybe something for
> http://www.ietf.org/id/draft-ietf-v6ops-ipv6-cpe-router-01.txt

After reading this draft, I sent a request to the authors to include a
firewall addition to the effect of "a CPE Router SHOULD default to
blocking incoming TCP connection requests and incoming UDP packets". In
essence, the router should provide the same basic default firewall
capability that NAT gives now.

While not full security, it at least provides network protection at the
same level users have now, and without this default state or NAT6x,
users are going to be highly vulnerable. There is a big difference
between "I forgot to configure the router" or "I configured it wrong
accidentally" and "I decided to make changes from the default and
accidentally opened a hole".
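
Added example, not part of the original message or of the draft: a small Python model of the default proposed above, where a CPE router forwards without translation but only lets inbound TCP and UDP through for flows a LAN host opened. The class and function names and the addresses (documentation prefix 2001:db8::/32) are constructed for illustration; flow expiry and ICMPv6 handling are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN to WAN, "in" = WAN to LAN
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class DefaultDenyCpe:
    """Hypothetical stateful filter: routes IPv6 as-is, tracks LAN-opened flows."""

    def __init__(self):
        self.flows = set()  # 5-tuples of flows opened from the LAN side

    def forward(self, p: Packet) -> bool:
        if p.direction == "out":
            # LAN hosts may open flows; remember the 5-tuple so replies match.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        if p.proto == "tcp" and p.syn and not p.ack:
            return False  # incoming TCP connection request: blocked by default
        # Other inbound traffic passes only as the reverse of a known flow,
        # so unsolicited UDP and stray TCP segments are dropped.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows


def run_sample():
    """Run constructed traffic through the filter; returns one verdict per packet."""
    lan, server, outsider = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
    fw = DefaultDenyCpe()
    packets = [
        Packet("out", "tcp", lan, 50000, server, 443, syn=True),          # LAN opens
        Packet("in", "tcp", server, 443, lan, 50000, syn=True, ack=True),  # reply
        Packet("in", "tcp", outsider, 40000, lan, 22, syn=True),           # unsolicited
        Packet("in", "udp", outsider, 40000, lan, 5353),                   # unsolicited
        Packet("out", "udp", lan, 50001, server, 53),                      # LAN query
        Packet("in", "udp", server, 53, lan, 50001),                       # answer
        Packet("in", "tcp", outsider, 40000, lan, 50000, ack=True),        # no such flow
    ]
    return [fw.forward(p) for p in packets]
```
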