<p dir="ltr">Sent from ipv6-only Android<br>
On Nov 26, 2012 5:38 AM, "Eric Vyncke (evyncke)" <<a href="mailto:evyncke@cisco.com">evyncke@cisco.com</a>> wrote:<br>
><br>
> Ragnar,<br>
><br>
> I should monitor this mailing list more often as I missed a fun discussion.<br>
><br>
> Yes, disable the firewall for BOTH IPv4 and IPv6 (of course keep NAT44); as previously written, the killing arguments IMHO are:<br>
> - hosts are mobile anyway and won't always be protected by your CPE<br>
> - malware comes over subscriber-initiated connections, so, a pure L3-L4 firewall is pretty useless (cfr Erik's referenced paper)<br>
> - the only valid protection used by serious people is at least UTM (containing basic malware detection based on signatures à la IPS or anti-virus -- cfr adv-security draft at the IETF)<br>
></p>
<p dir="ltr">+1 for these thoughts to have the firewall off.</p>
<p dir="ltr">Stateful packet inspection (SPI) requires ALGs in many cases, and this is a symptom of a failed Internet and broken end-to-end connectivity.</p>
<p dir="ltr">Also, SPI is its own attack vector (session DoS), and ALGs are very fragile (do a bug search for SIP or RTSP on your favorite firewall vendor).</p>
<p dir="ltr">CB</p>
<p dir="ltr">> -éric<br>
><br>
> > -----Original Message-----<br>
> > From: ipv6-ops-bounces+evyncke=<a href="mailto:cisco.com@lists.cluenet.de">cisco.com@lists.cluenet.de</a> [mailto:<a href="mailto:ipv6-ops-">ipv6-ops-</a><br>
> > bounces+evyncke=<a href="mailto:cisco.com@lists.cluenet.de">cisco.com@lists.cluenet.de</a>] On Behalf Of Anfinsen, Ragnar<br>
> > Sent: Monday 26 November 2012 10:02<br>
> > To: <a href="mailto:ipv6-ops@lists.cluenet.de">ipv6-ops@lists.cluenet.de</a><br>
> > Subject: IPv6 Firewall on CPEs - Default on or off<br>
> ><br>
> > Hi all.<br>
> ><br>
> > We are preparing to roll IPv6 out to customers with the latest and greatest<br>
> > CPEs we supply, which is great. We have chosen to use 6rd, due to lack of<br>
> > support in our access platform.<br>
> ><br>
> > However, our marketing guys have now started to question whether the IPv6<br>
> > firewall function should be on or off by default. I know there are as many<br>
> > opinions as people on this list, but I am looking for arguments from both<br>
> > camps.<br>
> ><br>
> > I have my personal and clear opinion about the matter, which is off. To be<br>
> > able to uphold the true end to end connectivity it must obviously be off. I<br>
> > think the application firewalls on the new OSes that support IPv6 are more<br>
> > than good enough, and a firewall in the CPE is redundant.<br>
> ><br>
> > However, the argument against is that the customer is used to having a<br>
> > security layer on IPv4 in the CPE (NAT), and it would be bad to allow IPv6<br>
> > unprotected into the customer's LAN.<br>
> ><br>
> > I would really appreciate any comments and thoughts.<br>
> ><br>
> ><br>
> > Best Regards<br>
> > Ragnar Anfinsen<br>
> ><br>
> > Senior Architect CPE<br>
> > IPv6 Architect<br>
> > Netinfrastructure<br>
> > Technology and Innovation<br>
> > Altibox AS<br>
</p>