When we were still doing DSL I brought IPv6 online, but the only way our
customers could access it was to have the DSL modem/CPE in bridged mode,
and run their own router which was IPv6 compliant. Thus the "CPE"
security policy was whatever the router vendor defaulted. Our
observation was that the customers who didn't understand routing and
firewalling tended to buy lower-end routers that defaulted to blocking
any inbound traffic trying to initiate a connection, while the customers
who did understand it tended to buy Cisco routers and other higher-end
routers that defaulted to permit any any both directions - but since
they knew what they were doing, they would install their own security

IMHO a CPE that supports IPv6 should be designed to default to
blocking inbound traffic on IPv6 but contain a provision for disabling
that AND a provision for disabling the entire CPE and the customer using
their own gear.

That way, you are not screwing over your ignorant customers by leaving
their networks wide open, and you are not screwing over your advanced
customers who want to use their own gear and/or provide IPv6-enabled
services on the Internet.

This kind of mirrors the "default" security policy on IPv4 CPEs (since
those CPEs have NAT automatically turned on, which creates a "block in,
permit out" kind of approach), so I'm not sure why you would want to
default it to being different for IPv6.

On 9/19/2016 5:32 AM, Anfinsen, Ragnar wrote:

In light of a new discussion blossoming in Norway, we are curious about the
IPv6 security policy different ISPs have adopted. So it would be very helpful
if you could do a quick response, either here or directly to me, on the

Which security policy are you using for your residential IPv6 enabled CPEs?
(RFC6092, fully open, balanced or other)
Why did you adopt this policy?
Any good or not so good experience with the choice?

All answers are very much appreciated, and I will post the results here after a
week or so. Thank you very much.

Chief Architect CPE
IP Address Architect