Hello NANOG,

We are discussing internally and wanted to get more opinions and especially 
more data on what people are actually doing.
We are running an ISP network with about 150K fixed broadband users, running 
dual stack (IPv4 behind CGNAT).
On the ISP network IPv6 is simply routed, and is firewalled on the CPE.

This network added mobile services about a year ago, also dual stack (we have 
no control over the mobile devices, so we were too concerned to choose IPv6-only 
access).
We have an ongoing discussion about Gi firewall (adding a firewall between the 
subscribers and the internet, allowing only subscriber initiated connections), 
for the IPv6 traffic.

The firewall is doing very little security; the ruleset is very basic, allowing 
anything from subscribers to the internet and blocking all traffic from the 
internet towards the subscribers.
We have a few rules to limit the number of connections per subscriber (to a 
relatively high number) and that is it.

One of the arguments in favor of having the firewall is that unsolicited 
traffic from the internet can “wake” idle mobile devices, and create signaling 
(paging) storms as well as drain user batteries.

On the other hand, allowing only subscriber-initiated traffic is mostly 
achievable using ACLs on the mobile core facing routers, or is it, with the 
growing percentage of UDP traffic?

BTW – I don’t mention IPv4 traffic on the mobile network as it’s all behind 
CGNAT, which doesn’t allow internet-initiated connections.

Anyway, we are very interested to hear more opinions, and especially to 
hear what other mobile operators do.

Regards

Amos
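The two policies compared in the post (a stateless ACL on the core-facing routers versus a stateful Gi firewall that admits only subscriber-initiated flows and caps flows per subscriber) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any operator's network: it assumes a constructed subscriber pool `2001:db8:1000::/40`, constructed remote addresses in `2001:db8:ffff::/64`, a 30-second idle timeout and a deliberately tiny per-subscriber flow cap so the behaviour is visible. It shows why a stateless "established"-style ACL has nothing to key on for inbound UDP (and passes any inbound TCP segment carrying ACK/RST), whereas a flow table only admits replies to traffic the device itself sent, so unsolicited packets never reach, and never page, an idle handset.

```python
"""Stateless 'established' ACL vs stateful subscriber-initiated filter (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed values for the demo; not the real pool or timers of any network.
SUBSCRIBER_POOL = ipaddress.ip_network("2001:db8:1000::/40")
FLOW_IDLE_TIMEOUT = 30.0       # seconds a flow stays valid without traffic
MAX_FLOWS_PER_SUBSCRIBER = 3   # tiny on purpose so the cap shows up in the scenario

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp" or "udp"
    sport: int
    dport: int
    ts: float                     # arrival time in seconds
    tcp_ack_or_rst: bool = False  # ACK or RST bit set: what an 'established' ACL matches on

def from_subscriber(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.src) in SUBSCRIBER_POOL

def stateless_acl(pkt: Packet) -> bool:
    """Router ACL with no connection state: permit everything outbound; inbound TCP
    only when ACK/RST is set; inbound UDP has no such bit, so a stateless rule must
    either permit it all (as here) or also drop DNS/QUIC replies."""
    if from_subscriber(pkt):
        return True
    if pkt.proto == "tcp":
        return pkt.tcp_ack_or_rst   # a bare unsolicited ACK still gets through
    return True                     # UDP: nothing to classify on

class StatefulFilter:
    """Gi-firewall style policy: admit inbound only as the reverse of a live outbound flow."""
    def __init__(self) -> None:
        # (subscriber, sub_port, remote, remote_port, proto) -> last-seen timestamp
        self.flows: Dict[Tuple[str, int, str, int, str], float] = {}

    def _expire(self, now: float) -> None:
        self.flows = {k: t for k, t in self.flows.items() if now - t <= FLOW_IDLE_TIMEOUT}

    def _flow_count(self, subscriber: str) -> int:
        return sum(1 for k in self.flows if k[0] == subscriber)

    def permit(self, pkt: Packet) -> bool:
        self._expire(pkt.ts)
        if from_subscriber(pkt):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if key not in self.flows and self._flow_count(pkt.src) >= MAX_FLOWS_PER_SUBSCRIBER:
                return False        # per-subscriber connection cap, as in the post's ruleset
            self.flows[key] = pkt.ts
            return True
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:
            self.flows[reverse] = pkt.ts   # refresh idle timer on reply traffic
            return True
        return False                # unsolicited: dropped before it can wake the device

def run_scenario() -> Dict[str, Dict[str, bool]]:
    """Constructed traffic: a DNS-style UDP exchange, unsolicited inbound UDP and
    TCP-ACK, a reply arriving after the idle timeout, then a burst of new flows."""
    sub, dns, stranger, web = ("2001:db8:1000::1", "2001:db8:ffff::53",
                               "2001:db8:ffff::bad", "2001:db8:ffff::80")
    pkts = {
        "outbound_udp":        Packet(sub, dns, "udp", 40000, 53, ts=0.0),
        "udp_reply":           Packet(dns, sub, "udp", 53, 40000, ts=0.1),
        "unsolicited_udp":     Packet(stranger, sub, "udp", 5060, 5060, ts=0.2),
        "unsolicited_tcp_ack": Packet(stranger, sub, "tcp", 443, 50000, ts=0.3, tcp_ack_or_rst=True),
        "udp_reply_after_idle": Packet(dns, sub, "udp", 53, 40000, ts=60.0),
    }
    sf = StatefulFilter()
    stateless = {name: stateless_acl(p) for name, p in pkts.items()}
    stateful = {name: sf.permit(p) for name, p in pkts.items()}   # order matters: shared state
    # Four new outbound TCP flows at once; only the cap decides the fourth.
    burst = [Packet(sub, web, "tcp", 50000 + i, 443, ts=61.0) for i in range(4)]
    stateless["fourth_concurrent_flow"] = all(stateless_acl(p) for p in burst)
    stateful["fourth_concurrent_flow"] = [sf.permit(p) for p in burst][-1]
    return {"stateless": stateless, "stateful": stateful}

if __name__ == "__main__":
    for policy, verdicts in run_scenario().items():
        print(policy, verdicts)
```

The model deliberately leaves out what a real Gi firewall also has to handle (fragment reassembly, ICMPv6 error and neighbour-discovery exceptions, asymmetric routing, and the CPU cost of expiring tens of millions of entries), but it isolates the point raised above: once UDP dominates, "subscriber-initiated only" is a flow-table property, not something a static ACL can express.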