[AusNOG] Globally Routed IPv6 and Windows Firewall

James Andrewartha trs80 at ucc.gu.uwa.edu.au
Fri Jul 25 16:35:46 EST 2014


On Fri, 25 Jul 2014, Greg Anderson wrote:

> I am not aware of any home router that out of the box has a firewall enabled for clients out of the box with IPv4.  I generally
> expect that clients are (badly) protected because there is no NAT unless specified by an end user or UPnP.  On many you can
> enable firewalls for the clients but they are usually for outbound traffic, or only inbound for a (usually single) DMZ-type
> device that nearly all ports are forwarded to.

Apple shipped an Airport base station with no IPv6 firewall and got 
soundly spanked for doing so, back in 2007 (see CVE-2007-1338). See the 
IETF homenet working group mailing list archives for many discussions 
about the death of the end-to-end principle, and RFC 6092.

> My expectation for IPv6 would be pretty similar, unless there is a UPnP implementation which I have seen very little of.  But
> why use UPnP when you can just have the local firewall pop up and ask the user if they want to permit the traffic locally?

The standardised equivalent of UPnP-IGD is the Port Control Protocol, RFC 
6887. Oddly, the first implementations were in CGNAT products.

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

