[AusNOG] IPv6 excuses

Mark Newton newton at atdot.dotat.org
Fri May 27 15:23:29 EST 2016


On May 27, 2016, at 2:55 PM, Philip Loenneker <Philip.Loenneker at tasmanet.com.au> wrote:

> I'm curious to know if/how providers that have enabled IPv6 are protecting users after the introduction of IPv6. The majority of end users are not capable, and probably should not be expected to be capable, of maintaining a suitable firewall.

This is unfounded superstition. CPE which supports IPv6 generally has filtering functionality which mirrors its IPv4 capabilities; and host-based firewalls (which are preferred anyway in an IPv6 environment) are on by default.

Users who bother to change firewall rules probably won’t have any detailed awareness of whether the rules are applying to IPv6 traffic, IPv4 traffic, or both. The firewall admin interfaces are application-based, not protocol-based (as well they should be).

> The wide variety of routers available would offer an equally wide variety of protection to IPv6 clients. 
> 
> Despite all the shortcomings, NAT provides a very convenient barrier between the Internet and customer internal networks. 

Not against any of the realistic threat models that actually exist on the as-built internet. To the extent that NAT accomplishes this, it clearly doesn’t meaningfully matter.

  - mark



