Ted Mittelstaedt <t...@ipinc.net> writes:

> This kind of mirrors the "default" security policy on IPv4 CPEs (since
> those CPEs have NAT automatically turned on which creates a "block in,
> permit out" kind of approach.) so I'm not sure why you would want to
> default it to being different for IPv6.

One reason was explained to me today: No CPEs implement UPnP support for IPv6 [1]. This makes the effect of the similar IPv4 and IPv6 policies quite different. UPnP-aware applications will set up the necessary NAT rules for IPv4, allowing inbound connections etc. But if you want the same applications to work over IPv6, then the policy must be more open by default. Letting the user disable IPv6 filtering is not going to help the masses, I'm afraid...

So the question remains: What do ISPs actually do to

- allow IPv6, and
- secure the end users' networks, and
- not break dual stack applications wanting incoming connections

all at the same time? Looks like a classical "pick any two".

Bjørn

[1] I'm sure someone will come up with an obscure and expensive example of the contrary - the point is that IPv6 UPnP support is not readily available in the residential CPE market.