There was some discussion on arin-ppml regarding ULA-C which led to talking about NAT and its role.

One point that rose out of that discussion is that most consumers will presume, because they have NAT today, some kind of stateful firewall in their shiny new IPv6 router. Section 3.1 of the current draft discusses current NAT behavior in IPv4 routers, but the draft in its current form doesn't describe a CPE feature that provides similar functionality in an IPv6 CPE router. For that reason (with assistance from Michael Dillon), I would like to suggest the following be placed in section 4.2, perhaps as W-4.

All IPv6 CPE should include a stateful firewall, enabled by default, to give end user networks some of the benefits that they gain from the stateful firewall behavior that is part of most IPv4 NAT implementations. The firewall should support the configuration of a DMZ on a certain IPv6 address or prefix. It should include support for inbound access control lists and may include support for outbound access control lists.

Without this behavior these IPv6 routers will be just that, routers, and unnecessarily expose broadband customer hosts to Internet-based probing and attacks. A stateful firewall for IPv6 traffic would provide some beneficial functional consistency between the two IP versions.

With the existence of several *nix-based open source firewall packages, implementation would not be burdensome.

Perhaps some of you feel strongly enough about this you would change the "should" to "must". I'm OK with that, but that might set the bar too high.

Kind regards,

Frank Bulk

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
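As an added illustration of the proposed W-4 behavior (this ruleset is not part of the post or the draft), the following nftables configuration shows what a default-on stateful IPv6 firewall with a DMZ prefix and an inbound ACL looks like on a *nix-based CPE. The interface names wan0/lan0, the documentation prefix 2001:db8:1234::/48 and the host addresses are assumptions chosen for the example.

```nftables
# Added example, not from the original post or the draft. Assumed names:
# WAN interface "wan0", LAN interface "lan0", delegated prefix 2001:db8:1234::/48
# (documentation prefix), DMZ host 2001:db8:1234:ff::10, pinholed host 2001:db8:1234:1::20.
#
# A router-only CPE is equivalent to "policy accept" with no rules: every LAN host is
# reachable from the Internet. The ruleset below is the stateful, default-deny alternative.

table inet cpe6 {
    chain forward {
        # Default-deny for forwarded traffic; only the rules below open anything.
        type filter hook forward priority filter; policy drop;

        # Stateful core: replies to flows the LAN initiated are allowed back in,
        # which is the NAT-like behavior consumers expect.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may initiate outbound connections. An outbound ACL, which the
        # proposal leaves optional, would be inserted before this rule.
        iifname "lan0" oifname "wan0" accept

        # DMZ: one address (or prefix) deliberately exposed to unsolicited inbound traffic.
        iifname "wan0" ip6 daddr 2001:db8:1234:ff::10 accept

        # Inbound ACL: explicit pinholes for specific hosts and ports.
        iifname "wan0" ip6 daddr 2001:db8:1234:1::20 tcp dport 22 accept

        # ICMPv6 error messages must pass or path MTU discovery breaks for LAN hosts.
        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem
        } accept

        # Everything else arriving from wan0 is dropped by the chain policy.
    }
}
```

Load it with `nft -f` on the CPE; listing the ruleset afterwards should show the forward chain with `policy drop` and the stateful rule first.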