Frank,

You obviously haven't been tracking the current discussion
on draft-ietf-v6ops-cpe-simple-security on the v6ops list,
which is where the cpe-router draft belongs anyway.

I suggest that you read that thread.

Regards
   Brian Carpenter

On 2010-03-26 18:25, Frank Bulk wrote:
> There was some discussion on arin-ppml regarding ULA-C which led to talking
> about NAT and its role.
> 
> One point that rose out of that discussion is that most consumers will
> presume, because they have NAT today, some kind of stateful firewall in
> their shiny new IPv6 router.  Section 3.1 of the current draft discusses
> current NAT behavior in IPv4 routers, but the draft in its current form
> doesn't describe a CPE feature that provides similar functionality in an
> IPv6 CPE router.
> 
> For that reason (with assistance from Michael Dillon), I would like to
> suggest the following be placed in section 4.2, perhaps as W-4.
> 
>       All IPv6 CPE should include a stateful firewall,
>       enabled by default, to give end user networks 
>       some of the benefits that they gain from the 
>       stateful firewall behavior that is part of most 
>       IPv4 NAT implementations.  The firewall should 
>       support the configuration of a DMZ on a certain 
>       IPv6 address or prefix.  It should include
>       support for inbound access control lists and may
>       include support for outbound access control lists.
> 
> Without this behavior these IPv6 routers will be just that, routers, and
> unnecessarily expose broadband customer hosts to Internet-based probing and
> attacks.  A stateful firewall for IPv6 traffic would provide some beneficial
> functional consistency between the two IP versions.
> 
> With the existence of several *nix-based open source firewall packages,
> implementation would not be burdensome.
> 
> Perhaps some of you feel strongly enough about this you would change the
> "should" to "must".  I'm OK with that, but that might set the bar too high.
> 
> Kind regards,
> 
> Frank Bulk
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
> 
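As an added illustration of the behaviour the quoted proposal asks for (stateful filtering on by default, a DMZ on one address, inbound access control lists), here is an nftables ruleset for a Linux-based CPE. It is not part of either message or of any draft; the interface names, the 2001:db8::/32 documentation addresses and the choice of ICMPv6 types are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example. All names and addresses below are assumptions.
define WAN      = "eth0"              # upstream interface (assumed)
define LAN      = "br-lan"            # home LAN interface (assumed)
define DMZ_HOST = 2001:db8:1:1::10    # host exposed as the "DMZ" (assumed)
define WEB_HOST = 2001:db8:1:1::20    # host covered by one inbound ACL entry (assumed)

table ip6 cpe_filter {
    chain forward {
        # Default-deny for forwarded traffic: with no NAT in the path,
        # this policy is what keeps LAN hosts unreachable from outside.
        type filter hook forward priority 0; policy drop;

        # Stateful part: return traffic for flows the LAN opened is let in.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new flows towards the Internet.
        iifname $LAN oifname $WAN accept

        # ICMPv6 errors that end-to-end IPv6 depends on (e.g. path MTU discovery).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # DMZ: unsolicited inbound traffic is accepted for this one address.
        iifname $WAN ip6 daddr $DMZ_HOST accept

        # Inbound ACL entry: HTTPS only, to one internal host.
        iifname $WAN ip6 daddr $WEB_HOST tcp dport 443 accept

        # Everything else arriving on the WAN side falls through to "policy drop".
    }
}
```

Loading the file with `nft -f` installs the table; rule order matters, so additional inbound ACL entries belong before the end of the chain and after the state checks.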