Deploy360 25 January 2013

New Internet-Draft: Balanced IPv6 Security for Residential CPE

By Dan York, Director, Online Content

What should the appropriate IPv6 security policy be for residential customers?  How can they get the benefits of IPv6 while still ensuring that their home networks are secure?  These are the questions pursued in a new Internet-Draft available today:

http://tools.ietf.org/html/draft-v6ops-vyncke-balanced-ipv6-security

The abstract and introduction explain quite well how this applies to “customer premise equipment (CPE)”:

Internet access in residential IPv4 deployments generally consist of a single IPv4 address provided by the service provider for each home. Residential CPE then translates the single address into multiple private IPv4 addresses allowing more than one device in the home, but at the cost of losing end-to-end reachability.  IPv6 allows all devices to have a unique, global, IP address, restoring end-to-end reachability directly between any device.  Such reachability is very powerful for ubiquitous global connectivity, and is often heralded as one of the significant advantages to IPv6 over IPv4.  Despite this, concern about exposure to inbound packets from the IPv6 Internet (which would otherwise be dropped by the address translation function if they had been sent from the IPv4 Internet) remain.  This document describes firewall functionality for an IPv6 CPE which departs from the “simple security” model described in [RFC6092].  The intention is to provide an example of a security model which allows most traffic, including incoming unsolicited packets and connections, to traverse the CPE unless the CPE identifies the traffic as potentially harmful based on a set of rules.  This model has been deployed successfully in Switzerland by Swisscom without any known security incident.

This document is applicable to off-the-shelves CPE as well to managed Service Provider CPE.

The authors welcome comments on the draft; their email addresses can be found at the end of the document. It’s definitely a worthwhile contribution to the IPv6 security discussion and could provide useful guidance to operators seeking to understand how they should configure customer equipment to allow IPv6 yet still remain secure.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
