Abstract
This document describes how an IPv6 residential Customer Premise
Equipment (CPE) can have a balanced security policy that allows for a
mostly end-to-end connectivity while keeping the major threats
outside of the home. It is based on an actual IPv6 deployment by
Swisscom and proposes to allow all packets inbound/outbound EXCEPT
for some layer-4 ports where attacks and vulnerabilities (such as
weak passwords) are well-known.
1. Introduction
Internet access in residential IPv4 deployments generally consists of
a single IPv4 address provided by the service provider for each home.
Residential CPE then translates the single address into multiple
private IPv4 addresses allowing more than one device in the home, but
at the cost of losing end-to-end reachability. IPv6 allows all
devices to have a unique, global, IP address, restoring end-to-end
reachability directly between any device. Such reachability is very
powerful for ubiquitous global connectivity, and is often heralded as
one of the significant advantages to IPv6 over IPv4. Despite this,
concern about exposure to inbound packets from the IPv6 Internet
(which would otherwise be dropped by the address translation function
if they had been sent from the IPv4 Internet) remains. This document
describes firewall functionality for an IPv6 CPE which departs from
the "simple security" model described in [RFC6092]. The intention
is to provide an example of a security model which allows most
traffic, including incoming unsolicited packets and connections, to
traverse the CPE unless the CPE identifies the traffic as potentially
harmful based on a set of rules. This model has been deployed
successfully in Switzerland by Swisscom without any known security
incident.
This document is applicable to off-the-shelf CPE as well as to managed
Service Provider CPE.
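The contrast between the two models, as an added illustrative example that is not part of the draft: a small Python policy evaluator runs a constructed packet sequence through an RFC 6092 style stateful filter (unsolicited inbound dropped) and through the balanced default-allow filter (everything passes except inbound connection attempts to listed layer-4 ports). The blocked port set, the addresses and the packet fields are assumptions for illustration, not the draft's own list.

```python
from dataclasses import dataclass

# ASSUMPTION: illustrative inbound TCP ports associated with well-known
# weak-password attacks; this is not the draft's actual port list.
BLOCKED_INBOUND_TCP = {22, 23, 3389, 5900}

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = Internet -> home, "out" = home -> Internet
    proto: str          # "tcp" or "udp"
    src: str            # IPv6 source address
    sport: int
    dst: str            # IPv6 destination address
    dport: int
    syn: bool = False   # TCP segment that opens a new connection

def flow_key(pkt):
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

def balanced_policy(pkt, flows):
    # Balanced model: allow everything except inbound connection attempts to
    # the listed ports. Flow state is recorded only for parity; it is unused.
    if pkt.direction == "out":
        flows.add(flow_key(pkt))
        return "allow"
    if pkt.proto == "tcp" and pkt.syn and pkt.dport in BLOCKED_INBOUND_TCP:
        return "drop"
    return "allow"

def simple_security(pkt, flows):
    # RFC 6092 default: outbound creates state; inbound passes only when it
    # is the reverse of a flow the home side already opened.
    if pkt.direction == "out":
        flows.add(flow_key(pkt))
        return "allow"
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return "allow" if reverse in flows else "drop"

def evaluate(policy, packets):
    # Run one policy over a packet sequence with fresh state; return verdicts.
    flows = set()
    return [policy(p, flows) for p in packets]

# Constructed sample traffic; addresses are documentation-prefix placeholders.
HOME, REMOTE = "2001:db8:1::10", "2001:db8:ffff::1"
SAMPLE = [
    Packet("out", "tcp", HOME, 50000, REMOTE, 443, syn=True),  # home opens HTTPS
    Packet("in", "tcp", REMOTE, 443, HOME, 50000),             # reply to that flow
    Packet("in", "tcp", REMOTE, 40001, HOME, 8080, syn=True),  # unsolicited, unlisted port
    Packet("in", "tcp", REMOTE, 40002, HOME, 22, syn=True),    # unsolicited SSH attempt
]
```

The third packet is where the models differ: simple security drops it as unsolicited, while the balanced model lets it reach the home device and reserves drops for the listed ports.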
Read more: http://tools.ietf.org/html/draft-v6ops-vyncke-balanced-ipv6-security-00