On 27 June 09 at 17:22, Christian Huitema wrote:
I'd certainly want my CPE to have an option to switch off all firewall behaviour.
Agreed, provided the default behavior of unmanaged CPEs remains with a minimal security provision for IPv6.
If the user says "off", that ought to mean "off". Period. Not some kind of halfway on.
Sure. (I have nothing to say to the contrary.) Brian asks for a way to "switch off" firewall behaviors. I do APPROVE the proposal.
My point is that, for completely UNMANAGED operation (turning an option is a management action), CPEs should have the following minimal IPv6 security:
***An incoming IPv6 packet MUST BE REJECTED if its destination port is a well known or registered port that has not been authorized for IPv4 port forwarding.***
This IPv6 rule is stateless and extremely simple to implement.
In my understanding, it provides in IPv6 a protection that is similar to that implicitly provided by IPv4 NATs and that, with computer OSes as they are, is needed in some cases (as documented in a previous mail).
Comments on what this minimal protection would be missing for typical unmanaged sites (or comments of support) would be constructive... and very welcome.
Regards, RD
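
The rule proposed in the message above, written out as a stateless per-packet check (an added example, not part of the original e-mail). The function names, the `forwarded` set of (protocol, port) pairs and the sample packets are constructed for illustration; packets with no visible TCP/UDP destination port (non-first fragments, ICMPv6) are reported as `not-covered` because the rule as stated does not address them.

```python
import struct

TCP, UDP = 6, 17
# Extension headers whose length is (Hdr Ext Len + 1) * 8 bytes (RFC 8200).
VAR_EXT = {0, 43, 60}   # hop-by-hop, routing, destination options
FRAGMENT = 44
REGISTERED_MAX = 49151  # well-known 0-1023, registered 1024-49151

def dest_port(packet: bytes):
    """Return (proto, dport) of an IPv6 packet, or None if no TCP/UDP port is visible."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    nxt, off = packet[6], 40
    while nxt in VAR_EXT or nxt == FRAGMENT:
        if len(packet) < off + 8:
            return None
        if nxt == FRAGMENT:
            # A non-zero fragment offset means no transport header in this packet.
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return None
            size = 8
        else:
            size = (packet[off + 1] + 1) * 8
        nxt, off = packet[off], off + size
    if nxt not in (TCP, UDP) or len(packet) < off + 4:
        return None
    return nxt, struct.unpack_from("!H", packet, off + 2)[0]

def filter_incoming(packet: bytes, forwarded: set) -> str:
    """Apply the proposed rule; `forwarded` holds (proto, port) pairs
    taken from the IPv4 port-forwarding table (assumed per-protocol)."""
    found = dest_port(packet)
    if found is None:
        return "not-covered"   # the rule as stated says nothing about these
    proto, port = found
    if port <= REGISTERED_MAX and (proto, port) not in forwarded:
        return "reject"
    return "accept"

def sample(proto: int, dport: int, ext: bytes = b"", first: int = None) -> bytes:
    """Constructed test packet: IPv6 header, optional extension headers, 8 transport bytes."""
    l4 = struct.pack("!HHI", 40000, dport, 0)
    nh = proto if first is None else first
    hdr = struct.pack("!IHBB", 6 << 28, len(ext) + len(l4), nh, 64)
    return hdr + bytes(32) + ext + l4
```

The `not-covered` result makes visible which traffic a purely stateless port rule cannot classify, so the default for those packets has to be decided separately.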