IPv6 Operations M. Gysi
Internet-Draft Swisscom
Intended status: Informational G. Leclanche
Expires: June 8, 2014 Viagenie
E. Vyncke, Ed.
Cisco Systems
R. Anfinsen
Altibox
December 05, 2013
Balanced Security for IPv6 Residential CPE
draft-ietf-v6ops-balanced-ipv6-security-01
Abstract
This document describes how an IPv6 residential Customer Premise
Equipment (CPE) can have a balanced security policy that allows for a
mostly end-to-end connectivity while keeping the major threats
outside of the home. It is documenting an existing IPv6 deployment
by Swisscom and allows all packets inbound/outbound EXCEPT for some
layer-4 ports where attacks and vulnerabilities (such as weak
passwords) are well-known. The policy is a proposed set of rules
that can be used as a default setting. The set of blocked inbound
and outbound ports is expected to be updated as threats come and go.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 8, 2014.
Gysi, et al. Expires June 8, 2014 [Page 1]Internet-Draft Balanced-CPEv6-security December 2013Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Rules for Balanced Security Policy . . . . . . . . . . . 4
3.2. Rules Example for Layer-4 Protection: Swisscom
Implementation . . . . . . . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
7. Informative References . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
Internet access in residential IPv4 deployments generally consists of
a single IPv4 address provided by the service provider for each home.
The residential CPE then translates the single address into multiple
private IPv4 addresses allowing more than one device in the home, but
at the cost of losing end-to-end reachability. IPv6 allows all
devices to have a globally unique IP address, restoring end-to-end
reachability directly between any device. Such reachability is very
powerful for ubiquitous global connectivity, and is often heralded as
one of the significant advantages to IPv6 over IPv4. Despite this,
concern about exposure to inbound packets from the IPv6 Internet
(which would otherwise be dropped by the address translation function
if they had been sent from the IPv4 Internet) remain.
This difference in residential default internet protection between
IPv4 and IPv6 is a major concern to a sizable number of ISPs and the
security policy described in this document addresses this concern
datatracker.ietf.org