* Ted Mittelstaedt
> This kind of mirrors the "default" security policy on IPv4 CPEs (since
> those CPEs have NAT automatically turned on which creates a "block
> in, permit out" kind of approach.) so I'm not sure why you would want
> to default it to being different for IPv6.
There are a gazillion pages out there on the Internet where you'll find people trying to figure out how to open ports in their router, make their PlayStation or Xbox online gaming Just Work instead of complaining about NAT problems, and so on. And this is mostly regarding IPv4, where we already have a solution in the form of UPnP (a security nightmare in its own right). The situation is not exactly user friendly. The IPv4 NATs are making applications suffer and people are struggling or failing to work around them.

We now have the opportunity to do better with IPv6, and I'm hoping the ISPs will carefully consider doing so, instead of just defaulting to whatever looks the most similar to what they were forced to do for IPv4. [I say «forced», because NAT and its intrinsic «drop all inbound» policy came about as a way of conserving scarce IPv4 addresses, not as a security mechanism. This is obviously not an issue for IPv6.]

So it'd be interesting to see some solid empirical data that explained to what extent a default-drop-inbound firewall really increases security, and to what extent it impairs applications and thus makes users unhappy.

For what it's worth, the Swisscom approach seems sensible to me. At least if I understand it correctly, in that they by default only block ports associated with application protocols known to be insecure, meant for home network use only, etc. All other ports and protocols not on the blacklist are let through in both directions. As far as I know this has been working out fine for them.

Tore
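The two CPE default policies discussed in this thread, expressed as an nftables ruleset. This is an added illustration, not configuration from Swisscom or from any participant in the thread; the interface names (br0, wan0) and the blacklisted port list are my own assumptions, chosen only to show the shape of each policy.

```nftables
# Added example: two IPv6 CPE forwarding policies side by side.
# Assumptions: LAN bridge is "br0", upstream link is "wan0". Load only ONE of the
# two tables on a real device; both hook the same forward path and a drop in
# either one wins.

# Policy A: "block in, permit out", the IPv4-NAT-like default Ted describes.
# Inbound connections are dropped unless a pinhole is added per host/port.
table ip6 cpe_default_drop {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept        # replies to LAN-initiated flows

        # Keep Path MTU discovery and basic diagnostics working even under
        # default-drop, otherwise IPv6 breaks in hard-to-debug ways.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        iifname "br0" oifname "wan0" accept        # anything the LAN initiates
        # Everything WAN-initiated falls through to the chain's drop policy.
    }
}

# Policy B: the blacklist approach attributed to Swisscom in the thread.
# Only protocols considered insecure or home-network-only are blocked; every
# other port is forwarded in BOTH directions, so hosts are reachable by default.
table ip6 cpe_blacklist {
    # Illustrative choices, not Swisscom's actual list: NetBIOS/SMB, RPC, telnet.
    set lan_only_tcp {
        type inet_service
        elements = { 23, 135, 137, 138, 139, 445 }
    }
    set lan_only_udp {
        type inet_service
        elements = { 135, 137, 138, 139, 445 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        ct state invalid drop
        # Blocked regardless of direction, matching "block in both directions".
        tcp dport @lan_only_tcp drop
        udp dport @lan_only_udp drop
        # All other traffic is accepted by the chain policy.
    }
}
```

Apply with `nft -f <file>` after deleting whichever table you are not using; `nft list ruleset` shows which policy is active.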
