Balanced Security for IPv6 Residential CPE

Document type: Expired Internet-Draft (v6ops WG)
Authors: Martin Gysi, Guillaume Leclanche, Éric Vyncke, Ragnar Anfinsen
Last updated: 2014-06-09 (latest revision 2013-12-06)
Replaces: draft-v6ops-vyncke-balanced-ipv6-security
Stream: Internet Engineering Task Force (IETF)
Intended RFC status: (None)
Expired & archived
Stream
WG state: WG Document
Document shepherd: No shepherd assigned
IESG
IESG state: Expired
Consensus Boilerplate: Unknown
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document describes how an IPv6 residential Customer Premise Equipment (CPE) can have a balanced security policy that allows mostly end-to-end connectivity while keeping the major threats outside of the home. It documents an existing IPv6 deployment by Swisscom and allows all packets inbound/outbound EXCEPT for some layer-4 ports where attacks and vulnerabilities (such as weak passwords) are well-known. The policy is a proposed set of rules that can be used as a default setting. The set of blocked inbound and outbound ports is expected to be updated as threats come and go.


Martin Gysi
Guillaume Leclanche
Éric Vyncke
Ragnar Anfinsen

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)