Skip to main content

Balanced Security for IPv6 Residential CPE

Document Type Expired Internet-Draft (v6ops WG)
Expired & archived
Authors Martin Gysi, Guillaume Leclanche , Éric Vyncke , Ragnar Anfinsen
Last updated 2014-06-09 (Latest revision 2013-12-06)
Replaces draft-v6ops-vyncke-balanced-ipv6-security
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Expired
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document describes how an IPv6 residential Customer Premise Equipment (CPE) can have a balanced security policy that allows for a mostly end-to-end connectivity while keeping the major threats outside of the home. It is documenting an existing IPv6 deployment by Swisscom and allows all packets inbound/outbound EXCEPT for some layer-4 ports where attacks and vulnerabilities (such as weak passwords) are well-known. The policy is a proposed set of rules that can be used as a default setting. The set of blocked inbound and outbound ports is expected to be updated as threats come and go.


Martin Gysi
Guillaume Leclanche
Éric Vyncke
Ragnar Anfinsen

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)