Skip to main content

Balanced Security for IPv6 CPE

Document Type Replaced Internet-Draft (individual)
Expired & archived
Authors Martin Gysi, Guillaume Leclanche , Éric Vyncke , Ragnar Anfinsen
Last updated 2013-10-21 (Latest revision 2013-07-15)
Replaced by draft-ietf-v6ops-balanced-ipv6-security
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Replaced by draft-ietf-v6ops-balanced-ipv6-security
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document describes how an IPv6 residential Customer Premise Equipment (CPE) can have a balanced security policy that allows for a mostly end-to-end connectivity while keeping the major threats outside of the home. It is based on an actual IPv6 deployment by Swisscom and proposes to allow all packets inbound/outbound EXCEPT for some layer-4 ports where attacks and vulnerabilities (such as weak passwords) are well-known.


Martin Gysi
Guillaume Leclanche
Éric Vyncke
Ragnar Anfinsen

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)