Mailing List Archive: NANOG: users

Consumer Grade - IPV6 Enabled Router Firewalls.



cmadams at hiwaay

Dec 10, 2009, 8:08 PM

Post #51 of 98 (4978 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Once upon a time, Owen DeLong <owen [at] delong> said:
> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
>
> You don't need UPnP if you're not doing NAT.

You need UPnP for a stateful firewall, whether it is mangling packets
with NAT or not. I have an Xbox 360 behind an SSG-5 with no NAT, and I
can't play some on-line games unless I open up the Xbox IP in the SSG.

You can debate whether UPnP is the correct solution, but some solution
is needed (even with IPv6) as long as stateful firewalls exist.
--
Chris Adams <cmadams [at] hiwaay>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


newton at internode

Dec 11, 2009, 12:09 AM

Post #52 of 98 (4964 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On 11/12/2009, at 1:14 PM, Owen DeLong wrote:
>
> You don't need UPnP if you're not doing NAT.

You kinda do if you're using a stateful firewall with a "deny
everything that shouldn't be accepted" policy. UPnP (or something
like it) would have to tell the firewall what should be accepted.


- mark

--
Mark Newton Email: newton [at] internode (W)
Network Engineer Email: newton [at] atdot (H)
Internode Pty Ltd Desk: +61-8-82282999
"Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223


simon.perreault at viagenie

Dec 11, 2009, 4:41 AM

Post #53 of 98 (4971 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Mark Newton wrote, on 2009-12-11 03:09:
> You kinda do if you're using a stateful firewall with a "deny
> everything that shouldn't be accepted" policy. UPnP (or something
> like it) would have to tell the firewall what should be accepted.

That's putting the firewall at the mercy of viruses, worms, etc. The firewall
shouldn't trust anything else to tell it what is good and bad traffic.

Simon
--
DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
vCard 4.0 --> http://www.vcarddav.org


Valdis.Kletnieks at vt

Dec 11, 2009, 5:06 AM

Post #54 of 98 (4966 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
> Mark Newton wrote, on 2009-12-11 03:09:
> > You kinda do if you're using a stateful firewall with a "deny
> > everything that shouldn't be accepted" policy. UPnP (or something
> > like it) would have to tell the firewall what should be accepted.
>
> That's putting the firewall at the mercy of viruses, worms, etc. The firewall
> shouldn't trust anything else to tell it what is good and bad traffic.

What do you suggest? Manual configuration? We *know* that if a worm puts up
a popup that says "Enable port 33493 on your firewall for naked pics of.."
that port 33493 will get opened anyhow, so we may as well automate the
process and save everybody the effort.

Redesigning the security so that human intervention is required isn't worth
the effort, because the black hats are much better at convincing people to
do something than the white hats are at teaching them why they shouldn't do it.
Probably because we don't teach with naked pics of...


simon.perreault at viagenie

Dec 11, 2009, 5:26 AM

Post #55 of 98 (4967 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Valdis.Kletnieks [at] vt wrote, on 2009-12-11 08:06:
> On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
>> Mark Newton wrote, on 2009-12-11 03:09:
>>> You kinda do if you're using a stateful firewall with a "deny
>>> everything that shouldn't be accepted" policy. UPnP (or something
>>> like it) would have to tell the firewall what should be accepted.
>>
>> That's putting the firewall at the mercy of viruses, worms, etc. The firewall
>> shouldn't trust anything else to tell it what is good and bad traffic.
>
> What do you suggest?

That depends on the circumstances. UPnP is fine in some circumstances and wrong
in others.

> We *know* that if a worm puts up
> a popup that says "Enable port 33493 on your firewall for naked pics of.."
> that port 33493 will get opened anyhow, so we may as well automate the
> process and save everybody the effort.

Not if the victim doesn't have rights on the firewall (e.g. enterprise).

Simon
--
DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
vCard 4.0 --> http://www.vcarddav.org


jgreco at ns

Dec 11, 2009, 5:36 AM

Post #56 of 98 (4973 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

> Mark Newton wrote, on 2009-12-11 03:09:
> > You kinda do if you're using a stateful firewall with a "deny
> > everything that shouldn't be accepted" policy. UPnP (or something
> > like it) would have to tell the firewall what should be accepted.
>
> That's putting the firewall at the mercy of viruses, worms, etc. The firewall
> shouldn't trust anything else to tell it what is good and bad traffic.

Everyone knows a NAT gateway isn't really a firewall, except more or less
accidentally. There's no good way to provide a hardware firewall in an
average residential environment that is not a disaster waiting to happen.

If you make it "smart" (i.e. UPnP) then it will of course autoconfigure
itself for an appropriate virus.

However, your average home user often doesn't change their $FOOGEAR
password from the default of 1234, and it is reasonable to assume that
at some point, viruses will ship with some minimal knowledge of how to
"manually" fix their networking environment. Or better yet? Runs a
password cracker until it figures it out, since the admin interfaces
on these things are rarely hardened.

If you actually /do/ a really good firewall, then of course users find
it "hard to use" and your company takes a support hit, maybe gets a
bad reputation, etc.

There's no winning.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.


simon.perreault at viagenie

Dec 11, 2009, 5:41 AM

Post #57 of 98 (4974 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Joe Greco wrote, on 2009-12-11 08:36:
> Everyone knows a NAT gateway isn't really a firewall, except more or less
> accidentally. There's no good way to provide a hardware firewall in an
> average residential environment that is not a disaster waiting to happen.
>
> If you make it "smart" (i.e. UPnP) then it will of course autoconfigure
> itself for an appropriate virus.
>
> However, your average home user often doesn't change their $FOOGEAR
> password from the default of 1234, and it is reasonable to assume that
> at some point, viruses will ship with some minimal knowledge of how to
> "manually" fix their networking environment. Or better yet? Runs a
> password cracker until it figures it out, since the admin interfaces
> on these things are rarely hardened.
>
> If you actually /do/ a really good firewall, then of course users find
> it "hard to use" and your company takes a support hit, maybe gets a
> bad reputation, etc.
>
> There's no winning.

Agreed.

We have thus come to the conclusion that there shouldn't be a NAT-like firewall
in IPv6 home routers.

Thanks,
Simon
--
DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
vCard 4.0 --> http://www.vcarddav.org


swmike at swm

Dec 11, 2009, 6:10 AM

Post #58 of 98 (4974 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On Fri, 11 Dec 2009, Simon Perreault wrote:

> We have thus come to the conclusion that there shouldn't be a NAT-like
> firewall in IPv6 home routers.

No, the conclusion is that for IPv6 there should be something that behaves
much like current IPv4 NAT boxes, i.e. do stateful firewalling and only let
internal computers initiate connections outgoing, do protocol sniffing for
allowing incoming new connections, and use some UPnP-like method to do
temporary firewall openings.

This is the social contract of the current home gateway ecosystem, and
initially IPv6 devices need to replicate this.

Last I checked, this was the conclusion of multiple IPv6 related
IETF working groups, check out "homegate" and "v6ops" WGs for instance.

--
Mikael Abrahamsson email: swmike [at] swm
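The policy Mark Newton (post #52) and Mikael Abrahamsson (post #58) describe, with the caveat Simon Perreault raises in post #53, as an added worked example that is not from the thread or from any CPE vendor: a default-deny stateful IPv6 firewall that permits inside-initiated flows and their replies, drops everything else arriving on the WAN, and honours a "UPnP-like" pinhole request only when it comes from an inside host asking for its own address, with a bounded lifetime, so an infected machine can at most open ports on itself, not on its neighbours (the same restriction PCP, RFC 6887, applies to third-party mappings by default). Addresses, ports and timestamps are constructed; the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed LAN prefix from the RFC 3849 documentation range (not from the thread).
LAN_PREFIX = "2001:db8:1::/64"


@dataclass(frozen=True)
class Flow:
    """One direction of a 5-tuple; the reverse() of an outbound flow is its reply."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class CpeFirewall:
    """Default-deny inbound, permit outbound, expiring inside-requested pinholes."""

    def __init__(self, lan_prefix, state_timeout=300, max_pinhole=3600):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.state_timeout = state_timeout
        self.max_pinhole = max_pinhole      # hard cap on any requested lifetime
        self.state = {}                     # outbound Flow -> expiry time
        self.pinholes = {}                  # (proto, inside addr, port) -> expiry

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.lan

    def _expire(self, now):
        self.state = {f: t for f, t in self.state.items() if t > now}
        self.pinholes = {k: t for k, t in self.pinholes.items() if t > now}

    def request_pinhole(self, requester, proto, addr, port, lifetime, now):
        """The 'UPnP-like' control path. Honoured only for the requester's own
        address: the firewall does not take a third party's word for what
        traffic is good (Simon's objection), and the hole always expires."""
        if not self._inside(requester):
            return False
        if ipaddress.ip_address(requester) != ipaddress.ip_address(addr):
            return False
        if proto not in ("tcp", "udp") or not 0 < port < 65536 or lifetime <= 0:
            return False
        self.pinholes[(proto, addr, port)] = now + min(lifetime, self.max_pinhole)
        return True

    def packet(self, flow, ingress, now):
        """Return 'accept' or 'drop' for a packet seen on the LAN or WAN side."""
        self._expire(now)
        if ingress == "lan":
            if not self._inside(flow.src):      # anti-spoofing on the inside
                return "drop"
            self.state[flow] = now + self.state_timeout   # create/refresh state
            return "accept"
        if ingress != "wan":
            raise ValueError("ingress must be 'lan' or 'wan'")
        if self._inside(flow.src):              # our own prefix arriving from outside
            return "drop"
        rev = flow.reverse()
        if rev in self.state:                   # reply to an inside-initiated flow
            self.state[rev] = now + self.state_timeout
            return "accept"
        if self._inside(flow.dst) and (flow.proto, flow.dst, flow.dport) in self.pinholes:
            self.state[rev] = now + self.state_timeout   # track the new connection
            return "accept"
        return "drop"                           # default deny


def scenario():
    """Walk the firewall through the cases discussed in the thread."""
    fw = CpeFirewall(LAN_PREFIX)
    inside, other_inside, outside = "2001:db8:1::10", "2001:db8:1::20", "2001:db8:2::1"
    out = {}
    out["outbound"] = fw.packet(Flow("tcp", inside, 40000, outside, 443), "lan", now=0)
    out["reply"] = fw.packet(Flow("tcp", outside, 443, inside, 40000), "wan", now=1)
    out["unsolicited"] = fw.packet(Flow("tcp", outside, 5555, inside, 8080), "wan", now=2)
    out["spoofed_inside_src"] = fw.packet(Flow("tcp", other_inside, 5555, inside, 8080), "wan", now=2)
    out["pinhole_from_wan"] = fw.request_pinhole(outside, "tcp", inside, 8080, 600, now=3)
    out["pinhole_third_party"] = fw.request_pinhole(other_inside, "tcp", inside, 8080, 600, now=3)
    out["pinhole_self"] = fw.request_pinhole(inside, "tcp", inside, 8080, 600, now=3)
    out["inbound_via_pinhole"] = fw.packet(Flow("tcp", outside, 5555, inside, 8080), "wan", now=4)
    out["inbound_after_expiry"] = fw.packet(Flow("tcp", outside, 6666, inside, 8080), "wan", now=700)
    return out


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:22} {verdict}")
```

The state table here is exactly what a NAT box keeps too; with IPv6 the inside and outside addresses of each entry are simply the same, which is the sense in which later posts call stateful inspection a subset of NAT.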


cmadams at hiwaay

Dec 11, 2009, 6:10 AM

Post #59 of 98 (4970 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Once upon a time, Joe Greco <jgreco [at] ns> said:
> Everyone knows a NAT gateway isn't really a firewall, except more or less
> accidentally. There's no good way to provide a hardware firewall in an
> average residential environment that is not a disaster waiting to happen.

I don't think hardware vs. software makes a "real" firewall. A NAT
gateway has to have all the basic functionality of a stateful firewall,
plus packet mangling. Typical home NAT gateways don't have all the
configurability of an SSG or such, but the same basic functionality is
there.

--
Chris Adams <cmadams [at] hiwaay>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


jgreco at ns

Dec 11, 2009, 6:34 AM

Post #60 of 98 (4971 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

> Once upon a time, Joe Greco <jgreco [at] ns> said:
> > Everyone knows a NAT gateway isn't really a firewall, except more or less
> > accidentally. There's no good way to provide a hardware firewall in an
> > average residential environment that is not a disaster waiting to happen.
>
> I don't think hardware vs. software makes a "real" firewall. A NAT
> gateway has to have all the basic functionality of a stateful firewall,
> plus packet mangling. Typical home NAT gateways don't have all the
> configurability of an SSG or such, but the same basic functionality is
> there.

You can blow away the firmware of your NAT gateway and load something
like DD-WRT. This gives you a hardware firewall (an external hardware
device that acts as a deliberate firewall; i.e. you can firewall 1.2.3.4
from 5.6.7.8). It is not filtering packets in silicon, which is an
alternate definition for "hardware firewall" that many in this group
could use, but in common usage, it is the distinctness from the protected
host(s) and the ability to implement typical firewalling rules and
methods, with or _without_ NAT, that makes it a "hardware firewall."

Your existing NAT gateway firmware may well be based on Linux and may
have portions implemented by a Linux firewalling subsystem, but in most
cases, you cannot really drill down to any significant level of detail,
and quite frequently the main "anti-forwarding" protection offered is
simply the difficulty in surmounting the artificial barrier created by
the NAT addressing discontinuity. While this might technically count as
"the same basic functionality," functionality that cannot be accessed or
used might as well not be there for the purposes of this discussion. So
I'll pass on considering your average NAT gateway as a "hardware
firewall."

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.


marquis at roble

Dec 11, 2009, 9:45 PM

Post #61 of 98 (4955 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Joe Greco wrote:
> Everyone knows a NAT gateway isn't really a firewall, except more or less
> accidentally. There's no good way to provide a hardware firewall in an
> average residential environment that is not a disaster waiting to happen.

Gotta love it. A proven technology, successfully implemented on millions
of residential firewalls, "isn't really a firewall", but rather "a disaster
waiting to happen". Makes you wonder what disaster and when exactly it's
going to happen?

Simon Perreault wrote:
> We have thus come to the conclusion that there shouldn't be a
> NAT-like firewall in IPv6 home routers.

And that, in a nutshell, is why IPv6 is not going to become widely
feasible any time soon.

Whether or not there should be NAT in IPv6 is a purely rhetorical
argument. The markets have spoken, and they demand NAT.

Is there a natophobe in the house who thinks there shouldn't be stateful
inspection in IPv6? If not then could you explain what overhead NAT
requires that stateful inspection hasn't already taken care of?

Far from the issue some try to make it out to be, NAT is really just a
component of stateful inspection. If you're going to implement
statefulness there is no technical downside to implementing NAT as well.
No downside, plenty of upsides, no brainer...

Roger Marquis


mohacsi at niif

Dec 11, 2009, 10:55 PM

Post #62 of 98 (4958 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On Fri, 11 Dec 2009, Roger Marquis wrote:

> Joe Greco wrote:
>> Everyone knows a NAT gateway isn't really a firewall, except more or less
>> accidentally. There's no good way to provide a hardware firewall in an
>> average residential environment that is not a disaster waiting to happen.
>
> Gotta love it. A proven technology, successfully implemented on millions
> of residential firewalls, "isn't really a firewall", but rather "a disaster
> waiting to happen". Makes you wonder what disaster and when exactly it's
> going to happen?
>
> Simon Perreault wrote:
>> We have thus come to the conclusion that there shouldn't be a
>> NAT-like firewall in IPv6 home routers.
>
> And that, in a nutshell, is why IPv6 is not going to become widely
> feasible any time soon.
>
> Whether or not there should be NAT in IPv6 is a purely rhetorical
> argument. The markets have spoken, and they demand NAT.
>
> Is there a natophobe in the house who thinks there shouldn't be stateful
> inspection in IPv6? If not then could you explain what overhead NAT
> requires that stateful inspection hasn't already taken care of?
>
> Far from the issue some try to make it out to be, NAT is really just a
> component of stateful inspection. If you're going to implement
> statefulness there is no technical downside to implementing NAT as well.
> No downside, plenty of upsides, no brainer...

Nobody thinks that a stateful firewall is not necessary for IPv6. If you
want to participate in the discussion then comment on the IETF v6ops document:
http://www.ietf.org/id/draft-ietf-v6ops-cpe-simple-security-08.txt

Best Regards,
Janos Mohacsi


newton at internode

Dec 11, 2009, 10:55 PM

Post #63 of 98 (4976 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On 11/12/2009, at 11:56 PM, Simon Perreault wrote:

>> We *know* that if a worm puts up
>> a popup that says "Enable port 33493 on your firewall for naked pics of.."
>> that port 33493 will get opened anyhow, so we may as well automate the
>> process and save everybody the effort.
>
> Not if the victim doesn't have rights on the firewall (e.g. enterprise).

Would you be using "Consumer Grade - IPV6 Enabled Router Firewalls" in the
enterprise? 'cos if you would, I think I might have entered the wrong
thread :)

- mark

--
Mark Newton Email: newton [at] internode (W)
Network Engineer Email: newton [at] atdot (H)
Internode Pty Ltd Desk: +61-8-82282999
"Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223


newton at internode

Dec 11, 2009, 11:09 PM

Post #64 of 98 (4967 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On 12/12/2009, at 12:11 AM, Simon Perreault wrote:

> We have thus come to the conclusion that there shouldn't be a NAT-like firewall
> in IPv6 home routers.

Eh? What does NAT have to do with anything? We already know that IPv6
residential firewalls won't do NAT, so why bring it into this discussion
at all?

Some of us are trying to formulate and offer real-life IPv6 services
to our marketplaces before IPv4 runs out, and the vendors simply
aren't interested in being there to help us out. Pointless distractions
about orthogonal issues that don't matter (e.g., NAT) don't help at
all.

FWIW, I asked Fred Baker about this at the IPv6 Forum meeting in
Australia this week. He'd just handled another question about
the memory requirements required for burgeoning routing table growth
by saying that if routers need extra RAM then routers with extra RAM
will appear on the market, because "if you're prepared to pay money
for it, we'll try to sell it to you."

So I asked, "I'm prepared to pay money for IPv6-capable ADSL2+ CPE.
Are you prepared to sell it to me?" and he said, "Yes, just not with
our firmware."

Which I thought was a bit of a cop-out, given that it was one of our
customers who developed the IPv6 openwrt support in the first place,
with zero support from Fred's employer, after we'd spent two years
hassling them about their lack of action.

... and this is in the same week when, in the context of IPv6, someone
else asked me how many units of their gear we'd ship ("Zero. You don't
have a product with the features we need so we'll use one of your
competitors instead. Let's revisit this when you're prepared to have
a conversation that doesn't include `lack of market demand' as a
reason for not doing it.")

Argh. Disillusionment, much?

- mark

--
Mark Newton Email: newton [at] internode (W)
Network Engineer Email: newton [at] atdot (H)
Internode Pty Ltd Desk: +61-8-82282999
"Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223


newton at internode

Dec 11, 2009, 11:13 PM

Post #65 of 98 (4950 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On 12/12/2009, at 4:15 PM, Roger Marquis wrote:

> Is there a natophobe in the house who thinks there shouldn't be stateful
> inspection in IPv6? If not then could you explain what overhead NAT
> requires that stateful inspection hasn't already taken care of?

I handwave past all that by pointing out (as you have) that
stateful inspection is just a subset of NAT, where the inside
address and the outside address happen to be the same.

(in the same way that the SHIM6 middleware boxes which were
proposed but never built were /also/ just subsets of NAT, with
the translation rules controlled by the SHIM6 protocol layers
on the hosts... but we weren't allowed to call them NAT gateways,
because IPv6 isn't supposed to have any NAT in it :)

- mark

--
Mark Newton Email: newton [at] internode (W)
Network Engineer Email: newton [at] atdot (H)
Internode Pty Ltd Desk: +61-8-82282999
"Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223


kauer at biplane

Dec 12, 2009, 3:29 AM

Post #66 of 98 (4965 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On Fri, 2009-12-11 at 21:45 -0800, Roger Marquis wrote:
> If you're going to implement
> statefulness there is no technical downside to implementing NAT as well.
> No downside, plenty of upsides, no brainer...

Of course there are downsides to implementing NAT - adding any feature
to a device increases its complexity and affects its expense, time to
market, MTBF etc. And there is certainly a downside to *deploying* NAT:
NAT removes end-to-end transparency.

Gotta keep those SOHO users in their cages, don't want them becoming
independent producers of digital value, no sir!

Seriously - by all means keep NAT as a technology for those who want to
deploy it; we can't uninvent it anyway. It just shouldn't be imposed on
others.

I would argue that an ISP requiring of a customer that they use a NATted
solution with IPv6 *is* imposing it on others.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer [at] biplane) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)

GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF


simon.perreault at viagenie

Dec 12, 2009, 4:42 AM

Post #67 of 98 (4944 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On 12/12/2009 01:55 AM, Mark Newton wrote:
> Would you be using "Consumer Grade - IPV6 Enabled Router Firewalls" in the
> enterprise? 'cos if you would, I think I might have entered the wrong
> thread :)

Yeah, I think I did. Sorry for the noise.

Simon
--
DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
vCard 4.0 --> http://www.vcarddav.org


alexandru.petrescu at gmail

Dec 12, 2009, 6:44 AM

Post #68 of 98 (4958 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Frank Bulk wrote:
> I think they're (all) listed here:
> http://www.getipv6.info/index.php/Broadband_CPE

And from an operators perspective (not manufacturer):

Free ISP ADSL (and fiber) operator in France has done IPv6 natively to the
end user with Router Advertisement for 2 years now. I think these
"CPE" (Customer Premises Equipment) are called simply "box" in France
(freebox, livebox, dartybox, and more). Between the Free box and the
core network there is proprietary IPv6-in-IPv4 encapsulation, not 6to4.
No DHCPv6-PD, which I feel is a big restriction.

Plans for livebox and 9box IPv6 do exist if not already deployed.

Spanish FON Fonera based on openwrt, when I checked 2008, did IPv6
somehow, not sure whether natively.
http://boards.fon.com/viewtopic.php?f=1&t=4532&view=previous

From memory, at least one Japanese residential operator did IPv6 to the
home several years ago, with explicit IPv6 advertisement on TV during
prime time.

Alex

>
> Frank
>
> -----Original Message-----
> From: Wade Peacock [mailto:wade.peacock [at] sunwave]
> Sent: Wednesday, December 02, 2009 5:16 PM
> To: nanog [at] nanog
> Subject: Consumer Grade - IPV6 Enabled Router Firewalls.
>
> We had a discussion today about IPv6. During our open thinking the
> topic of client equipment came up.
> We all commented that we have not seen any consumer grade IPv6 enabled
> internet gateways (routers/firewalls), akin to the ever popular Linksys
> 54G series, DLinks, SMCs or Netgears.
>
> Does anyone have any leads to information about such products (In production
> or planned production)?
>
> We are thinking that most vendors are going to wait until Ma and Pa home
> user are screaming for them.
>
> Thoughts?
>
>


alexandru.petrescu at gmail

Dec 12, 2009, 6:44 AM

Post #69 of 98 (4943 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Mohacsi Janos wrote:
>
>
>
> On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
>
>>
>>
>> Mohacsi Janos wrote:
>>>
>>>
>>> According to Apple the latest Apple Airport Extreme does support
>>> DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.
>> Airports don't support DHCPv6 PD yet. I'm led to believe that they
>> may in the future from my Apple friends but not yet.
>
> It does in a limited extent:
> http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html

Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't
seem to say so. If it is it would be wonderful.

> I will check soon the hardware.

Great, please report, thanks,

Alex

>
>
> Best Regards,
> Janos Mohacsi
>
>
>


rubensk at gmail

Dec 12, 2009, 10:26 AM

Post #70 of 98 (4939 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

>> You're correct, out of the box there aren't many.  The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
>
> The Apple products do 6to4 out of the box, but don't support v6 natively.
>
> Apple seems to have ideological objections to DHCPv6, so at the moment
> there's little hope at all that prefix delegation will work on any of their
> CPE products.

Can Airport relay the DHCPv6 request to the service provider ?


Rubens


rubensk at gmail

Dec 12, 2009, 10:48 AM

Post #71 of 98 (4956 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

> I challenge the usual suspects to deliver actual working dual stack IPv6 ADSL CPE rather than feigning interest.   None of the major CPE vendors appear to have a v6 plan despite your claims.   We have an IPv6 dual stack trial for ADSL going on and not a single CPE from the _major consumer CPE vendors_.

I've seen some ADSL CPEs that could bridge specific frame types. It
would be feasible to think of an ADSL CPE that would simply bridge
IPv4/ARP and IPv6 ethertypes and have a dual-stack BRAS service the
users, or bridge IPv4/ARP to a VC (Virtual Circuit) and IPv6 to another
VC, or NAT+Route IPv4 to a VC and bridge IPv6 to another VC.

In an IPv6 world where NAT is not a requirement (paranoids are welcome
to buy their own IPv6 firewalls), bridging with some L4 intelligence
might be all that a CPE needs to do. The IPv6 idea of letting
end-nodes have more work and intermediate nodes have less work also
applies to CPEs.


Rubens


frnkblk at iname

Dec 12, 2009, 3:40 PM

Post #72 of 98 (4945 views)
RE: Consumer Grade - IPV6 Enabled Router Firewalls.

Unless I haven't put the full picture together yet, for my PPPoA/E
environment I would like a DSL CPE that:
- on the WAN interface does IPv4 (with NAT support) and IPv6 over PPPoE
combined with DHCP-PD (with a stateful firewall).
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static
IPv6, and stateful and stateless DHCPv6.
- allows me to run IPv4, IPv6, or both

For my bridged environments (whether that be DSL or FTTH) I would like a CPE
that
- on the WAN interface does IPv4 (with NAT support), IPv6 with Link-Local
only, static IPv6, and IPv6 with DHCP-PD (with a stateful firewall).
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static
IPv6, and stateful and stateless DHCPv6.
- allows me to run IPv4, IPv6, or both

While the support burden will be raised, I think the network needs to be
dual-stack from end-to-end if SPs want to keep middle-boxes out. But for
those who really do run out of IPv4 addresses, I'm not sure how middle-boxes
can be avoided. Kind of hard to tell customer n+1 that they can only visit
the IPv6 part of the web. Perhaps new customers will have to use a service
provider's CGN and share IPv4 addresses until enough of the internet is
dual-stack.

Frank

-----Original Message-----
From: Rubens Kuhl [mailto:rubensk [at] gmail]
Sent: Saturday, December 12, 2009 12:48 PM
To: nanog [at] nanog
Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.

> I challenge the usual suspects to deliver actual working dual stack IPv6
ADSL CPE rather than feigning interest.   None of the major CPE vendors
appear to have a v6 plan despite your claims.   We have an IPv6 dual stack
trial for ADSL going on and not a single CPE from the _major consumer CPE
vendors_.

I've seen some ADSL CPEs that could bridge specific frame types. It
would be feasible to think of an ADSL CPE that would simply bridge
IPv4/ARP and IPv6 ethertypes and have a dual-stack BRAS service the
users, or bridge IPv4/ARP to a VC (Virtual Circuit) and IPv6 to another
VC, or NAT+Route IPv4 to a VC and bridge IPv6 to another VC.

In an IPv6 world where NAT is not a requirement (paranoids are welcome
to buy their own IPv6 firewalls), bridging with some L4 intelligence
might be all that a CPE needs to do. The IPv6 idea of letting
end-nodes have more work and intermediate nodes have less work also
applies to CPEs.


Rubens


mohacsi at niif

Dec 13, 2009, 1:22 AM

Post #73 of 98 (4943 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On Sat, 12 Dec 2009, Alexandru Petrescu wrote:

> Frank Bulk wrote:
>> I think they're (all) listed here:
>> http://www.getipv6.info/index.php/Broadband_CPE
>
> And from an operators perspective (not manufacturer):
>
> Free ISP ADSL (and fiber) operator in France has done IPv6 natively to the end
> user with Router Advertisement for 2 years now. I think these "CPE"
> (Customer Premises Equipment) are called simply "box" in France (freebox,
> livebox, dartybox, and more). Between the Free box and the core network
> there is proprietary IPv6-in-IPv4 encapsulation, not 6to4. No DHCPv6-PD,
> which I feel is a big restriction.

Implementing 6rd (which is used by Free) is also a big restriction.

>
> Plans for livebox and 9box IPv6 do exist if not already deployed.
>
> Spanish FON Fonera based on openwrt, when I checked 2008, did IPv6 somehow,
> not sure whether natively.
> http://boards.fon.com/viewtopic.php?f=1&t=4532&view=previous
>
> From memory, at least one Japanese residential operator did IPv6 to the home
> several years ago, with explicit IPv6 advertisement on TV during prime time.
>
> Alex
>
>>
>> Frank
>>
>> -----Original Message-----
>> From: Wade Peacock [mailto:wade.peacock [at] sunwave] Sent: Wednesday,
>> December 02, 2009 5:16 PM
>> To: nanog [at] nanog
>> Subject: Consumer Grade - IPV6 Enabled Router Firewalls.
>>
>> We had a discussion today about IPv6. During our open thinking the
>> topic of client equipment came up.
>> We all commented that we have not seen any consumer grade IPv6 enabled
>> internet gateways (routers/firewalls), akin to the ever popular Linksys
>> 54G series, DLinks, SMCs or Netgears.
>>
>> Does anyone have any leads to information about such products (In
>> production
>> or planned production)?
>>
>> We are thinking that most vendors are going to wait until Ma and Pa home
>> user are screaming for them.
>>
>> Thoughts?
>>
>>
>
>
>


mohacsi at niif

Dec 13, 2009, 1:24 AM

Post #74 of 98 (4935 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

On Sat, 12 Dec 2009, Alexandru Petrescu wrote:

> Mohacsi Janos wrote:
>>
>>
>>
>> On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
>>
>>>
>>>
>>> Mohacsi Janos wrote:
>>>>
>>>>
>>>> According to Apple the latest Apple Airport Extreme does support DHCPv6
>>>> prefix delegation and native IPv6 uplink not only 6to4.
>>> Airports don't support DHCPv6 PD yet. I'm led to believe that they may
>>> in the future from my Apple friends but not yet.
>>
>> It does in a limited extent:
>> http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html
>
> Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem
> to say so. If it is it would be wonderful.

They do:
"DHCP6 client requests prefix delegation, advertised on LAN bridge"

Best Regards,
Janos Mohacsi


joelja at bogus

Dec 13, 2009, 9:17 AM

Post #75 of 98 (4921 views)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Owen DeLong wrote:
>
> On Dec 10, 2009, at 4:56 PM, Michael Loftis wrote:
>
>>
>>
>> --On Wednesday, December 02, 2009 6:23 PM -0800 Mehmet Akcin
>> <mehmet [at] akcin> wrote:
>>
>>> Would you consider Juniper SSG5 as a Consumer Grade router?
>>>
>>> They do IPv6 and they are pretty good in general, and cheap as well.
>>>
>>
>> Not as usable in the consumer space due to lack of UPnP (and Juniper
>> is NOT interested in implementing it). They also lack some other
>> customer friendly features.
>>
> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
>
> You don't need UPnP if you're not doing NAT.

wishful thinking.

you're likely to still have a stateful firewall and in the consumer space
someone is likely to want to punch holes in it.

>> Price point is also probably 3x-5x what most are willing to pay for CPE.
>
> Yep.
>
> Side-note, SRX-100 is the new SSG-5 equivalent and it's JunOS instead of
> ScreenOS. Nice box.
>
> Owen
>
>
