Consumer Grade - IPV6 Enabled Router Firewalls.
Frank Bulk
frnkblk at iname.com
Sat Dec 12 23:40:23 UTC 2009
Unless I haven't put the full picture together yet, but for my PPPoA/E
environment I would like a DSL CPE that:
- on the WAN interface does IPv4 (with NAT support) and IPv6 over PPPoE
combined with DHCP-PD (with a stateful firewall).
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static
IPv6, and stateful and stateless DHCPv6.
- allows me to run IPv4, IPv6, or both
For my bridged environments (whether that be DSL or FTTH) I would like a CPE
that:
- on the WAN interface does IPv4 (with NAT support), IPv6 with Link-Local
only, static IPv6, and IPv6 with DHCP-PD (with a stateful firewall).
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static
IPv6, and stateful and stateless DHCPv6.
- allows me to run IPv4, IPv6, or both
While the support burden will be raised, I think the network needs to be
dual-stack from end-to-end if SPs want to keep middle-boxes out. But for
those who really do run out of IPv4 addresses, I'm not sure how middle-boxes
can be avoided. Kind of hard to tell customer n+1 that they can only visit
the IPv6 part of the web. Perhaps new customers will have to use a service
provider's CGN and share IPv4 addresses until enough of the internet is
dual-stack.
Frank
-----Original Message-----
From: Rubens Kuhl [mailto:rubensk at gmail.com]
Sent: Saturday, December 12, 2009 12:48 PM
To: nanog at nanog.org
Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.
> I challenge the usual suspects to deliver actual working dual stack IPv6
> ADSL CPE rather than feigning interest. None of the major CPE vendors
> appear to have a v6 plan despite your claims. We have an IPv6 dual stack
> trial for ADSL going on and not a single CPE from the _major consumer CPE
> vendors_.
I've seen some ADSL CPEs that could bridge specific frame types. It
would be feasible to think of an ADSL CPE that would simply bridge
IPv4/ARP and IPv6 ethertypes and have a dual-stack BRAS service the
users, or bridge IPv4/ARP to a VC (Virtual Circuit) and IPv6 to another
VC, or NAT+Route IPv4 to a VC and bridge IPv6 to other VC.
In an IPv6 world where NAT is not a requirement (paranoids are welcome
to buy their own IPv6 firewalls), bridging with some L4 intelligence
might be all that a CPE needs to do. The IPv6 idea of letting
end-nodes have more work and intermediate nodes have less work also
applies to CPEs.
Rubens