Consumer Grade - IPV6 Enabled Router Firewalls.

Frank Bulk frnkblk at iname.com
Sat Dec 12 23:40:23 UTC 2009


Unless I haven't put the full picture together yet, but for my PPPoA/E
environment I would like a DSL CPE that:
- on the WAN interface does IPv4 (with NAT support) and IPv6 over PPPoE
combined with DHCP-PD (with a stateful firewall).  
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static
IPv6, and stateful and stateless DHCPv6.  
- allows me to run IPv4, IPv6, or both

For my bridged environments (whether that be DSL or FTTH) I would like a CPE
that 
- on the WAN interface does IPv4 (with NAT support), IPv6 with Link-Local
only, static IPv6, and IPv6 with DHCP-PD (with a stateful firewall).  
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static
IPv6, and stateful and stateless DHCPv6.  
- allows me to run IPv4, IPv6, or both

While the support burden will be raised, I think the network needs to be
dual-stack from end-to-end if SPs want to keep middle-boxes out.  But for
those who really do run out of IPv4 addresses, I'm not sure how middle-boxes
can be avoided.  Kind of hard to tell customer n+1 that they can only visit
the IPv6 part of the web.  Perhaps new customers will have to use a service
provider's CGN and share IPv4 addresses until enough of the internet is
dual-stack.

Frank

-----Original Message-----
From: Rubens Kuhl [mailto:rubensk at gmail.com] 
Sent: Saturday, December 12, 2009 12:48 PM
To: nanog at nanog.org
Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.

> I challenge the usual suspects to deliver actual working dual stack IPv6
> ADSL CPE rather than feigning interest.   None of the major CPE vendors
> appear to have a v6 plan despite your claims.   We have an IPv6 dual stack
> trial for ADSL going on and not a single CPE from the _major consumer CPE
> vendors_.

I've seen some ADSL CPEs that could bridge specific frame types. It
would be feasible to think of an ADSL CPE that would simply bridge
IPv4/ARP and IPv6 ethertypes and have a dual-stack BRAS service the
users, or bridge IPv4/ARP to a VC (Virtual Circuit) and IPv6 to another
VC, or NAT+Route IPv4 to a VC and bridge IPv6 to another VC.

In an IPv6 world where NAT is not a requirement (paranoids are welcome
to buy their own IPv6 firewalls), bridging with some L4 intelligence
might be all that a CPE needs to do. The IPv6 idea of letting
end-nodes have more work and intermediate nodes have less work also
applies to CPEs.


Rubens




