IPv6 firewall support

michael.dillon at bt.com michael.dillon at bt.com
Fri Oct 26 21:04:58 UTC 2007


Some people have claimed that they cannot yet sell
IPv6 Internet access because there is no IPv6 firewall
support. According to this ICANN study:
http://www.icann.org/committees/security/sac021.pdf
this is not quite true. At least 30% of the 42 vendors
surveyed had IPv6 support.

According to this talk
<http://www.guug.de/veranstaltungen/ecai6-2007/slides/2007-ECA-I6-Status-IPv6-Firewalling-PeterBieringer-Talk.pdf>
many open-source and commercial firewalls supporting IPv6 are available.

IPCop is based on Linux
<http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopScreenshots>

m0n0wall is based on FreeBSD
<http://m0n0.ch/wall/screenshots.php>

pfSense is also based on FreeBSD
<http://pfsense.com/index.php?id=26>

FWBuilder is a management tool that builds filter setups for 
several different firewalls.
<http://www.fwbuilder.org/archives/cat_screenshots.html>

Checkpoint FW1 NGX R65 on SecurePlatform supports IPv6.

FortiGate supports IPv6 in FortiOS 3.0 and up.

Juniper SSG (formerly Netscreen) supports IPv6 in ScreenOS 6.0 and up.

Cisco ASA (formerly PIX) supports IPv6 in version 7.0 and up.

I suspect that the people complaining about IPv6 support are 
partially complaining because they have older hardware that 
the vendor does not plan to upgrade to IPv6 support until 
they have all features implemented in their newer products, 
and partially complaining because their vendor has not 
implemented some feature which they happen to use.

Commercial firewall support may be lagging behind OS and 
router support, but not by much. And if commercial vendors 
are not responsive, maybe you should try pricing out an open 
source solution with a consultant. I believe there is a gap 
here that startup firewall companies could fill if they 
understand the enterprise market.

--Michael Dillon


