Requirements for IPv6 Firewalls
Dustin Jurman
dustin at rseng.net
Thu Apr 17 18:04:56 UTC 2014
Always interesting responding to a NANOG thread.
- the approach is from an end user rather than a service provider. The firewall operator would be more interested in identifying PPS for attacks / compromised hosts vs. QoS, but I suppose it could be used for QoS as well. (Not my intent.) So today we have NAT'd firewalls that overload a particular interface; IMHO, since properly implemented v6 should not use NAT, I would want my FW vendor to allow me to see what's going on PPS-wise via the dashboard function. Most v4 firewalls do this today at an interface level.
- Average packet size for all hosts would allow the operator to make a determination and set thresholds for new forms of attacks and exploits. (Thinking forward, once applications take advantage of v6.)
- MTU negotiated between hosts - since this happens between endpoints in v6, this could help identify tunnels in the network / changes in WAN topology. Not like we haven't seen that before. While a change in flight should create a drop, when the session re-establishes it could resize.
Dustin Jurman
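The three telemetry items in the message above (per-host and firewall-level PPS, average packet length, and a change in the path MTU reported to a host) can all be computed from plain packet metadata. The following is an added example, not code from the thread or from any firewall vendor: it runs the computation over a constructed set of IPv6 packet records (the addresses, timestamps, thresholds and the 1-second bucketing are assumptions chosen for illustration). The PMTU tracker keys on ICMPv6 Packet Too Big messages and ignores any reported MTU below 1280, the IPv6 minimum that RFC 8201 says a node must never go under.

```python
"""Per-host / firewall-wide PPS, average packet length and PMTU-change telemetry.

Added example; input records are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

IPV6_MIN_MTU = 1280  # RFC 8201: PMTU estimate is never reduced below this


@dataclass(frozen=True)
class Pkt:
    ts: float                   # seconds since start of the observation window
    src: str                    # IPv6 source address (text form)
    dst: str                    # IPv6 destination address
    proto: str                  # "tcp", "udp" or "icmpv6-ptb" (ICMPv6 Packet Too Big)
    length: int                 # total packet length in bytes (IPv6 header + payload)
    mtu: Optional[int] = None   # MTU field of a Packet Too Big message, else None


# Assumed addresses for the constructed sample.
HOST_A, HOST_B = "2001:db8::a", "2001:db8::b"
HOST_C, HOST_D = "2001:db8::c", "2001:db8::d"
ROUTER = "2001:db8:ffff::1"


def build_sample() -> List[Pkt]:
    """Constructed traffic: A streams normally, B floods tiny UDP packets,
    and the path from C to D has its PMTU cut from 1480 to 1280 mid-session."""
    pkts: List[Pkt] = []
    # A: 10 pps of full-size TCP for two seconds
    for i in range(20):
        pkts.append(Pkt(i * 0.1, HOST_A, HOST_D, "tcp", 1400))
    # B: 300 small UDP packets inside one second
    for i in range(300):
        pkts.append(Pkt(1.0 + i / 300, HOST_B, HOST_D, "udp", 64))
    # C -> D: first a PPPoE-sized PMTU (1480), later a 1280 report, as if a
    # tunnel had been inserted in the path
    pkts.append(Pkt(0.2, HOST_C, HOST_D, "tcp", 1500))
    pkts.append(Pkt(0.3, ROUTER, HOST_C, "icmpv6-ptb", 1280, mtu=1480))
    pkts.append(Pkt(0.4, HOST_C, HOST_D, "tcp", 1480))
    pkts.append(Pkt(2.6, ROUTER, HOST_C, "icmpv6-ptb", 1280, mtu=1280))
    pkts.append(Pkt(2.7, HOST_C, HOST_D, "tcp", 1280))
    return sorted(pkts, key=lambda p: p.ts)


def peak_pps(pkts: List[Pkt], key: Callable[[Pkt], str] = lambda p: p.src,
             bucket: float = 1.0) -> Dict[str, float]:
    """Peak packets-per-second per key (default: per source host) over fixed
    buckets of `bucket` seconds. key=lambda p: "fw" gives the firewall total."""
    counts: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for p in pkts:
        counts[key(p)][int(p.ts // bucket)] += 1
    return {k: max(b.values()) / bucket for k, b in counts.items()}


def avg_length(pkts: List[Pkt], key: Callable[[Pkt], str] = lambda p: p.src) -> Dict[str, float]:
    """Mean packet length in bytes per key (default: per source host)."""
    total: Dict[str, int] = defaultdict(int)
    n: Dict[str, int] = defaultdict(int)
    for p in pkts:
        total[key(p)] += p.length
        n[key(p)] += 1
    return {k: total[k] / n[k] for k in n}


def flag_hosts(pkts: List[Pkt], pps_limit: float = 100.0, min_avg_len: int = 128) -> List[str]:
    """Hosts whose peak pps exceeds pps_limit AND whose average packet is
    smaller than min_avg_len bytes: the small-packet flood profile."""
    pps = peak_pps(pkts)
    avg = avg_length(pkts)
    return sorted(h for h in pps if pps[h] > pps_limit and avg[h] < min_avg_len)


def pmtu_changes(pkts: List[Pkt]) -> List[Tuple[str, int, int, float]]:
    """Track the MTU reported to each host by ICMPv6 Packet Too Big messages and
    return (host, old_mtu, new_mtu, ts) whenever the reported value changes.
    Reports below the IPv6 minimum are invalid and are ignored."""
    last: Dict[str, int] = {}
    changes: List[Tuple[str, int, int, float]] = []
    for p in pkts:
        if p.proto != "icmpv6-ptb" or p.mtu is None or p.mtu < IPV6_MIN_MTU:
            continue
        prev = last.get(p.dst)          # the PTB is addressed to the originating host
        if prev is not None and prev != p.mtu:
            changes.append((p.dst, prev, p.mtu, p.ts))
        last[p.dst] = p.mtu
    return changes


if __name__ == "__main__":
    sample = build_sample()
    print("firewall peak pps:", peak_pps(sample, key=lambda p: "fw")["fw"])
    print("per-host peak pps:", peak_pps(sample))
    print("avg length per host:", avg_length(sample))
    print("flagged hosts:", flag_hosts(sample))
    print("PMTU changes:", pmtu_changes(sample))
```

With the constructed input, the firewall-level peak is 310 pps, host B is the only one flagged (300 pps at 64 bytes average), and the only PMTU change recorded is host C going from 1480 to 1280. The thresholds are the part an operator would tune per site; the bucketing and the "small and fast" profile are what a dashboard of the kind the message asks for would expose.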
-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins at arbor.net]
Sent: Thursday, April 17, 2014 8:51 AM
To: NANOG
Subject: Re: Requirements for IPv6 Firewalls
On Apr 17, 2014, at 7:35 PM, Dustin Jurman <dustin at rseng.net> wrote:
> - packets per second
> - Firewall Level
> - Hosts level
This is getting into QoS territory . . .
> - packet size information
Concur - packet-length.
> - Average for FW of all Network hosts
This isn't very operationally useful, IMHO.
> - Negotiated Between Hosts
I'm not sure what this means?
But classifiers for everything in the IP, TCP, UDP, and ICMP headers, along with packet length, makes a lot of sense.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton