Requirements for IPv6 Firewalls

Thu Apr 17 18:04:56 UTC 2014

Always interesting responding to a NANOG thread.  

- the approach is from an end user than service provider. The firewall operator would be more interested in identifying PPS for attacks / compromised hosts VS QOS but I supposed it could be used for QOS as well.  (Not my intent) So today we have NAT'd firewalls that overload a particular interface, IMHO since properly implemented V6 should not use NAT I would want my FW vendor to allow me to see what's going on PPS wise via the dashboard function.  Most V4 firewalls do this today at an interface level. 

- Average packet size for all hosts would allow operator to make a determination and set thresholds for new forms of attacks and exploits.  (Thinking forward once applications take advantage of V6)  

- MTU Negotiated Between Hosts - Since this happens between endpoints in v6 this could be help identify tunnels in the network / changes in WAN topology..  Not like we haven't seen that before.  While a change in flight should create a drop.. when the session reestablishes it could resize.  

Dustin jurman

-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins at arbor.net] 
Sent: Thursday, April 17, 2014 8:51 AM
To: NANOG
Subject: Re: Requirements for IPv6 Firewalls

On Apr 17, 2014, at 7:35 PM, Dustin Jurman <dustin at rseng.net> wrote:

> - packets per second
> 	- Firewall Level
> 	- Hosts level

This is getting into QoS territory . . .

> - packet size information

Concur - packet-length.

> 	- Average for FW of all Network hosts

This isn't very operationally useful, IMHO.

> 	- Negotiated Between Hosts  

I'm not sure what this means?

But classifiers for everything in the IP, TCP, UDP, and ICMP headers, along with packet length, makes a lot of sense.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton