NG Firewalls & IPv6
Jean | ddostest.me
jean at ddostest.me
Tue Apr 3 10:45:02 UTC 2018
If by NextGen you meant performance, then I recommend to have a look at
kipfw over Netmap driver on a FreeBSD 11 box. You buy a couple of
Chelsio 40 Gbps or 100 Gbps NIC and you are in business.
It was mentioned here in NANOG couple of years ago. Very good stuff, but
you will need to invest a bit of time in writing your own scripts.
It's a kind of bridging firewall though, so you can't route through it IIRC.
If by NextGen you meant features riched, then don't go this way. ;)
On 04/03/2018 06:16 AM, Saku Ytti wrote:
> Done Checkpoint, Netscreen, SRX , iptables, nftables IPv6 FW all with
> dynamic routing, but only under extreme duress, like I'm sure everyone
> who is forced to touch stateful firewalls. Send help.
> Seems to me this has mostly worked for over decade, worked in context
> where stateful FW can be said to work at all. Of course like in every
> other context, IPv6 is second class citizen, so you're going to find
> more bugs, as less people are using the feature, there are less people
> doing bug scrubbing and fewer people bridging feature gaps. This isn't
> going to go away any time soon.
> On 3 April 2018 at 03:28, David Hubbard <dhubbard at dino.hostasaurus.com> wrote:
>> I’ve been doing dual stack through Fortinet products for many years without issue. Well, no issue from a technical perspective. Sometimes you have to dig for a bit to find the equivalent v6 CLI commands, and occasionally there’s GUI stuff missing that requires CLI where the v4 equivalent didn’t, but not a bad experience overall. Does v6 vpn’s great too. Haven’t delved into dynamic routing protocols on them so can’t speak to that. Happy to answer questions.
>> From: NANOG <nanog-bounces at nanog.org> on behalf of Joe Klein <jsklein at gmail.com>
>> Sent: Monday, April 2, 2018 6:58:14 PM
>> To: NANOG list
>> Subject: NG Firewalls & IPv6
>> At security and network tradeshows over the last 15 years, I have asked
>> companies if their products supported "IPv6". They all claimed they did,
>> but were unable to verify any successful installations. Later they told me
>> it was on their "Roadmap" but were unable to provide an estimated year,
>> because it was a trade secret.
>> Starting this last year at BlackHat US, I again visited every product
>> booth, asking if their products supported dual-stack or IPv6 only
>> operations. Receiving only the same unsupported answers, I decided to focus
>> on one product category.
>> To the gurus of the NANOG community, What are your experiences with
>> installing and managing Next Generations firewalls? Do they support IPv6
>> only environments? Details? Stories?
>> If you prefer not to disparage those poor product companies, please contact
>> me off the list.
>> Joe Klein
>> "inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
>> PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8
More information about the NANOG