[120241] in North American Network Operators' Group
RE: Consumer Grade - IPV6 Enabled Router Firewalls.
daemon@ATHENA.MIT.EDU (Frank Bulk)
Sat Dec 12 18:41:33 2009
From: "Frank Bulk" <frnkblk@iname.com>
To: <nanog@nanog.org>
In-Reply-To: <6bb5f5b10912121048n2c163556kd991d8e775d0597@mail.gmail.com>
Date: Sat, 12 Dec 2009 17:40:23 -0600
Reply-To: frnkblk@iname.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Unless I haven't put the full picture together, yet, but for my PPPoA/E
environment I would like a DSL CPE that:
- on the WAN interface does IPv4 (with NAT support) and IPv6 over PPPoE
combined with DHCP-PD (with a stateful firewall).
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static
IPv6, and stateful and stateless DHCPv6.
- allows me to run IPv4, IPv6, or both
For my bridged environments (whether that be DSL or FTTH) I would like a CPE
that
- on the WAN interface does IPv4 (with NAT support), IPv6 with Link-Local
only, static IPv6, and IPv6 with DHCP-PD (with a stateful firewall).
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static
IPv6, and stateful and stateless DHCPv6.
- allows me to run IPv4, IPv6, or both
While the support burden will be raised, I think the network needs to be
dual-stack from end-to-end if SPs want to keep middle-boxes out. But for
those who really do run out of IPv4 addresses, I'm not sure how middle-boxes
can be avoided. Kind of hard to tell customer n+1 that they can only visit
the IPv6 part of the web. Perhaps new customers will have to use a service
provider's CGN and share IPv4 addresses until enough of the internet is
dual-stack.
Frank
-----Original Message-----
From: Rubens Kuhl [mailto:rubensk@gmail.com]
Sent: Saturday, December 12, 2009 12:48 PM
To: nanog@nanog.org
Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.
> I challenge the usual suspects to deliver actual working dual stack IPv6
> ADSL CPE rather than feigning interest. None of the major CPE vendors
> appear to have a v6 plan despite your claims. We have an IPv6 dual stack
> trial for ADSL going on and not a single CPE from the _major consumer CPE
> vendors_.
I've seen some ADSL CPEs that could bridge specific frame types. It
would be feasible to think of an ADSL CPE that would simply bridge
IPv4/ARP and IPv6 ethertypes and have a dual-stack BRAS service the
users, or bridge IPv4/ARP to a VC (Virtual Circuit) and IPv6 to another
VC, or NAT+Route IPv4 to a VC and bridge IPv6 to other VC.
In an IPv6 world where NAT is not a requirement (paranoids are welcome
to buy their own IPv6 firewalls), bridging with some L4 intelligence
might be all that a CPE needs to do. The IPv6 idea of letting
end-nodes have more work and intermediate nodes have less work also
applies to CPEs.
Rubens
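
Added example, not part of the original messages and not any vendor's code: a sketch of the EtherType-based forwarding decision described above (bridge IPv4/ARP to one VC and IPv6 to another, or NAT+route IPv4 and bridge IPv6), with every other frame type dropped by default. The policy tables, VC names, the local handling of ARP in routed mode, and the sample frames are assumptions constructed for illustration.

```python
import struct

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol IDs

# Hypothetical policies for two of the options in the message; VC names are made up.
SPLIT_BRIDGE = {ETH_IPV4: ("bridge", "vc-v4"), ETH_ARP: ("bridge", "vc-v4"),
                ETH_IPV6: ("bridge", "vc-v6")}
# Assumption: when the CPE routes IPv4, it answers LAN-side ARP itself.
ROUTE_V4_BRIDGE_V6 = {ETH_IPV4: ("nat-route", "vc-v4"), ETH_ARP: ("local", None),
                      ETH_IPV6: ("bridge", "vc-v6")}


def ethertype(frame: bytes):
    """Return the payload EtherType, skipping VLAN tags; None if unparseable."""
    offset = 12  # destination MAC (6) + source MAC (6)
    for _ in range(3):  # accept at most two stacked VLAN tags
        if len(frame) < offset + 2:
            return None  # truncated frame
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TAGS:
            # Values below 0x0600 are 802.3 length fields, not EtherTypes.
            return etype if etype >= 0x0600 else None
        offset += 4  # skip TPID (2) + TCI (2)
    return None


def classify(frame: bytes, policy: dict):
    """Map a LAN-side frame to (action, vc); anything not listed is dropped."""
    return policy.get(ethertype(frame), ("drop", None))


def sample_frame(etype: int, vlan=None) -> bytes:
    """Build a constructed test frame: broadcast dst, locally administered src."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", etype) + bytes(46)


if __name__ == "__main__":
    for et in (ETH_IPV4, ETH_ARP, ETH_IPV6, 0x8863):
        print(hex(et), classify(sample_frame(et), SPLIT_BRIDGE),
              classify(sample_frame(et, vlan=10), ROUTE_V4_BRIDGE_V6))
```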