[171070] in North American Network Operators' Group
RE: Requirements for IPv6 Firewalls
daemon@ATHENA.MIT.EDU (Dustin Jurman)
Thu Apr 17 14:05:41 2014
From: Dustin Jurman <dustin@rseng.net>
To: "Dobbins, Roland" <rdobbins@arbor.net>, NANOG <nanog@nanog.org>
Date: Thu, 17 Apr 2014 18:04:56 +0000
In-Reply-To: <4FC140D7-7464-4BDA-9562-A79A37F1458F@arbor.net>
Always interesting responding to a NANOG thread.
- The approach is from an end user rather than a service provider. The firewall operator would be more interested in identifying PPS for attacks / compromised hosts vs. QoS, but I suppose it could be used for QoS as well. (Not my intent.) So today we have NAT'd firewalls that overload a particular interface. IMHO, since properly implemented v6 should not use NAT, I would want my FW vendor to allow me to see what's going on PPS-wise via the dashboard function. Most v4 firewalls do this today at an interface level.
- Average packet size for all hosts would allow the operator to make a determination and set thresholds for new forms of attacks and exploits. (Thinking forward, once applications take advantage of v6.)
- MTU negotiated between hosts - Since this happens between endpoints in v6, this could help identify tunnels in the network / changes in WAN topology. Not like we haven't seen that before. While a change in flight should create a drop, when the session re-establishes it could resize.
Dustin Jurman
-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins@arbor.net]
Sent: Thursday, April 17, 2014 8:51 AM
To: NANOG
Subject: Re: Requirements for IPv6 Firewalls
On Apr 17, 2014, at 7:35 PM, Dustin Jurman <dustin@rseng.net> wrote:
> - packets per second
> - Firewall Level
> - Hosts level
This is getting into QoS territory . . .
> - packet size information
Concur - packet-length.
> - Average for FW of all Network hosts
This isn't very operationally useful, IMHO.
> - Negotiated Between Hosts
I'm not sure what this means?
But classifiers for everything in the IP, TCP, UDP, and ICMP headers, along with packet length, make a lot of sense.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
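As an added illustration (not code from the thread or from either poster), here is a small Python sketch of the three statistics Dustin asks a v6 firewall to expose: per-source-host PPS and average packet length, plus a drop in the largest packet seen between two hosts, which could hint at a new tunnel or a path change. The packet records, window size and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample records: (time_s, src, dst, length_bytes). Host ::a later
# bursts small packets to ::d, and its ::a -> ::b session shrinks its largest
# packets from 1500 to 1440 (what an extra tunnel header or PMTU change would do).
PACKETS = [
    (0.0, "2001:db8::a", "2001:db8::b", 1500),
    (0.2, "2001:db8::a", "2001:db8::b", 1500),
    (0.4, "2001:db8::c", "2001:db8::b", 1280),
    (1.1, "2001:db8::a", "2001:db8::b", 1440),
    (1.3, "2001:db8::a", "2001:db8::b", 1440),
    (1.5, "2001:db8::a", "2001:db8::b", 1440),
] + [(2.0 + i * 0.01, "2001:db8::a", "2001:db8::d", 64) for i in range(100)]


def per_host_stats(packets, window_s):
    """Per source host: peak packets-per-second over window_s buckets, mean length."""
    buckets = defaultdict(lambda: defaultdict(int))  # src -> {window: count}
    totals = defaultdict(lambda: [0, 0])             # src -> [packets, bytes]
    for t, src, _dst, length in packets:
        buckets[src][int(t // window_s)] += 1
        totals[src][0] += 1
        totals[src][1] += length
    return {src: {"peak_pps": max(counts.values()) / window_s,
                  "avg_len": totals[src][1] / totals[src][0]}
            for src, counts in buckets.items()}


def mtu_shrinks(packets, window_s):
    """(src, dst) pairs whose largest observed packet shrinks from one window to the next."""
    largest = defaultdict(dict)  # (src, dst) -> {window: max_len}
    for t, src, dst, length in packets:
        w = int(t // window_s)
        largest[(src, dst)][w] = max(largest[(src, dst)].get(w, 0), length)
    events = []
    for pair, by_window in largest.items():
        windows = sorted(by_window)
        for prev, cur in zip(windows, windows[1:]):
            if by_window[cur] < by_window[prev]:
                events.append((pair, by_window[prev], by_window[cur]))
    return events


def flag_hosts(stats, pps_threshold, min_avg_len):
    """Hosts over the PPS threshold or with an unusually small average packet."""
    return sorted(h for h, s in stats.items()
                  if s["peak_pps"] > pps_threshold or s["avg_len"] < min_avg_len)


if __name__ == "__main__":
    stats = per_host_stats(PACKETS, 1.0)
    print(flag_hosts(stats, pps_threshold=50, min_avg_len=200))  # ['2001:db8::a']
    print(mtu_shrinks(PACKETS, 1.0))  # [(('2001:db8::a', '2001:db8::b'), 1500, 1440)]
```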