[171079] in North American Network Operators' Group
Re: Requirements for IPv6 Firewalls
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Thu Apr 17 17:01:38 2014
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG <nanog@nanog.org>
Date: Thu, 17 Apr 2014 21:00:54 +0000
In-Reply-To: <D512B70CB42ED047A05A7AC11DF0C9C80572B160@Westshore-EX1.rseng.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 18, 2014, at 1:04 AM, Dustin Jurman <dustin@rseng.net> wrote:
> - The approach is from an end user rather than a service provider. The firewall operator would be more interested in identifying PPS for attacks / compromised hosts vs. QoS, but I suppose it could be used for QoS as well. (Not my intent.) So today we have NAT'd firewalls that overload a particular interface; IMHO, since properly implemented v6 should not use NAT, I would want my FW vendor to allow me to see what's going on PPS-wise via the dashboard function. Most v4 firewalls do this today at an interface level.
This is a telemetry function (separately, I noted IPFIX functionality should be included).
> - Average packet size for all hosts would allow the operator to make a determination and set thresholds for new forms of attacks and exploits. (Thinking forward once applications take advantage of v6.)
Again, this is a telemetry function, not a policy function.
> - MTU negotiated between hosts - Since this happens between endpoints in v6, this could help identify tunnels in the network / changes in WAN topology. Not like we haven't seen that before. While a change in flight should create a drop, when the session reestablishes it could resize.
Yet again, a telemetry function. The MTU negotiation itself is irrelevant; the resultant packet size is relevant, from a classification point of view.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
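The telemetry values discussed in this exchange (per-interface PPS, per-host average packet size, and packet-size classification) worked through as an added example, which is not part of the thread and not any vendor's dashboard or IPFIX implementation. It reduces constructed IPFIX-style flow records to those values and flags source hosts whose rate and average packet size cross assumed thresholds; the interface names, addresses, counts, window length and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One IPFIX-style flow record as a firewall might export it.

    Field names are this example's own; they mirror the usual IPFIX
    information elements (ingress interface, addresses, protocol,
    packet and octet counters) but are not a real template.
    """
    ingress_if: str
    src: str
    dst: str
    protocol: int
    packets: int
    octets: int


# Constructed sample: two ordinary TCP flows from ::10, a high-rate
# small-packet UDP flow from ::66, and a large-packet flow on a second
# interface. The observation window is assumed to be 60 seconds.
WINDOW_SECONDS = 60
SAMPLE_FLOWS = [
    FlowRecord("ge-0/0/1", "2001:db8:1::10", "2001:db8:2::80", 6, 120, 108000),
    FlowRecord("ge-0/0/1", "2001:db8:1::10", "2001:db8:2::443", 6, 80, 72000),
    FlowRecord("ge-0/0/1", "2001:db8:1::66", "2001:db8:2::53", 17, 60000, 3840000),
    FlowRecord("ge-0/0/2", "2001:db8:3::5", "2001:db8:2::22", 6, 500, 700000),
]


def pps_per_interface(flows, window_seconds):
    """Packets per second seen on each ingress interface over the window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.ingress_if] += f.packets
    return {ifc: pkts / window_seconds for ifc, pkts in totals.items()}


def pps_per_host(flows, window_seconds):
    """Packets per second sent by each source host over the window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.packets
    return {host: pkts / window_seconds for host, pkts in totals.items()}


def avg_packet_size_per_host(flows):
    """Average packet size (octets / packets) per source host."""
    pkts = defaultdict(int)
    octs = defaultdict(int)
    for f in flows:
        pkts[f.src] += f.packets
        octs[f.src] += f.octets
    return {host: octs[host] / pkts[host] for host in pkts}


def classify_packet_size(avg_size, small_max=128, large_min=1280):
    """Bucket an average packet size; the cut-offs are assumptions.

    1280 is the IPv6 minimum link MTU, a natural boundary for "large";
    128 is an arbitrary boundary for "small".
    """
    if avg_size <= small_max:
        return "small"
    if avg_size >= large_min:
        return "large"
    return "medium"


def flag_small_packet_floods(flows, window_seconds, small_max=128, min_pps=500):
    """Return the set of source hosts whose rate is at least min_pps while
    their average packet size is at most small_max octets, i.e. the
    combination an operator would threshold on from the dashboard."""
    rates = pps_per_host(flows, window_seconds)
    sizes = avg_packet_size_per_host(flows)
    return {
        host for host in rates
        if rates[host] >= min_pps and sizes[host] <= small_max
    }


def report(flows=SAMPLE_FLOWS, window_seconds=WINDOW_SECONDS):
    """Assemble the dashboard-style view as a plain dict."""
    sizes = avg_packet_size_per_host(flows)
    return {
        "interface_pps": pps_per_interface(flows, window_seconds),
        "host_pps": pps_per_host(flows, window_seconds),
        "host_avg_size": sizes,
        "host_class": {h: classify_packet_size(s) for h, s in sizes.items()},
        "flagged": flag_small_packet_floods(flows, window_seconds),
    }


if __name__ == "__main__":
    for section, values in report().items():
        print(section, values)
```

The thresholds are deliberately parameters: the point of the thread is that the firewall exposes the counters, and the operator decides the policy from them.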