RE: Consumer Grade - IPV6 Enabled Router Firewalls.
Heard from a D-Link product manager that code that supports DHCPv6-PD will be available in the next month or two. I had asked about the DIR-615 and DIR-825, but he didn't mention which platform(s). This is good news.

Frank

-----Original Message-----
From: Alexandru Petrescu [mailto:alexandru.petre...@gmail.com]
Sent: Saturday, December 12, 2009 8:44 AM
To: Mohacsi Janos
Cc: nanog@nanog.org
Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Mohacsi Janos wrote:
On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
Mohacsi Janos wrote:
According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.

Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet.

It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html

Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful.

I will check soon the hardware.

Great, please report, thanks,

Alex

Best Regards, Janos Mohacsi
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Modulo the lack of pd, I found the ipv6 support for the dir-825 (along with the other things it does well) to be rather decent. If people need gig-e simultaneous dual band abgn home routers for ~$130 you should check the thing out.

On 02/27/2010 08:59 AM, Frank Bulk wrote:
Heard from a D-Link product manager that code that supports DHCPv6-PD will be available in the next month or two. I had asked about the DIR-615 and DIR-825, but he didn't mention which platform(s). This is good news.

Frank

-----Original Message-----
From: Alexandru Petrescu [mailto:alexandru.petre...@gmail.com]
Sent: Saturday, December 12, 2009 8:44 AM
To: Mohacsi Janos
Cc: nanog@nanog.org
Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Mohacsi Janos wrote:
On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
Mohacsi Janos wrote:
According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.

Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet.

It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html

Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful.

I will check soon the hardware.

Great, please report, thanks,

Alex

Best Regards, Janos Mohacsi
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Related to the comment below the latest release of the Apple Airport Extremes and Time Capsules support IPv6 including prefix delegation and stateful DHCPv6 on the WAN interface. I am also working with Netgear and several others to ensure similar functionality is supported. John On 2/27/10 11:59 AM, Frank Bulk frnk...@iname.com wrote: Heard from a D-Link product manager that code that supports DHCPv6-PD will be available in the next month or two. I had asked about the DIR-615 and DIR-825, but he didn't mention which platform(s). This is good news. Frank -Original Message- From: Alexandru Petrescu [mailto:alexandru.petre...@gmail.com] Sent: Saturday, December 12, 2009 8:44 AM To: Mohacsi Janos Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mohacsi Janos a écrit : On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote: Mohacsi Janos wrote: According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4. Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet. It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful. I will check soon the hardware. Great, please report, thanks, Alex Best Regards, Janos Mohacsi = John Jason Brzozowski Comcast Cable e) mailto:john_brzozow...@cable.comcast.com o) 609-377-6594 m) 484-962-0060 w) http://www.comcast6.net =
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 27 Feb 2010, at 20:58, John Jason Brzozowski wrote: Related to the comment below the latest release of the Apple Airport Extremes and Time Capsules support IPv6 including prefix delegation and stateful DHCPv6 on the WAN interface. Is that latest hardware releases or software releases? Are they going to backport to earlier hardware if it is only software releases currently? f
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
I am testing with the latest hardware which I assume was released with a new firmware. On 2/27/10 4:02 PM, Fearghas McKay fm-li...@st-kilda.org wrote: On 27 Feb 2010, at 20:58, John Jason Brzozowski wrote: Related to the comment below the latest release of the Apple Airport Extremes and Time Capsules support IPv6 including prefix delegation and stateful DHCPv6 on the WAN interface. Is that latest hardware releases or software releases? Are they going to backport to earlier hardware if it is only software releases currently? f = John Jason Brzozowski Comcast Cable e) mailto:john_brzozow...@cable.comcast.com o) 609-377-6594 m) 484-962-0060 w) http://www.comcast6.net =
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 02/27/10 13:17, John Jason Brzozowski wrote:
I am testing with the latest hardware which I assume was released with a new firmware.

That is not in any way a safe assumption.

--
... and that's just a little bit of history repeating. -- Propellerheads

Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
I can't say for the WAN interface, but, it doesn't give any controls for delegating stuff to the LAN interface(s) and doesn't provide visible indication of DHCP support on IPv6 in any configuration options. Additionally, I've found their IPv6 implementation to be rather broken in a number of interesting ways where the combination of IPv6 and IPv4 configuration choices results in several possible useful configurations that simply don't do IPv6 even though they should. Owen On Feb 27, 2010, at 12:58 PM, John Jason Brzozowski wrote: Related to the comment below the latest release of the Apple Airport Extremes and Time Capsules support IPv6 including prefix delegation and stateful DHCPv6 on the WAN interface. I am also working with Netgear and several others to ensure similar functionality is supported. John On 2/27/10 11:59 AM, Frank Bulk frnk...@iname.com wrote: Heard from a D-Link product manager that code that supports DHCPv6-PD will be available in the next month or two. I had asked about the DIR-615 and DIR-825, but he didn't mention which platform(s). This is good news. Frank -Original Message- From: Alexandru Petrescu [mailto:alexandru.petre...@gmail.com] Sent: Saturday, December 12, 2009 8:44 AM To: Mohacsi Janos Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mohacsi Janos a écrit : On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote: Mohacsi Janos wrote: According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4. Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet. It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful. I will check soon the hardware. 
Great, please report, thanks, Alex Best Regards, Janos Mohacsi = John Jason Brzozowski Comcast Cable e) mailto:john_brzozow...@cable.comcast.com o) 609-377-6594 m) 484-962-0060 w) http://www.comcast6.net =
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
* Mark Newton (new...@internode.com.au) wrote:
On 15/12/2009, at 11:19 PM, Joakim Aronius wrote:
So what you are saying is that ease of use and service availability is priority one. Then what exactly are the responsibilities of the ISP and CPE manufacturer when it comes to security? CPEs with WiFi usually come with the advice to change password etc. Is it ok to build an infrastructure relying on UPnP, write a disclaimer, and let the end user handle eventual problems? (I assume it is...)

Hasn't essentially every ISP on the planet been doing that for years, only without the disclaimer? It's not like we're talking about creating UPnP from whole cloth. We're discussing a replacement of like-for-like, updating existing capabilities to support IPv6.

As was mentioned earlier the end-user is mostly clueless and 'just want things to work'(tm). They do not know/care enough to make wise decisions when it comes to security and they can't identify the absence of security features.

Personally I only have rudimentary knowledge of UPnP and UPnP forum but there are real security issues with the protocol and no(?) effort to fix them, current security specs are from 2003. (and varying degree of implementation in products of the security features that actually are in the standard)

In the last years the security problems in e.g. Microsoft products have gotten a lot of press and even Joe Sixpack has a hunch that he ought to get an anti-virus program. With the increasingly complex home network environment we will likely see more advanced attacks including UPnP. Then we have a situation with embedded devices with more and more functionality which are hard to patch, that run insecure protocols and it will end up in a real mess.

I basically agree with you, adding IPv6 would be a like-for-like replacement. But one difference is that there is an increased attack vector with a higher degree of connectivity (no NAT) and more complex and less mature IP implementations in devices.

UPnP might still be the way to go as it is already there, 'it works' etc. But not working actively with the security issues in the standards is plain stupid. The standard and the functionality of the CPE is the responsibility of the CPE manufacturer. And I guess that the responsibility of the ISP is to provision its customers with as good and secure CPEs that the market provide (and if the s*** hits the fan, point at the CPE manufacturer).

Regards, /Joakim
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
* Steven Bellovin (s...@cs.columbia.edu) wrote:
On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote:
Owen DeLong wrote:
Stable outgoing connections for p2p apps, messaging, gaming platforms and foo website with java script based rpc mechanisms have similar properties. I don't sleep soundly at night because the $49 buffalo router I bought off an endcap at frys uses iptables, I sleep soundly because I don't care.

Precisely. And if you want to get picky, remember that availability is part of the standard definition of security. A firewall that doesn't let me play Chocolate-Sucking Zombie Monsters is an attack on the availability of that game, albeit from the purest of motives. No, I'm not saying that this is good. I am saying that in the real world, it *will* happen.

So what you are saying is that ease of use and service availability is priority one. Then what exactly are the responsibilities of the ISP and CPE manufacturer when it comes to security? CPEs with WiFi usually come with the advice to change password etc. Is it ok to build an infrastructure relying on UPnP, write a disclaimer, and let the end user handle eventual problems? (I assume it is...)

/jkm
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 15/12/2009, at 11:19 PM, Joakim Aronius wrote: So what you are saying is that ease of use and service availability is priority one. Then what exactly are the responsibilities of the ISP and CPE manufacturer when it comes to security? CPEs with WiFi usually comes with the advice to change password etc. Is it ok to build an infrastructure relying on UPnP, write a disclaimer, and let the end user handle eventual problems? (I assume it is...) Hasn't essentially every ISP on the planet been doing that for years, only without the disclaimer? It's not like we're talking about creating UPnP from whole cloth. We're discussing a replacement of like-for-like, updating existing capabilities to support IPv6. - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Dec 15, 2009, at 4:49 AM, Joakim Aronius wrote:
* Steven Bellovin (s...@cs.columbia.edu) wrote:
On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote:
Owen DeLong wrote:
Stable outgoing connections for p2p apps, messaging, gaming platforms and foo website with java script based rpc mechanisms have similar properties. I don't sleep soundly at night because the $49 buffalo router I bought off an endcap at frys uses iptables, I sleep soundly because I don't care.

Precisely. And if you want to get picky, remember that availability is part of the standard definition of security. A firewall that doesn't let me play Chocolate-Sucking Zombie Monsters is an attack on the availability of that game, albeit from the purest of motives. No, I'm not saying that this is good. I am saying that in the real world, it *will* happen.

So what you are saying is that ease of use and service availability is priority one. Then what exactly are the responsibilities of the ISP and CPE manufacturer when it comes to security? CPEs with WiFi usually come with the advice to change password etc. Is it ok to build an infrastructure relying on UPnP, write a disclaimer, and let the end user handle eventual problems? (I assume it is...)

/jkm

Personally, I think that CPE should come up relatively braindead except on the interior wired ethernet interfaces and require creating an SSID and suggesting creating a password (regardless of whether TKIM, WEP, WPA, etc, at least something) before enabling any wireless. It should require the user to create their own administrative password before being able to enable any other features on the box. If CPE manufacturers did this, it would remove a great many vulnerabilities in the world without making it particularly harder for the average end-user.

Owen
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
I really am honestly sick of people thinking IPv6 is a panacea. It isn't. UPnP is rather a bit of a hack for sure, protocols should be better designed, but in this modern age of Peer To Peer you need a way for applications to ask the firewall to selectively open incoming ports. If the addresses of your gaming machines are no longer dynamic and their ports are no longer getting dynamically remapped, why do you need that instead of a way to tell the firewall that X machine is allowed to receive packets on Y ports from Z hostlist (where X,Z can be wildcarded, and, Y can be some form of list, range, or list of ranges)? No, IPv6 is not a panacea. However, IPv6 does eliminate the need for rapidly changing addresses on hosts that need to accept inbound connections, which makes it possible to define policy for those hosts rather than just trusting unauthenticated arbitrary applications to amend your security policy at your border. UPnP is the firewall equivalent of having US CBP admit any person who has someone in the US say that they should be admitted. While I do support some level of immigration reform and more open borders than has been the trend of late, even I would not go that far. Owen
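The static policy described in the message above ("X machine is allowed to receive packets on Y ports from Z hostlist", with wildcards and port lists or ranges), sketched as an added example that is not part of the original post. The rule syntax, the rule contents and every address (all from the 2001:db8::/32 documentation prefix) are constructed for illustration; only new inbound connections are evaluated, and anything that matches no rule is dropped.

```python
import ipaddress
from dataclasses import dataclass

WILDCARD = "*"


def parse_ports(spec):
    """Parse '22', '27015-27030' or '3074,27015-27030' into (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        low, sep, high = part.strip().partition("-")
        lo = int(low)
        hi = int(high) if sep else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    return ranges


def parse_nets(spec):
    """Parse '*' or a comma-separated list of IPv6 addresses/prefixes."""
    if spec.strip() == WILDCARD:
        return [ipaddress.ip_network("::/0")]
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",")]


@dataclass
class Pinhole:
    proto: str   # "tcp" or "udp"
    dst: list    # X: inside hosts allowed to receive
    ports: list  # Y: destination ports, as (low, high) ranges
    src: list    # Z: outside hosts allowed to connect

    def matches(self, proto, src, dst, dport):
        return (proto == self.proto
                and any(dst in net for net in self.dst)
                and any(lo <= dport <= hi for lo, hi in self.ports)
                and any(src in net for net in self.src))


class InboundPolicy:
    """Default-deny inbound policy; rules are set by the owner, not by applications."""

    def __init__(self, rules_text):
        self.rules = []
        for line in rules_text.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            proto, dst, ports, src = line.split()
            self.rules.append(Pinhole(proto.lower(), parse_nets(dst),
                                      parse_ports(ports), parse_nets(src)))

    def decide(self, proto, src, dst, dport):
        src = ipaddress.ip_address(src)
        dst = ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.matches(proto.lower(), src, dst, dport):
                return "allow"
        return "drop"


# Constructed sample policy: proto, X (inside host), Y (ports), Z (sources).
RULES = """
udp  2001:db8:1::10  3074,27015-27030  *                                   # game console, any peer
tcp  2001:db8:1::20  22                2001:db8:ffff::/48,2001:db8:aaaa::5 # ssh from two known places
tcp  *               443               2001:db8:ffff::/48                  # any inside host, one source net
"""

POLICY = InboundPolicy(RULES)

if __name__ == "__main__":
    probes = [
        ("udp", "2001:db8:beef::1", "2001:db8:1::10", 27020),
        ("udp", "2001:db8:beef::1", "2001:db8:1::10", 27031),
        ("tcp", "2001:db8:beef::1", "2001:db8:1::20", 22),
        ("tcp", "2001:db8:ffff:1::9", "2001:db8:1::20", 22),
    ]
    for probe in probes:
        print(probe, "->", POLICY.decide(*probe))
```

Because the inside addresses are stable, the rules name hosts directly and nothing running on a host can add a rule at run time.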
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.

wishful thinking. you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.

Yes, SI will still be needed. However, UPnP is, at its heart a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?

I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.

Owen
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Mon, 2009-12-14 at 00:58 -0800, Owen DeLong wrote:
However, UPnP is, at its heart a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all? I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.

Well, for many years I've argued (since I read an early draft of the proposal for uPnP ) that it really stood for Unstoppable-Peek-and-Poke. It scares the hell outta me, full stop, way more than the users themselves - and they scare me a lot anyways.

Seems a good time to ask while everyone's thinking about it: I wonder if anyone actually has first-hand experience of any el-cheapo plastic home user routers (say sub-50$US) that are worth a look at for low-end system trials? Zyxel maybe? I see Andrews Arnold (in the UK) sell them and seem to rate them quite highly, yet the price is, frankly, a giveaway. Any thoughts?

Ignoring, of course, the sad and embarrassing fact that much of the UK's national telco backbone isn't v6 capable - a long (and buggy) story in itself, once you start trying to implement practical v6 end-to-end )

Gord
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Once upon a time, Owen DeLong o...@delong.com said:
I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.

Well, any applet a user clicks on should not have permission to talk to random devices on the network (for example, Java applets can't do that), so I don't think it quite as bad as you make it out to be. I also don't really find the "computer is already compromised" case all that interesting, as at that point, all bets are off (since with CC servers, compromised computers are already accessible to the outside world without UPnP).

A firewall protects against unwanted inbound connections to things like file/print sharing, DNS proxies, etc. You also don't get port scans and such (even with a few open ports, the majority being drop slows down scanners significantly). You can also configure it to prevent certain outbound connections (e.g. connecting to random mail servers from desktop PCs). I would hope that you can configure firewall rules to override UPnP requests.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Mon, 14 Dec 2009, Owen DeLong wrote:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.

wishful thinking. you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.

Yes, SI will still be needed. However, UPnP is, at its heart a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?

Because of the least surprise principle: Users get used to have NAT ~ they expect similar stateful firewall in IPv6. They get used to use UPnP in IPv4 ~ they expect something similar in IPv6. I don't think this is good, but bad engineering decision of UPnP cannot be replaced with better ones overnight.

Best Regards, Janos Mohacsi
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Owen DeLong wrote:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.

wishful thinking. you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.

Yes, SI will still be needed. However, UPnP is, at its heart a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?

I'm a consumer, I want to buy something, take it home, turn it on and have it work. I don't have an IT department. How the manufacturers solve that is their problem. As a consumer my preferences for a security posture to the extent that I have one are:

don't hose me
don't make my life any more complicated than necessary

I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.

Stable outgoing connections for p2p apps, messaging, gaming platforms and foo website with java script based rpc mechanisms have similar properties. I don't sleep soundly at night because the $49 buffalo router I bought off an endcap at frys uses iptables, I sleep soundly because I don't care.

Owen
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote:
Owen DeLong wrote:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.

wishful thinking. you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.

Yes, SI will still be needed. However, UPnP is, at its heart a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?

I'm a consumer, I want to buy something, take it home, turn it on and have it work. I don't have an IT department. How the manufacturers solve that is their problem. As a consumer my preferences for a security posture to the extent that I have one are:

don't hose me
don't make my life any more complicated than necessary

I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.

Stable outgoing connections for p2p apps, messaging, gaming platforms and foo website with java script based rpc mechanisms have similar properties. I don't sleep soundly at night because the $49 buffalo router I bought off an endcap at frys uses iptables, I sleep soundly because I don't care.

Precisely. And if you want to get picky, remember that availability is part of the standard definition of security. A firewall that doesn't let me play Chocolate-Sucking Zombie Monsters is an attack on the availability of that game, albeit from the purest of motives. No, I'm not saying that this is good. I am saying that in the real world, it *will* happen.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Sat, 12 Dec 2009, Alexandru Petrescu wrote:
Frank Bulk wrote:
I think they're (all) listed here: http://www.getipv6.info/index.php/Broadband_CPE

And from an operator's perspective (not manufacturer): Free ISP ADSL (and fiber) operator in France does IPv6 natively to the end user with Router Advertisement since 2 years now. I think these CPE (Customer Premises Equipment) are called simply box in France (freebox, livebox, dartybox, and more). Between the Free box and the core network there is proprietary IPv6-in-IPv4 encapsulation, not 6to4. No DHCPv6-PD, which I feel as a big restriction.

implementing 6rd (which is used by Free) also a big restriction.

Plans for livebox and 9box IPv6 do exist if not already deployed. Spanish FON Fonera based on openwrt, when I checked 2008, did IPv6 somehow, not sure whether natively. http://boards.fon.com/viewtopic.php?f=1t=4532view=previous From memory, at least one Japanese residential operator did IPv6 to the home several years ago, with explicit IPv6 advertisement on TV during prime time.

Alex

Frank

-----Original Message-----
From: Wade Peacock [mailto:wade.peac...@sunwave.net]
Sent: Wednesday, December 02, 2009 5:16 PM
To: nanog@nanog.org
Subject: Consumer Grade - IPV6 Enabled Router Firewalls.

We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enable internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks , SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts?
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 13/12/2009, at 10:10 AM, Frank Bulk wrote: While the support burden will be raised, I think the network needs to be dual-stack from end-to-end if SPs want to keep middle-boxes out. But for those who really do run out of IPv4 addresses, I'm not sure how middle-boxes can be avoided. Kind of hard to tell customer n+1 that they can only visit the IPv6 part of the web. Perhaps new customers will have to use a service provider's CGN and share IPv4 addresses until enough of the internet is dual-stack. The most likely outcome I can see is that customers on services which feature dynamic IPv4 addresses (mostly residential) will end up behind a CGN on a dual stack service. I fully expect the CGN to suck mightily, mitigated somewhat by the fact that the customer would also happen to have a non-NATted IPv6 address if they upgrade their CPE to take advantage of it. Despite the suckage, as long as email, web and VoIP keeps working I think most residential customers wouldn't notice the CGN imposition at all. The act of putting those customers behind a CGN would immediately free up enough IPv4 addresses that the ISP concerned would have a virtually limitless supply for fixed-IP business-grade services -- virtually limitless in the sense that there'd be enough to feed those services with new addresses for however much time it takes to complete an IPv6 transition. How long will that take? I don't think it'll be anywhere near as long as most people appear to be expecting. Sure, there'll be a large installed base of printers and home entertainment devices running legacy IPv4-only software, but by and large they either don't need Internet access at all or are quite happy talking to the world through NAT, and can be mostly ignored for the purpose of a discussion about transition durations (in the same way that we ignored all the HP JetDirect cards when we talked about how long it took to turn the Internet classless). 
I reckon CGNs will be so bad, with so many bugs and so much support overhead that service providers and customers alike will want to move past them as quickly as humanly possible, and the whole transition will be all done and dusted in a few years from their implementation. It's going to be a total and absolute disaster, and the only way out of it will be to move forward. Of course, all of this is predicated on the notion that CGNs will actually exist. As far as I can tell they're all vapourware at the moment. If there's one thing I've learned from all of this it's that roadmap announcements aren't worth anything, and that if the vendors ever do actually manage to get around to shipping something it'll be so poorly thought out that it's impractical to use in a service provider environment until version 2 -- which, in the case of CGN, will be too late. - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
--On Sunday, December 13, 2009 9:17 AM -0800 Joel Jaeggli joe...@bogus.com wrote:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.

wishful thinking. you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.

Amen indeed. Consumers do not care if it's a good idea or not. And honestly in a home network, well, it's not as frightening. In a business of any kind (including home based) it is bad. You should have a DMZ with carefully controlled open ports lists. But that's preaching to the choir here.

IPv6 doesn't magically negate the need for UPnP, UPnP is not tied to NAT. It's a way for applications to ask the firewall to selectively open ports up to them. Intelligent stateful firewalls can do that for limited applications, perhaps with some sort of policy control even. Though Joe/Jill Gamer (which is what UPnP is for) won't know anything about any of that. They define a gateway as functioning or not.

I really am honestly sick of people thinking IPv6 is a panacea. It isn't. UPnP is rather a bit of a hack for sure, protocols should be better designed, but in this modern age of Peer To Peer you need a way for applications to ask the firewall to selectively open incoming ports.
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
In message d73fdb46-bf23-4825-89c6-51601d622...@internode.com.au, Mark Newton writes:
Of course, all of this is predicated on the notion that CGNs will actually exist. As far as I can tell they're all vapourware at the moment.

Comcast commissioned ISC to develop a working CGN. We are in the final release stages of our CGN product, AFTR. https://www.isc.org/software/aftr You can go and download it now if you want.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
RE: Consumer Grade - IPV6 Enabled Router Firewalls.
Thanks for the link. The most obvious question to me is scalability. What box is going to be running AFTR to do all this translation? It looks like the B4 part is running on the customer's CPE, but if we need to move hundreds of Mbps, if not Gbps, wouldn't that require some C/J/F class type of box?

Frank

-----Original Message-----
From: ma...@isc.org [mailto:ma...@isc.org]
Sent: Sunday, December 13, 2009 4:14 PM
To: Mark Newton
Cc: frnk...@iname.com; nanog@nanog.org
Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.

In message d73fdb46-bf23-4825-89c6-51601d622...@internode.com.au, Mark Newton writes:
Of course, all of this is predicated on the notion that CGNs will actually exist. As far as I can tell they're all vapourware at the moment.

Comcast commissioned ISC to develop a working CGN. We are in the final release stages of our CGN product, AFTR. https://www.isc.org/software/aftr You can go and download it now if you want.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 14/12/2009, at 9:38 AM, Frank Bulk wrote: I hope you're right. I really hope that there's this phenomenal transition in 2011 of content from 0.1% IPv6-accessible to 99% IPv6-accessible. Forget content, they're just along for the ride. When most service providers have eye-wateringly shite CGNs acting as intermediaries between eyeballs and content, the content providers will be motivated to move to v6 even if only as a means of damage control. And not even by node count, but by percentage of traffic. And pain is one way to get there. Every few months I think of the number of truck rolls we'll need to do to swap out DSL modems and SOHO routers with their IPv6 equivalents. Ah, that's something we don't have. Our customers own their own (which has its own slew of problems: I can't make them upgrade, and if I tell them they'll have to spend a hundred bucks to restore the functionality I broke for them last week I'll have a revolt on my hands...) - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Fri, 2009-12-11 at 21:45 -0800, Roger Marquis wrote: If you're going to implement statefulness there is no technical downside to implementing NAT as well. No downside, plenty of upsides, no brainer... Of course there are downsides to implementing NAT - adding any feature to a device increases its complexity and affects its expense, time to market, MTBF etc. And there is certainly a downside to *deploying* NAT: NAT removes end-to-end transparency. Gotta keep those SOHO users in their cages, don't want them becoming independent producers of digital value, no sir! Seriously - by all means keep NAT as a technology for those who want to deploy it; we can't uninvent it anyway. It just shouldn't be imposed on others. I would argue that an ISP requiring of a customer that they use a NATted solution with IPv6 *is* imposing it on others. Regards, K. -- ~~~ Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob) GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 12/12/2009 01:55 AM, Mark Newton wrote: Would you be using Consumer Grade - IPV6 Enabled Router Firewalls in the enterprise? 'cos if you would, I think I might have entered the wrong thread :) Yeah, I think I did. Sorry for the noise. Simon -- DNS64 open-source -- http://ecdysis.viagenie.ca STUN/TURN server-- http://numb.viagenie.ca vCard 4.0 -- http://www.vcarddav.org
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Frank Bulk wrote: I think they're (all) listed here: http://www.getipv6.info/index.php/Broadband_CPE And from an operator's perspective (not manufacturer): Free ISP ADSL (and fiber) operator in France does IPv6 natively to the end user with Router Advertisement for 2 years now. I think these CPE (Customer Premises Equipment) are called simply box in France (freebox, livebox, dartybox, and more). Between the Free box and the core network there is proprietary IPv6-in-IPv4 encapsulation, not 6to4. No DHCPv6-PD, which I feel as a big restriction. Plans for livebox and 9box IPv6 do exist if not already deployed. Spanish FON Fonera based on openwrt, when I checked 2008, did IPv6 somehow, not sure whether natively. http://boards.fon.com/viewtopic.php?f=1t=4532view=previous From memory, at least one Japanese residential operator did IPv6 to the home several years ago, with explicit IPv6 advertisement on TV during prime time. Alex Frank -Original Message- From: Wade Peacock [mailto:wade.peac...@sunwave.net] Sent: Wednesday, December 02, 2009 5:16 PM To: nanog@nanog.org Subject: Consumer Grade - IPV6 Enabled Router Firewalls. We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts?
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Mohacsi Janos wrote: On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote: Mohacsi Janos wrote: According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4. Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet. It does to a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful. I will check soon the hardware. Great, please report, thanks, Alex Best Regards, Janos Mohacsi
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box. The Apple products do 6to4 out of the box, but don't support v6 natively. Apple seems to have ideological objections to DHCPv6, so at the moment there's little hope at all that prefix delegation will work on any of their CPE products. Can Airport relay the DHCPv6 request to the service provider? Rubens
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
I challenge the usual suspects to deliver actual working dual stack IPv6 ADSL CPE rather than feigning interest. None of the major CPE vendors appear to have a v6 plan despite your claims. We have an IPv6 dual stack trial for ADSL going on and not a single CPE from the _major consumer CPE vendors_. I've seen some ADSL CPEs that could bridge specific frame types. It would be feasible to think of an ADSL CPE that would simply bridge IPv4/ARP and IPv6 ethertypes and have a dual-stack BRAS service the users, or bridge IPv4/ARP to a VC (Virtual Circuit) and IPv6 to another VC, or NAT+Route IPv4 to a VC and bridge IPv6 to other VC. In an IPv6 world where NAT is not a requirement (paranoids are welcome to buy their own IPv6 firewalls), bridging with some L4 intelligence might be all that a CPE needs to do. The IPv6 idea of letting end-nodes have more work and intermediate nodes have less work also applies to CPEs. Rubens
RE: Consumer Grade - IPV6 Enabled Router Firewalls.
Unless I haven't put the full picture together, yet, but for my PPPoA/E environment I would like a DSL CPE that:
- on the WAN interface does IPv4 (with NAT support) and IPv6 over PPPoE combined with DHCP-PD (with a stateful firewall).
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static IPv6, and stateful and stateless DHCPv6.
- allows me to run IPv4, IPv6, or both

For my bridged environments (whether that be DSL or FTTH) I would like a CPE that
- on the WAN interface does IPv4 (with NAT support), IPv6 with Link-Local only, static IPv6, and IPv6 with DHCP-PD (with a stateful firewall).
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static IPv6, and stateful and stateless DHCPv6.
- allows me to run IPv4, IPv6, or both

While the support burden will be raised, I think the network needs to be dual-stack from end-to-end if SPs want to keep middle-boxes out. But for those who really do run out of IPv4 addresses, I'm not sure how middle-boxes can be avoided. Kind of hard to tell customer n+1 that they can only visit the IPv6 part of the web. Perhaps new customers will have to use a service provider's CGN and share IPv4 addresses until enough of the internet is dual-stack.

Frank

-Original Message- From: Rubens Kuhl [mailto:rube...@gmail.com] Sent: Saturday, December 12, 2009 12:48 PM To: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.

I challenge the usual suspects to deliver actual working dual stack IPv6 ADSL CPE rather than feigning interest. None of the major CPE vendors appear to have a v6 plan despite your claims. We have an IPv6 dual stack trial for ADSL going on and not a single CPE from the _major consumer CPE vendors_. I've seen some ADSL CPEs that could bridge specific frame types. It would be feasible to think of an ADSL CPE that would simply bridge IPv4/ARP and IPv6 ethertypes and have a dual-stack BRAS service the users, or bridge IPv4/ARP to a VC (Virtual Circuit) and IPv6 to another VC, or NAT+Route IPv4 to a VC and bridge IPv6 to other VC. In an IPv6 world where NAT is not a requirement (paranoids are welcome to buy their own IPv6 firewalls), bridging with some L4 intelligence might be all that a CPE needs to do. The IPv6 idea of letting end-nodes have more work and intermediate nodes have less work also applies to CPEs. Rubens
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 11/12/2009, at 1:14 PM, Owen DeLong wrote: You don't need UPnP if you're not doing NAT. You kinda do if you're using a stateful firewall with a deny everything that shouldn't be accepted policy. UPnP (or something like it) would have to tell the firewall what should be accepted. - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Mark Newton wrote, on 2009-12-11 03:09: You kinda do if you're using a stateful firewall with a deny everything that shouldn't be accepted policy. UPnP (or something like it) would have to tell the firewall what should be accepted. That's putting the firewall at the mercy of viruses, worms, etc. The firewall shouldn't trust anything else to tell it what is good and bad traffic. Simon -- DNS64 open-source -- http://ecdysis.viagenie.ca STUN/TURN server-- http://numb.viagenie.ca vCard 4.0 -- http://www.vcarddav.org
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said: Mark Newton wrote, on 2009-12-11 03:09: You kinda do if you're using a stateful firewall with a deny everything that shouldn't be accepted policy. UPnP (or something like it) would have to tell the firewall what should be accepted. That's putting the firewall at the mercy of viruses, worms, etc. The firewall shouldn't trust anything else to tell it what is good and bad traffic. What do you suggest? Manual configuration? We *know* that if a worm puts up a popup that says Enable port 33493 on your firewall for naked pics of.. that port 33493 will get opened anyhow, so we may as well automate the process and save everybody the effort. Redesigning the security so that human intervention is required isn't worth the effort, because the black hats are much better at convincing people to do something than the white hats are at teaching them why they shouldn't do it. Probably because we don't teach with naked pics of...
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
valdis.kletni...@vt.edu wrote, on 2009-12-11 08:06: On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said: Mark Newton wrote, on 2009-12-11 03:09: You kinda do if you're using a stateful firewall with a deny everything that shouldn't be accepted policy. UPnP (or something like it) would have to tell the firewall what should be accepted. That's putting the firewall at the mercy of viruses, worms, etc. The firewall shouldn't trust anything else to tell it what is good and bad traffic. What do you suggest? That depends on the circumstances. UPnP is fine in some circumstances and wrong in others. We *know* that if a worm puts up a popup that says Enable port 33493 on your firewall for naked pics of.. that port 33493 will get opened anyhow, so we may as well automate the process and save everybody the effort. Not if the victim doesn't have rights on the firewall (e.g. enterprise). Simon -- DNS64 open-source -- http://ecdysis.viagenie.ca STUN/TURN server-- http://numb.viagenie.ca vCard 4.0 -- http://www.vcarddav.org
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Joe Greco wrote, on 2009-12-11 08:36: Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen. If you make it smart (i.e. UPnP) then it will of course autoconfigure itself for an appropriate virus. However, your average home user often doesn't change their $FOOGEAR password from the default of 1234, and it is reasonable to assume that at some point, viruses will ship with some minimal knowledge of how to manually fix their networking environment. Or better yet? Runs a password cracker until it figures it out, since the admin interfaces on these things are rarely hardened. If you actually /do/ a really good firewall, then of course users find it hard to use and your company takes a support hit, maybe gets a bad reputation, etc. There's no winning. Agreed. We have thus come to the conclusion that there shouldn't be a NAT-like firewall in IPv6 home routers. Thanks, Simon -- DNS64 open-source -- http://ecdysis.viagenie.ca STUN/TURN server-- http://numb.viagenie.ca vCard 4.0 -- http://www.vcarddav.org
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Fri, 11 Dec 2009, Simon Perreault wrote: We have thus come to the conclusion that there shouldn't be a NAT-like firewall in IPv6 home routers. No, the conclusion is that for IPv6 there should be something that behaves much like current IPv4 NAT boxes, ie do stateful firewalling and only let internal computers initiate connections outgoing, do protocol sniffing for allowing incoming new connections, and use some uPNP like method to do temporary firewall openings. This is the social contract of the current home gateway ecosystem, and initially IPv6 devices need to replicate this. Last I checked, this was the conclusion of multiple IPv6 related IETF working groups, check out homegate and v6ops WGs for instance. -- Mikael Abrahamsson email: swm...@swm.pp.se
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Once upon a time, Joe Greco jgr...@ns.sol.net said: Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen. I don't think hardware vs. software makes a real firewall. A NAT gateway has to have all the basic functionality of a stateful firewall, plus packet mangling. Typical home NAT gateways don't have all the configurability of an SSG or such, but the same basic functionality is there. -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Once upon a time, Joe Greco jgr...@ns.sol.net said: Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen. I don't think hardware vs. software makes a real firewall. A NAT gateway has to have all the basic functionality of a stateful firewall, plus packet mangling. Typical home NAT gateways don't have all the configurability of an SSG or such, but the same basic functionality is there. You can blow away the firmware of your NAT gateway and load something like DD-WRT. This gives you a hardware firewall (an external hardware device that acts as a deliberate firewall; i.e. you can firewall 1.2.3.4 from 5.6.7.8). It is not filtering packets in silicon, which is an alternate definition for hardware firewall that many in this group could use, but in common usage, it is the distinctness from the protected host(s) and the ability to implement typical firewalling rules and methods, with or _without_ NAT, that makes it a hardware firewall. Your existing NAT gateway firmware may well be based on Linux and may have portions implemented by a Linux firewalling subsystem, but in most cases, you cannot really drill down to any significant level of detail, and quite frequently the main anti-forwarding protection offered is simply the difficulty in surmounting the artificial barrier created by the NAT addressing discontinuity. While this might technically count as the same basic functionality, functionality that cannot be accessed or used might as well not be there for the purposes of this discussion. So I'll pass on considering your average NAT gateway as a hardware firewall. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. 
- Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Joe Greco wrote: Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen. Gotta love it. A proven technology, successfully implemented on millions of residential firewalls isn't really a firewall, but rather a disaster waiting to happen. Makes you wonder what disaster and when exactly it's going to happen? Simon Perreault wrote: We have thus come to the conclusion that there shouldn't be a NAT-like firewall in IPv6 home routers. And that, in a nutshell, is why IPv6 is not going to become widely feasible any time soon. Whether or not there should be NAT in IPv6 is a purely rhetorical argument. The markets have spoken, and they demand NAT. Is there a natophobe in the house who thinks there shouldn't be stateful inspection in IPv6? If not then could you explain what overhead NAT requires that stateful inspection hasn't already taken care of? Far from the issue some try to make it out to be, NAT is really just a component of stateful inspection. If you're going to implement statefulness there is no technical downside to implementing NAT as well. No downside, plenty of upsides, no brainer... Roger Marquis
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Fri, 11 Dec 2009, Roger Marquis wrote: Joe Greco wrote: Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen. Gotta love it. A proven technology, successfully implemented on millions of residential firewalls isn't really a firewall, but rather a disaster waiting to happen. Makes you wonder what disaster and when exactly it's going to happen? Simon Perreault wrote: We have thus come to the conclusion that there shouldn't be a NAT-like firewall in IPv6 home routers. And that, in a nutshell, is why IPv6 is not going to become widely feasible any time soon. Whether or not there should be NAT in IPv6 is a purely rhetorical argument. The markets have spoken, and they demand NAT. Is there a natophobe in the house who thinks there shouldn't be stateful inspection in IPv6? If not then could you explain what overhead NAT requires that stateful inspection hasn't already taken care of? Far from the issue some try to make it out to be, NAT is really just a component of stateful inspection. If you're going to implement statefulness there is no technical downside to implementing NAT as well. No downside, plenty of upsides, no brainer... Nobody thinks that stateful firewall is not necessary for IPv6. If you want to participate in the discussion then comment on the IETF v6ops document: http://www.ietf.org/id/draft-ietf-v6ops-cpe-simple-security-08.txt Best Regards, Janos Mohacsi
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 11/12/2009, at 11:56 PM, Simon Perreault wrote: We *know* that if a worm puts up a popup that says Enable port 33493 on your firewall for naked pics of.. that port 33493 will get opened anyhow, so we may as well automate the process and save everybody the effort. Not if the victim doesn't have rights on the firewall (e.g. enterprise). Would you be using Consumer Grade - IPV6 Enabled Router Firewalls in the enterprise? 'cos if you would, I think I might have entered the wrong thread :) - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 12/12/2009, at 12:11 AM, Simon Perreault wrote: We have thus come to the conclusion that there shouldn't be a NAT-like firewall in IPv6 home routers. Eh? What does NAT have to do with anything? We already know that IPv6 residential firewalls won't do NAT, so why bring it into this discussion at all? Some of us are trying to formulate and offer real-life IPv6 services to our marketplaces before IPv4 runs out, and the vendors simply aren't interested in being there to help us out. Pointless distractions about orthogonal issues that don't matter (e.g., NAT) don't help at all. FWIW, I asked Fred Baker about this at the IPv6 Forum meeting in Australia this week. He'd just handled another question about the memory requirements required for burgeoning routing table growth by saying that if routers need extra RAM then routers with extra RAM will appear on the market, because if you're prepared to pay money for it, we'll try to sell it to you. So I asked, I'm prepared to pay money for IPv6-capable ADSL2+ CPE. Are you prepared to sell it to me? and he said, Yes, just not with our firmware. Which I thought was a bit of a cop-out, given that it was one of our customers who developed the IPv6 openwrt support in the first place, with zero support from Fred's employer, after we'd spent two years hassling them about their lack of action. ... and this is in the same week when, in the context of IPv6, someone else asked me how many units of their gear we'd ship (Zero. You don't have a product with the features we need so we'll use one of your competitors instead. Let's revisit this when you're prepared to have a conversation that doesn't include `lack of market demand' as a reason for not doing it.) Argh. Disillusionment, much? - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 12/12/2009, at 4:15 PM, Roger Marquis wrote: Is there a natophobe in the house who thinks there shouldn't be stateful inspection in IPv6? If not then could you explain what overhead NAT requires that stateful inspection hasn't already taken care of? I handwave past all that by pointing out (as you have) that stateful inspection is just a subset of NAT, where the inside address and the outside address happen to be the same. (in the same way that the SHIM6 middleware boxes which were proposed but never built were /also/ just subsets of NAT, with the translation rules controlled by the SHIM6 protocol layers on the hosts... but we weren't allowed to call them NAT gateways, because IPv6 isn't supposed to have any NAT in it :) - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
--On Wednesday, December 02, 2009 6:23 PM -0800 Mehmet Akcin meh...@akcin.net wrote: Would you consider Juniper SSG5 as a Consumer Grade router? They do IPv6 and they are pretty good in general, and cheap as well. Not as usable in the consumer space due to lack of UPnP (and Juniper is NOT interested in implementing it). They also lack some other customer friendly features. Price point is also probably 3x-5x what most are willing to pay for CPE.
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Dec 10, 2009, at 4:56 PM, Michael Loftis wrote: --On Wednesday, December 02, 2009 6:23 PM -0800 Mehmet Akcin meh...@akcin.net wrote: Would you consider Juniper SSG5 as a Consumer Grade router? They do IPv6 and they are pretty good in general, and cheap as well. Not as usable in the consumer space due to lack of UPnP (and Juniper is NOT interested in implementing it). They also lack some other customer friendly features. UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT. Price point is also probably 3x-5x what most are willing to pay for CPE. Yep. Side-note, SRX-100 is the new SSG-5 equivalent and it's JunOS instead of ScreenOS. Nice box. Owen
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Once upon a time, Owen DeLong o...@delong.com said: UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT. You need UPnP for a stateful firewall, whether it is mangling packets with NAT or not. I have an Xbox 360 behind an SSG-5 with no NAT, and I can't play some on-line games unless I open up the Xbox IP in the SSG. You can debate whether UPnP is the correct solution, but some solution is needed (even with IPv6) as long as stateful firewalls exist. -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
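The behaviour argued over in this thread (a stateful IPv6 firewall that translates nothing, plus short-lived openings requested by inside hosts) can be made concrete with a small model. The following is an added example, not part of any poster's message and not the behaviour of UPnP or of any product named here; the class, its method names, the 2001:db8::/32 documentation addresses and the pinhole policy (a host may open ports only toward itself, no ports below 1024, capped lifetime, per-host quota) are all assumptions chosen for illustration.

```python
import ipaddress


def _ip(addr):
    """Canonical address object, so '2001:DB8:1:0::10' and '2001:db8:1::10' share one key."""
    return ipaddress.ip_address(addr)


class StatefulV6Firewall:
    """Default-deny inbound, allow outbound, track flows; addresses are never rewritten."""

    def __init__(self, lan_prefix, flow_timeout=60,
                 max_pinhole_lifetime=3600, max_pinholes_per_host=4):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.flow_timeout = flow_timeout
        self.max_pinhole_lifetime = max_pinhole_lifetime
        self.max_pinholes_per_host = max_pinholes_per_host
        self.flows = {}     # (proto, lan_ip, lan_port, wan_ip, wan_port) -> expiry time
        self.pinholes = {}  # (proto, lan_ip, lan_port) -> expiry time

    def outbound(self, proto, src, sport, dst, dport, now):
        """LAN -> WAN packet: accept and remember the 5-tuple. Returns True if forwarded."""
        src, dst = _ip(src), _ip(dst)
        if src not in self.lan:          # source outside the delegated prefix: spoofed
            return False
        self.flows[(proto, src, sport, dst, dport)] = now + self.flow_timeout
        return True

    def inbound(self, proto, src, sport, dst, dport, now):
        """WAN -> LAN packet: accept only replies to a live flow or hits on a live pinhole."""
        src, dst = _ip(src), _ip(dst)
        if dst not in self.lan:
            return False
        key = (proto, dst, dport, src, sport)   # the outbound tuple, mirrored
        if self.flows.get(key, 0) > now:
            self.flows[key] = now + self.flow_timeout   # traffic keeps the state alive
            return True
        return self.pinholes.get((proto, dst, dport), 0) > now

    def request_pinhole(self, requester, target, proto, port, lifetime, now):
        """Host-initiated opening. Returns the granted lifetime in seconds, 0 if refused."""
        requester, target = _ip(requester), _ip(target)
        if requester not in self.lan or requester != target:
            return 0    # a host cannot expose a different host
        if not 1024 <= port <= 65535 or lifetime <= 0:
            return 0    # never open low (service) ports on request
        live = [k for k, exp in self.pinholes.items() if k[1] == target and exp > now]
        key = (proto, target, port)
        if key not in live and len(live) >= self.max_pinholes_per_host:
            return 0    # quota reached; renewing an existing pinhole is still allowed
        granted = min(lifetime, self.max_pinhole_lifetime)
        self.pinholes[key] = now + granted
        return granted


def demo():
    """Constructed scenario: a games console and a PC behind the firewall, one remote peer."""
    fw = StatefulV6Firewall("2001:db8:1::/64")
    console, pc, peer = "2001:db8:1::10", "2001:db8:1::20", "2001:db8:ffff::5"
    return {
        "unsolicited_inbound": fw.inbound("udp", peer, 4000, console, 40000, now=0),
        "outbound": fw.outbound("udp", console, 40000, peer, 4000, now=0),
        "reply": fw.inbound("udp", peer, 4000, console, 40000, now=10),
        "reply_after_timeout": fw.inbound("udp", peer, 4000, console, 40000, now=71),
        "pc_opens_console_port": fw.request_pinhole(pc, console, "udp", 40000, 600, now=100),
        "console_opens_own_port": fw.request_pinhole(console, console, "udp", 40000, 600, now=100),
        "inbound_via_pinhole": fw.inbound("udp", peer, 4000, console, 40000, now=200),
        "inbound_after_expiry": fw.inbound("udp", peer, 4000, console, 40000, now=700),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The flow table is the same structure a NAT keeps, minus the rewritten address column; the pinhole table is where the trust question raised in the thread lives, since every constraint in `request_pinhole` is a policy decision rather than something the firewall can verify about the requesting software.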
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Jorge Amodio jmamo...@gmail.com writes: I guess Cisco's 800's are out of the Consumer Grade price range, but any comments about v6 support on them and how they compare with other options. Once you find the right IOS version they are working great. ;-) I had to upgrade my router @home in order to use IPv6 on the wireless lan. Interface configuration wasn't accepting any ipv6 commands. cheers Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Brandon Ewing nicot...@warningg.com writes: Can you comment on what version you got it to work on? I haven't futzed with it much, but with 12.4(24)T2, you can't put an ipv6 address directly on the wireless subinterface. I tried putting it on a BVI interface, but didn't have much luck.

Version 12.4(20)T1 works

    interface Dot11Radio0
    !
     ipv6 address 2001:db8:9F6B:2::1/64
     ipv6 enable
     ipv6 nd prefix 2001:db8:9F6B:2::/64

cheers Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
I guess Cisco's 800's are out of the Consumer Grade price range, but any comments about v6 support on them and how they compare with other options. Just looking for feedback about good options for sort remote/branch/home office. Regards Jorge
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
They work pretty well. They're one of the few that you can buy which supports DSL and they work. IPv6 support on the WIFI interfaces is IOS version dependent. They support DHCPv6 PD etc. I'm using one right now with v6. MMC On 04/12/2009, at 10:41 PM, Jorge Amodio wrote: I guess Cisco's 800's are out of the Consumer Grade price range, but any comments about v6 support on them and how they compare with other options. Just looking for feedback about good options for sort remote/branch/home office. Regards Jorge -- Matthew Moyle-Croft Peering Manager and Team Lead - Commercial and DSLAMs Internode /Agile
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Fri, 4 Dec 2009, Jorge Amodio wrote: I guess Cisco's 800's are out of the Consumer Grade price range, but any comments about v6 support on them and how they compare with other options. Just looking for feedback about good options for sort remote/branch/home office. Some 800's are supporting IPv6 very well even DHCPv6-PD. We tested 83x, 87x, 88x. No IPv6 support however for 80x and 85x series. We also tested Juniper Netscreen - they are also very capable devices. Best Regards, Janos Mohacsi
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Fri, Dec 04, 2009 at 10:59:49PM +1030, Matthew Moyle-Croft wrote: They work pretty well. They're one of the few that you can buy which supports DSL and they work. IPv6 support on the WIFI interfaces is IOS version dependent. They support DHCPv6 PD etc. I'm using one right now with v6. MMC Can you comment on what version you got it to work on? I haven't futzed with it much, but with 12.4(24)T2, you can't put an ipv6 address directly on the wireless subinterface. I tried putting it on a BVI interface, but didn't have much luck. -- Brandon Ewing (nicot...@warningg.com)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Thu, 3 Dec 2009, Mark Newton wrote: On 03/12/2009, at 9:51 AM, Dave Temkin wrote: You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box. The Apple products do 6to4 out of the box, but don't support v6 natively. Apple seems to have ideological objections to DHCPv6, so at the moment there's little hope at all that prefix delegation will work on any of their CPE products. According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4. Best Regards, Janos Mohacsi
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Wade Peacock wrote: We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Do you have an apple airport extreme or a linksys wrt610n? the WRTs of the world all 40 or so of the variants of that thing that have ever existed are rather old and in many cases bizarrely resource limited. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Vendors are in business of stimulating the replacement cycle by adding features... right now the magic words are gigabit ethernet and 802.11n. Chances are ma and pa won't even know the device they have has ipv6 (do they know it has ipv4?) unless it has a big-ass sticker on the outside of the box. like this i/o data ap from 2006... http://akiba-pc.watch.impress.co.jp/hotline/20060923/image/m060920r34.html Thoughts? your next wireless ap has 2-6 radio phys, an 800mhz mips processor and 64MB of ram, there's a lot of things it can do that your old one can't
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Mohacsi Janos wrote: According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4. Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet. MMC
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
A list of CPEs, routers, firewalls and other hardware and software are at http://www.ipv6-to-standard.org/ César Olvera -Original Message- From: Wade Peacock [mailto:wade.peac...@sunwave.net] Sent: Wednesday, December 02, 2009 5:16 PM To: nanog@nanog.org Subject: Consumer Grade - IPV6 Enabled Router Firewalls. We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts? -- Wade Peacock Sun Country Cablevision Ltd
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote: Mohacsi Janos wrote: According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4. Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet. It does to a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html I will check soon the hardware. Best Regards, Janos Mohacsi
RE: Consumer Grade - IPV6 Enabled Router Firewalls.
From: Mark Newton [mailto:new...@internode.com.au] On 03/12/2009, at 9:51 AM, Dave Temkin wrote: You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box. The Apple products do 6to4 out of the box, but don't support v6 natively. FWIW - The (Cisco) Linksys 610N does (and perhaps others do?) the same amount of IPv6 the Airport Extreme does - 6to4, SLAAC - out of the box, by default. In fact, I am not sure you can turn it off ... /TJ
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 03/12/2009, at 22:46, TJ trej...@gmail.com wrote: From: Mark Newton [mailto:new...@internode.com.au] On 03/12/2009, at 9:51 AM, Dave Temkin wrote: You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box. The Apple products do 6to4 out of the box, but don't support v6 natively. FWIW - The (Cisco) Linksys 610N does (and perhaps others do?) the same amount of IPv6 the Airport Extreme does - 6to4, SLAAC - out of the box, by default. In fact, I am not sure you can turn it off .. Yep -- which is worse than useless in the presence of a service provider that's already offering dual-stack service. Here! Have a v6 address. We'll even give you a moderately large prefix if you run a DHCPv6-PD client... Oh, what? You're going to ignore all that and use a 6to4 gateway and pessimize the v6 routing decisions we've made? And live in one /64 even though every man and his dog reckons service providers ought to be handing out /56's or /48's? Gee, glad we went to the effort... Sadly the easiest way for residential subscribers to get IPv6 on PPPoE in 2009 is to put their CPE into bridge mode and run the PPPoE client on a PC. The vendors have really dropped the ball on this. (glares at Cisco/Linksys) - mark
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Mark Newton wrote: The fact that someone got OpenWRT working in less than a week of spare time makes it totally clear why the commercial vendors haven't done anything: They're just simply not interested, nothing more, nothing less. I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues with the dhcp client that comes with it in the past, though I've had an ubuntu box acting as a router with wide-dhcp doing -PD. It works okay, although the devs really should look at better support on the automatic address assignment model and support for PD issued from PD. Of course, I suspect there's just not enough interest in the linux dev community to bother. Finally, one of the home router firmware companies (which I believe linksys used when they didn't use linux) has had IPv6 support in their codebase for a year now. See nanog history. The manufacturers that use their code don't seem to have implemented the new IPv6 code. Jack (sick, so if it doesn't make sense, sorry)
RE: Consumer Grade - IPV6 Enabled Router Firewalls.
One of the better/only decent implementations I have run across in the retail world so far is the D-Link 615SW. Look for the IPv6_Ready Gold cert emblem (found this on an encap at Fry's and nobody in the department knew what IPv6 was) on the front of the box for easy recognition although there are other modems with RevC (think Rev_B works as well) firmware that don't have the label but work as well. The major feature missing is DHCPv6 IA_PD but you won't find this on any retail router that I am aware of today. What you will find though is WAN interface config via static, stateful or stateless DHCPv6 as well as stateful and stateless PPPoEv6. It even offers a DHCPv6 server for your LAN interfaces to boot. I am not sure if this product was built for the Japanese market and is now being released here to determine interest from the retail sector but it is useful for a trial lab or for testing at home. The major caveat of course is that all the IPv6 configs are done in Advanced Config mode and hence not designed for plug-and-play for your average home user. Jason From: Jack Bates [jba...@brightok.net] Sent: Thursday, December 03, 2009 7:06 PM To: Mark Newton Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mark Newton wrote: The fact that someone got OpenWRT working in less than a week of spare time makes it totally clear why the commercial vendors haven't done anything: They're just simply not interested, nothing more, nothing less. I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues with the dhcp client that comes with it in the past, though I've had an ubuntu box acting as a router with wide-dhcp doing -PD. It works okay, although the devs really should look at better support on the automatic address assignment model and support for PD issued from PD. Of course, I suspect there's just not enough interest in the linux dev community to bother. 
Finally, one of the home router firmware companies (which I believe linksys used when they didn't use linux) has had IPv6 support in their codebase for a year now. See nanog history. The manufacturers that use their code don't seem to have implemented the new IPv6 code. Jack (sick, so if it doesn't make sense, sorry)
RE: Consumer Grade - IPV6 Enabled Router Firewalls.
Give their emulator a try: http://support.dlink.com/emulators/dir615_revC/310NA/login.htm Perhaps this is a dumb question, but without DHCPv6 IA_PD support, how are other large service providers rolling out IPv6 for their cable broadband, xDSL, BWA, and FTTH customers? 100% SLAAC? Frank -Original Message- From: jason.w...@cox.com [mailto:jason.w...@cox.com] Sent: Thursday, December 03, 2009 8:54 PM To: jba...@brightok.net; new...@internode.com.au Cc: nanog@nanog.org Subject: RE: Consumer Grade - IPV6 Enabled Router Firewalls. One of the better/only decent implementations I have run across in the retail world so far is the D-Link 615SW. Look for the IPv6_Ready Gold cert emblem (found this on an encap at Fry's and nobody in the department knew what IPv6 was) on the front of the box for easy recognition although there are other modems with RevC (think Rev_B works as well) firmware that don't have the label but work as well. The major feature missing is DHCPv6 IA_PD but you won't find this on any retail router that I am aware of today. What you will find though is WAN interface config via static, stateful or stateless DHCPv6 as well as stateful and stateless PPPoEv6. It even offers a DHCPv6 server for your LAN interfaces to boot. I am not sure if this product was built for the Japanese market and is now being released here to determine interest from the retail sector but it is useful for a trial lab or for testing at home. The major caveat of course is that all the IPv6 configs are done in Advanced Config mode and hence not designed for plug-and-play for your average home user. Jason From: Jack Bates [jba...@brightok.net] Sent: Thursday, December 03, 2009 7:06 PM To: Mark Newton Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls. 
Mark Newton wrote: The fact that someone got OpenWRT working in less than a week of spare time makes it totally clear why the commercial vendors haven't done anything: They're just simply not interested, nothing more, nothing less. I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues with the dhcp client that comes with it in the past, though I've had an ubuntu box acting as a router with wide-dhcp doing -PD. It works okay, although the devs really should look at better support on the automatic address assignment model and support for PD issued from PD. Of course, I suspect there's just not enough interest in the linux dev community to bother. Finally, one of the home router firmware companies (which I believe linksys used when they didn't use linux) has had IPv6 support in their codebase for a year now. See nanog history. The manufacturers that use their code don't seem to have implemented the new IPv6 code. Jack (sick, so if it doesn't make sense, sorry)
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
DHCPv6 PD is pretty crucial. I'd love to see the code in an ADSL box (hint hint hint DLINK). MMC Frank Bulk wrote: Give their emulator a try: http://support.dlink.com/emulators/dir615_revC/310NA/login.htm Perhaps this is a dumb question, but without DHCPv6 IA_PD support, how are other large service providers rolling out IPv6 for their cable broadband, xDSL, BWA, and FTTH customers? 100% SLAAC? Frank -Original Message- From: jason.w...@cox.com [mailto:jason.w...@cox.com] Sent: Thursday, December 03, 2009 8:54 PM To: jba...@brightok.net; new...@internode.com.au Cc: nanog@nanog.org Subject: RE: Consumer Grade - IPV6 Enabled Router Firewalls. One of the better/only decent implementations I have run across in the retail world so far is the D-Link 615SW. Look for the IPv6_Ready Gold cert emblem (found this on an encap at Fry's and nobody in the department knew what IPv6 was) on the front of the box for easy recognition although there are other modems with RevC (think Rev_B works as well) firmware that don't have the label but work as well. The major feature missing is DHCPv6 IA_PD but you won't find this on any retail router that I am aware of today. What you will find though is WAN interface config via static, stateful or stateless DHCPv6 as well as stateful and stateless PPPoEv6. It even offers a DHCPv6 server for your LAN interfaces to boot. I am not sure if this product was built for the Japanese market and is now being released here to determine interest from the retail sector but it is useful for a trial lab or for testing at home. The major caveat of course is that all the IPv6 configs are done in Advanced Config mode and hence not designed for plug-and-play for your average home user. Jason From: Jack Bates [jba...@brightok.net] Sent: Thursday, December 03, 2009 7:06 PM To: Mark Newton Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls. 
Mark Newton wrote: The fact that someone got OpenWRT working in less than a week of spare time makes it totally clear why the commercial vendors haven't done anything: They're just simply not interested, nothing more, nothing less. I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues with the dhcp client that comes with it in the past, though I've had an ubuntu box acting as a router with wide-dhcp doing -PD. It works okay, although the devs really should look at better support on the automatic address assignment model and support for PD issued from PD. Of course, I suspect there's just not enough interest in the linux dev community to bother. Finally, one of the home router firmware companies (which I believe linksys used when they didn't use linux) has had IPv6 support in their codebase for a year now. See nanog history. The manufacturers that use their code don't seem to have implemented the new IPv6 code. Jack (sick, so if it doesn't make sense, sorry)
Consumer Grade - IPV6 Enabled Router Firewalls.
We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts? -- Wade Peacock Sun Country Cablevision Ltd
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Wade Peacock wrote: We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts? You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
RE: Consumer Grade - IPV6 Enabled Router Firewalls.
Biased opinion because we distribute/sell Tilgin related products, but they are supposed to do IPv6. Having said that, we have not lab tested them ourselves and plan to early next year. Paul -Original Message- From: Wade Peacock [mailto:wade.peac...@sunwave.net] Sent: December-02-09 6:16 PM To: nanog@nanog.org Subject: Consumer Grade - IPV6 Enabled Router Firewalls. We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts? -- Wade Peacock Sun Country Cablevision Ltd
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Matthew Dodd wrote: Apple has been shipping the Airport Extreme and Express (consumer router) with v6 support since 2007, if I recall correctly. They can also create a 4to6 tunnel automatically. By 4to6 do you mean IPv4 on the inside and IPv6 on the outside? Wade Peacock Sun Country Cablevision Ltd
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 3/12/2009, at 12:44 PM, Wade Peacock wrote: Matthew Dodd wrote: Apple has been shipping the Airport Extreme and Express (consumer router) with v6 support since 2007, if I recall correctly. They can also create a 4to6 tunnel automatically. By 4to6 do you mean IPv4 on the inside and IPv6 on the outside? He is confused, and means 6to4. Also the airport extreme does not do DHCPv6-PD or anything (as far as I know, they certainly did not last time I tried), so I don't know that we'd really call them an IPv6 CPE in the way that I suspect Wade means. -- Nathan Ward
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
I meant to say 6to4, sorry about that. Nothing special there. -Matt On Dec 2, 2009, at 6:44 PM, Wade Peacock wade.peac...@sunwave.net wrote: Matthew Dodd wrote: Apple has been shipping the Airport Extreme and Express (consumer router) with v6 support since 2007, if I recall correctly. They can also create a 4to6 tunnel automatically. By 4to6 do you mean IPv4 on the inside and IPv6 on the outside? Wade Peacock Sun Country Cablevision Ltd
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Wed, Dec 2, 2009 at 5:52 PM, Matthew Dodd md...@doddserver.com wrote: I meant to say 6to4, sorry about that. Nothing special there. -Matt 4to6 would be a mighty nice feature on a CPE =) -- Brandon Galbraith Mobile: 630.400.6992 FNAL: 630.840.2141
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 12/2/09 7:24 PM, Brandon Galbraith brandon.galbra...@gmail.com wrote: On Wed, Dec 2, 2009 at 5:52 PM, Matthew Dodd md...@doddserver.com wrote: I meant to say 6to4, sorry about that. Nothing special there. -Matt 4to6 would be a mighty nice feature on a CPE =) === If you are thinking about only giving a v6 address to a CPE and still offering a v4 service, there is a technology for that, it is called dual-stack lite. See http://www.ietf.org/id/draft-ietf-softwire-dual-stack-lite-02.txt - Alain.
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
There are specifications for them being developed in the IETF, BBF, and Cable Labs. Basically, all of the usual suspects are interested in having product that meets needs. On Dec 2, 2009, at 3:16 PM, Wade Peacock wrote: We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts? -- Wade Peacock Sun Country Cablevision Ltd
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 03/12/2009, at 11:24 AM, Fred Baker wrote: There are specifications for them being developed in the IETF, BBF, and Cable Labs. Basically, all of the usual suspects are interested in having product that meets needs. I challenge the usual suspects to deliver actual working dual stack IPv6 ADSL CPE rather than feigning interest. None of the major CPE vendors appear to have a v6 plan despite your claims. We have an IPv6 dual stack trial for ADSL going on and not a single CPE from the _major consumer CPE vendors_. Come on CPE vendors - most of you run Linux in your CPEs these days. How hard is it to make it work? Someone got an image working for us with OpenWRT in his spare time in a week, surely you CPE vendors can cobble something together for people to try out in a real piece of ADSL CPE I can buy at a shop? I don't mean 6to4 or pseudo dual stack stuff. I mean real ADSL CPE with dual stack PPP and DHCPv6 in one box. MMC
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
There are specifications for them being developed in the IETF, BBF, and Cable Labs. Basically, all of the usual suspects are interested in having product that meets needs. We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. fred. check your mail system. it is regurgitating email from 2001, except it is modifying the headers to have current dates. randy
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Would you consider Juniper SSG5 as a Consumer Grade router? They do IPv6 and they are pretty good in general, and cheap as well. Mehmet On Dec 2, 2009, at 3:16 PM, Wade Peacock wrote: We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts? -- Wade Peacock Sun Country Cablevision Ltd
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Wade Peacock wrote: We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. For ADSL, we've been punting Ovislink gear for a few years. In the past, I've had very good results with having feature requests implemented by the firmware developers (sometimes while I'm on the phone with them, literally). I haven't pushed the v6 thing too hard yet, as our DSL is wholesale'd out, and the wholesaler(s), unlike myself, don't do IPv6. I will gladly rekindle the relationship with the Ovislink dev contacts regarding IPv6, as I'm sure they will respond if there is a show of potential hardware sales to a few ISPs larger than I am. Steve
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 03/12/2009, at 12:45 PM, Matthew Moyle-Croft wrote: Come on CPE vendors - most of you run Linux in your CPEs these days. How hard is it to make it work? Someone got an image working for us with OpenWRT in his spare time in a week, surely you CPE vendors can cobble something together for people to try out in a real piece of ADSL CPE I can buy at a shop? The fact that someone got OpenWRT working in less than a week of spare time makes it totally clear why the commercial vendors haven't done anything: They're just simply not interested, nothing more, nothing less. There's obviously no technical barrier whatsoever (otherwise, again, OpenWRT wouldn't work). If it can be done in a week of developer time there's barely even an economic barrier. It's just disinterest. Linksys, being owned by the world's largest router vendor and being confronted with actual independently-developed working code for their hardware platforms, have the least excuse out of any of them. Years and years of talk, and no customer-visible action whatsoever. What an exceptionally ordinary performance. See you in Melbourne next week, Fred :) - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 03/12/2009, at 12:53 PM, Mehmet Akcin wrote: Would you consider Juniper SSG5 as a Consumer Grade router? Depends. Can I get one at Frys for $69.95 and set it up with a web browser? - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Wed, Dec 2, 2009 at 18:23, Mehmet Akcin meh...@akcin.net wrote: Would you consider Juniper SSG5 as a Consumer Grade router? No. Way too expensive and virtually 100% of consumers would not be able to install it on their own.
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 03/12/2009, at 9:51 AM, Dave Temkin wrote: You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box. The Apple products do 6to4 out of the box, but don't support v6 natively. Apple seems to have ideological objections to DHCPv6, so at the moment there's little hope at all that prefix delegation will work on any of their CPE products. - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Wed, Dec 2, 2009 at 8:30 PM, Mark Newton new...@internode.com.au wrote: On 03/12/2009, at 12:53 PM, Mehmet Akcin wrote: Would you consider Juniper SSG5 as a Consumer Grade router? Depends. Can I get one at Frys for $69.95 and set it up with a web browser? That would be cool, a nice box running JUNOS for seventy bucks, gimme two !! Cheers Jorge
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Dec 2, 2009, at 6:53 PM, Jorge Amodio wrote: On Wed, Dec 2, 2009 at 8:30 PM, Mark Newton new...@internode.com.au wrote: On 03/12/2009, at 12:53 PM, Mehmet Akcin wrote: Would you consider Juniper SSG5 as a Consumer Grade router? Depends. Can I get one at Frys for $69.95 and set it up with a web browser? That would be cool, a nice box running JUNOS for seventy bucks, gimme two !! Noted on the christmas tree for santa ;) let's see if it will happen.. SSG5s are still on ScreenOS and going to be..., SRX series run JunOS but little too pricey for a home router :) Cheers Jorge
RE: Consumer Grade - IPV6 Enabled Router Firewalls.
I think they're (all) listed here: http://www.getipv6.info/index.php/Broadband_CPE Frank -Original Message- From: Wade Peacock [mailto:wade.peac...@sunwave.net] Sent: Wednesday, December 02, 2009 5:16 PM To: nanog@nanog.org Subject: Consumer Grade - IPV6 Enabled Router Firewalls. We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts? -- Wade Peacock Sun Country Cablevision Ltd
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Bill Fehring wrote: On Wed, Dec 2, 2009 at 18:23, Mehmet Akcin meh...@akcin.net wrote: Would you consider Juniper SSG5 as a Consumer Grade router? No. Way too expensive and virtually 100% of consumers would not be able to install it on their own. If they can't plug it in (that's a huge task on its own for many people) and it just works, it's not consumer grade. Yes, even if that means a billion linksys SSIDs on channel 6. ~Seth
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
I note that a lot of those have IPv6 support because of 3rd party DDWRT images :-) A lot of them support 6to4 only - and often quite poorly. MMC On 03/12/2009, at 1:27 PM, Frank Bulk wrote: I think they're (all) listed here: http://www.getipv6.info/index.php/Broadband_CPE Frank -Original Message- From: Wade Peacock [mailto:wade.peac...@sunwave.net] Sent: Wednesday, December 02, 2009 5:16 PM To: nanog@nanog.org Subject: Consumer Grade - IPV6 Enabled Router Firewalls. We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts? -- Wade Peacock Sun Country Cablevision Ltd -- Matthew Moyle-Croft Peering Manager and Team Lead - Commercial and DSLAMs Internode /Agile Level 5, 162 Grenfell Street, Adelaide, SA 5000 Australia Email: m...@internode.com.au Web: http://www.on.net Direct: +61-8-8228-2909 Mobile: +61-419-900-366 Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
A Mikrotik Routerboard supports IPv6. Fairly cheap, under $100. But not easy enough for a novice home user to configure on their own. Could be a good cpe if it was pre-configured from the service provider though. I use a MT box at home which serves as my router, dual stack, and then sets up an IPv6 tunnel to SIXXS. Very stable platform. Only drawback is the lack of support for IPv6 over PPP. -- Chris Gotstein Sr Network Engineer UP Logon/Computer Connection UP Iron Mountain, MI 49801 Wade Peacock wrote: We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts?
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Once upon a time, Mehmet Akcin meh...@akcin.net said: Noted on the christmas tree for santa ;) let's see if it will happen.. SSG5s are still on ScreenOS and going to be..., SRX series run JunOS but little too pricey for a home router :) I think the SRX100 is the intended replacement for the SSG5. -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
I believe that the Fritz box and the Apple Airport series gateways both qualify, although there is a price difference on the Apple gear. I am not sure about the price of the Fritz. Owen On Dec 2, 2009, at 3:16 PM, Wade Peacock wrote: We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts? -- Wade Peacock Sun Country Cablevision Ltd
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Dec 2, 2009, at 6:41 PM, Mark Newton wrote: On 03/12/2009, at 9:51 AM, Dave Temkin wrote: You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box. The Apple products do 6to4 out of the box, but don't support v6 natively. What do you mean they don't support v6 native? I am running my Time Capsule in v6 native. Apple seems to have ideological objections to DHCPv6, so at the moment there's little hope at all that prefix delegation will work on any of their CPE products. True none of the apple products support DHCPv6. I think there is some hope Apple will come around on this issue. Owen
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Probably the same time they'll figure out the over-3-yrs-old IGMP ver3 support (for a *multimedia-oriented* company, multicast seems to still be foreign ... oh, well...) ***Stefan Mititelu http://twitter.com/netfortius http://www.linkedin.com/in/netfortius On Wed, Dec 2, 2009 at 10:56 PM, Owen DeLong o...@delong.com wrote: On Dec 2, 2009, at 6:41 PM, Mark Newton wrote: On 03/12/2009, at 9:51 AM, Dave Temkin wrote: You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box. The Apple products do 6to4 out of the box, but don't support v6 natively. What do you mean they don't support v6 native? I am running my Time Capsule in v6 native. Apple seems to have ideological objections to DHCPv6, so at the moment there's little hope at all that prefix delegation will work on any of their CPE products. True none of the apple products support DHCPv6. I think there is some hope Apple will come around on this issue. Owen
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On 03/12/2009, at 3:26 PM, Owen DeLong wrote: You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box. The Apple products do 6to4 out of the box, but don't support v6 natively. What do you mean they don't support v6 native? I am running my Time Capsule in v6 native. Okay, let me rephrase that. I can't run a PPPoE client on an Airport Express which will give me native dual-stack Internet access. Yes, I can talk to the Airport Express with v6, no debate there. And yes, if it sees an RA message it'll configure itself with the appropriate prefix EUI64 itself an address. But unless there's some configuration knob I haven't found, off-LAN v6 access requires either some other v6-capable CPE to act as the interface to the service provider, or it runs over 6to4. True none of the apple products support DHCPv6. I think there is some hope Apple will come around on this issue. Currently the Snow Leopard kernel panics if you turn on the net.inet6.ip6.accept_rtadv sysctl and start a PPPoE session which negotiates IP6CP. (I have a bug open with them, and I'm confident that it'll be fixed... but c'mon...!) - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223