RIPE Community Mail Archives

[ipv6-wg] Re: [address-policy-wg] Commercial IPv6 firewall support

  • To: michael.dillon@localhost
  • From: Nick Hilliard nick@localhost
  • Date: Sat, 27 Oct 2007 15:25:41 +0100
  • Cc: address-policy-wg@localhost, ipv6-wg@localhost

> Some people have claimed that they cannot yet sell
> IPv6 Internet access because there is no IPv6 firewall
> support. According to this ICANN study:
> http://www.icann.org/committees/security/sac021.pdf
> this is not quite true. At least 30% of the 42 vendors
> surveyed, had IPv6 support.

There is, of course, "support" and support when talking about any feature,
whether ipv6 related or not.

As a useful example of what "support" implies, the "support" from one of my
firewall vendors includes basic support for ipv6 packet forwarding and
filtering, but no support for configuring this from the GUI.  And no support
for failover / failback on ipv6.  And no support for ospfv3.  Or DHCPv6.  Or
v6 support for VPNs.  And so on - you get the idea.  There are piles more
features which just aren't there if you use v6.  In fact, I would suggest
that there is such a large functionality gap between their ipv4 and ipv6
support right now, that even if they invested heavily between now and the
current expected dates for ipv4 exhaustion, I seriously doubt that they
would achieve feature parity, not to mind stability parity for these
features.

I have talked to them about this, and their opinion is that there is no
commercial demand for ipv6, and therefore ipv6 feature parity is on the
feature roadmap.  And indeed, it is difficult for the organisation I work
for to demand ipv6 support, when other companies can talk to their vendors
with a EUR100m firewall / networking contract going a-begging.  I have
little doubt that this is the reason that MOP got re-enabled by default on a
certain router vendor's products.


Them:   "We have EUR200m to spend and we want MOP enabled by default".
Vendor: "Three bags full, sir".

Me:     "I want you to spend $50m in development costs to support ipv6, and
        then I'll buy some low end kit from you"
Vendor: <laughs hysterically>

Open source solutions tend to fare better in this regard.  Lots of people
may end up using them in a future ipv6 world, but you're not going to end up
seeing F500 companies stampeding to replace their current high-end solutions
with m0n0wall installations, just because they have more-or-less parity
support for ipv4 and ipv6.

There's a more interesting discussion of this linked from:

http://www.arin.net/meetings/minutes/ARIN_XX/ppm.html

See the talk entitled "IPv6 Support Among Commercial Firewalls", by Dave
Piscitello.

Nick

-- 
Network Ability Ltd. | Technical Operations    | Tel: +353 1 6169698
3 Westland Square    | INEX - Internet Neutral | Fax: +353 1 6041981
Dublin 2, Ireland    | Exchange Association    | Email: nick@localhost




 
