Some people have claimed that they cannot yet sell IPv6 Internet access because there is no IPv6 firewall support. According to this ICANN study: http://www.icann.org/committees/security/sac021.pdf this is not quite true. At least 30% of the 42 vendors surveyed had IPv6 support.

According to this talk <http://www.guug.de/veranstaltungen/ecai6-2007/slides/2007-ECA-I6-Status-IPv6-Firewalling-PeterBieringer-Talk.pdf> many open-source and commercial firewalls supporting IPv6 are available.

IPCop is based on Linux <http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopScreenshots>
m0n0wall is based on FreeBSD <http://m0n0.ch/wall/screenshots.php>
pfSense is also based on FreeBSD <http://pfsense.com/index.php?id=26>
FWBuilder is a management tool that builds filter setups for several different firewalls. <http://www.fwbuilder.org/archives/cat_screenshots.html>
Checkpoint FW1 NGX R65 on SecurePlatform supports IPv6
FortiGate supports IPv6 in FortiOS 3.0 and up.
Juniper SSG (formerly Netscreen) supports IPv6 in ScreenOS 6.0 and up.
Cisco ASA (formerly PIX) supports IPv6 in version 7.0 and up.

I suspect that the people complaining about IPv6 support are partially complaining because they have older hardware that the vendor does not plan to upgrade to IPv6 support until they have all features implemented in their newer products, and partially complaining because their vendor has not implemented some feature which they happen to use.

Commercial firewall support may be lagging behind OS and router support, but not by much. And if commercial vendors are not responsive, maybe you should try pricing out an open source solution with a consultant. I believe there is a gap here that startup firewall companies could fill if they understand the enterprise market.

--Michael Dillon
On Fri, Oct 26, 2007 at 10:04:58PM +0100, michael.dillon@bt.com wrote:
Juniper SSG (formerly Netscreen) supports IPv6 in ScreenOS 6.0 and up.
Support for IPv6 was actually introduced in the 5.4 line of ScreenOS. This is a fairly notable difference, as 5.4 runs on legacy Netscreen platforms (NS25/50, NS5GT, etc), whereas ScreenOS 6.0 is only SSG/ISG. I have enabled the dual-stack support and played with it; it works. I have never used the IPv6 stack in production.

--
Ross Vandegrift
ross@kallisti.us

"The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
Once upon a time, Ross Vandegrift <ross@kallisti.us> said:
On Fri, Oct 26, 2007 at 10:04:58PM +0100, michael.dillon@bt.com wrote:
Juniper SSG (formerly Netscreen) supports IPv6 in ScreenOS 6.0 and up.
Support for IPv6 was actually introduced in the 5.4 line of ScreenOS. This is a fairly notable difference, as 5.4 runs on legacy Netscreen platforms (NS25/50, NS5GT, etc), whereas ScreenOS 6.0 is only SSG/ISG.
IPv6 is in ScreenOS 5.4 for only a couple of platforms. ScreenOS 6.0 adds support for a few more.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
On Fri Oct 26, 2007 at 10:04:58PM +0100, michael.dillon@bt.com wrote:
Cisco ASA (formerly PIX) supports IPv6 in version 7.0 and up.
Have they actually made it useable yet? Last time I looked, if you had a pair of PIX in failover mode, you couldn't use IPv6 - it put the same IP on both firewalls at the same time, along with a message saying IPv6 wasn't supported in standby mode.

Simon

--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director       | * Domain & Web Hosting * Internet Consultancy *
Bogons Ltd     | * http://www.bogons.net/ * Email: info@bogons.net *
Simon Lockhart wrote:
On Fri Oct 26, 2007 at 10:04:58PM +0100, michael.dillon@bt.com wrote:
Cisco ASA (formerly PIX) supports IPv6 in version 7.0 and up.
Have they actually made it useable yet? Last time I looked, if you had a pair of PIX in failover mode, you couldn't use IPv6 - it put the same IP on both firewalls at the same time, along with a message saying IPv6 wasn't supported in standby mode.
I know a network where they use Cisco PIXes in failover mode; there was indeed some issue with it at one point, but they now seem to have worked fine for, I think, at least about 2 years already.

Greets,
Jeroen
On Sat Oct 27, 2007 at 01:57:53PM +0200, Jeroen Massar wrote:
Cisco ASA (formerly PIX) supports IPv6 in version 7.0 and up.
Have they actually made it useable yet? Last time I looked, if you had a pair of PIX in failover mode, you couldn't use IPv6 - it put the same IP on both firewalls at the same time, along with a message saying IPv6 wasn't supported in standby mode.
I know a network where they use Cisco PIXes in failover mode; there was indeed some issue with it at one point, but they now seem to have worked fine for, I think, at least about 2 years already.
Cool - I've got a pair of PIXen that I need to put live soon, so I'll test the latest software on them to see if it has improved.

Simon

--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director       | * Domain & Web Hosting * Internet Consultancy *
Bogons Ltd     | * http://www.bogons.net/ * Email: info@bogons.net *
On Fri, 26 Oct 2007, michael.dillon@bt.com wrote: ...
Juniper SSG (formerly Netscreen) supports IPv6 in ScreenOS 6.0 and up. ...
FWIW, there are typically notable differences in v6 feature parity vs v4. So for those folks that are actually using this stuff "supports v6 -- check!" isn't good enough and may result in some nasty surprises later on. For example, Netscreens cannot presently filter IPv6 in transparent (bridged) mode, only in routed mode. The feature is AFAIK in the roadmap but over a year away.

--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds." -- George R.R. Martin: A Clash of Kings
michael.dillon@bt.com wrote:
I suspect that the people complaining about IPv6 support are partially complaining because they have older hardware that the vendor does not plan to upgrade to IPv6 support until they have all features implemented in their newer products, and partially complaining because their vendor has not implemented some feature which they happen to use.
People who are complaining and have tried the platforms that claim to support IPv6 generally find that feature parity with IPv4 doesn't exist, which still makes it difficult to deploy. Vendors claiming IPv6 support and systems actually providing an IPv6 based solution are two entirely different beasts. If you need IPv6 then don't believe the vendor propaganda, test the box and then prepare to complain to the vendor :)

Mark.
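Pekka's feature-parity point and Mark's "test the box" advice can be turned into a concrete check for the Linux-based firewalls Michael listed. The following is an added example, not code from any poster or from the iptables project: it parses a constructed iptables-save dump and a constructed ip6tables-save dump and reports chains whose default policy differs between families and IPv4 rules that have no IPv6 counterpart. The mapping of `-p icmp` to `-p icmpv6` is an assumption made for the comparison.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample dumps in iptables-save / ip6tables-save format (not from the thread).
# The IPv6 ruleset is deliberately thinner: default policies are open and ICMPv6,
# stateful return traffic, HTTPS and DNS were never carried over from the IPv4 policy.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
"""

IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

Rule = Tuple[str, str, str]  # (chain, match specification, target)


def parse_save(text: str) -> Tuple[Dict[str, str], Set[Rule]]:
    """Return (chain default policies, set of normalised rules) from a *tables-save dump."""
    policies: Dict[str, str] = {}
    rules: Set[Rule] = set()
    for line in text.splitlines():
        m = re.match(r":(\w+) (\w+) ", line)          # ":CHAIN POLICY [pkts:bytes]"
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = re.match(r"-A (\w+) (.*) -j (\w+)$", line)  # "-A CHAIN <match> -j TARGET"
        if m:
            # Assumption: an IPv4 ICMP rule corresponds to an ICMPv6 rule. Note that
            # ICMPv6 is mandatory for IPv6 (Neighbor Discovery runs over it), so a
            # missing ICMPv6 rule under a DROP policy breaks the link, not just ping.
            spec = m.group(2).replace("-p icmp", "-p icmpv6")
            rules.add((m.group(1), spec, m.group(3)))
    return policies, rules


def parity_report(v4_dump: str, v6_dump: str) -> Dict[str, List]:
    """Chains whose default policy differs, plus IPv4 rules with no IPv6 counterpart."""
    p4, r4 = parse_save(v4_dump)
    p6, r6 = parse_save(v6_dump)
    policy_gaps = sorted(chain for chain in p4 if p6.get(chain) != p4[chain])
    missing = sorted(rule for rule in r4 if rule not in r6)
    return {"policy_gaps": policy_gaps, "missing_in_v6": missing}


if __name__ == "__main__":
    report = parity_report(IPTABLES_SAVE, IP6TABLES_SAVE)
    for chain in report["policy_gaps"]:
        print(f"default policy differs on chain {chain}")
    for chain, spec, target in report["missing_in_v6"]:
        print(f"no IPv6 counterpart: -A {chain} {spec} -j {target}")
```

On a real host the two dumps come from `iptables-save` and `ip6tables-save`; the report is a starting list for the "prepare to complain" conversation, not proof that the rules that do exist behave identically.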
trolls can blather on, and of course will. but for the best work to date on this subject, see dave piscitello's preso from arin, <http://www.arin.net/meetings/minutes/ARIN_XX/PDF/thursday/Firewalls_Piscitello.pdf>.

Mark Prior wrote:
If you need IPv6 then don't believe the vendor propaganda, test the box and then prepare to complain to the vendor :)
there is a too lightly spoken problem under this, a lack of good test suites, environments, platforms for ipv6. this serious gap extends from routers' control and data planes, to security products, to the myriad of applications. so the vendors can say pretty much anything, and it's very hard to actually learn the reality until it fails in your network. of course, if you have not been prone to testing in ipv4, this will not be a major change for you. :)

randy
Have to say, using ScreenOS 5.4 on our Juniper kit and relatively happy. Elsewhere, if you just want a packet filter, v6 ACLs are fine, depending of course on whether they are done in hardware or software and whether this is appropriate for your application (i.e., an ACL in the software path is perfectly appropriate in a number of scenarios where you have a dedicated router and a low-traffic environment...)

Dave.

michael.dillon@bt.com wrote:
Some people have claimed that they cannot yet sell IPv6 Internet access because there is no IPv6 firewall support. According to this ICANN study: http://www.icann.org/committees/security/sac021.pdf this is not quite true. At least 30% of the 42 vendors surveyed, had IPv6 support.
According to this talk <http://www.guug.de/veranstaltungen/ecai6-2007/slides/2007-ECA-I6-Status-IPv6-Firewalling-PeterBieringer-Talk.pdf> many open-source and commercial firewalls supporting IPv6 are available.
IPCop is based on Linux <http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopScreenshots>
m0n0wall is based on FreeBSD <http://m0n0.ch/wall/screenshots.php>
pfSense is also based on FreeBSD <http://pfsense.com/index.php?id=26>
FWBuilder is a management tool that builds filter setups for several different firewalls. <http://www.fwbuilder.org/archives/cat_screenshots.html>
Checkpoint FW1 NGX R65 on SecurePlatform supports IPv6
FortiGate supports IPv6 in FortiOS 3.0 and up.
Juniper SSG (formerly Netscreen) supports IPv6 in ScreenOS 6.0 and up.
Cisco ASA (formerly PIX) supports IPv6 in version 7.0 and up.
I suspect that the people complaining about IPv6 support are partially complaining because they have older hardware that the vendor does not plan to upgrade to IPv6 support until they have all features implemented in their newer products, and partially complaining because their vendor has not implemented some feature which they happen to use.
Commercial firewall support may be lagging behind OS and router support, but not by much. And if commercial vendors are not responsive, maybe you should try pricing out an open source solution with a consultant. I believe there is a gap here that startup firewall companies could fill if they understand the enterprise market.
--Michael Dillon