We had a discussion today about IPv6. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer-grade IPv6-enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, D-Links, SMCs or Netgears. Does anyone have any leads to information about such products (in production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home users are screaming for them. Thoughts?
--
Wade Peacock
Sun Country Cablevision Ltd
Wade Peacock wrote:
We had a discussion today about IPv6. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer-grade IPv6-enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, D-Links, SMCs or Netgears.
Does anyone have any leads to information about such products (In production or planned production)?
We are thinking that most vendors are going to wait until Ma and Pa home users are screaming for them.
Thoughts?
You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
On 03/12/2009, at 9:51 AM, Dave Temkin wrote:
You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
The Apple products do 6to4 out of the box, but don't support v6 natively. Apple seems to have ideological objections to DHCPv6, so at the moment there's little hope at all that prefix delegation will work on any of their CPE products. - mark -- Mark Newton Email: newton@internode.com.au (W) Network Engineer Email: newton@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
On Dec 2, 2009, at 6:41 PM, Mark Newton wrote:
On 03/12/2009, at 9:51 AM, Dave Temkin wrote:
You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
The Apple products do 6to4 out of the box, but don't support v6 natively.
What do you mean they don't support v6 native? I am running my Time Capsule in v6 native.
Apple seems to have ideological objections to DHCPv6, so at the moment there's little hope at all that prefix delegation will work on any of their CPE products.
True, none of the Apple products support DHCPv6. I think there is some hope Apple will come around on this issue. Owen
Probably the same time they'll figure out the over-3-yrs-old IGMP ver3 support (for a *multimedia-oriented* company, multicast seems to still be foreign ... oh, well...) ***Stefan Mititelu http://twitter.com/netfortius http://www.linkedin.com/in/netfortius On Wed, Dec 2, 2009 at 10:56 PM, Owen DeLong <owen@delong.com> wrote:
On Dec 2, 2009, at 6:41 PM, Mark Newton wrote:
On 03/12/2009, at 9:51 AM, Dave Temkin wrote:
You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
The Apple products do 6to4 out of the box, but don't support v6 natively.
What do you mean they don't support v6 native?
I am running my Time Capsule in v6 native.
Apple seems to have ideological objections to DHCPv6, so at the moment there's little hope at all that prefix delegation will work on any of their CPE products.
True, none of the Apple products support DHCPv6. I think there is some hope Apple will come around on this issue.
Owen
On 03/12/2009, at 3:26 PM, Owen DeLong wrote:
You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
The Apple products do 6to4 out of the box, but don't support v6 natively.
What do you mean they don't support v6 native? I am running my Time Capsule in v6 native.
Okay, let me rephrase that. I can't run a PPPoE client on an Airport Express which will give me native dual-stack Internet access. Yes, I can talk to the Airport Express with v6, no debate there. And yes, if it sees an RA message it'll configure itself with an EUI-64 address in the appropriate prefix. But unless there's some configuration knob I haven't found, off-LAN v6 access requires either some other v6-capable CPE to act as the interface to the service provider, or it runs over 6to4.
True, none of the Apple products support DHCPv6. I think there is some hope Apple will come around on this issue.
Currently the Snow Leopard kernel panics if you turn on the net.inet6.ip6.accept_rtadv sysctl and start a PPPoE session which negotiates IP6CP. (I have a bug open with them, and I'm confident that it'll be fixed... but c'mon...!) - mark
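The two addressing paths Mark describes above, worked through as an added example (code written for this page, not from the thread, Apple or any CPE vendor): a host or CPE that ignores DHCPv6 still autoconfigures from a Router Advertisement (SLAAC with a modified EUI-64 interface identifier, RFC 4861/4862) and, absent a native uplink, derives a 6to4 prefix from its public IPv4 address (RFC 3056). The RA bytes, MAC addresses and IPv4 address are constructed sample data, and the ICMPv6 checksum is left at zero.

```python
"""Added example (not from the thread or any vendor's firmware): the two ways a
CPE without DHCPv6 gets IPv6 addresses - SLAAC from a Router Advertisement
(RFC 4861/4862) and a 6to4 prefix from its public IPv4 address (RFC 3056).
The RA, MACs and IPv4 address below are constructed sample data."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3
PIO_FLAG_ONLINK, PIO_FLAG_AUTO = 0x80, 0x40
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit, insert ff:fe in the middle."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def parse_ra_prefixes(ra: bytes):
    """Return [(network, on_link, autonomous)] from an ICMPv6 RA, skipping other options."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    found, off = [], 16          # 16-byte RA fixed header, then TLV options in 8-byte units
    while off < len(ra):
        if off + 2 > len(ra) or ra[off + 1] == 0:
            raise ValueError("malformed ND option")
        end = off + ra[off + 1] * 8
        if end > len(ra):
            raise ValueError("truncated ND option")
        if ra[off] == ND_OPT_PREFIX_INFO and ra[off + 1] == 4:
            plen, flags = ra[off + 2], ra[off + 3]
            net = ipaddress.IPv6Network((ra[off + 16:off + 32], plen), strict=False)
            found.append((net, bool(flags & PIO_FLAG_ONLINK), bool(flags & PIO_FLAG_AUTO)))
        off = end
    return found


def slaac_addresses(ra: bytes, mac: str):
    """Addresses a host/CPE autoconfigures: only A-flagged /64 prefixes qualify (RFC 4862 5.5.3)."""
    iid = eui64_interface_id(mac)
    return [ipaddress.IPv6Address(net.network_address.packed[:8] + iid)
            for net, _on_link, auto in parse_ra_prefixes(ra)
            if auto and net.prefixlen == 64]


def sixto4_prefix(public_v4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48 from the WAN IPv4 address; RFC 1918 space cannot be used."""
    v4 = ipaddress.IPv4Address(public_v4)
    if any(v4 in n for n in RFC1918) or v4.is_loopback or v4.is_multicast or v4.is_link_local:
        raise ValueError("6to4 needs a globally routable IPv4 address")
    return ipaddress.IPv6Network((b"\x20\x02" + v4.packed + bytes(10), 48))


def sixto4_lan_prefix(public_v4: str) -> ipaddress.IPv6Network:
    """What a typical 6to4 CPE actually announces on its LAN: subnet 0 of that /48."""
    return next(sixto4_prefix(public_v4).subnets(new_prefix=64))


def build_sample_ra() -> bytes:
    """Constructed RA: SLLAO, MTU, one L+A prefix and one L-only prefix. Checksum left 0."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    sllao = struct.pack("!BB", 1, 1) + bytes.fromhex("0050569a1b2c")   # constructed router MAC
    mtu = struct.pack("!BBHI", 5, 1, 0, 1500)

    def pio(prefix: str, flags: int) -> bytes:
        return (struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, 64, flags, 2592000, 604800, 0)
                + ipaddress.IPv6Address(prefix).packed)

    return (hdr + sllao + mtu + pio("2001:db8:1234:5678::", PIO_FLAG_ONLINK | PIO_FLAG_AUTO)
            + pio("2001:db8:1234:abcd::", PIO_FLAG_ONLINK))


if __name__ == "__main__":
    for a in slaac_addresses(build_sample_ra(), "00:1b:63:84:45:e6"):   # constructed MAC
        print("SLAAC:", a)
    print("6to4 :", sixto4_prefix("192.0.2.1"), "LAN", sixto4_lan_prefix("192.0.2.1"))
```

The parser only honours Prefix Information Options with the A flag set and a /64 length, which is why a /56 or /48 announced in an RA does not on its own give a CPE anything to hand to its LAN: that is the gap DHCPv6-PD fills. The 6to4 case shows the other half of Mark's complaint: the CPE ends up with a /48 keyed to its IPv4 address and typically uses just subnet 0 of it.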
On Thu, 3 Dec 2009, Mark Newton wrote:
On 03/12/2009, at 9:51 AM, Dave Temkin wrote:
You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
The Apple products do 6to4 out of the box, but don't support v6 natively.
Apple seems to have ideological objections to DHCPv6, so at the moment there's little hope at all that prefix delegation will work on any of their CPE products.
According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4. Best Regards, Janos Mohacsi
On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
Mohacsi Janos wrote:
According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.
Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet.
It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html I will check soon the hardware. Best Regards, Janos Mohacsi
Mohacsi Janos wrote:
On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
Mohacsi Janos wrote:
According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.
Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet.
It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html
Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful.
I will check soon the hardware.
Great, please report, thanks, Alex
Best Regards, Janos Mohacsi
On Sat, 12 Dec 2009, Alexandru Petrescu wrote:
Mohacsi Janos wrote:
On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
Mohacsi Janos wrote:
According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.
Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet.
It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html
Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful.
They do: "DHCP6 client requests prefix delegation, advertised on LAN bridge" Best Regards, Janos Mohacsi
Heard from a D-Link product manager that code that supports DHCPv6-PD will be available in the next month or two. I had asked about the DIR-615 and DIR-825, but he didn't mention which platform(s). This is good news. Frank -----Original Message----- From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com] Sent: Saturday, December 12, 2009 8:44 AM To: Mohacsi Janos Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mohacsi Janos a écrit :
On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
Mohacsi Janos wrote:
According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.
Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet.
It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html
Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful.
I will check soon the hardware.
Great, please report, thanks, Alex
Best Regards, Janos Mohacsi
Modulo the lack of PD, I found the IPv6 support for the DIR-825 (along with the other things it does well) to be rather decent. If people need gig-e simultaneous dual-band a/b/g/n home routers for ~$130 you should check the thing out. On 02/27/2010 08:59 AM, Frank Bulk wrote:
Heard from a D-Link product manager that code that supports DHCPv6-PD will be available in the next month or two. I had asked about the DIR-615 and DIR-825, but he didn't mention which platform(s).
This is good news.
Frank
-----Original Message----- From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com] Sent: Saturday, December 12, 2009 8:44 AM To: Mohacsi Janos Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Mohacsi Janos wrote:
On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
Mohacsi Janos wrote:
According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.
Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet.
It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html
Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful.
I will check soon the hardware.
Great, please report, thanks,
Alex
Best Regards, Janos Mohacsi
Related to the comment below the latest release of the Apple Airport Extremes and Time Capsules support IPv6 including prefix delegation and stateful DHCPv6 on the WAN interface. I am also working with Netgear and several others to ensure similar functionality is supported. John On 2/27/10 11:59 AM, "Frank Bulk" <frnkblk@iname.com> wrote:
Heard from a D-Link product manager that code that supports DHCPv6-PD will be available in the next month or two. I had asked about the DIR-615 and DIR-825, but he didn't mention which platform(s).
This is good news.
Frank
-----Original Message----- From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com] Sent: Saturday, December 12, 2009 8:44 AM To: Mohacsi Janos Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Mohacsi Janos wrote:
On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
Mohacsi Janos wrote:
According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.
Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet.
It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html
Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful.
I will check soon the hardware.
Great, please report, thanks,
Alex
Best Regards, Janos Mohacsi
========================================= John Jason Brzozowski Comcast Cable e) mailto:john_brzozowski@cable.comcast.com o) 609-377-6594 m) 484-962-0060 w) http://www.comcast6.net =========================================
On 27 Feb 2010, at 20:58, John Jason Brzozowski wrote:
Related to the comment below the latest release of the Apple Airport Extremes and Time Capsules support IPv6 including prefix delegation and stateful DHCPv6 on the WAN interface.
Is that latest hardware releases or software releases? Are they going to backport to earlier hardware if it is only software releases currently? f
I am testing with the latest hardware which I assume was released with a new firmware. On 2/27/10 4:02 PM, "Fearghas McKay" <fm-lists@st-kilda.org> wrote:
On 27 Feb 2010, at 20:58, John Jason Brzozowski wrote:
Related to the comment below the latest release of the Apple Airport Extremes and Time Capsules support IPv6 including prefix delegation and stateful DHCPv6 on the WAN interface.
Is that latest hardware releases or software releases?
Are they going to backport to earlier hardware if it is only software releases currently?
f
On 02/27/10 13:17, John Jason Brzozowski wrote:
I am testing with the latest hardware which I assume was released with a new firmware.
That is not in any way a safe assumption. -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
I can't say for the WAN interface, but, it doesn't give any controls for delegating stuff to the LAN interface(s) and doesn't provide visible indication of DHCP support on IPv6 in any configuration options. Additionally, I've found their IPv6 implementation to be rather broken in a number of "interesting" ways where the combination of IPv6 and IPv4 configuration choices results in several possible useful configurations that simply don't do IPv6 even though they should. Owen On Feb 27, 2010, at 12:58 PM, John Jason Brzozowski wrote:
Related to the comment below the latest release of the Apple Airport Extremes and Time Capsules support IPv6 including prefix delegation and stateful DHCPv6 on the WAN interface.
I am also working with Netgear and several others to ensure similar functionality is supported.
John
On 2/27/10 11:59 AM, "Frank Bulk" <frnkblk@iname.com> wrote:
Heard from a D-Link product manager that code that supports DHCPv6-PD will be available in the next month or two. I had asked about the DIR-615 and DIR-825, but he didn't mention which platform(s).
This is good news.
Frank
-----Original Message----- From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com] Sent: Saturday, December 12, 2009 8:44 AM To: Mohacsi Janos Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Mohacsi Janos wrote:
On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:
Mohacsi Janos wrote:
According to Apple the latest Apple Airport Extreme does support DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.
Airports don't support DHCPv6 PD yet. I'm led to believe that they may in the future from my Apple friends but not yet.
It does in a limited extent: http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html
Not sure that is DHCPv6 PD (Prefix Delegation), the discussion doesn't seem to say so. If it is it would be wonderful.
I will check soon the hardware.
Great, please report, thanks,
Alex
Best Regards, Janos Mohacsi
From: Mark Newton [mailto:newton@internode.com.au] On 03/12/2009, at 9:51 AM, Dave Temkin wrote:
You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
The Apple products do 6to4 out of the box, but don't support v6 natively.
FWIW - The (Cisco) Linksys 610N does (and perhaps others do?) the same amount of IPv6 the Airport Extreme does - 6to4, SLAAC - out of the box, by default. In fact, I am not sure you can turn it off ... /TJ
On 03/12/2009, at 22:46, "TJ" <trejrco@gmail.com> wrote:
From: Mark Newton [mailto:newton@internode.com.au] On 03/12/2009, at 9:51 AM, Dave Temkin wrote:
You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
The Apple products do 6to4 out of the box, but don't support v6 natively.
FWIW - The (Cisco) Linksys 610N does (and perhaps others do?) the same amount of IPv6 the Airport Extreme does - 6to4, SLAAC - out of the box, by default. In fact, I am not sure you can turn it off ..
Yep -- which is worse than useless in the presence of a service provider that's already offering dual-stack service. "Here! Have a v6 address. We'll even give you a moderately large prefix if you run a DHCPv6-PD client... Oh, what? You're going to ignore all that and use a 6to4 gateway and pessimize the v6 routing decisions we've made? And live in one /64 even though every man and his dog reckons service providers ought to be handing out /56s or /48s? Gee, glad we went to the effort..." Sadly the easiest way for residential subscribers to get IPv6 on PPPoE in 2009 is to put their CPE into "bridge" mode and run the PPPoE client on a PC. The vendors have really dropped the ball on this. (glares at Cisco/Linksys) - mark
From: Mark Newton [mailto:newton@internode.com.au]
FWIW - The (Cisco) Linksys 610N does (and perhaps others do?) the same amount of IPv6 the Airport Extreme does - 6to4, SLAAC - out of the box, by default. In fact, I am not sure you can turn it off ..
Yep -- which is worse than useless in the presence of a service provider that's already offering dual-stack service.
I might agree, if my provider offered native IPv6. They don't, so this minimal level of IPv6 is much better than nothing.
(glares at Cisco/Linksys)
Don't restrict yourself to just Cisco/Linksys - glare at all of the vendors, and the providers for that matter. :) And don't just glare, poke them insistently / incessantly! /TJ
You're correct, out of the box there aren't many. The first couple that come to mind are the Apple Airport Express and Airport Extreme, but I don't believe Linksys/Netgear/etc. have support out of the box.
The Apple products do 6to4 out of the box, but don't support v6 natively.
Apple seems to have ideological objections to DHCPv6, so at the moment there's little hope at all that prefix delegation will work on any of their CPE products.
Can Airport relay the DHCPv6 request to the service provider? Rubens
Biased opinion because we distribute/sell Tilgin-related products, but they are supposed to do IPv6.... Having said that, we have not lab tested them ourselves and plan to early next year.... Paul -----Original Message----- From: Wade Peacock [mailto:wade.peacock@sunwave.net] Sent: December-02-09 6:16 PM To: nanog@nanog.org Subject: Consumer Grade - IPV6 Enabled Router Firewalls. We had a discussion today about IPv6. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer-grade IPv6-enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, D-Links, SMCs or Netgears. Does anyone have any leads to information about such products (in production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home users are screaming for them. Thoughts? -- Wade Peacock Sun Country Cablevision Ltd
Apple has been shipping the Airport Extreme and Express (consumer router) with v6 support since 2007, if I recall correctly. They can also create a 4to6 tunnel automatically. -Matt Dodd On Dec 2, 2009, at 6:16 PM, Wade Peacock <wade.peacock@sunwave.net> wrote:
We had a discussion today about IPv6. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer-grade IPv6-enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, D-Links, SMCs or Netgears.
Does anyone have any leads to information about such products (In production or planned production)?
We are thinking that most vendors are going to wait until Ma and Pa home users are screaming for them.
Thoughts?
-- Wade Peacock Sun Country Cablevision Ltd <wade_peacock.vcf>
Matthew Dodd wrote:
Apple has been shipping the Airport Extreme and Express (consumer router) with v6 support since 2007, if I recall correctly. They can also create a 4to6 tunnel automatically.
By 4to6 do you mean IPv4 on the inside and IPv6 on the outside? Wade Peacock Sun Country Cablevision Ltd
On 3/12/2009, at 12:44 PM, Wade Peacock wrote:
Matthew Dodd wrote:
Apple has been shipping the Airport Extreme and Express (consumer router) with v6 support since 2007, if I recall correctly. They can also create a 4to6 tunnel automatically.
By 4to6 do you mean IPv4 on the inside and IPv6 on the outside?
He is confused, and means 6to4. Also the airport extreme does not do DHCPv6-PD or anything (as far as I know, they certainly did not last time I tried), so I don't know that we'd really call them an IPv6 CPE in the way that I suspect Wade means. -- Nathan Ward
I meant to say 6to4, sorry about that. Nothing special there. -Matt On Dec 2, 2009, at 6:44 PM, Wade Peacock <wade.peacock@sunwave.net> wrote:
Matthew Dodd wrote:
Apple has been shipping the Airport Extreme and Express (consumer router) with v6 support since 2007, if I recall correctly. They can also create a 4to6 tunnel automatically.
By 4to6 do you mean IPv4 on the inside and IPv6 on the outside?
Wade Peacock Sun Country Cablevision Ltd
<wade_peacock.vcf>
On 12/2/09 7:24 PM, "Brandon Galbraith" <brandon.galbraith@gmail.com> wrote:
On Wed, Dec 2, 2009 at 5:52 PM, Matthew Dodd <mdodd@doddserver.com> wrote:
I meant to say 6to4, sorry about that. Nothing special there.
-Matt
4to6 would be a mighty nice feature on a CPE =)
===> If you are thinking about only giving a v6 address to a CPE and still offering a v4 service, there is a technology for that, it is called dual-stack lite. See http://www.ietf.org/id/draft-ietf-softwire-dual-stack-lite-02.txt - Alain.
Wade Peacock <wade.peacock@sunwave.net> wrote:
We had a discussion today about IPv6. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer-grade IPv6-enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, D-Links, SMCs or Netgears.
The AVM FRITZ!Box series that is very popular in Germany has gained initial IPv6 support on their largest box (7270) in a lab firmware some time ago http://www.avm.de/en/news/artikel/IPv6_Lab.html Regards, Bernhard
There are specifications for them being developed in the IETF, BBF, and Cable Labs. Basically, all of the usual suspects are interested in having product that meets needs. On Dec 2, 2009, at 3:16 PM, Wade Peacock wrote:
We had a discussion today about IPv6. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer-grade IPv6-enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, D-Links, SMCs or Netgears.
Does anyone have any leads to information about such products (In production or planned production)?
We are thinking that most vendors are going to wait until Ma and Pa home users are screaming for them.
Thoughts?
-- Wade Peacock Sun Country Cablevision Ltd <wade_peacock.vcf>
On 03/12/2009, at 11:24 AM, Fred Baker wrote:
There are specifications for them being developed in the IETF, BBF, and Cable Labs. Basically, all of the usual suspects are interested in having product that meets needs.
I challenge the usual suspects to deliver actual working dual stack IPv6 ADSL CPE rather than feigning interest. None of the major CPE vendors appear to have a v6 plan despite your claims. We have an IPv6 dual stack trial for ADSL going on and not a single CPE from the _major consumer CPE vendors_. Come on CPE vendors - most of you run Linux in your CPEs these days. How hard is it to make it work? Someone got an image working for us with OpenWRT in his spare time in a week, surely you CPE vendors can cobble something together for people to try out in a real piece of ADSL CPE I can buy at a shop? I don't mean 6to4 or pseudo dual stack stuff. I mean real ADSL CPE with dual stack PPP and DHCPv6 in one box. MMC
On 03/12/2009, at 12:45 PM, Matthew Moyle-Croft wrote:
Come on CPE vendors - most of you run Linux in your CPEs these days. How hard is it to make it work? Someone got an image working for us with OpenWRT in his spare time in a week, surely you CPE vendors can cobble something together for people to try out in a real piece of ADSL CPE I can buy at a shop?
The fact that someone got OpenWRT working in less than a week of spare time makes it totally clear why the commercial vendors haven't done anything: They're just simply not interested, nothing more, nothing less. There's obviously no technical barrier whatsoever (otherwise, again, OpenWRT wouldn't work). If it can be done in a week of developer time there's barely even an economic barrier. It's just disinterest. Linksys, being owned by the world's largest router vendor and being confronted with actual independently-developed working code for their hardware platforms, have the least excuse out of any of them. Years and years of talk, and no customer-visible action whatsoever. What an exceptionally ordinary performance. See you in Melbourne next week, Fred :) - mark
Mark Newton wrote:
The fact that someone got OpenWRT working in less than a week of spare time makes it totally clear why the commercial vendors haven't done anything: They're just simply not interested, nothing more, nothing less.
I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues with the dhcp client that comes with it in the past, though I've had an ubuntu box acting as a router with wide-dhcp doing -PD. It works okay, although the devs really should look at better support on the automatic address assignment model and support for PD issued from PD. Of course, I suspect there's just not enough interest in the linux dev community to bother. Finally, one of the home router firmware companies (which I believe linksys used when they didn't use linux) has had IPv6 support in their codebase for a year now. See nanog history. The manufacturers that use their code don't seem to have implemented the new IPv6 code. Jack (sick, so if it doesn't make sense, sorry)
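Mark's point earlier in the thread about a DHCPv6-PD client getting "a moderately large prefix" instead of living in a single 6to4 /64, and Jack's "PD issued from PD" just above, as one added example (written for this page; not from the thread, OpenWRT, WIDE-DHCP or any vendor): a CPE's Solicit carrying IA_PD, the server's Advertise carrying IAPREFIX (or a NoPrefixAvail status when the hint is outside policy), the client parsing it, and the CPE carving /64s for its LAN bridges while reserving a /60 to re-delegate to a router behind it. Option layouts follow RFC 3315 and RFC 3633; the DUIDs, MACs, transaction ID and 2001:db8::/32 prefixes are constructed.

```python
"""Added example (not from the thread or any vendor): a minimal DHCPv6 prefix
delegation exchange using the RFC 3315 / RFC 3633 option layouts, then the
CPE's use of the delegated block. DUIDs, MACs and prefixes are constructed."""
import ipaddress
import itertools
import struct

SOLICIT, ADVERTISE, REPLY = 1, 2, 7
OPT_CLIENTID, OPT_SERVERID, OPT_ELAPSED = 1, 2, 8
OPT_STATUS, OPT_IA_PD, OPT_IAPREFIX = 13, 25, 26
STATUS_NOPREFIXAVAIL = 6


def opt(code, data):
    """DHCPv6 TLV: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def parse_opts(data):
    """Yield (code, payload); refuse options whose length runs past the buffer."""
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("option length exceeds message")
        yield code, data[off:off + length]
        off += length


def duid_ll(mac):
    """DUID-LL: DUID type 3, hardware type 1 (Ethernet), link-layer address."""
    return struct.pack("!HH", 3, 1) + bytes.fromhex(mac.replace(":", ""))


def build_solicit(client_duid, iaid, xid, hint_len=56):
    """CPE -> server: Solicit carrying IA_PD with a length-only IAPREFIX hint."""
    hint = struct.pack("!IIB", 0, 0, hint_len) + bytes(16)            # zero prefix = "any"
    ia_pd = struct.pack("!III", iaid, 0, 0) + opt(OPT_IAPREFIX, hint)  # IAID, T1, T2
    return (bytes([SOLICIT]) + xid + opt(OPT_CLIENTID, client_duid)
            + opt(OPT_ELAPSED, struct.pack("!H", 0)) + opt(OPT_IA_PD, ia_pd))


def build_advertise(solicit, server_duid, pool):
    """Server -> CPE: first prefix of the hinted length from `pool`, else NoPrefixAvail."""
    if solicit[0] != SOLICIT:
        raise ValueError("expected Solicit")
    opts = dict(parse_opts(solicit[4:]))
    iaid = struct.unpack_from("!I", opts[OPT_IA_PD], 0)[0]
    hint_len = 56
    for code, payload in parse_opts(opts[OPT_IA_PD][12:]):
        if code == OPT_IAPREFIX:
            hint_len = payload[8]
    if hint_len < pool.prefixlen or hint_len > 64:                       # policy: /pool..../64 only
        status = struct.pack("!H", STATUS_NOPREFIXAVAIL) + b"no prefix of that size"
        ia_pd = struct.pack("!III", iaid, 0, 0) + opt(OPT_STATUS, status)
    else:
        prefix = next(pool.subnets(new_prefix=hint_len))                # lease bookkeeping omitted
        iaprefix = (struct.pack("!IIB", 3600, 7200, prefix.prefixlen)   # preferred, valid, length
                    + prefix.network_address.packed)
        ia_pd = struct.pack("!III", iaid, 1800, 2880) + opt(OPT_IAPREFIX, iaprefix)
    return (bytes([ADVERTISE]) + solicit[1:4] + opt(OPT_SERVERID, server_duid)
            + opt(OPT_CLIENTID, opts[OPT_CLIENTID]) + opt(OPT_IA_PD, ia_pd))


def parse_delegation(msg, iaid):
    """CPE side: the delegated prefix for our IAID; a non-zero Status Code is raised, not ignored."""
    if msg[0] not in (ADVERTISE, REPLY):
        raise ValueError("expected Advertise or Reply")
    for code, payload in parse_opts(msg[4:]):
        if code != OPT_IA_PD or struct.unpack_from("!I", payload, 0)[0] != iaid:
            continue
        for sub, sdata in parse_opts(payload[12:]):
            if sub == OPT_STATUS:
                status = struct.unpack_from("!H", sdata, 0)[0]
                if status != 0:
                    raise RuntimeError("status %d: %s" % (status, sdata[2:].decode("utf-8", "replace")))
            elif sub == OPT_IAPREFIX:
                preferred, valid, plen = struct.unpack_from("!IIB", sdata, 0)
                return ipaddress.IPv6Network((sdata[9:25], plen), strict=False), preferred, valid
    raise ValueError("no IA_PD for IAID %d" % iaid)


def plan_lan(delegated, lan_count, downstream_len=60):
    """Carve /64s for the CPE's LAN bridges; keep the last /<downstream_len> to re-delegate (PD from PD)."""
    if not delegated.prefixlen <= downstream_len <= 64:
        raise ValueError("delegation too small to split")
    lans = list(itertools.islice(delegated.subnets(new_prefix=64), lan_count))
    downstream = list(delegated.subnets(new_prefix=downstream_len))[-1]
    if any(lan.overlaps(downstream) for lan in lans):
        raise ValueError("too many LANs for this delegation")
    return lans, downstream


def demo(hint_len=56):
    """Run the exchange end to end with constructed identifiers."""
    client = duid_ll("00:1b:63:84:45:e6")                  # constructed CPE MAC
    server = duid_ll("00:50:56:9a:1b:2c")                  # constructed BNG MAC
    pool = ipaddress.IPv6Network("2001:db8:ab00::/40")     # documentation space
    solicit = build_solicit(client, iaid=1, xid=b"\x00\x00\x01", hint_len=hint_len)
    delegated, _preferred, _valid = parse_delegation(build_advertise(solicit, server, pool), 1)
    lans, downstream = plan_lan(delegated, lan_count=3)
    return delegated, lans, downstream
```

Transport (UDP 546/547 and the All_DHCP_Relay_Agents_and_Servers multicast), retransmission timers and the Request/Reply round trip that follows an Advertise are left out; the shape of the IA_PD and IAPREFIX options is the part a CPE implementer has to get right, and the Status Code branch is the one a client must not silently fall past into 6to4.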
One of the better/only decent implementations I have run across in the retail world so far is the D-Link 615SW. Look for the IPv6_Ready Gold cert emblem (found this on an endcap at Fry's and nobody in the department knew what IPv6 was) on the front of the box for easy recognition although there are other modems with RevC (think Rev_B works as well) firmware that don't have the label but work as well. The major feature missing is DHCPv6 IA_PD but you won't find this on any retail router that I am aware of today. What you will find though is WAN interface config via static, stateful or stateless DHCPv6 as well as stateful and stateless PPPoEv6. It even offers a DHCPv6 server for your LAN interfaces to boot. I am not sure if this product was built for the Japanese market and is now being released here to determine interest from the retail sector but it is useful for a trial lab or for testing at home. The major caveat of course is that all the IPv6 configs are done in Advanced Config mode and hence not designed for plug-and-play for your average home user. Jason ________________________________________ From: Jack Bates [jbates@brightok.net] Sent: Thursday, December 03, 2009 7:06 PM To: Mark Newton Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mark Newton wrote:
The fact that someone got OpenWRT working in less than a week of spare time makes it totally clear why the commercial vendors haven't done anything: They're just simply not interested, nothing more, nothing less.
I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues with the dhcp client that comes with it in the past, though I've had an ubuntu box acting as a router with wide-dhcp doing -PD. It works okay, although the devs really should look at better support on the automatic address assignment model and support for PD issued from PD. Of course, I suspect there's just not enough interest in the linux dev community to bother. Finally, one of the home router firmware companies (which I believe linksys used when they didn't use linux) has had IPv6 support in their codebase for a year now. See nanog history. The manufacturers that use their code don't seem to have implemented the new IPv6 code. Jack (sick, so if it doesn't make sense, sorry)
Give their emulator a try: http://support.dlink.com/emulators/dir615_revC/310NA/login.htm Perhaps this is a dumb question, but without DHCPv6 IA_PD support, how are "other" large service providers rolling out IPv6 for their cable broadband, xDSL, BWA, and FTTH customers? 100% SLAAC? Frank -----Original Message----- From: Jason.Weil@cox.com [mailto:Jason.Weil@cox.com] Sent: Thursday, December 03, 2009 8:54 PM To: jbates@brightok.net; newton@internode.com.au Cc: nanog@nanog.org Subject: RE: Consumer Grade - IPV6 Enabled Router Firewalls. One of the better/only decent implementations I have run across in the retail world so far is the D-Link 615SW. Look for the IPv6_Ready Gold cert emblem (found this on an encap at Fry's and nobody in the department knew what IPv6 was) on the front of the box for easy recognition although there are other modems with RevC (think Rev_B works as well) firmware that don't have the label but work as well. The major feature missing is DHCPv6 IA_PD but you won't find this on any retail router that I am aware of today. What you will find though is WAN interface config via static, stateful or stateless DHCPv6 as well as stateful and stateless PPPoEv6. It even offers a DHCPv6 server for your LAN interfaces to boot. I am not sure if this product was built for the Japanese market and is now being released here to determine interest from the retail sector but it is useful for a trial lab or for testing at home. The major caveat of course is that all the IPv6 configs are done in Advanced Config mode and hence not designed for plug-and-play for your average home user. Jason ________________________________________ From: Jack Bates [jbates@brightok.net] Sent: Thursday, December 03, 2009 7:06 PM To: Mark Newton Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mark Newton wrote:
The fact that someone got OpenWRT working in less than a week of spare time makes it totally clear why the commercial vendors haven't done anything: They're just simply not interested, nothing more, nothing less.
I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues with the dhcp client that comes with it in the past, though I've had an ubuntu box acting as a router with wide-dhcp doing -PD. It works okay, although the devs really should look at better support on the automatic address assignment model and support for PD issued from PD. Of course, I suspect there's just not enough interest in the linux dev community to bother. Finally, one of the home router firmware companies (which I believe linksys used when they didn't use linux) has had IPv6 support in their codebase for a year now. See nanog history. The manufacturers that use their code don't seem to have implemented the new IPv6 code. Jack (sick, so if it doesn't make sense, sorry)
DHCPv6 PD is pretty crucial. I'd love to see the code in an ADSL box (hint hint hint DLINK). MMC
Frank Bulk wrote:
Give their emulator a try: http://support.dlink.com/emulators/dir615_revC/310NA/login.htm
Perhaps this is a dumb question, but without DHCPv6 IA_PD support, how are "other" large service providers rolling out IPv6 for their cable broadband, xDSL, BWA, and FTTH customers? 100% SLAAC?
Frank
-----Original Message----- From: Jason.Weil@cox.com [mailto:Jason.Weil@cox.com] Sent: Thursday, December 03, 2009 8:54 PM To: jbates@brightok.net; newton@internode.com.au Cc: nanog@nanog.org Subject: RE: Consumer Grade - IPV6 Enabled Router Firewalls.
One of the better/only decent implementations I have run across in the retail world so far is the D-Link 615SW. Look for the IPv6_Ready Gold cert emblem (found this on an encap at Fry's and nobody in the department knew what IPv6 was) on the front of the box for easy recognition although there are other modems with RevC (think Rev_B works as well) firmware that don't have the label but work as well. The major feature missing is DHCPv6 IA_PD but you won't find this on any retail router that I am aware of today. What you will find though is WAN interface config via static, stateful or stateless DHCPv6 as well as stateful and stateless PPPoEv6. It even offers a DHCPv6 server for your LAN interfaces to boot.
I am not sure if this product was built for the Japanese market and is now being released here to determine interest from the retail sector but it is useful for a trial lab or for testing at home. The major caveat of course is that all the IPv6 configs are done in Advanced Config mode and hence not designed for plug-and-play for your average home user.
Jason ________________________________________ From: Jack Bates [jbates@brightok.net] Sent: Thursday, December 03, 2009 7:06 PM To: Mark Newton Cc: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Mark Newton wrote:
The fact that someone got OpenWRT working in less than a week of spare time makes it totally clear why the commercial vendors haven't done anything: They're just simply not interested, nothing more, nothing less.
I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues with the dhcp client that comes with it in the past, though I've had an ubuntu box acting as a router with wide-dhcp doing -PD. It works okay, although the devs really should look at better support on the automatic address assignment model and support for PD issued from PD. Of course, I suspect there's just not enough interest in the linux dev community to bother.
Finally, one of the home router firmware companies (which I believe linksys used when they didn't use linux) has had IPv6 support in their codebase for a year now. See nanog history. The manufacturers that use their code don't seem to have implemented the new IPv6 code.
Jack (sick, so if it doesn't make sense, sorry)
I challenge the usual suspects to deliver actual working dual stack IPv6 ADSL CPE rather than feigning interest. None of the major CPE vendors appear to have a v6 plan despite your claims. We have an IPv6 dual stack trial for ADSL going on and not a single CPE from the _major consumer CPE vendors_.
I've seen some ADSL CPEs that could bridge specific frame types. It would be feasible to think of an ADSL CPE that would simply bridge IPv4/ARP and IPv6 ethertypes and have a dual-stack BRAS service the users, or bridge IPv4/ARP to a VC (Virtual Circuit) and IPv6 to another VC, or NAT+Route IPv4 to a VC and bridge IPv6 to another VC. In an IPv6 world where NAT is not a requirement (paranoids are welcome to buy their own IPv6 firewalls), bridging with some L4 intelligence might be all that a CPE needs to do. The IPv6 idea of letting end-nodes have more work and intermediate nodes have less work also applies to CPEs. Rubens
I challenge the usual suspects to deliver actual working dual stack IPv6 ADSL CPE rather than feigning interest. None of the major CPE vendors appear to have a v6 plan despite your claims. We have an IPv6 dual stack
Unless I haven't put the full picture together yet, for my PPPoA/E environment I would like a DSL CPE that:
- on the WAN interface does IPv4 (with NAT support) and IPv6 over PPPoE combined with DHCP-PD (with a stateful firewall).
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static IPv6, and stateful and stateless DHCPv6.
- allows me to run IPv4, IPv6, or both
For my bridged environments (whether that be DSL or FTTH) I would like a CPE that
- on the WAN interface does IPv4 (with NAT support), IPv6 with Link-Local only, static IPv6, and IPv6 with DHCP-PD (with a stateful firewall).
- on the LAN interface does the regular IPv4 stuff, Link-Local only, static IPv6, and stateful and stateless DHCPv6.
- allows me to run IPv4, IPv6, or both
While the support burden will be raised, I think the network needs to be dual-stack from end-to-end if SPs want to keep middle-boxes out. But for those who really do run out of IPv4 addresses, I'm not sure how middle-boxes can be avoided. Kind of hard to tell customer n+1 that they can only visit the IPv6 part of the web. Perhaps new customers will have to use a service provider's CGN and share IPv4 addresses until enough of the internet is dual-stack.
Frank
-----Original Message----- From: Rubens Kuhl [mailto:rubensk@gmail.com] Sent: Saturday, December 12, 2009 12:48 PM To: nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.
trial for ADSL going on and not a single CPE from the _major consumer CPE vendors_.
I've seen some ADSL CPEs that could bridge specific frame types. It would be feasible to think of an ADSL CPE that would simply bridge IPv4/ARP and IPv6 ethertypes and have a dual-stack BRAS service the users, or bridge IPv4/ARP to a VC (Virtual Circuit) and IPv6 to another VC, or NAT+Route IPv4 to a VC and bridge IPv6 to another VC.
In an IPv6 world where NAT is not a requirement (paranoids are welcome to buy their own IPv6 firewalls), bridging with some L4 intelligence might be all that a CPE needs to do. The IPv6 idea of letting end-nodes have more work and intermediate nodes have less work also applies to CPEs. Rubens
On 13/12/2009, at 10:10 AM, Frank Bulk wrote:
While the support burden will be raised, I think the network needs to be dual-stack from end-to-end if SPs want to keep middle-boxes out. But for those who really do run out of IPv4 addresses, I'm not sure how middle-boxes can be avoided. Kind of hard to tell customer n+1 that they can only visit the IPv6 part of the web. Perhaps new customers will have to use a service provider's CGN and share IPv4 addresses until enough of the internet is dual-stack.
The most likely outcome I can see is that customers on services which feature dynamic IPv4 addresses (mostly residential) will end up behind a CGN on a dual stack service. I fully expect the CGN to suck mightily, mitigated somewhat by the fact that the customer would also happen to have a non-NATted IPv6 address if they upgrade their CPE to take advantage of it.
Despite the suckage, as long as email, web and VoIP keeps working I think most residential customers wouldn't notice the CGN imposition at all.
The act of putting those customers behind a CGN would immediately free up enough IPv4 addresses that the ISP concerned would have a virtually limitless supply for fixed-IP business-grade services -- "virtually" limitless in the sense that there'd be enough to feed those services with new addresses for however much time it takes to complete an IPv6 transition.
How long will that take? I don't think it'll be anywhere near as long as most people appear to be expecting. Sure, there'll be a large installed base of printers and home entertainment devices running legacy IPv4-only software, but by and large they either don't need Internet access at all or are quite happy talking to the world through NAT, and can be mostly ignored for the purpose of a discussion about transition durations (in the same way that we ignored all the HP JetDirect cards when we talked about how long it took to turn the Internet classless).
I reckon CGNs will be so bad, with so many bugs and so much support overhead that service providers and customers alike will want to move past them as quickly as humanly possible, and the whole transition will be all done and dusted in a few years from their implementation. It's going to be a total and absolute disaster, and the only way out of it will be to move forward.
Of course, all of this is predicated on the notion that CGNs will actually exist. As far as I can tell they're all vapourware at the moment.
If there's one thing I've learned from all of this it's that roadmap announcements aren't worth anything, and that if the vendors ever do actually manage to get around to shipping something it'll be so poorly thought out that it's impractical to use in a service provider environment until version 2 -- which, in the case of CGN, will be too late.
- mark -- Mark Newton Email: newton@internode.com.au (W) Network Engineer Email: newton@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
In message <D73FDB46-BF23-4825-89C6-51601D6221F3@internode.com.au>, Mark Newton writes:
Of course, all of this is predicated on the notion that CGNs will actually exist. As far as I can tell they're all vapourware at the moment.
Comcast commissioned ISC to develop a working CGN. We are in the final release stages of our CGN product, AFTR. https://www.isc.org/software/aftr You can go and download it now if you want. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
Thanks for the link. The most obvious question to me is scalability. What box is going to be running AFTR to do all this translation? It looks like the B4 part is running on the customer's CPE, but if we need to move hundreds of Mbps, if not Gbps, wouldn't that require some C/J/F class type of box?
Frank
-----Original Message----- From: marka@isc.org [mailto:marka@isc.org] Sent: Sunday, December 13, 2009 4:14 PM To: Mark Newton Cc: frnkblk@iname.com; nanog@nanog.org Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.
In message <D73FDB46-BF23-4825-89C6-51601D6221F3@internode.com.au>, Mark Newton writes:
Of course, all of this is predicated on the notion that CGNs will actually exist. As far as I can tell they're all vapourware at the moment.
Comcast commissioned ISC to develop a working CGN. We are in the final release stages of our CGN product, AFTR. https://www.isc.org/software/aftr You can go and download it now if you want. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
There are specifications for them being developed in the IETF, BBF, and Cable Labs. Basically, all of the usual suspects are interested in having product that meets needs.
We had a discussion today about IPv6. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears.
Does anyone have any leads to information about such products (In production or planned production)?
We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them.
fred. check your mail system. it is regurgitating email from 2001, except it is modifying the headers to have current dates. randy
Would you consider Juniper SSG5 as a Consumer Grade router? They do IPv6 and they are pretty good in general, and cheap as well. Mehmet On Dec 2, 2009, at 3:16 PM, Wade Peacock wrote:
We had a discussion today about IPv6. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enabled internet gateways (routers/firewalls), akin to the ever popular Linksys 54G series, DLinks, SMCs or Netgears.
Does anyone have any leads to information about such products (In production or planned production)?
We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them.
Thoughts?
-- Wade Peacock Sun Country Cablevision Ltd
On 03/12/2009, at 12:53 PM, Mehmet Akcin wrote:
Would you consider Juniper SSG5 as a Consumer Grade router?
Depends. Can I get one at Frys for $69.95 and set it up with a web browser? - mark -- Mark Newton Email: newton@internode.com.au (W) Network Engineer Email: newton@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
On Wed, Dec 2, 2009 at 8:30 PM, Mark Newton <newton@internode.com.au> wrote:
On 03/12/2009, at 12:53 PM, Mehmet Akcin wrote:
Would you consider Juniper SSG5 as a Consumer Grade router?
Depends. Can I get one at Frys for $69.95 and set it up with a web browser?
That would be cool, a nice box running JUNOS for seventy bucks, gimme two !! Cheers Jorge
On Dec 2, 2009, at 6:53 PM, Jorge Amodio wrote:
On Wed, Dec 2, 2009 at 8:30 PM, Mark Newton <newton@internode.com.au> wrote:
On 03/12/2009, at 12:53 PM, Mehmet Akcin wrote:
Would you consider Juniper SSG5 as a Consumer Grade router?
Depends. Can I get one at Frys for $69.95 and set it up with a web browser?
That would be cool, a nice box running JUNOS for seventy bucks, gimme two !!
Noted on the Christmas tree for Santa ;) let's see if it will happen.. SSG5s are still on ScreenOS and going to be..., SRX series run JunOS but little too pricey for a home router :)
Cheers Jorge
Once upon a time, Mehmet Akcin <mehmet@akcin.net> said:
Noted on the Christmas tree for Santa ;) let's see if it will happen.. SSG5s are still on ScreenOS and going to be..., SRX series run JunOS but little too pricey for a home router :)
I think the SRX100 is the intended replacement for the SSG5. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Bill Fehring wrote:
On Wed, Dec 2, 2009 at 18:23, Mehmet Akcin <mehmet@akcin.net> wrote:
Would you consider Juniper SSG5 as a Consumer Grade router?
No. Way too expensive and virtually 100% of consumers would not be able to install it on their own.
If they can't plug it in (that's a huge task on its own for many people) and it "just works", it's not consumer grade. Yes, even if that means a billion "linksys" SSIDs on channel 6. ~Seth
--On Wednesday, December 02, 2009 6:23 PM -0800 Mehmet Akcin <mehmet@akcin.net> wrote:
Would you consider Juniper SSG5 as a Consumer Grade router?
They do IPv6 and they are pretty good in general, and cheap as well.
Not as usable in the consumer space due to lack of UPnP (and Juniper is NOT interested in implementing it). They also lack some other customer friendly features. Price point is also probably 3x-5x what most are willing to pay for CPE.
On Dec 10, 2009, at 4:56 PM, Michael Loftis wrote:
--On Wednesday, December 02, 2009 6:23 PM -0800 Mehmet Akcin <mehmet@akcin.net> wrote:
Would you consider Juniper SSG5 as a Consumer Grade router?
They do IPv6 and they are pretty good in general, and cheap as well.
Not as usable in the consumer space due to lack of UPnP (and Juniper is NOT interested in implementing it). They also lack some other customer friendly features.
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.
Price point is also probably 3x-5x what most are willing to pay for CPE.
Yep. Side-note, SRX-100 is the new SSG-5 equivalent and it's JunOS instead of ScreenOS. Nice box. Owen
Once upon a time, Owen DeLong <owen@delong.com> said:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
You don't need UPnP if you're not doing NAT.
You need UPnP for a stateful firewall, whether it is mangling packets with NAT or not. I have an Xbox 360 behind an SSG-5 with no NAT, and I can't play some on-line games unless I open up the Xbox IP in the SSG. You can debate whether UPnP is the correct solution, but some solution is needed (even with IPv6) as long as stateful firewalls exist. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
On 11/12/2009, at 1:14 PM, Owen DeLong wrote:
You don't need UPnP if you're not doing NAT.
You kinda do if you're using a stateful firewall with a "deny everything that shouldn't be accepted" policy. UPnP (or something like it) would have to tell the firewall what should be accepted. - mark -- Mark Newton Email: newton@internode.com.au (W) Network Engineer Email: newton@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
Mark Newton wrote, on 2009-12-11 03:09:
You kinda do if you're using a stateful firewall with a "deny everything that shouldn't be accepted" policy. UPnP (or something like it) would have to tell the firewall what should be accepted.
That's putting the firewall at the mercy of viruses, worms, etc. The firewall shouldn't trust anything else to tell it what is good and bad traffic. Simon -- DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca vCard 4.0 --> http://www.vcarddav.org
On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
Mark Newton wrote, on 2009-12-11 03:09:
You kinda do if you're using a stateful firewall with a "deny everything that shouldn't be accepted" policy. UPnP (or something like it) would have to tell the firewall what should be accepted.
That's putting the firewall at the mercy of viruses, worms, etc. The firewall shouldn't trust anything else to tell it what is good and bad traffic.
What do you suggest? Manual configuration? We *know* that if a worm puts up a popup that says "Enable port 33493 on your firewall for naked pics of.." that port 33493 will get opened anyhow, so we may as well automate the process and save everybody the effort. Redesigning the security so that human intervention is required isn't worth the effort, because the black hats are much better at convincing people to do something than the white hats are at teaching them why they shouldn't do it. Probably because we don't teach with naked pics of...
Valdis.Kletnieks@vt.edu wrote, on 2009-12-11 08:06:
On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
Mark Newton wrote, on 2009-12-11 03:09:
You kinda do if you're using a stateful firewall with a "deny everything that shouldn't be accepted" policy. UPnP (or something like it) would have to tell the firewall what should be accepted.
That's putting the firewall at the mercy of viruses, worms, etc. The firewall shouldn't trust anything else to tell it what is good and bad traffic.
What do you suggest?
That depends on the circumstances. UPnP is fine in some circumstances and wrong in others.
We *know* that if a worm puts up a popup that says "Enable port 33493 on your firewall for naked pics of.." that port 33493 will get opened anyhow, so we may as well automate the process and save everybody the effort.
Not if the victim doesn't have rights on the firewall (e.g. enterprise). Simon -- DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca vCard 4.0 --> http://www.vcarddav.org
On 11/12/2009, at 11:56 PM, Simon Perreault wrote:
We *know* that if a worm puts up a popup that says "Enable port 33493 on your firewall for naked pics of.." that port 33493 will get opened anyhow, so we may as well automate the process and save everybody the effort.
Not if the victim doesn't have rights on the firewall (e.g. enterprise).
Would you be using "Consumer Grade - IPV6 Enabled Router Firewalls" in the enterprise? 'cos if you would, I think I might have entered the wrong thread :) - mark -- Mark Newton Email: newton@internode.com.au (W) Network Engineer Email: newton@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
On 12/12/2009 01:55 AM, Mark Newton wrote:
Would you be using "Consumer Grade - IPV6 Enabled Router Firewalls" in the enterprise? 'cos if you would, I think I might have entered the wrong thread :)
Yeah, I think I did. Sorry for the noise. Simon -- DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca vCard 4.0 --> http://www.vcarddav.org
Mark Newton wrote, on 2009-12-11 03:09:
You kinda do if you're using a stateful firewall with a "deny everything that shouldn't be accepted" policy. UPnP (or something like it) would have to tell the firewall what should be accepted.
That's putting the firewall at the mercy of viruses, worms, etc. The firewall shouldn't trust anything else to tell it what is good and bad traffic.
Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen.
If you make it "smart" (i.e. UPnP) then it will of course autoconfigure itself for an appropriate virus.
However, your average home user often doesn't change their $FOOGEAR password from the default of 1234, and it is reasonable to assume that at some point, viruses will ship with some minimal knowledge of how to "manually" fix their networking environment. Or better yet? Runs a password cracker until it figures it out, since the admin interfaces on these things are rarely hardened.
If you actually /do/ a really good firewall, then of course users find it "hard to use" and your company takes a support hit, maybe gets a bad reputation, etc.
There's no winning.
... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Joe Greco wrote, on 2009-12-11 08:36:
Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen.
If you make it "smart" (i.e. UPnP) then it will of course autoconfigure itself for an appropriate virus.
However, your average home user often doesn't change their $FOOGEAR password from the default of 1234, and it is reasonable to assume that at some point, viruses will ship with some minimal knowledge of how to "manually" fix their networking environment. Or better yet? Runs a password cracker until it figures it out, since the admin interfaces on these things are rarely hardened.
If you actually /do/ a really good firewall, then of course users find it "hard to use" and your company takes a support hit, maybe gets a bad reputation, etc.
There's no winning.
Agreed. We have thus come to the conclusion that there shouldn't be a NAT-like firewall in IPv6 home routers. Thanks, Simon -- DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca vCard 4.0 --> http://www.vcarddav.org
On Fri, 11 Dec 2009, Simon Perreault wrote:
We have thus come to the conclusion that there shouldn't be a NAT-like firewall in IPv6 home routers.
No, the conclusion is that for IPv6 there should be something that behaves much like current IPv4 NAT boxes, ie do stateful firewalling and only let internal computers initiate connections outgoing, do protocol sniffing for allowing incoming new connections, and use some UPnP like method to do temporary firewall openings. This is the social contract of the current home gateway ecosystem, and initially IPv6 devices need to replicate this. Last I checked, this was the conclusion of multiple IPv6 related IETF working groups, check out "homegate" and "v6ops" WGs for instance. -- Mikael Abrahamsson email: swmike@swm.pp.se
On 12/12/2009, at 12:11 AM, Simon Perreault wrote:
We have thus come to the conclusion that there shouldn't be a NAT-like firewall in IPv6 home routers.
Eh? What does NAT have to do with anything? We already know that IPv6 residential firewalls won't do NAT, so why bring it into this discussion at all?
Some of us are trying to formulate and offer real-life IPv6 services to our marketplaces before IPv4 runs out, and the vendors simply aren't interested in being there to help us out. Pointless distractions about orthogonal issues that don't matter (e.g., NAT) don't help at all.
FWIW, I asked Fred Baker about this at the IPv6 Forum meeting in Australia this week. He'd just handled another question about the memory requirements required for burgeoning routing table growth by saying that if routers need extra RAM then routers with extra RAM will appear on the market, because "if you're prepared to pay money for it, we'll try to sell it to you."
So I asked, "I'm prepared to pay money for IPv6-capable ADSL2+ CPE. Are you prepared to sell it to me?" and he said, "Yes, just not with our firmware."
Which I thought was a bit of a cop-out, given that it was one of our customers who developed the IPv6 openwrt support in the first place, with zero support from Fred's employer, after we'd spent two years hassling them about their lack of action.
... and this is in the same week when, in the context of IPv6, someone else asked me how many units of their gear we'd ship ("Zero. You don't have a product with the features we need so we'll use one of your competitors instead. Let's revisit this when you're prepared to have a conversation that doesn't include `lack of market demand' as a reason for not doing it.")
Argh. Disillusionment, much?
- mark -- Mark Newton Email: newton@internode.com.au (W) Network Engineer Email: newton@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
Once upon a time, Joe Greco <jgreco@ns.sol.net> said:
Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen.
I don't think hardware vs. software makes a "real" firewall. A NAT gateway has to have all the basic functionality of a stateful firewall, plus packet mangling. Typical home NAT gateways don't have all the configurability of an SSG or such, but the same basic functionality is there. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Once upon a time, Joe Greco <jgreco@ns.sol.net> said:
Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen.
I don't think hardware vs. software makes a "real" firewall. A NAT gateway has to have all the basic functionality of a stateful firewall, plus packet mangling. Typical home NAT gateways don't have all the configurability of an SSG or such, but the same basic functionality is there.
You can blow away the firmware of your NAT gateway and load something like DD-WRT. This gives you a hardware firewall (an external hardware device that acts as a deliberate firewall; i.e. you can firewall 1.2.3.4 from 5.6.7.8). It is not filtering packets in silicon, which is an alternate definition for "hardware firewall" that many in this group could use, but in common usage, it is the distinctness from the protected host(s) and the ability to implement typical firewalling rules and methods, with or _without_ NAT, that makes it a "hardware firewall."
Your existing NAT gateway firmware may well be based on Linux and may have portions implemented by a Linux firewalling subsystem, but in most cases, you cannot really drill down to any significant level of detail, and quite frequently the main "anti-forwarding" protection offered is simply the difficulty in surmounting the artificial barrier created by the NAT addressing discontinuity.
While this might technically count as "the same basic functionality," functionality that cannot be accessed or used might as well not be there for the purposes of this discussion. So I'll pass on considering your average NAT gateway as a "hardware firewall."
... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Owen DeLong wrote:
On Dec 10, 2009, at 4:56 PM, Michael Loftis wrote:
--On Wednesday, December 02, 2009 6:23 PM -0800 Mehmet Akcin <mehmet@akcin.net> wrote:
Would you consider Juniper SSG5 as a Consumer Grade router?
They do IPv6 and they are pretty good in general, and cheap as well.
Not as usable in the consumer space due to lack of UPnP (and Juniper is NOT interested in implementing it). They also lack some other customer friendly features.
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
You don't need UPnP if you're not doing NAT.
wishful thinking. you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.
Price point is also probably 3x-5x what most are willing to pay for CPE.
Yep.
Side-note, SRX-100 is the new SSG-5 equivalent and it's JunOS instead of ScreenOS. Nice box.
Owen
--On Sunday, December 13, 2009 9:17 AM -0800 Joel Jaeggli <joelja@bogus.com> wrote:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
You don't need UPnP if you're not doing NAT.
wishful thinking.
you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.
Amen indeed. Consumers do not care if it's a good idea or not. And honestly in a home network, well, it's not as frightening. In a business of any kind (including home based) it is bad. You should have a DMZ with carefully controlled open ports lists. But that's preaching to the choir here.
IPv6 doesn't magically negate the need for UPnP, UPnP is not tied to NAT. It's a way for applications to ask the firewall to selectively open ports up to them. Intelligent stateful firewalls can do that for limited applications, perhaps with some sort of policy control even. Though Joe/Jill Gamer (which is what UPnP is for) won't know anything about any of that. They define a gateway as functioning or not.
I really am honestly sick of people thinking IPv6 is a panacea. It isn't. UPnP is rather a bit of a hack for sure, protocols should be better designed, but in this modern age of Peer To Peer you need a way for applications to ask the firewall to selectively open incoming ports.
I really am honestly sick of people thinking IPv6 is a panacea. It isn't. UPnP is rather a bit of a hack for sure, protocols should be better designed, but in this modern age of Peer To Peer you need a way for applications to ask the firewall to selectively open incoming ports.
If the addresses of your gaming machines are no longer dynamic and their ports are no longer getting dynamically remapped, why do you need that instead of a way to tell the firewall that X machine is allowed to receive packets on Y ports from Z hostlist (where X,Z can be wildcarded, and, Y can be some form of list, range, or list of ranges)?
No, IPv6 is not a panacea. However, IPv6 does eliminate the need for rapidly changing addresses on hosts that need to accept inbound connections, which makes it possible to define policy for those hosts rather than just trusting unauthenticated arbitrary applications to amend your security policy at your border.
UPnP is the firewall equivalent of having US CBP admit any person who has someone in the US say that they should be admitted. While I do support some level of immigration reform and more open borders than has been the trend of late, even I would not go that far.
Owen
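To make the two positions concrete (Mikael's description of a gateway that only lets internal hosts initiate flows, and Owen's static "host X, ports Y, sources Z" policy with wildcards and port ranges), here is an added Python model written for this page, not code from any poster; the prefixes, addresses and port numbers are constructed sample values.

```python
"""Model of the IPv6 home-gateway policy discussed in the thread (added example).

Two mechanisms are combined:
  * stateful behaviour: a packet sent by an internal host creates a flow entry,
    and only replies belonging to such a flow are accepted from the outside;
  * a static inbound allow list of the form "host X may receive packets on
    ports Y from sources Z", where X and Z may be wildcarded and Y is a list
    of single ports and/or port ranges.
All addresses are constructed sample values (documentation and ULA prefixes).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = ipaddress.IPv6Address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True: arrives on the WAN side; False: sent from the LAN side


@dataclass(frozen=True)
class AllowRule:
    host: Optional[str]                 # X: internal address, None = any internal host
    ports: Tuple[Tuple[int, int], ...]  # Y: (low, high) ranges; (p, p) for a single port
    sources: Optional[Tuple[str, ...]]  # Z: source prefixes, None = any source

    def matches(self, pkt: Packet) -> bool:
        if self.host is not None and Addr(pkt.dst) != Addr(self.host):
            return False
        if not any(lo <= pkt.dport <= hi for lo, hi in self.ports):
            return False
        if self.sources is None:
            return True
        src = Addr(pkt.src)
        return any(src in ipaddress.ip_network(p) for p in self.sources)


class StatefulFirewall:
    def __init__(self, lan_prefix: str, rules: List[AllowRule]):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.rules = list(rules)
        # flow table keyed by (internal addr, internal port, remote addr, remote port)
        self.flows = set()

    def process(self, pkt: Packet) -> str:
        """Return 'accept' or 'drop' for one packet, updating the flow table."""
        if not pkt.inbound:
            # An internal host initiates: remember the flow so its replies pass.
            if Addr(pkt.src) in self.lan:
                self.flows.add((Addr(pkt.src), pkt.sport, Addr(pkt.dst), pkt.dport))
                return "accept"
            return "drop"  # LAN-side packet with a non-LAN source: treat as spoofed
        # Inbound packet: is it a reply to a flow an internal host opened?
        if (Addr(pkt.dst), pkt.dport, Addr(pkt.src), pkt.sport) in self.flows:
            return "accept"
        # Otherwise only the static policy (X, Y, Z) may admit it.
        if Addr(pkt.dst) in self.lan and any(r.matches(pkt) for r in self.rules):
            return "accept"
        return "drop"


def demo() -> dict:
    """Walk through the cases raised in the thread; returns verdicts by name."""
    fw = StatefulFirewall("fd00:db8:1::/64", [
        # the game console (X) may take unsolicited traffic on 3074 (Y) from anyone (Z)
        AllowRule("fd00:db8:1::20", ((3074, 3074),), None),
        # any internal host may take ports 6000-6010, but only from one partner prefix
        AllowRule(None, ((6000, 6010),), ("2001:db8:50::/48",)),
    ])
    out = {}
    out["web_request"] = fw.process(Packet("fd00:db8:1::10", 51000, "2001:db8::80", 443, False))
    out["web_reply"] = fw.process(Packet("2001:db8::80", 443, "fd00:db8:1::10", 51000, True))
    out["unsolicited_to_pc"] = fw.process(Packet("2001:db8::99", 4444, "fd00:db8:1::10", 3074, True))
    out["console_game"] = fw.process(Packet("2001:db8::99", 4444, "fd00:db8:1::20", 3074, True))
    out["range_from_partner"] = fw.process(Packet("2001:db8:50::7", 5555, "fd00:db8:1::10", 6005, True))
    out["range_from_stranger"] = fw.process(Packet("2001:db8::99", 5555, "fd00:db8:1::10", 6005, True))
    out["spoofed_outbound"] = fw.process(Packet("2001:db8::99", 1, "2001:db8::80", 80, False))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The point of the model is that every inbound hole is either a reply to a flow the inside opened or an entry an administrator wrote down; nothing on the LAN can add rules at runtime, which is exactly the capability UPnP hands to applications.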
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
You don't need UPnP if you're not doing NAT.
wishful thinking.
you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.
Yes, SI will still be needed. However, UPnP is, at its heart, a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all? I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them. Owen
On Mon, 2009-12-14 at 00:58 -0800, Owen DeLong wrote:
However, UPnP is, at its heart, a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?
I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the users mind that there is a firewall protecting them.
Well, for many years I've argued (since I read an early draft of the proposal for uPnP) that it really stood for "Unstoppable-Peek-and-Poke". It scares the hell outta me, full stop, way more than the users themselves - and they scare me a lot anyways. Seems a good time to ask while everyone's thinking about it: I wonder if anyone actually has first-hand experience of any el-cheapo plastic "home user" routers (say sub-US$50) that are worth a look at for low-end system trials? Zyxel maybe? I see Andrews & Arnold (in the UK) sell them and seem to rate them quite highly, yet the price is, frankly, a giveaway. Any thoughts? (Ignoring, of course, the sad and embarrassing fact that much of the UK's national telco backbone isn't v6 capable - a long (and buggy) story in itself, once you start trying to implement practical v6 end-to-end.) Gord
Once upon a time, Owen DeLong <owen@delong.com> said:
I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the users mind that there is a firewall protecting them.
Well, "any applet a user clicks on" should not have permission to talk to random devices on the network (for example, Java applets can't do that), so I don't think it quite as bad as you make it out to be. I also don't really find the "computer is already compromised" case all that interesting, as at that point, all bets are off (since with C&C servers, compromised computers are already accessible to the outside world without UPnP). A firewall protects against unwanted inbound connections to things like file/print sharing, DNS proxies, etc. You also don't get port scans and such (even with a few open ports, the majority being "drop" slows down scanners significantly). You can also configure it to prevent certain outbound connections (e.g. connecting to random mail servers from desktop PCs). I would hope that you can configure firewall rules to override UPnP requests. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
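Chris's hope above, that firewall rules can override what UPnP asks for, is what an IGD implementation does if it vets each AddPortMapping request before touching the filter. The following is an added example, not code from the thread or from any gateway firmware; the LAN network, the reserved-port set, the lease cap and the sample SOAP request are assumptions. The checks are the ones a gateway can make with only the request and its source address: the request must arrive from the LAN side, may only map ports back to the host that sent it, may not expose the file/print/DNS services a firewall exists to hide, and must carry a bounded lease so stale holes expire. The same vetting applies to the IPv6 pinhole request in IGD version 2.

```python
"""Vet a UPnP IGD AddPortMapping request against local policy before the
gateway touches its firewall.  Example code, not from the thread; the
policy constants and the sample request are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed inside network
# Assumed policy: services the gateway must never expose on an application's
# say-so, even to the requesting host (DNS, RPC/NetBIOS/SMB, IPP printing).
RESERVED_PORTS = {53, 135, 137, 138, 139, 445, 631}
MAX_LEASE_SECONDS = 24 * 3600


def _arg(action, name):
    node = action.find(name)          # IGD argument elements carry no namespace
    if node is None or node.text is None:
        raise ValueError(f"missing argument {name}")
    return node.text.strip()


def vet_port_mapping(soap_xml, requester_ip, lan_net=LAN_NET):
    """Return (accepted, reason).  Malformed input is refused, never raised."""
    try:
        root = ET.fromstring(soap_xml)
        action = root.find(f".//{{{WANIP_NS}}}AddPortMapping")
        if action is None:
            return False, "not an AddPortMapping request"
        requester = ipaddress.ip_address(requester_ip)
        if requester not in lan_net:
            return False, "request did not arrive from the LAN"
        client = ipaddress.ip_address(_arg(action, "NewInternalClient"))
        if client != requester:
            return False, "may only map ports to the requesting host"
        proto = _arg(action, "NewProtocol").upper()
        if proto not in ("TCP", "UDP"):
            return False, f"unsupported protocol {proto}"
        ext_port = int(_arg(action, "NewExternalPort"))
        int_port = int(_arg(action, "NewInternalPort"))
        if not (1024 <= ext_port <= 65535 and 1 <= int_port <= 65535):
            return False, "port out of range"
        if int_port in RESERVED_PORTS:
            return False, f"port {int_port} is reserved by policy"
        lease = int(_arg(action, "NewLeaseDuration"))
        if not 1 <= lease <= MAX_LEASE_SECONDS:
            return False, f"lease must be 1..{MAX_LEASE_SECONDS} seconds"
    except (ET.ParseError, ValueError) as exc:
        return False, f"malformed request: {exc}"
    return True, f"{proto} {ext_port} -> {client}:{int_port} for {lease}s"


def build_request(internal_client, ext_port, int_port, proto="UDP", lease=3600):
    """Constructed sample AddPortMapping body, shaped as a control point sends it."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="{WANIP_NS}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{ext_port}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{int_port}</NewInternalPort>
      <NewInternalClient>{internal_client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>game console</NewPortMappingDescription>
      <NewLeaseDuration>{lease}</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


if __name__ == "__main__":
    cases = [
        (build_request("192.168.1.20", 3074, 3074), "192.168.1.20"),
        (build_request("192.168.1.5", 3074, 3074), "192.168.1.20"),   # other host
        (build_request("192.168.1.20", 8445, 445), "192.168.1.20"),   # SMB
        (build_request("192.168.1.20", 3074, 3074, lease=0), "192.168.1.20"),
        (build_request("192.168.1.20", 3074, 3074), "203.0.113.9"),   # from WAN
    ]
    for body, src in cases:
        print(src, vet_port_mapping(body, src))
```

The requester address comes from the TCP connection carrying the SOAP call, not from the XML, which is why the code refuses to map to any NewInternalClient other than that address: the one thing the gateway can establish without authentication is which host spoke to it.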
On Mon, 14 Dec 2009, Owen DeLong wrote:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
You don't need UPnP if you're not doing NAT.
wishful thinking.
you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.
Yes, SI will still be needed. However, UPnP is, at its heart, a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?
Because of the least surprise principle: Users get used to having NAT ~> they expect a similar stateful firewall in IPv6. They get used to using UPnP in IPv4 ~> they expect something similar in IPv6. I don't think this is good, but the bad engineering decision of UPnP cannot be replaced with better ones overnight. Best Regards, Janos Mohacsi
Owen DeLong wrote:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
You don't need UPnP if you're not doing NAT.
wishful thinking.
you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.
Yes, SI will still be needed. However, UPnP is, at its heart, a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?
I'm a consumer, I want to buy something, take it home, turn it on and have it work. I don't have an IT department. How the manufacturers solve that is their problem.
As a consumer my preferences for a security posture to the extent that I have one are:
don't hose me
don't make my life any more complicated than necessary
I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the users mind that there is a firewall protecting them.
Stable outgoing connections for p2p apps, messaging, gaming platforms and foo website with javascript based rpc mechanisms have similar properties. I don't sleep soundly at night because the $49 buffalo router I bought off an endcap at frys uses iptables, I sleep soundly because I don't care.
Owen
On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote:
Owen DeLong wrote:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
You don't need UPnP if you're not doing NAT.
wishful thinking.
you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.
Yes, SI will still be needed. However, UPnP is, at its heart, a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?
I'm a consumer, I want to buy something, take it home, turn it on and have it work. I don't have an IT department. How the manufacturers solve that is their problem.
As a consumer my preferences for a security posture to the extent that I have one are:
don't hose me
don't make my life any more complicated than necessary
I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the users mind that there is a firewall protecting them.
Stable outgoing connections for p2p apps, messaging, gaming platforms and foo website with javascript based rpc mechanisms have similar properties. I don't sleep soundly at night because the $49 buffalo router I bought off an endcap at frys uses iptables, I sleep soundly because I don't care.
Precisely. And if you want to get picky, remember that "availability" is part of the standard definition of security. A firewall that doesn't let me play Chocolate-Sucking Zombie Monsters is an attack on the availability of that game, albeit from the purest of motives. No, I'm not saying that this is good. I am saying that in the real world, it *will* happen. --Steve Bellovin, http://www.cs.columbia.edu/~smb
* Steven Bellovin (smb@cs.columbia.edu) wrote:
On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote:
Owen DeLong wrote: Stable outgoing connections for p2p apps, messaging, gaming platforms and foo website with javascript based rpc mechanisms have similar properties. I don't sleep soundly at night because the $49 buffalo router I bought off an endcap at frys uses iptables, I sleep soundly because I don't care.
Precisely. And if you want to get picky, remember that "availability" is part of the standard definition of security. A firewall that doesn't let me play Chocolate-Sucking Zombie Monsters is an attack on the availability of that game, albeit from the purest of motives.
No, I'm not saying that this is good. I am saying that in the real world, it *will* happen.
So what you are saying is that ease of use and service availability is priority one. Then what exactly are the responsibilities of the ISP and CPE manufacturer when it comes to security? CPEs with WiFi usually come with the advice to change the password etc. Is it ok to build an infrastructure relying on UPnP, write a disclaimer, and let the end user handle eventual problems? (I assume it is...) /jkm
On 15/12/2009, at 11:19 PM, Joakim Aronius wrote:
So what you are saying is that ease of use and service availability is priority one. Then what exactly are the responsibilities of the ISP and CPE manufacturer when it comes to security? CPEs with WiFi usually comes with the advice to change password etc. Is it ok to build an infrastructure relying on UPnP, write a disclaimer, and let the end user handle eventual problems? (I assume it is...)
Hasn't essentially every ISP on the planet been doing that for years, only without the disclaimer? It's not like we're talking about creating UPnP from whole cloth. We're discussing a replacement of like-for-like, updating existing capabilities to support IPv6. - mark -- Mark Newton Email: newton@internode.com.au (W) Network Engineer Email: newton@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
* Mark Newton (newton@internode.com.au) wrote:
On 15/12/2009, at 11:19 PM, Joakim Aronius wrote:
So what you are saying is that ease of use and service availability is priority one. Then what exactly are the responsibilities of the ISP and CPE manufacturer when it comes to security? CPEs with WiFi usually comes with the advice to change password etc. Is it ok to build an infrastructure relying on UPnP, write a disclaimer, and let the end user handle eventual problems? (I assume it is...)
Hasn't essentially every ISP on the planet been doing that for years, only without the disclaimer?
It's not like we're talking about creating UPnP from whole cloth. We're discussing a replacement of like-for-like, updating existing capabilities to support IPv6.
As was mentioned earlier the end-user is mostly clueless and 'just wants things to work'(tm). They do not know/care enough to make wise decisions when it comes to security and they can't identify the absence of security features. Personally I only have rudimentary knowledge of UPnP and the UPnP forum but there are real security issues with the protocol and no(?) effort to fix them; current security specs are from 2003 (and varying degrees of implementation in products of the security features that actually are in the standard). In the last years the security problems in e.g. Microsoft products have gotten a lot of press and even Joe Sixpack has a hunch that he ought to get an anti-virus program. With the increasingly complex home network environment we will likely see more advanced attacks including UPnP. Then we have a situation with embedded devices with more and more functionality which are hard to patch, that run insecure protocols, and it will end up in a real mess. I basically agree with you, adding IPv6 would be a like-for-like replacement. But one difference is that there is an increased attack vector with a higher degree of connectivity (no NAT) and more complex and less mature IP implementations in devices. UPnP might still be the way to go as it is already there, 'it works' etc. But not working actively with the security issues in the standards is plain stupid. The standard and the functionality of the CPE is the responsibility of the CPE manufacturer. And I guess that the responsibility of the ISP is to provision its customers with as good and secure CPEs as the market provides (and if the s*** hits the fan, point at the CPE manufacturer). Regards, /Joakim
On Dec 15, 2009, at 4:49 AM, Joakim Aronius wrote:
* Steven Bellovin (smb@cs.columbia.edu) wrote:
On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote:
Owen DeLong wrote: Stable outgoing connections for p2p apps, messaging, gaming platforms and foo website with javascript based rpc mechanisms have similar properties. I don't sleep soundly at night because the $49 buffalo router I bought off an endcap at frys uses iptables, I sleep soundly because I don't care.
Precisely. And if you want to get picky, remember that "availability" is part of the standard definition of security. A firewall that doesn't let me play Chocolate-Sucking Zombie Monsters is an attack on the availability of that game, albeit from the purest of motives.
No, I'm not saying that this is good. I am saying that in the real world, it *will* happen.
So what you are saying is that ease of use and service availability is priority one. Then what exactly are the responsibilities of the ISP and CPE manufacturer when it comes to security? CPEs with WiFi usually comes with the advice to change password etc. Is it ok to build an infrastructure relying on UPnP, write a disclaimer, and let the end user handle eventual problems? (I assume it is...)
/jkm
Personally, I think that CPE should come up relatively braindead except on the interior wired ethernet interfaces and require creating an SSID and suggesting creating a password (regardless of whether TKIP, WEP, WPA, etc., at least something) before enabling any wireless. It should require the user to create their own administrative password before being able to enable any other features on the box. If CPE manufacturers did this, it would remove a great many vulnerabilities in the world without making it particularly harder for the average end-user. Owen
Wade Peacock wrote:
We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enable internet gateways (routers/firewalls), a kin to the ever popular Linksys 54G series, DLinks , SMCs or Netgears.
Does anyone have any leads to information about such products (In production or planned production)?
We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them.
For ADSL, we've been punting Ovislink gear for a few years. In the past, I've had very good results with having feature requests implemented by the firmware developers (sometimes while I'm on the phone with them, literally). I haven't pushed the v6 thing too hard yet, as our DSL is wholesale'd out, and the wholesaler(s), unlike myself, don't do IPv6. I will gladly rekindle the relationship with the Ovislink dev contacts regarding IPv6, as I'm sure they will respond if there is a show of potential hardware sales to a few ISPs larger than I am. Steve
I think they're (all) listed here: http://www.getipv6.info/index.php/Broadband_CPE Frank -----Original Message----- From: Wade Peacock [mailto:wade.peacock@sunwave.net] Sent: Wednesday, December 02, 2009 5:16 PM To: nanog@nanog.org Subject: Consumer Grade - IPV6 Enabled Router Firewalls. We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enable internet gateways (routers/firewalls), a kin to the ever popular Linksys 54G series, DLinks , SMCs or Netgears. Does anyone have any leads to information about such products (In production or planned production)? We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them. Thoughts? -- Wade Peacock Sun Country Cablevision Ltd
I note that a lot of those have IPv6 support because of 3rd party DD-WRT images :-) A lot of them support 6to4 only - and often quite poorly. MMC
On 03/12/2009, at 1:27 PM, Frank Bulk wrote:
I think they're (all) listed here: http://www.getipv6.info/index.php/Broadband_CPE
Frank
-- Matthew Moyle-Croft Peering Manager and Team Lead - Commercial and DSLAMs Internode /Agile Level 5, 162 Grenfell Street, Adelaide, SA 5000 Australia Email: mmc@internode.com.au Web: http://www.on.net Direct: +61-8-8228-2909 Mobile: +61-419-900-366 Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
Frank Bulk a écrit :
I think they're (all) listed here: http://www.getipv6.info/index.php/Broadband_CPE
And from an operator's perspective (not manufacturer): Free, an ISP ADSL (and fiber) operator in France, has done IPv6 natively to the end user with Router Advertisement for 2 years now. I think these "CPE" (Customer Premises Equipment) are called simply "box" in France (freebox, livebox, dartybox, and more). Between the Free box and the core network there is proprietary IPv6-in-IPv4 encapsulation, not 6to4. No DHCPv6-PD, which I feel is a big restriction. Plans for livebox and 9box IPv6 do exist if not already deployed. The Spanish FON Fonera, based on openwrt, when I checked in 2008, did IPv6 somehow, not sure whether natively. http://boards.fon.com/viewtopic.php?f=1&t=4532&view=previous From memory, at least one Japanese residential operator did IPv6 to the home several years ago, with explicit IPv6 advertisement on TV during prime time. Alex
Frank
On Sat, 12 Dec 2009, Alexandru Petrescu wrote:
Frank Bulk a écrit :
I think they're (all) listed here: http://www.getipv6.info/index.php/Broadband_CPE
And from an operators perspective (not manufacturer):
Free, an ISP ADSL (and fiber) operator in France, has done IPv6 natively to the end user with Router Advertisement for 2 years now. I think these "CPE" (Customer Premises Equipment) are called simply "box" in France (freebox, livebox, dartybox, and more). Between the Free box and the core network there is proprietary IPv6-in-IPv4 encapsulation, not 6to4. No DHCPv6-PD, which I feel is a big restriction.
implementing 6rd (which is used by Free) is also a big restriction.
Plans for livebox and 9box IPv6 do exist if not already deployed.
Spanish FON Fonera based on openwrt, when I checked 2008, did IPv6 somehow, not sure whether natively. http://boards.fon.com/viewtopic.php?f=1&t=4532&view=previous
From memory, at least one Japanese residential operator did IPv6 to the home several years ago, with explicit IPv6 advertisement on TV during prime time.
Alex
Frank
A Mikrotik Routerboard supports IPv6. Fairly cheap, under $100. But not easy enough for a novice home user to configure on their own. Could be a good CPE if it was pre-configured by the service provider though. I use a MT box at home which serves as my router, dual stack, and then sets up an IPv6 tunnel to SIXXS. Very stable platform. Only drawback is the lack of support for IPv6 over PPP. -- Chris Gotstein Sr Network Engineer UP Logon/Computer Connection UP Iron Mountain, MI 49801
Wade Peacock wrote:
We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enable internet gateways (routers/firewalls), a kin to the ever popular Linksys 54G series, DLinks , SMCs or Netgears.
Does anyone have any leads to information about such products (In production or planned production)?
We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them.
Thoughts?
I believe that the Fritz box and the Apple Airport series gateways both qualify, although there is a price difference on the Apple gear. I am not sure about the price of the Fritz. Owen
On Dec 2, 2009, at 3:16 PM, Wade Peacock wrote:
We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enable internet gateways (routers/firewalls), a kin to the ever popular Linksys 54G series, DLinks , SMCs or Netgears.
Does anyone have any leads to information about such products (In production or planned production)?
We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them.
Thoughts?
-- Wade Peacock Sun Country Cablevision Ltd <wade_peacock.vcf>
Wade Peacock wrote:
We had a discussion today about IPv6 today. During our open thinking the topic of client equipment came up. We all commented that we have not seen any consumer grade IPv6 enable internet gateways (routers/firewalls), a kin to the ever popular Linksys 54G series, DLinks , SMCs or Netgears.
Do you have an apple airport extreme or a linksys wrt610n? the WRTs of the world all 40 or so of the variants of that thing that have ever existed are rather old and in many cases bizarrely resource limited.
Does anyone have any leads to information about such products (In production or planned production)?
We are thinking that most vendors are going to wait until Ma and Pa home user are screaming for them.
Vendors are in the business of stimulating the replacement cycle by adding features... right now the magic words are gigabit ethernet and 802.11n. Chances are ma and pa won't even know the device they have has ipv6 (do they know it has ipv4?) unless it has a big-ass sticker on the outside of the box. like this i/o data ap from 2006... http://akiba-pc.watch.impress.co.jp/hotline/20060923/image/m060920r34.html
Thoughts?
your next wireless ap has 2-6 radio phys, an 800mhz mips processor and 64MB of ram; there's a lot of things it can do that your old one can't
I guess Cisco's 800's are out of the "Consumer Grade" price range, but any comments about v6 support on them and how they compare with other options. Just looking for feedback about good options for sort remote/branch/home office. Regards Jorge
They work pretty well. They're one of the few that you can buy which supports DSL and they work. IPv6 support on the WIFI interfaces is IOS version dependent. They support DHCPv6 PD etc. I'm using one right now with v6. MMC
On 04/12/2009, at 10:41 PM, Jorge Amodio wrote:
I guess Cisco's 800's are out of the "Consumer Grade" price range, but any comments about v6 support on them and how they compare with other options.
Just looking for feedback about good options for sort remote/branch/home office.
Regards Jorge
-- Matthew Moyle-Croft Peering Manager and Team Lead - Commercial and DSLAMs Internode /Agile
On Fri, Dec 04, 2009 at 10:59:49PM +1030, Matthew Moyle-Croft wrote:
They work pretty well.
They're one of the few that you can buy which supports DSL and they work. IPv6 support on the WIFI interfaces is IOS version dependent.
They support DHCPv6 PD etc. I'm using one right now with v6.
MMC
Can you comment on what version you got it to work on? I haven't futzed with it much, but with 12.4(24)T2, you can't put an ipv6 address directly on the wireless subinterface. I tried putting it on a BVI interface, but didn't have much luck. -- Brandon Ewing (nicotine@warningg.com)
Brandon Ewing <nicotine@warningg.com> writes:
Can you comment on what version you got it to work on? I haven't futzed with it much, but with 12.4(24)T2, you can't put an ipv6 address directly on the wireless subinterface. I tried putting it on a BVI interface, but didn't have much luck.
Version 12.4(20)T1 works....

interface Dot11Radio0
 !....
 ipv6 address 2001:db8:9F6B:2::1/64
 ipv6 enable
 ipv6 nd prefix 2001:db8:9F6B:2::/64

cheers Jens -- ------------------------------------------------------------------------- | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jenslink@guug.de | -------------------------------------------------------------------------
On Fri, 4 Dec 2009, Jorge Amodio wrote:
I guess Cisco's 800's are out of the "Consumer Grade" price range, but any comments about v6 support on them and how they compare with other options.
Just looking for feedback about good options for sort remote/branch/home office.
Some 800's are supporting IPv6 very well even DHCPv6-PD. We tested 83x, 87x, 88x. No IPv6 support however for 80x and 85x series. We also tested Juniper Netscreen - they are also very capable devices. Best Regards, Janos Mohacsi
Jorge Amodio <jmamodio@gmail.com> writes:
I guess Cisco's 800's are out of the "Consumer Grade" price range, but any comments about v6 support on them and how they compare with other options.
Once you find the right IOS version they are working great. ;-) I had to upgrade my router @home in order to use IPv6 on the wireless lan. Interface configuration wasn't accepting any ipv6 commands. cheers Jens -- ------------------------------------------------------------------------- | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jenslink@guug.de | -------------------------------------------------------------------------
participants (43)
- Alexandru Petrescu
- Bernhard Schmidt
- Bill Fehring
- Brandon Ewing
- Brandon Galbraith
- Chris Adams
- Chris Gotstein
- Dave Temkin
- Doug Barton
- Durand, Alain
- Fearghas McKay
- Frank Bulk
- Fred Baker
- gordon b slater
- Jack Bates
- Jason.Weil@cox.com
- Jens Link
- Joakim Aronius
- Joe Greco
- Joel Jaeggli
- John Jason Brzozowski
- Jorge Amodio
- Mark Andrews
- Mark Newton
- Matthew Dodd
- Matthew Moyle-Croft
- Mehmet Akcin
- Michael Loftis
- Mikael Abrahamsson
- Mohacsi Janos
- Nathan Ward
- Owen DeLong
- Paul Stewart
- Randy Bush
- Rubens Kuhl
- Seth Mattinen
- Simon Perreault
- Stefan
- Steve Bertrand
- Steven Bellovin
- TJ
- Valdis.Kletnieks@vt.edu
- Wade Peacock