IPv6 Firewall on CPEs - Default on or off

Tore Anderson tore.anderson at redpill-linpro.com
Mon Nov 26 21:21:54 CET 2012 

* Anfinsen, Ragnar

> Well, the customer already have a firewall/port-forwaring on IPv4. We can
> call it whatever we want, but in the end of the day, the customer
> perceives the NAT44 as a firewall/security barrier.

I would hazard a guess that the majority of your customers do no such
thing, have no expectation of there being such a thing as a firewall
provided, or being able to even tell you what NAT44 is. They know
there's a magic internet box, and that's about it.

Going anecdotal, my own parents and my mother in law fall in this
category. I guess Nick's grandma does as well. My parents have a xDSL
CPE doing NAT44, while my mother in law has a layer 2 cable modem. For
both of them though, it's just an "internet box". So only my parents
have any form of firewall (NAT44), my mother in law has a direct
unfiltered internet connection with no firewalling, NAT44, or anything
of the sort. She's entirely reliant on the security mechanisms included
and enabled default in her computer. And somehow, that seems to work out
for her and others like her. Fortunately.

For me, the major difference is that it's harder to give remote
assistance to my parents, since we need to jump through some hoops to
pierce through the NAT44 every time. I'm actually hoping that that
requirement would go away, now that they're becoming *your* customers. ;-)

>> - Your firewalling CPEs needs to maintain state for all IPv6 flows. Ugh,
>> state. That's a performance killer. And you're doing fibre, no?
> 
> Well, the ZyXEL P2812 actually have great performance numbers, where we do
> IPv4 NAT44, 6rd with Firewall at 1Gbps. I don't think that IPv6 will
> increase the average traffic the customers uses, it will only shift from
> IPv4 to IPv6 over time. Obviously the traffic will grow in total, but that
> has been designed into the solution.

In my experience, it isn't the throughput that kills performance of
stateful devices, it's the rate of flows being established and the
number of concurrent flows. I've had plenty of CPEs that have had no
problems fully saturating my WAN pipe when using NAT44 for large flows,
but as soon as I spun up a few BitTorrent downloads, interactive
protocols like HTTP started suffering long before the WAN pipe was close
to full.

Not saying the P2812 specifically cannot cope (haven't tried), though,
only that testing throughput alone gives you a poor indicator of the
performance of stateful devices.

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/

More information about the ipv6-ops mailing list