IPv6 Firewall on CPEs - Default on or off

Anfinsen, Ragnar Ragnar.Anfinsen at altibox.no
Mon Nov 26 22:34:00 CET 2012

On 26.11.12 21:21, "Tore Anderson" <tore.anderson at redpill-linpro.com>

>I would hazard a guess that the majority of your customers do no such
>thing, have no expectation of there being such a thing as a firewall
>provided, or being able to even tell you what NAT44 is. They know
>there's a magic internet box, and that's about it.
>Going anecdotal, my own parents and my mother in law fall in this
>category. I guess Nick's grandma does as well. My parents have a xDSL
>CPE doing NAT44, while my mother in law has a layer 2 cable modem. For
>both of them though, it's just an "internet box". So only my parents
>have any form of firewall (NAT44), my mother in law has a direct
>unfiltered internet connection with no firewalling, NAT44, or anything
>of the sort. She's entirely reliant on the security mechanisms included
>and enabled by default in her computer. And somehow, that seems to work out
>for her and others like her. Fortunately.
>For me, the major difference is that it's harder to give remote
>assistance to my parents, since we need to jump through some hoops to
>pierce through the NAT44 every time. I'm actually hoping that that
>requirement would go away, now that they're becoming *your* customers. ;-)

Point taken... ;)

>In my experience, it isn't the throughput that kills performance of
>stateful devices, it's the rate of flows being established and the
>number of concurrent flows. I've had plenty of CPEs that have had no
>problems fully saturating my WAN pipe when using NAT44 for large flows,
>but as soon as I spun up a few BitTorrent downloads, interactive
>protocols like HTTP started suffering long before the WAN pipe was close
>to full.
>Not saying the P2812 specifically cannot cope (haven't tried), though,
>only that testing throughput alone gives you a poor indicator of the
>performance of stateful devices.

We have tested the CPE with a high number of flows, much more than an
average user normally uses (2048 flows at max). I don't remember the
actual number, but I'll check and come back to you off list. We had some
performance issues, but they were fixed in our current firmware. Latest
and greatest from ZyXEL, so far we are the only ISP using this new
firmware. I'm not easily impressed, but on this issue I am (for a box at
that price).

