nanog mailing list archives

Re: Alcatel-Lucent VPN Firewall Brick


From: "Justin M. Streiner" <streiner () cluebyfour org>
Date: Mon, 26 Oct 2009 18:32:48 -0400 (EDT)

On Mon, 26 Oct 2009, Christopher Morrow wrote:

> On Mon, Oct 26, 2009 at 12:36 PM, Justin M. Streiner
> <streiner () cluebyfour org> wrote:
>> On Mon, 26 Oct 2009, Jay Nakamura wrote:
>>
>>> Looking for input on Alcatel-Lucent VPN Firewall Brick.  I can look up
>>> spec and other published information but, as always, the devil is in
>>> the detail and you just never know what wall you run into until you
>>> actually try it so I wanted to see if anyone has used this and can
>>> point out good/bad things about this device.
>>>
>>> Our other option is Cisco IOS router right now.  Are there better
>>> options than these two?
>>
>> Fair warning: v6 honestly seems to have caught most firewall vendors with
>> their pants down.
>
> I'm not really sure that in the year 2009 that's a fair thing to still
> expect... honestly ipv6 has been in 'production' for ~7 years, for a
> CPE deployment it's certainly been to the point where it should be
> included by default.
>
> -1 alcalu :(

I don't know about AL's v6 status because I'm in the process of migrating away from them, and have been in the process of lots of due diligence with vendors in the past 6-ish months. v6 support is pretty high on our list of 'must have' items. I've been pretty disappointed with the response from most vendors. Many of those have been along the lines of:

"Yeah... our v6 code should be out of customer trials in Q2 2010..."

"We do v6 in software today, and the next spin of XYZ hardware will do it in the ASICs..."

"We're working some kinks out, so the box forwards X pps of v6 today (let Y = the amount of v4 traffic the box can handle, let X = some amount significantly lower than Y), but we should have all of that sorted out in the next major code release and be able to handle Y pps of v6 then."

"The firewall handles v6 today, but v6 support in the management front-end is still baking. Should be ready to go in the next release."

Vendor responses to my "v6 has been around for about 10 years... why is all of this only happening *now*?" questions have largely been along the lines of "Customers only started asking for or requiring v6 support in the last X months/years...". This gets us back to chicken-and-egg time.

I can understand their position to a degree, i.e. why waste resources on things that customers aren't requesting (read: won't compel them to buy more/bigger hardware or renew/upgrade support contracts)? This might have been a somewhat valid position several years ago, but v6 as a necessity has been on many customers' radars for several years. Frankly, not having fully baked v6 support today is pretty much inexcusable IMHO.

jms
