nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 17 Apr 2014 21:00:54 +0000
On Apr 18, 2014, at 1:04 AM, Dustin Jurman <dustin () rseng net> wrote:
- the approach is from an end user rather than service provider. The firewall operator would be more interested in identifying PPS for attacks / compromised hosts vs. QoS, but I suppose it could be used for QoS as well. (Not my intent.) So today we have NAT'd firewalls that overload a particular interface. IMHO, since properly implemented V6 should not use NAT, I would want my FW vendor to allow me to see what's going on PPS-wise via the dashboard function. Most V4 firewalls do this today at an interface level.
This is a telemetry function (separately, I noted IPFIX functionality should be included).
- Average packet size for all hosts would allow the operator to make a determination and set thresholds for new forms of attacks and exploits. (Thinking forward once applications take advantage of V6)
Again, this is a telemetry function, not a policy function.
- MTU Negotiated Between Hosts - Since this happens between endpoints in v6, this could help identify tunnels in the network / changes in WAN topology. Not like we haven't seen that before. While a change in flight should create a drop, when the session reestablishes it could resize.
Yet again, a telemetry function. The MTU negotiation itself is irrelevant; the resultant packet-size is relevant, from a classification point of view.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton
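The per-host telemetry discussed in this message (PPS and average packet size derived from flow export), as an added example that is not part of the original post: it aggregates constructed flow records by IPv6 source and flags hosts against thresholds. The record layout, the 60-second window and the threshold values are assumptions chosen for illustration.

```python
from collections import defaultdict
from ipaddress import IPv6Address

# Constructed flow records (not real traffic): (source, packets, octets),
# all observed in one 60-second export window (assumed layout).
WINDOW_SECONDS = 60
FLOWS = [
    ("2001:db8::10", 1200, 1_500_000),
    ("2001:db8::10", 600, 700_000),
    ("2001:db8::66", 900_000, 57_600_000),
    ("2001:DB8:0:0:0:0:0:66", 300_000, 19_200_000),  # same host, other text form
    ("2001:db8::a1", 40, 56_000),
]

def host_stats(flows, window):
    """Return per-source PPS and mean packet size over a window in seconds."""
    totals = defaultdict(lambda: [0, 0])
    for src, pkts, octets in flows:
        # Parse the address so equivalent IPv6 text forms aggregate together.
        host = IPv6Address(src)
        totals[host][0] += pkts
        totals[host][1] += octets
    return {
        host: {"pps": pkts / window,
               "avg_size": octets / pkts if pkts else None}
        for host, (pkts, octets) in totals.items()
    }

def flag_hosts(stats, max_pps, min_avg_size):
    """Return {host: [reasons]} for hosts outside the given thresholds."""
    flagged = {}
    for host, s in stats.items():
        reasons = []
        if s["pps"] > max_pps:
            reasons.append("pps")
        # A host with no packets has no mean size and is not flagged on it.
        if s["avg_size"] is not None and s["avg_size"] < min_avg_size:
            reasons.append("avg_size")
        if reasons:
            flagged[host] = reasons
    return flagged

if __name__ == "__main__":
    stats = host_stats(FLOWS, WINDOW_SECONDS)
    # Hypothetical thresholds; real values come from a measured baseline.
    hits = flag_hosts(stats, max_pps=10_000, min_avg_size=100)
    for host, reasons in hits.items():
        print(host, stats[host], reasons)
```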