nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 17 Apr 2014 21:00:54 +0000


On Apr 18, 2014, at 1:04 AM, Dustin Jurman <dustin () rseng net> wrote:

> - The approach is from an end user rather than a service provider. The firewall operator would be more interested in
> identifying PPS for attacks / compromised hosts vs. QoS, but I suppose it could be used for QoS as well (not my
> intent). So today we have NAT'd firewalls that overload a particular interface; IMHO, since properly implemented v6
> should not use NAT, I would want my FW vendor to allow me to see what's going on PPS-wise via the dashboard function.
> Most v4 firewalls do this today at an interface level.

This is a telemetry function (separately, I noted IPFIX functionality should be included).

> - Average packet size for all hosts would allow the operator to make a determination and set thresholds for new forms of
> attacks and exploits (thinking forward, once applications take advantage of v6).

Again, this is a telemetry function, not a policy function.

> - MTU negotiated between hosts: since this happens between endpoints in v6, this could help identify tunnels in
> the network / changes in WAN topology. Not like we haven't seen that before. While a change in flight should create
> a drop, when the session re-establishes it could resize.

Yet again, a telemetry function.  The MTU negotiation itself is irrelevant; the resultant packet size is relevant, from
a classification point of view.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton

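An added illustration, not part of the thread, of the telemetry the two posters are discussing: deriving per-host packets-per-second and average packet size from IPFIX-style flow records and flagging hosts whose rate or packet-size profile crosses a threshold. The flow records, field names, addresses and threshold values below are all constructed for the example; real IPFIX templates and sensible thresholds depend on the exporter and the network.

```python
"""Added example (not from the thread): compute per-host PPS and average
packet size from IPFIX-style flow records and flag outliers.
All records, addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # IPv6 source address as the exporter reports it
    dst: str
    packets: int      # packetDeltaCount
    octets: int       # octetDeltaCount
    start_ms: int     # flowStartMilliseconds
    end_ms: int       # flowEndMilliseconds


# Constructed sample export over a 10-second window: one ordinary host and
# one host emitting a small-packet flood (many packets, tiny average size).
SAMPLE_FLOWS = [
    Flow("2001:db8::10", "2001:db8:1::80", 1200, 1_560_000, 0, 10_000),
    Flow("2001:db8::10", "2001:db8:1::443", 800, 960_000, 2_000, 10_000),
    Flow("2001:db8::bad", "2001:db8:1::80", 400_000, 32_000_000, 0, 10_000),
    Flow("2001:db8::bad", "2001:db8:1::53", 200_000, 16_000_000, 0, 10_000),
]


def per_host_stats(flows):
    """Aggregate packets, octets and the observation window per source.

    Returns {src: (packets_per_second, average_packet_size_bytes)}.
    The window is the span from the earliest flow start to the latest
    flow end seen for that source (at least 1 ms, to avoid dividing by 0).
    """
    pkts = defaultdict(int)
    octs = defaultdict(int)
    first = {}
    last = {}
    for f in flows:
        pkts[f.src] += f.packets
        octs[f.src] += f.octets
        first[f.src] = min(first.get(f.src, f.start_ms), f.start_ms)
        last[f.src] = max(last.get(f.src, f.end_ms), f.end_ms)
    stats = {}
    for src in pkts:
        window_s = max(last[src] - first[src], 1) / 1000.0
        stats[src] = (pkts[src] / window_s, octs[src] / pkts[src])
    return stats


def flag_hosts(stats, max_pps=10_000, min_avg_size=100):
    """Return sources whose PPS exceeds max_pps or whose average packet
    size falls below min_avg_size. Both thresholds are placeholders; an
    operator would set them from the baseline the dashboard shows."""
    return sorted(src for src, (pps, avg) in stats.items()
                  if pps > max_pps or avg < min_avg_size)


if __name__ == "__main__":
    for src, (pps, avg) in per_host_stats(SAMPLE_FLOWS).items():
        print(f"{src:16} {pps:10.1f} pps  {avg:8.1f} B avg")
    print("flagged:", flag_hosts(per_host_stats(SAMPLE_FLOWS)))
```

The point of splitting `per_host_stats` from `flag_hosts` is the one Roland makes: the first is pure telemetry (what the dashboard or IPFIX collector shows), and only the second encodes policy, so thresholds can be tuned or replaced without touching the measurement.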

