[arin-ppml] The non-deployment of IPv6

Keith W. Hare Keith at jcc.com
Fri Dec 11 09:53:17 EST 2009



Lee Howard said

>Keith Hare said:
>> 1. Finding firewall (or whatever vendors are calling it today) 
>> equipment that supports IPv6
>
>From www.getipv6.info click "IPv6 Deployment and Migration Planning," 
>then "Device Support."  
>http://jitc.fhu.disa.mil/apl/ipv6.html#security
>http://www.ipv6-to-standard.org/index.php

Yep, did that. Then I went to the vendor web sites. 

It's been a while since I looked at the Fortinet web site, but last I looked, I couldn't find ANYTHING on the Fortinet web site that said IPv6. And, the current version of FortiOS is V4 or so. Does V4 have all of the features in the V3.0 that was certified? Probably, but how do I figure that out?

I looked at the Juniper Networks web site earlier this week. Based on a suggestion from Owen, I looked at a Juniper SRX box that would be about what I need. The info for the SRX box doesn't anything about IPv6 support. However it does say that the SRX box runs JUNOS, and I finally found another web page that describes the IPv6 standards supported by JUNOS. So that implies that the SRX boxes support IPv6, I guess.

That's my point (beef, soapbox, etc.). The vendors that support IPv6 don't think IPv6 is important enough to mention it in the spec sheets for each piece of equipment where it would be easy to find. The information, if it is available, is hidden off in some dusty corner.


>> 2. Finding an upstream that supports IPv6
>
>From www.getipv6.info click "IPv6 Deployment and Migration Planning," 
>then "Providers Currently Selling IPv6 Transit."

None of the Providers on this list are anywhere close to me, so I would either need to get some sort of long dedicated link or work with an IPv6 tunnel broker. That answer is easy -- I know where the web page is to set up an account with a pretty good, pretty cheap tunnel broker. 

My real point is that from discussions on this list, I know that one of my local vendors is working on IPv6 somewhere. However, the local sales rep doesn't admit to knowing anything about it.

Most of the rest of Lee's response was to comments from some other message.

Keith

>
>> The killer question is will we be able to find robust v4 to v6 
>> solutions when the time comes when we need to get traffic from 
>> v6 only external users or sending traffic to v6 only sites. I am 
>> assuming the answer to that question will be.... yes.....since when 
>> the time comes there is going to be a huge demand for them. 
>
>I'm very skeptical.  Stateless NAT46/64 means a 1:1 mapping of
>addresses, which doesn't help after IPv4 is unavailable.  Stateful
>NAT46 isn't even on the table at IETF yet.  Doubtful we'll have a
>product in time.  No equipment vendors say they'll have one-to-
>many address family translation by EOY 2011.
>
>> The point at which you need to do something about v6  is when you 
>> are going to start getting external traffic (SMTP, HTTP, etc.) from 
>> v6 only users... or when your own users are going to start to want 
>> to access v6 only sites.
>
>As an enterprise network operator, do you support a VPN for
>remote employees?  Once they can't get a global IPv4 address, if
>they change ISPs they'll either be behind IPv6 or large-scale NAT
>(i.e., NAT444).  Will your VPN work?
>
>> lots of network hardware vendors that support IPv6, take a few 
>> minutes and see if you can find where on their web sites and spec 
>> sheets they document IPv6 support.
>
>I went to the websites of half a dozen large network equipment
>makers and searched for "IPv6."  AdTran should be embarrassed,
>but otherwise, there are hits at all of them.  You can complain 
>about features that are late in coming in some edge platforms, but 
>nearly everything will at least allow an IPv6 address now.
>
>Lee





More information about the ARIN-PPML mailing list