Nick and all,

Chiming in here as a kinda unusual occurrence. I agree with Nick's assessment here unfortunately. Seems across a broad business spectrum a disinterest in IPv6 remains or persists. Given, what I believe to be an accurate assessment by Nick below, it would seem that a more concerted effort to make IPv6 more palatable in very short order is advisable. As to how to accomplish that, I do not know.

-----Original Message-----
From: Nick Hilliard <nick@inex.ie>
Sent: Oct 27, 2007 9:25 AM
To: michael.dillon@bt.com
Cc: address-policy-wg@ripe.net, ipv6-wg@ripe.net
Subject: Re: [address-policy-wg] Commercial IPv6 firewall support

Some people have claimed that they cannot yet sell IPv6 Internet access because there is no IPv6 firewall support. According to this ICANN study: http://www.icann.org/committees/security/sac021.pdf this is not quite true. At least 30% of the 42 vendors surveyed had IPv6 support.
There is, of course, "support" and support when talking about any feature, whether ipv6 related or not.
As a useful example of what "support" implies, the "support" from one of my firewall vendors includes basic support for ipv6 packet forwarding and filtering, but no support for configuring this from the GUI. And no support for failover / failback on ipv6. And no support for ospfv3. Or DHCPv6. Or v6 support for VPNs. And so on - you get the idea. There are piles more features which just aren't there if you use v6. In fact, I would suggest that there is such a large functionality gap between their ipv4 and ipv6 support right now, that even if they invested heavily between now and the current expected dates for ipv4 exhaustion, I seriously doubt that they would achieve feature parity, not to mind stability parity for these features.
I have talked to them about this, and their opinion is that there is no commercial demand for ipv6, and therefore ipv6 feature parity is on the feature roadmap. And indeed, it is difficult for the organisation I work for to demand ipv6 support, when other companies can talk to their vendors with a EUR100m firewall / networking contract going a-begging. I have little doubt that this is the reason that MOP got re-enabled by default on a certain router vendor's products.
Them: "We have EUR200m to spend and we want MOP enabled by default".
Vendor: "Three bags full, sir".

Me: "I want you to spend $50m in development costs to support ipv6, and then I'll buy some low end kit from you"
Vendor: <laughs hysterically>
Open source solutions tend to fare better in this regard. Lots of people may end up using them in a future ipv6 world, but you're not going to end up seeing F500 companies stampeding to replace their current high-end solutions with m0n0wall installations, just because they have more-or-less parity support for ipv4 and ipv6.
There's a more interesting discussion of this linked from:
http://www.arin.net/meetings/minutes/ARIN_XX/ppm.html
See the talk entitled "IPv6 Support Among Commercial Firewalls", by Dave Piscitello.
Nick
--
Network Ability Ltd. | Technical Operations    | Tel: +353 1 6169698
3 Westland Square    | INEX - Internet Neutral | Fax: +353 1 6041981
Dublin 2, Ireland    | Exchange Association    | Email: nick@inex.ie

Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com