Ray Patrick Soucy

FOSS Routing in an IPv6 World

Free and Open Source Software (FOSS) routing platforms will play a key role in the deployment of IPv6 on the corporate network.  As networks migrate away from Network Address Translation (NAT) appliances as their means of getting redundant connectivity to the outside world, SMB and enterprise networks will need to become familiar with BGP routing if they wish to have service from more than one provider.

Unfortunately, routers that can handle BGP routing and throughput requirements for corporate networks are often a cost-prohibitive barrier to entry.  The solution is to look into FOSS alternatives for providing edge routing for the corporate network.

Projects like XORP and companies like Vyatta will play an increasingly important role in IPv6 deployment as IT administrators suddenly realize that they need something other than a NAT appliance to provide connectivity for their corporations.

Until it becomes as easy to set up and manage an IPv6 router as it is to set up and manage a NAT appliance, many corporate networks will stay away from IPv6.

The largest challenge will be breaking the misconception that NAT provides security, and that using public IP addressing will expose networks.  In fact, NAT by itself provides limited security at the cost of breaking the Internet's end-to-end model, which in turn has spawned a plethora of supporting technologies to make NAT work, such as UPnP, that don't scale.

The illusion of total security that NAT provides is often more dangerous to the interests of corporate networks than not using it at all.  At least when you know your network is open you take measures to harden your hosts.

For the most part, host-based firewalls have become very good and should be preferred.  For an additional layer of security you can use access lists on your IPv6 router to restrict the traffic that is permitted on your network.  Most importantly, the Stateful Packet Inspection (SPI) firewall, which is what actually gives NAT appliances their security, does not depend on private IP addressing or on NAT.

Using Linux ip6tables (as well as most IPv6-enabled firewalls) you can provide the same connection tracking that NAT appliances provide today, allowing only established incoming connections by default.
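The following is an added example, not from the original post, of what that looks like on a Linux edge router: an ip6tables ruleset in ip6tables-restore format that gives the inside network the "reply traffic only" default of a NAT appliance, plus the router-level access-list filtering mentioned above, with no address translation anywhere. The interface names (eth0 uplink, eth1 inside), the 2001:db8:1::/48 prefix (from the documentation range) and the single inside web server 2001:db8:1::443 are assumed values for illustration.

```shell
#!/bin/sh
# Added example: stateful IPv6 filtering on a Linux router without NAT.
# Interface names, prefix and server address below are assumptions for
# illustration; adjust them to the site before applying.

WAN_IF="${WAN_IF:-eth0}"                      # assumed uplink interface
LAN_IF="${LAN_IF:-eth1}"                      # assumed inside interface
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1::/48}"   # assumed inside prefix (documentation range)
WEB_SERVER="${WEB_SERVER:-2001:db8:1::443}"   # assumed inside host that may take inbound TCP/443

# Emit the ruleset on stdout in the format ip6tables-restore reads.
build_ip6_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing comes first: a packet arriving on the uplink must never
# claim an inside source address, even if it would match a tracked flow.
-A INPUT -i ${WAN_IF} -s ${LAN_PREFIX} -j DROP
-A FORWARD -i ${WAN_IF} -s ${LAN_PREFIX} -j DROP
# Drop packets the tracker cannot classify (bad TCP state, truncated headers).
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Connection tracking: this single rule is what a NAT appliance really gives
# you. Replies to flows the inside started are accepted; nothing else is.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is not optional: Neighbor Discovery and Path MTU Discovery ride on
# it, so a ruleset that drops it breaks the link and every large transfer.
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
# Access list: inside hosts may initiate anything outbound, but only from
# the inside prefix, so a misconfigured host cannot source foreign addresses.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_PREFIX} -j ACCEPT
# Explicit inbound exception, the IPv6 equivalent of a NAT "port forward":
# one host, one port, new connections only.
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${WEB_SERVER} -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

case "${1:-}" in
  --apply) build_ip6_ruleset | ip6tables-restore ;;   # needs root; loads atomically
  *)       build_ip6_ruleset ;;                       # default: print for review
esac
```

Run it with no arguments to review the generated rules, and with `--apply` on the router to load them atomically through ip6tables-restore. The ordering matters: the anti-spoofing drops sit above the ESTABLISHED,RELATED accept because conntrack matches on the address tuple, not the ingress interface, and the ICMPv6 accept is what most first attempts at an IPv6 firewall forget, with the symptom that neighbours become unreachable and large transfers stall on the missing Packet Too Big messages.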

The cost of building an enterprise-grade Linux-based IPv6 router and firewall is significantly lower than the big iron sold by companies like Cisco and Juniper, often by an order of magnitude, and with today's consumer hardware these Linux-based systems can out-perform certain commercial offerings in throughput and packets per second.

Corporations seeking to gain IPv6 connectivity should strongly consider FOSS solutions if commercial offerings are cost-prohibitive.