3 min read
While IPv6 has been in development for more than two decades, the availability of residential IPv6 has been inconsistent. Traditional CPE devices running IPv4 with NAT add IPv6 capabilities and IPv6 to IPv4 transition mechanisms, often before native IPv6 connections are available in deployment. CDRouter is IPv6 capable and provides vendors, ISPs, and test labs with a set of functional test cases to verify the IPv6 readiness of CPE devices.
While developing CDRouter IPv6, we benchmarked several off-the-shelf IPv6 CPE devices. Right away, the results were surprising.
Surprisingly, traditional CPE products advertised as firewall devices often do not have a firewall enabled for IPv6. Even worse, some devices do not have an option to enable a firewall for IPv6.
In cases where the IPv6 firewall does exist, the level of functionality available to IPv4 connections is not always available to IPv6 connections. This is true of advanced applications that normally need an IPv4 ALG to operate through NAT. In IPv6, the firewall must still open incoming ports for applications such as active mode FTP. CDRouter’s IPv6 application module can reveal which application protocols may not work as expected through the IPv6 firewall.
6to4 is the most common way of connecting IPv6 devices across the IPv4 Internet. Some devices are not correctly installing default routes for IPv6 in order to work with 6to4 tunnels and prevent CPE devices from reaching the native IPv6 Internet.
CDRouter IPv6 provides both IPv6 and IPv4 testing at the same time. For transition technologies like 6to4, this provides a mechanism to verify the robustness of the IPv6 implementation when the IPv4 network is dynamic. Some devices have a static implementation that is unable to change when the IPv4 network changes. These devices require a reboot to handle network changes.
The roll out of IPv6 is also placing more demands on IPv4 services such as DNS. The size of DNS name records is growing beyond the original UDP 512 byte limitation of DNS and now requires the use of the EDNS0 option and IPv4 fragmentation. However, some IPv4 based CPEs have issues supporting IPv4 fragmenting responses from DNS servers. Along with IPv6 test cases, CDRouter contains additional DNS tests to verify support of the EDNS0 and larger fragmented IPv4 DNS responses.
Some CPE devices are given up potential bandwidth by limiting the MTU size to IPv6’s minimum MTU size of 1280 bytes. CDRouter Path MTU discovery testing can determine the CPE’s IPv6 MTU and verify forwarding of various packet sizes.
Some devices that do not officially support IPv6 actually have an IPv6 implementation that is enabled. These devices send out IPv6 Router Advertisements and support 6to4 tunneling automatically. Worse, they don’t have an IPv6 firewall enabled and provide no means of disabling IPv6. Unknowingly, users may expose themselves to IPv6 based attacks since inbound traffic is not blocked.