While IPv6 has been in development for more than two decades, the availability of residential IPv6 has been inconsistent. Traditional CPE devices running IPv4 with NAT are adding IPv6 capabilities and IPv6-to-IPv4 transition mechanisms, often before native IPv6 connections are available in deployment. CDRouter is IPv6 capable and provides vendors and operators with a set of functional test cases to verify the IPv6 Readiness (i.e., through RFC 7084 testing) of CPE devices.
While developing CDRouter IPv6, we benchmarked several off-the-shelf IPv6 CPE devices. The results were surprising right away.
Traditional CPE products advertised as firewall devices often do not have a firewall enabled for IPv6. Even worse, some devices do not have an option to enable a firewall for IPv6.
In cases where the IPv6 firewall does exist, the level of functionality available to IPv4 connections is not always available to IPv6 connections. This is true of advanced applications that normally need an IPv4 ALG to operate through NAT. In IPv6, the firewall must still open incoming ports for applications such as active mode FTP. CDRouter’s IPv6 application module can reveal which application protocols may not work as expected through the IPv6 firewall.
CDRouter IPv6 provides simultaneous IPv6 and IPv4 testing. For IPv6 transition technologies, this provides a mechanism to verify the robustness of the IPv6 implementation when the IPv4 network is dynamic. Some devices have a static implementation that cannot change when the IPv4 network changes. These devices require a reboot to handle network changes.
The rollout of IPv6 is also placing more demands on IPv4 services such as DNS. The size of DNS name records is growing beyond the original 512-byte limit for DNS over UDP and now requires the use of the EDNS0 option and IPv4 fragmentation. However, some IPv4-based CPEs have issues supporting fragmented IPv4 responses from DNS servers. Along with IPv6 test cases, CDRouter contains additional DNS tests to verify support for EDNS0 and larger, fragmented IPv4 DNS responses.
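The EDNS0 behaviour described above can be checked at the DNS message level; the following is an added example (not from the original post and not CDRouter code) that builds a query carrying an OPT record and classifies a reply by its TC bit, OPT presence and size. The function names, the name `example.test` and the sample replies are assumptions constructed for illustration.

```python
import struct
# Added example: function names and sample data are constructed, not from a real device.
OPT = 41  # EDNS0 pseudo-RR type (RFC 6891)

def encode_name(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=16, udp_size=4096, qid=0x1234):
    """DNS query with an OPT record advertising udp_size as the UDP payload limit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)  # root name, CLASS = payload size
    return header + question + opt

def skip_name(buf, off):
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def classify_response(wire):
    """Return a verdict on how a resolver or CPE DNS proxy handled an EDNS0 query."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4  # skip QNAME, then QTYPE and QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        off = skip_name(wire, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        has_opt |= rtype == OPT
        off += 10 + rdlen
    if flags & 0x0200:
        return "truncated"       # TC bit: answer did not fit, client must retry over TCP
    if not has_opt:
        return "edns-stripped"   # no OPT in the reply: EDNS0 not supported on this path
    return "large-ok" if len(wire) > 512 else "small-ok"

def sample_response(query, txt_count, tc=False, keep_opt=True):
    """Constructed reply: echoes the question, adds txt_count 200-byte TXT answers."""
    question = query[12:-11]  # the OPT record built above is always the last 11 bytes
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, 201) + b"\xc8" + b"x" * 200
    flags = 0x8180 | (0x0200 if tc else 0)
    header = query[:2] + struct.pack("!HHHHH", flags, 1, txt_count, 0, 1 if keep_opt else 0)
    return header + question + answer * txt_count + (query[-11:] if keep_opt else b"")
```

IPv4 fragmentation happens below the DNS layer, so a reply that never arrives at all (rather than one classified here) is the symptom to look for when a CPE drops fragments.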
Some CPE devices are giving up potential bandwidth by limiting the MTU size to IPv6’s minimum MTU size of 1280 bytes. CDRouter Path MTU discovery testing can determine the CPE’s IPv6 MTU and verify the forwarding of various packet sizes.
Some devices that do not officially support IPv6 actually have an enabled IPv6 implementation. These devices send out IPv6 Router Advertisements and support tunneling automatically. Worse, they don’t have an IPv6 firewall enabled and provide no means of disabling IPv6. Unknowingly, users may expose themselves to IPv6-based attacks since inbound traffic is not blocked.