I was just told by a jtac engineer that in junos 10.4 they have removed support for 6in4 tunnels to services like Hurricane Electric. They don't plan on adding it back until 11.4. My tunnel work on 10.3R2 and broke when I moved to 10.4R2. That is why I opened the case.
I thought juniper was supposed to be a IPv6 leader. hmmmm.
6in4 tunnels are not likely to be used for enterprise connectivity,
How about this for a limitation: I have a client who uses SRX5800 and is getting ready to turn on IPv6 for their web server segment (and that segment only). The SRX cannot offer IDP on the IPv6 traffic. So now it's time to bake off other vendors to see what their IDP/IPS devices can offer for IPv6.
The 6in4 support in branch SRX was originally inherited from core Junos and was supported in packet-mode. We discovered that there was a possibility that it could be used to circumvent the security policies on the device (no I won't disclose any more details) so we had to address that.
We are flow-enabling all existing IPv6 features along with adding new ones, but it takes time.
A more accurate characterization would be "does not yet offer IDP for IPv6 traffic". Talk to your sales rep, it may be available sooner than you think...
Without revealing the *dirty* details, I was wondering if the security bypass for 6IN4 tunnels was attributed to whether the ip-0/0/0 and underlying IPv4 interface were in the same zone? I'm currently running mine in separate zones (on 10.3R1.9) and therefore just curious if this configruation is also susceptible to the same security bypass?
I haven't had a close look at the tunnel setup yet, but wouldn't it be possible to get a working setup by terminating the tunnel in a packet-vr and then sending it to a second vr for flow based processing? There is an appnote describing how to do this for MPLS traffic, but tunneled v6 is probably similar. Just a thought
Thanks for posting this. It explains why my SixxS tunnel stoped working when JTAC advised me to move off 11.x (due to it causing spontaneous reboots on my SRX210) , moving back to 10.4R4.
So now I get to play the game of "which is more important to me, stability or IPv6?"
