SRX Services Gateway
Reply
Visitor
nbarsotti
Posts: 5
Registered: ‎11-01-2010

Re: SRX and IPv6

I was just told by a jtac engineer that in junos 10.4 they have removed support for 6in4 tunnels to services like Hurricane Electric.  They don't plan on adding it back until 11.4.  My tunnel work on 10.3R2 and broke when I moved to 10.4R2.  That is why I opened the case.

I thought juniper was supposed to be a IPv6 leader. hmmmm.

Super Contributor
tbehrens
Posts: 349
Registered: ‎04-30-2010
0

Re: SRX and IPv6

6in4 tunnels are not likely to be used for enterprise connectivity,

 

How about this for a limitation: I have a client who uses SRX5800 and is getting ready to turn on IPv6 for their web server segment (and that segment only). The SRX cannot offer IDP on the IPv6 traffic. So now it's time to bake off other vendors to see what their IDP/IPS devices can offer for IPv6.

 

Juniper Employee
Juniper Employee
mxk
Posts: 13
Registered: ‎02-06-2008

Re: SRX and IPv6

Hi. 

 

The 6in4 support in branch SRX was originally inherited from core Junos and was supported in packet-mode. We discovered that there was a possibility that it could be used to circumvent the security policies on the device (no I won't disclose any more details) so we had to address that.

 

We are flow-enabling all existing IPv6 features along with adding new ones, but it takes time. 


--mxk
Juniper Employee
Juniper Employee
mxk
Posts: 13
Registered: ‎02-06-2008
0

Re: SRX and IPv6

A more accurate characterization would be "does not yet offer IDP for IPv6 traffic". Talk to your sales rep, it may be available sooner than you think...


--mxk
Super Contributor
tbehrens
Posts: 349
Registered: ‎04-30-2010
0

Re: SRX and IPv6

Interesting, thank you. I'm mulling this over with our channel SEs right now.

 

We found this document: 

http://www.juniper.net/techpubs/software/junos-security/junos-security10.4/junos-srx-jseries-support...

 

which shows IPv6 IDP to be supported today on SRX100/210/240, and unsupported on every other platform at present.

 

Contributor
techniq
Posts: 40
Registered: ‎01-14-2009
0

Re: SRX and IPv6

Without revealing the *dirty* details, I was wondering if the security bypass for 6IN4 tunnels was attributed to whether the ip-0/0/0 and underlying IPv4 interface were in the same zone?  I'm currently running mine in separate zones (on 10.3R1.9) and therefore just curious if this configruation is also susceptible to the same security bypass?

Super Contributor
motd
Posts: 221
Registered: ‎12-16-2008
0

Re: SRX and IPv6

I haven't had a close look at the tunnel setup yet, but wouldn't it be possible to get a working setup by terminating the tunnel in a packet-vr and then sending it to a second vr for flow based processing? There is an appnote describing how to do this for MPLS traffic, but tunneled v6 is probably similar. Just a thought

New User
notubes
Posts: 1
Registered: ‎05-25-2011
0

Re: SRX and IPv6

Anybody knows when ISIS will support IPv6 on the SRX?

Regular Visitor
Feren
Posts: 8
Registered: ‎02-28-2008
0

Re: SRX and IPv6

nbarsotti,

 

Thanks for posting this.  It explains why my SixxS tunnel stoped working when JTAC advised me to move off 11.x (due to it causing spontaneous reboots on my SRX210) , moving back to 10.4R4.

 

So now I get to play the game of "which is more important to me, stability or IPv6?"   :smileymad:

Trusted Contributor
michael.saw
Posts: 1,048
Registered: ‎09-26-2011
0

Re: SRX and IPv6

[ Edited ]

Does SRX650 requires license for IPv6?

No needed, right?

Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.