nanog mailing list archives

Artificial Juniper SRX limitations preventing IPv6 deployment (and sales)


From: Andrew Kirch via NANOG <nanog () lists nanog org>
Date: Sat, 1 Nov 2025 23:33:33 -0400

To those from Juniper,

You are actively harming your own sales, and IPv6 deployment.

On the SRX3xx line, Junos artificially limits update-router-advertisement
to three downstream interfaces. In practice, that means the box will only
automatically inject delegated IPv6 prefixes into RAs on three VLANs.

This is not a hardware limit. This is not a throughput limit. This is not
“the ASIC can’t handle it.” This is an arbitrary cap in software.

Here is the operational problem:

I have an SRX-340 acquired through Juniper, fully legitimate. It’s being
used in my home. I have five VLANs:
• management
• desktops
• servers
• iot
• guest

On IPv4, this is trivial. Each VLAN is routable, each segment is isolated,
everyone’s happy.

On IPv6, because of this three-interface limit, I can only have automatic
prefix delegation and router advertisements on three of those VLANs. After
that, Junos just refuses the config. There is no documented way to extend
it. There is no warning in the product literature that “this feature stops
working at 3.” There is no published technical justification, in fact, I
can't find anything published about this limit at all.

The result is that I cannot deploy IPv6 cleanly across my entire network
using Juniper’s intended/automated method. My choices are:
• break my segmentation model to fit an undocumented limit, or
• start doing manual RA gymnastics and scripting around Junos just to reach
VLAN #4 and VLAN #5.

Neither of those is what we should be calling “enterprise-ready IPv6.”
It's not even "home-ready IPv6". It's embarrassing.

One of the small branches where I installed an SRX-345 has over 40 VLANs.
We heavily segmented to protect the network from east-west movement, for
compliance, and to prevent the spread of ransomware. This is exactly the
kind of paper-cut that keeps corporate networks from rolling out IPv6
everywhere. It’s not that IPv6 is “hard.” It’s that Juniper quietly ships
artificial restrictions and then makes the fix “buy a bigger box that you
otherwise don't need.” I for one am not buying it.

If this is a licensing/commercial segmentation decision (“branch” products
get three VLANs of working IPv6 and if you need more you’re supposed to
move up-market and spend tens of thousands more), then please say that, on
the record, so operators can plan accordingly (buy from another vendor) and
so architects can see what they’re actually buying.

If it’s not intentional product gating, then please remove the limit, and
provide that to everyone who has bought an SRX-3xx. There is no technical
reason an SRX-3xx should only be able to advertise delegated IPv6 prefixes
on three VLANs. There are both hardware and software solutions that work as
UTM firewalls for branch offices that don't have automatic limits. I am not
beholden to Juniper, and I can/will buy other solutions if I have to.

That is not helping IPv6 adoption. I opened a jcare ticket on it years ago,
and got crickets, so now we're going to see if sunlight is the best
disinfectant. I'm not your biggest customer but I've purchased well over
$700,000 worth of Juniper gear and jcare. I'm asking that Juniper publicly
commit to fixing this, because I assure you I can buy something else.

Regards,
Andrew Kirch
AS401854
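For readers unfamiliar with the mechanism the post is describing, the following Junos configuration sketch is an added illustration, not text from the message above or from Juniper documentation. It shows the "intended/automated method": a DHCPv6 client with an IA_PD request on the upstream interface, with `update-router-advertisement` naming the downstream IRB interfaces that should receive a /64 carved from the delegated prefix and advertise it in RAs. Interface names, unit numbers, zone names and the example prefix `2001:db8::/48` are constructed for illustration; the statement syntax is reproduced from memory and should be checked against the Junos release in use. The post states that Junos refuses a fourth `update-router-advertisement interface` on the SRX3xx, so the fifth VLAN here is shown configured the "manual" way the author mentions, with a statically addressed prefix that must be re-entered if the delegated prefix ever changes.

```junos
## Upstream: request a delegated prefix (IA_PD) from the ISP via DHCPv6.
## ge-0/0/0 and the zone names are constructed examples.
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type statefull
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-pd
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client req-option dns-server

## Automated path: each listed downstream interface gets a /64 from the
## delegated prefix and advertises it in its RAs. The post reports that
## the SRX3xx accepts at most three of these lines (constructed example,
## three VLANs shown: management, desktops, servers).
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface irb.10
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface irb.20
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface irb.30

## Downstream VLAN interfaces (IPv6 enabled; addresses filled in by the client).
set interfaces irb unit 10 family inet6
set interfaces irb unit 20 family inet6
set interfaces irb unit 30 family inet6

## RA daemon on the automated VLANs. other-stateful-configuration sets the
## O flag so hosts also ask DHCPv6 for DNS options.
set protocols router-advertisement interface irb.10 other-stateful-configuration
set protocols router-advertisement interface irb.20 other-stateful-configuration
set protocols router-advertisement interface irb.30 other-stateful-configuration

## "Manual RA gymnastics" for a VLAN beyond the third (iot, irb.40):
## the /64 below is a constructed placeholder that the operator must
## derive from the currently delegated prefix by hand and update if the
## delegation changes. Nothing here is tied to the DHCPv6 client.
set interfaces irb unit 40 family inet6 address 2001:db8:0:40::1/64
set protocols router-advertisement interface irb.40 prefix 2001:db8:0:40::/64
set protocols router-advertisement interface irb.40 other-stateful-configuration

## Allow the DHCPv6 exchange on the untrust zone's host-inbound traffic
## (zone and interface names are constructed).
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcpv6
```

The security-relevant point of the contrast is operational rather than cryptographic: the statically configured VLAN silently keeps advertising a stale prefix if the ISP re-delegates, so hosts on that segment lose reachability or, worse, keep a prefix that is no longer routed to this site, while the three automated VLANs track the delegation on their own. Monitoring `show dhcpv6 client binding` against the prefixes actually present in `show ipv6 router-advertisement` is one way to catch the drift on the manually configured segments.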
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/Z2ZX77BK4KT72XH3W6NDM42PUZXZ6ECU/
