At the Mini CPX here in Cologne the guys from Spirent presented some performance testing along with Check Point. Really interesting stuff and cool technology!During the presentation I wondered how much impact we would see on Check Point firewalls when instead of IPv4 packets IPv6 packets are processed.
Apparently, when it comes to the payload, there’s no change. If it is HTTP over IPv4 or HTTP over IPv6 – doesn’t matter.But the processing of the IPv6 addresses take a little bit longer and there is a noticeable performance drop of about 10%. Quite neglectable in my opinion.
The other part is connection table, where you actually have to store the 128 bit long IPv6 IP address. In comparison to a 32 bit long IPv4 address this will consume 4 times more memory. From what I’ve learned so far we don’t actually see this number, but a decrease of about 40% in maximum connections.
The relevance for real live installations is quite low. First we have increased connection capacity due to 64-bit GAIA operating system. Second the amount of IPv6 traffic in normal installation will not come near to any numbers that we see with IPv4 at the moment. And if it does, you should do a PoC along with Check Point and maybe Spirent first to make sure you’re choosing the right solution for your multi-gigabit IPv6 troughput.