SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.


Fix UTM Licensing To Expire IPv6 Temporary Addresses Faster

Fix UTM licensing to "age out" faster the many IPv6 "temporary addresses" that are created by most devices (running Windows, Mac OS X, iOS, Android, Linux). As an example, I have 12 devices connected to my network, but because I run in an IPv4/IPv6 environment, UTM is currently counting 113 IP addresses and sending me daily warnings that I have exceeded my license count and no new devices can be added to the network.

In the forum post linked below I have gone into greater detail, but the issue essentially is that in 2014 almost every IPv6-capable device is generating a new RFC 4941 "temporary address" **each day**. Given that UTM seems to track IP addresses for 7 days, the licensing system rapidly fills up with temporary addresses that are no longer being used.

I think the fix may be to change the licensing system to deal with IPv6 addresses differently from IPv4. For IPv6 you may want to expire the IPv6 addresses after 24 hours because odds are probably 99% that you won't see those addresses again.

To be more precise, a "permanent" IPv6 address that is built using the MAC address of the device will have "ff:fe" in the middle of the last 4 blocks of the IPv6 address. If the licensing system saw that in an IPv6 address, it could count it as it would for an IPv4 address and could probably assume it could expire in 7 days as an IPv4 address would. However, any IPv6 addresses lacking "ff:fe" between the 6th and 7th address block (or less depending upon IPv6 address compression) could be treated as "temporary addresses" and aged out after 24 hours.

More information and an example can be found here:

https://www.astaro.org/gateway-products/general-discussion/52608-50-user-limit-ipv6-privacy-addresses.html#post270833

57 votes
    Dan York shared this idea
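    The stable-versus-temporary classification described in the idea above, worked through as an added Python example (not Sophos code and not part of the original post). It assumes the retention windows the post names (7 days as today's behaviour, 24 hours for RFC 4941 temporary addresses), uses the "ff:fe" test on the packed address so "::" compression does not matter, and runs over constructed sightings of one dual-stack host.

```python
"""Added example: age out EUI-64 and temporary IPv6 addresses differently.

Not Sophos code. The 7-day and 24-hour windows are the values discussed
in the idea above; the sample sightings below are constructed.
"""
import ipaddress
from datetime import datetime, timedelta

STABLE_TTL = timedelta(days=7)      # what the post says UTM keeps today
TEMPORARY_TTL = timedelta(hours=24)  # proposed window for temporary addresses


def is_eui64(addr: ipaddress.IPv6Address) -> bool:
    """True if the interface identifier looks MAC-derived (modified EUI-64).

    A 48-bit MAC is split in the middle and 0xFFFE inserted, so address
    bytes 11 and 12 are 0xFF 0xFE: the "ff:fe" straddling the 6th and 7th
    hextets. Testing the packed bytes sidesteps "::" compression entirely.
    """
    packed = addr.packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def mac_from_eui64(address: str) -> str:
    """Recover the MAC an EUI-64 address was built from (for a MAC-keyed count)."""
    b = bytearray(ipaddress.IPv6Address(address).packed[8:])
    b[0] ^= 0x02                      # undo the universal/local bit flip
    mac = bytes(b[0:3]) + bytes(b[5:8])
    return ":".join(f"{x:02x}" for x in mac)


def classify(address: str) -> str:
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        return "ipv4"
    return "ipv6-stable" if is_eui64(addr) else "ipv6-temporary"


def retention(address: str) -> timedelta:
    """Proposed policy: short window for temporary addresses, 7 days otherwise."""
    return TEMPORARY_TTL if classify(address) == "ipv6-temporary" else STABLE_TTL


def flat_retention(_address: str) -> timedelta:
    """Behaviour described in the post: every address is kept for 7 days."""
    return STABLE_TTL


def count_licensed(sightings, now: datetime, policy=retention) -> int:
    """Count distinct addresses whose last sighting is inside their window.

    sightings: iterable of (seen_at: datetime, address: str).
    """
    last_seen = {}
    for seen_at, address in sightings:
        if address not in last_seen or seen_at > last_seen[address]:
            last_seen[address] = seen_at
    return sum(1 for address, seen_at in last_seen.items()
               if now - seen_at <= policy(address))


# Constructed sample: one dual-stack host over a week. It keeps its IPv4
# and EUI-64 addresses but generates a fresh temporary address every day.
NOW = datetime(2014, 6, 8, 12, 0)
SAMPLE = [
    (NOW - timedelta(hours=1), "192.0.2.10"),
    (NOW - timedelta(hours=1), "2001:db8::1234:56ff:fe78:9abc"),
]
for day in range(7):
    SAMPLE.append((NOW - timedelta(days=day, hours=2),
                   f"2001:db8::a{day}:{day}b:c{day}d:e{day}f"))

if __name__ == "__main__":
    print("7-day window for everything:", count_licensed(SAMPLE, NOW, flat_retention))
    print("24h window for temporary addresses:", count_licensed(SAMPLE, NOW))
```

With the flat 7-day window the single host occupies 9 licence slots; under the proposed policy it occupies 3 (IPv4, EUI-64, and only the temporary address still in use). One caveat for anyone implementing the heuristic: hosts that build stable addresses without EUI-64 (RFC 7217 stable-privacy identifiers, which OSes were starting to adopt around the time of this post) fail the "ff:fe" test and fall into the short window, which errs on the side of fewer counted addresses rather than more.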

    13 comments

      • Bill Jones commented

        Unfortunately, XG Firewall (Copernicus) does not support DHCP-PD so I cannot use native IPv6 on it, so I'm stuck in a catch-22 scenario

      • Andy Neillans commented

        I tried contacting Sophos Sales to get a price to up the limit on mine - hoping it would be a modest cost. But never received a response.

      • Ronnie Cooper commented

        I have a family size of 6 at home and am bumping up against the 50 IP limit. I think many would pay for a license increase at home. I'm trying to reach Sophos for an extended license maybe to 100 - not sure if many others have tried that route.

      • Andrew Kay commented

        It used to be 10 IPs. And as this is an enterprise-level product being offered to home users for *free* (try getting a free ASA from Cisco), I for one am happy I even get 50 IPs.

      • Willo commented

        Agree. I have actually looked at buying the UTM, I believe in giving back, but the jump from Free to paid is ridiculous

      • GaNL commented

        I agree: ipv6 changes the world somehow, also on this topic.

      • Jesse Stanford commented

        I agree.

        An alternative, simple resolution could be to have separate limits, i.e. 50 IPv4 and 100 IPv6, or something like that. C'mon Sophos, this is an easy one :)

      • Support LL commented

        I think it's not fair that IPv4 and IPv6 are counted double for a single device; with the temporary feature there are three counts for one device.
        If the UTM recognizes the same MAC address, there should be only a single license count.

      • Anonymous commented

        One option would be to allow for an adjustable timeout limit, so you could throttle it down to whatever you would like. (or allow a range of options to elect)

      • Thomas Zimmermann commented

        I second that! In a dual-stack environment of 9 devices I got over the 50 IP limit of the home license in less than two days... :-)

      • Dan York commented

        I will note that this issue is still present in the very latest version of UTM 9.205-12 to which I upgraded today. (Not that I expected it to be fixed but more that I noticed that in my feature request I did not include a version number while reporting the issue.)
