Roman Jokl: Security must go hand in hand with ease of use even for IPv6
Roman heads the Kerio Control team and we talked about his experiences running the team and making Kerio Control IPv6 compatible.
You've led the Kerio Control team for more than a year. What do you spend your time on?
I'm researching features in our backlog. That's how I spent most of my time. The second part of my job is the day-to-day management of the Kerio Control UTM team. And third, if I have time, I still code.
What do you enjoy the most about coding?
I enjoy challenges where you have an interesting problem and you are asked to solve it within strict technical or time constraints. For example, I worked on IPv6 support in our proxy server. Under ordinary circumstances, you'd go through in-depth research and planning phases. But if you approach it as a hackathon-like situation, with some luck you'll have a working prototype within a couple of days and that intense focus and effort can help you uncover things you wouldn't normally discover as easily or as quickly.
I really enjoyed working on the Linux driver in Kerio Control. It's a highly technical, challenging job, where you get to see in plain view how other programmers coded different parts of the Linux core. It's exciting to see the thought process behind parts of the Linux core. I had a similar experience with Qt libraries, also a beautifully architected and well thought-out design.
Kerio Control is IPv6 compatible. How difficult was it to add IPv6?
In terms of security, there's really not a huge, principal difference between an IPv4 and IPv6 firewall. Users don't and shouldn't see much of a difference. It's critical for us, in fact it's one of our design principles, that complexity never trump ease of use even in something as high-tech as Kerio Control.
The addition of IPv6 does, however, have a huge impact on the engineering side, the changes under the hood are massive. We had to go through our existing source code line by line and then modify or add new code to accommodate a well-functioning dual IPv4/IPv6 mode. The majority of the code is universal but we are making it such that it anticipates both situations.
Are customers ready for IPv6?
I'm still somewhat surprised by the hesitation of some administrators to adopt IPv6. The writing on the wall is clear, the Internet will be fully IPv6 compatible in the not so distant future. And it is our responsibility as well as the responsibility of other networking vendors to be ready when the customer says "it's time for me to switch to IPv6".