On Tuesday, 10 April 2007 03:39, james woodyatt wrote:
> One concern I've been asked to think about is that the product
> doesn't offer any mechanism for nodes on the leaf network to request
> the opening of a pinhole in the stateful packet filter. This
> function is performed in the IPv4 case by NAT-PMP (which Apple has
> tried to advance within IETF without much success), but there is no
> equivalent function for IPv6. This was a deliberate decision on our
> part, but now we're left reconsidering it.
>
> I know the world's experts on IPv6 operations are regular
> participants here, so I'm hoping the group will provide me with the
> clue that I'm trying desperately to catch.

With regards to stateful and inbound IPv6 firewalling, the v6ops NAP document says:

   To implement simple security for IPv6 in, for example, a DSL or Cable
   Modem connected home network, the broadband gateway/router should be
   equipped with stateful firewall capabilities. These should provide a
   default configuration where incoming traffic is limited to return
   traffic resulting from outgoing packets (sometimes known as reflective
   session state). There should also be an easy interface which allows
   users to create inbound 'pinholes' for specific purposes such as
   online-gaming.

   Administrators and the designers of configuration interfaces for
   simple IPv6 firewalls need to provide a means of documenting the
   security caveats that arise from a given set of configuration rules so
   that users (who are normally oblivious to such things) can be made
   aware of the risks. As rules are improved iteratively, the goal will
   be to make use of the IPv6 Internet more secure without increasing the
   perceived complexity for users who just want to accomplish a task.

So... there seems to be a need for a mechanism to open pinholes (I do not expect the average user to be able to do that).

The hot debate around ICE & ANAT on MMUSIC at last IETF also hinted at IPv6 stateful firewalls, very much like IPv4 (though of course there should be no address/port translation).

> As far as I know, there is no current or pending IETF standard for
> nodes to use in requesting open pinholes through the stateful packet
> filter in a residential IPv6 gateway.

Neither have I seen any such work.

> In light of the IETF consensus
> noted earlier in this thread, doesn't that seem like a serious
> oversight? Isn't this function something that rightfully belongs in
> ICMP6? If not, do we really think extending NAT-PMP and UPnP IGD to
> support IPv6 network boundary filters is a good idea?

I would rather define a sane way to do "hole punching" for connection-oriented protocols. We know how to establish a UDP (or UDP-Lite) flow between two IPv6 hosts both behind a stateful firewall... but somehow I am having a hard time buying the TCP "simultaneous open" idea.

I definitely agree we need something. I don't know PMP too well, but isn't it limited to one hop?

-- 
Rémi Denis-Courmont
http://www.remlab.net/
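As an added example (not part of the message above, nor of any IETF document or product), here is a small Python model of the default policy the NAP text describes: inbound traffic is admitted only as return traffic for recorded outbound sessions or through an explicitly opened pinhole, and addresses are never rewritten. It also plays out the UDP hole punching the reply refers to, where two hosts behind separate stateful filters each send one outbound datagram to the other. The addresses and ports are constructed from the 2001:db8::/32 documentation prefix.

```python
from typing import Dict, Set, Tuple

# Flow key: (proto, src, sport, dst, dport). Unlike an IPv4 NAT, the filter
# never translates addresses or ports, so the key is the packet's own 5-tuple.
Flow = Tuple[str, str, int, str, int]


class SimpleIPv6Filter:
    """Stateful filter with reflective session state plus inbound pinholes."""

    def __init__(self) -> None:
        self.sessions: Set[Flow] = set()                   # outbound flows seen so far
        self.pinholes: Set[Tuple[str, str, int]] = set()   # (proto, inside address, port)

    def open_pinhole(self, proto: str, inside_addr: str, port: int) -> None:
        self.pinholes.add((proto, inside_addr, port))

    def close_pinhole(self, proto: str, inside_addr: str, port: int) -> None:
        self.pinholes.discard((proto, inside_addr, port))

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        """Inside -> outside is always forwarded and recorded as session state."""
        self.sessions.add((proto, src, sport, dst, dport))
        return True

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        """Outside -> inside is forwarded only as the mirror image of a recorded
        outbound flow (return traffic) or when a pinhole covers the destination."""
        if (proto, dst, dport, src, sport) in self.sessions:
            return True
        return (proto, dst, dport) in self.pinholes


def udp_hole_punch(fw_a: SimpleIPv6Filter, a: str, port_a: int,
                   fw_b: SimpleIPv6Filter, b: str, port_b: int) -> Dict[str, bool]:
    """Hosts a and b sit behind fw_a and fw_b respectively and each send one UDP
    datagram to the other. The datagram that arrives before the peer has sent
    is dropped; once both filters hold state, traffic passes both ways."""
    fw_a.outbound("udp", a, port_a, b, port_b)                   # state on fw_a
    first = fw_b.inbound("udp", a, port_a, b, port_b)            # fw_b has no state yet
    fw_b.outbound("udp", b, port_b, a, port_a)                   # state on fw_b
    retry = fw_b.inbound("udp", a, port_a, b, port_b)            # a's retransmission
    b_to_a = fw_a.inbound("udp", b, port_b, a, port_a)           # b's datagram at fw_a
    return {"first_dropped": not first, "a_to_b": retry, "b_to_a": b_to_a}


if __name__ == "__main__":
    fw = SimpleIPv6Filter()
    fw.outbound("tcp", "2001:db8:1::10", 50000, "2001:db8:2::1", 443)
    print(fw.inbound("tcp", "2001:db8:2::1", 443, "2001:db8:1::10", 50000))   # True
    print(fw.inbound("tcp", "2001:db8:9::9", 40000, "2001:db8:1::10", 80))    # False
```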