
Re: IPv6-PMP?



On Apr 10, 2007, at 02:45, Rémi Denis-Courmont wrote:

So... there seems to be a need for a mechanism to open pinholes (I do
not expect the average user to be able to do that).

I feel confident saying that my employer will not expect its customers to manage firewall configuration manually. They currently enjoy the automatic operation of NAT-PMP with IPv4/NAT and I have every reason to expect that an IPv6 version of PMP is what will end up happening unless there is a standard protocol to use instead.

I would rather define a sane way to do "hole punching" for
connection-oriented protocols. We know how to establish a UDP (or
UDP-Lite) flow between two IPv6 hosts both behind a stateful
firewall... but somehow I am having a hard time buying the
TCP "simultaneous open" idea.

I must say I'm surprised that a consensus has arisen around the need for stateful packet filtering at residential IPv6 gateways without there also being an effort underway to standardize the method for IPv6 nodes to solicit pinholes in them. I'm sure I must have missed the discussions where the decision to defer this took place, but I'm sure someone knows where I can review the email archives. Someone?

I definitely agree we need something. I don't know PMP too well, but
isn't it limited to one hop?

Yes, it's limited to one hop, but it's the best we have, so that's what we do. You can review the protocol specification here:

	<http://www.tools.ietf.org/html/draft-cheshire-nat-pmp>

This draft is now expired, and we are currently discussing whether and how to expand it for describing support for soliciting pinholes in IPv6 stateful packet filters at the default gateway.


--
j h woodyatt <jhw@apple.com>