On Tuesday, 10 April 2007 20:48, james woodyatt wrote:
> > I would rather define a sane way to do "hole punching" for
> > connection-oriented protocols. We know how to establish a UDP (or
> > UDP-Lite) flow between two IPv6 hosts both behind a stateful
> > firewall... but somehow I am having a hard time buying the
> > TCP "simultaneous open" idea.
>
> I must say I'm surprised that a consensus has arisen around the need
> for stateful packet filtering at residential IPv6 gateways without
> there also being an effort underway to standardize the method for
> IPv6 nodes to solicit pinholes in them.

I am not so sure there is a "consensus" around the use of stateful firewalls for SOHO CPEs. As I understand v6ops-nap, it says: "if you want security equivalent to that of a NAT, you can use a stateful firewall, and hence you should not be afraid of IPv6". It does not say "you shall use a stateful firewall in any case". But of course, some people are going to do that, and "This wifi access point protects your computer" stickers look good on the shelves - even if users then disable the firewall because it breaks their favorite P2P app.

In fact, in the residential^Wunmanaged cases, one may well do with a host firewall, which is much easier and more efficient at mapping ports to applications than any middlebox. As far as I can tell, UPnP, NAT-PMP and the "DMZ" concept found in some cheap NATs are more about working around the private addressing problems than about security. In that sense, there is no need for them in the IPv6 world.

I am still concerned that these stateful firewalls will be present in other types of access networks, and while UDP is quite easy to pass through with hole punching, TCP, SCTP and DCCP are almost impossible. That seems to be shrinking the added value of IPv6, which is not something we (at least, I) want.

> I'm sure I must have missed
> the discussions where the decision to defer this took place, but I'm
> sure someone knows where I can review the email archives.

Someone? Me too...

> <http://www.tools.ietf.org/html/draft-cheshire-nat-pmp>
>
> This draft is now expired, and we are currently discussing whether
> and how to expand it for describing support for soliciting pinholes
> in IPv6 stateful packet filters at the default gateway.

That's getting off-topic, but IMHO it should be using official IP protocol numbers rather than assuming TCP or UDP. I can count at least five IETF transport protocols to this day, all using the same port numbering/muxing mechanism. While I gave up hope of seeing them go through the existing IPv4/NAT world (and I understand you can't break backward compatibility), I am still optimistic about IPv6.

Otherwise, it's appreciable that it seems to work (not assuming external port = internal port like UPnP) and is not bloated (contrary to UPnP).

Regards,

-- 
Rémi Denis-Courmont
http://www.remlab.net/
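The two mechanisms argued about in the message above, UDP hole punching through stateful filters and a pinhole solicitation keyed on the IP protocol number rather than on "TCP or UDP", as an added example that is not part of the original e-mail or of the NAT-PMP draft. It is a toy model of a default-deny stateful IPv6 filter, not a real firewall; the addresses, ports, the `solicit_pinhole` control message and the `StatefulFilter` class are all constructed for illustration. The protocol numbers are the IANA assignments for the five IETF transports the message counts (TCP 6, UDP 17, DCCP 33, SCTP 132, UDP-Lite 136).

```python
"""Toy model of a stateful IPv6 packet filter (constructed example).

Shows (1) why UDP hole punching through two stateful filters works and
(2) an explicit pinhole request that carries an IP protocol number, so the
filter can admit SCTP/DCCP/UDP-Lite without special-casing TCP or UDP.
The message format, class and addresses are assumptions, not a standard.
"""
from dataclasses import dataclass

# IANA IP protocol numbers for the transports named in the thread.
PROTO = {"TCP": 6, "UDP": 17, "DCCP": 33, "SCTP": 132, "UDPLITE": 136}


@dataclass(frozen=True)
class Packet:
    proto: int   # IP protocol number, not a transport name
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Default-deny inbound; admits replies to outbound flows and explicit pinholes."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.flows = set()     # 5-tuples seen leaving the inside network
        self.pinholes = set()  # (proto, inside_addr, inside_port)

    def is_inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def outbound(self, pkt: Packet) -> bool:
        """Inside -> outside: always forwarded; the flow is remembered for replies."""
        if not self.is_inside(pkt.src):
            return False
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Outside -> inside: forwarded only if it reverses a known flow or hits a pinhole."""
        if not self.is_inside(pkt.dst):
            return False
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return True
        return (pkt.proto, pkt.dst, pkt.dport) in self.pinholes

    def solicit_pinhole(self, proto: int, inside_addr: str, port: int) -> bool:
        """Hypothetical pinhole request from an inside host: any protocol number,
        any port; the filter never needs to know what the transport is."""
        if not (0 <= proto <= 255) or not (0 <= port <= 65535):
            return False
        if not self.is_inside(inside_addr):
            return False
        self.pinholes.add((proto, inside_addr, port))
        return True


def udp_hole_punch() -> dict:
    """Hosts A and B, each behind its own filter, learn each other's address/port
    out of band (e.g. via a rendezvous server) and both send first."""
    fa, fb = StatefulFilter("2001:db8:a::"), StatefulFilter("2001:db8:b::")
    a, b = "2001:db8:a::10", "2001:db8:b::10"
    a_to_b = Packet(PROTO["UDP"], a, 40000, b, 40001)
    b_to_a = Packet(PROTO["UDP"], b, 40001, a, 40000)
    fa.outbound(a_to_b)
    first_a_to_b = fb.inbound(a_to_b)   # dropped: B's filter has no state yet
    fb.outbound(b_to_a)
    b_reaches_a = fa.inbound(b_to_a)    # allowed: A's filter saw A's outbound flow
    a_reaches_b = fb.inbound(a_to_b)    # allowed now: B's filter saw B's outbound flow
    return {"first_a_to_b": first_a_to_b,
            "b_reaches_a": b_reaches_a,
            "a_reaches_b": a_reaches_b}


def sctp_pinhole() -> dict:
    """An inbound SCTP INIT is dropped until the host solicits a pinhole for
    protocol 132 on its port; an out-of-range protocol number is refused."""
    fw = StatefulFilter("2001:db8:a::")
    host = "2001:db8:a::10"
    init = Packet(PROTO["SCTP"], "2001:db8:ffff::1", 5000, host, 5000)
    before = fw.inbound(init)
    opened = fw.solicit_pinhole(PROTO["SCTP"], host, 5000)
    after = fw.inbound(init)
    bad_proto = fw.solicit_pinhole(256, host, 5000)
    return {"before": before, "opened": opened, "after": after,
            "bad_proto_rejected": not bad_proto}


if __name__ == "__main__":
    print(udp_hole_punch())
    print(sctp_pinhole())
```

The punching sequence shows what the message relies on for UDP: each side's own outbound datagram is what creates the state its filter later matches. The pinhole path shows the other point being made: with a protocol number in the request, the filter treats SCTP exactly like UDP, whereas a request format that can only say "TCP" or "UDP" has no way to express it.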