
Re: IPv6-PMP?



On Tue, 10 Apr 2007 10:48:29 -0700
james woodyatt <jhw@apple.com> wrote:

> On Apr 10, 2007, at 02:45, Rémi Denis-Courmont wrote:
> >
> > So... there seems to be a need for a mechanism to open pinholes (I do
> > not expect the average user to be able to do that).
> 
> I feel confident saying that my employers will not expect its  
> customers to manage firewall configuration manually.  They currently  
> enjoy the automatic operation of NAT-PMP with IPv4/NAT and I have  
> every reason to expect that an IPv6 version of PMP is what will end  
> up happening unless there is a standard protocol to use instead.
> 
> > I would rather define a sane way to do "hole punching" for
> > connection-oriented protocol. We know how to establish a UDP (or
> > UDP-Lite) flow between two IPv6 hosts both behind a stateful
> > firewall... but somehow I am having a hard time buying the
> > TCP "simultaneous open" idea.
> 
> I must say I'm surprised that a consensus has arisen around the need  
> for stateful packet filtering at residential IPv6 gateways without  
> there also being an effort underway to standardize the method for  
> IPv6 nodes to solicit pinholes in them.  I'm sure I must have missed  
> the discussions where the decision to defer this took place, but I'm  
> someone knows where I can review the email archives.  Someone?
> 

Maybe I'm missing something, but couldn't the fatal problem be that one
piece of malware, delivered via an email attachment for example, that
the user is fooled into running, could open up a "pin-hole" that is large
enough to fly a jumbo jet through (and drive a bus through, and sail a
super-tanker through, all at the same time)?

Regards,
Mark.