
Re: IPv6-PMP?



Hi,

On Tue, Apr 10, 2007 at 07:32:12PM -0700, james woodyatt wrote:
> The problem I'm highlighting here is that manually configuring  
> firewall rules is way, way beyond the skills of the vast majority of  
> our customers.  To remedy that with IPv4/NAT, we integrated NAT-PMP  
> into the operating system so that when you start the AFP server (for  
> example; it works just as well for SMTP, HTTP, IMAP, foo, bar and  
> baz) on your computer (in Mac OS X 10.4, you also have to have the  
> Bonjour preference pane installed and configured properly, though  
> this may not be required in future operating systems), you  
> automatically get the IPv4/NAT port-mapping rule installed in your  
> router for you.  No complicated configuration necessary.  It just  
> works automatically, and there it is: a mostly reasonable facsimile  
> of end-to-end goodness restored to the Internet.

While I read your words, and understand the situation, I actually fail
to understand the IPv6 situation.

Adapting the description above to IPv6 would mean something like this:

 - as soon as a program calls listen() to setup a socket for incoming
   IPv6 connections, the OS would notify the "firewall thing" that these
   packets should be let in
 - everything that has no process listening for it (or is not a response
   packet to an outgoing connection) is dropped by the "firewall thing"

Now - if you just shut down the IPv6 filter on the firewall, what you
get is:

 - as soon as a program calls listen() to setup a socket for incoming
   IPv6 connections, the OS would start accepting these packets, instead
   of sending "TCP RST" or "UDP port unreachable"
 - everything that has no process listening for it (or is not a response
   packet to an outgoing connection) is dropped by the host's TCP/IP stack


For IPv4/NAT you actually need to notify the "firewall thing" of desired
connections (because it needs to know *which* host on RFC space to forward
the packets to), but in the model above, the "IPv6 firewall thing" would
actually 

 - refuse packets that would be dropped at the host anyway
 - forward everything that the host would handle, with no idea about
   the legitimacy of the application (read: it would let through connections
   to trojan backdoors etc. as well, as the OS can't know that their
   listen() request is "bad")


So what am I missing here...?

[..]
> No such facility is available for IPv6, and that strikes me as very  
> weird.  For a long time, I had assumed that the reason it wasn't  
> there was that we were all expecting that residential IPv6 gateways  
> wouldn't need to break the end-to-end transparency of the network by  
> blocking flows that didn't match application state, and therefore we  
> wouldn't be seeing stateful packet filters at default gateways.   
> Alas, I now realize that was a mistake.  So, why don't we have  
> anything like UPnP IGD and NAT-PMP for IPv6?  They're necessary for  
> IPv4/NAT and we need them in IPv6 for the same reasons.  It seems  
> like we ought to standardize them.

*If* you have a stateful IPv6 filter in the default gateway, and want
to have it work without manual configuration for incoming connections,
then indeed, you need something like "PMP IPv6".

OTOH I'm not sure what the benefit of an IPv6 filter in this scenario is,
if it is auto-deactivated for all interesting traffic anyway...

(Yes, I know.  People will yell at you if you don't have "IPv6 firewall!!"
on the product's data sheet.  But some half-informed people will yell at 
you anyway... :( )

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
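The argument above can be checked by simulating the two models side by side. The following is an added example, not code from the original mail or from any product discussed in it: a toy stateful IPv6 filter that opens a pinhole whenever a host's OS reports a listen() (the hypothetical "PMP IPv6"), compared against the host's own stack deciding for itself. The host, filter, addresses and traffic are all constructed for the example; the point it shows is that under this model the filter's verdict never differs from the host's, including for a backdoor that simply calls listen() like any other service.

```python
"""Simulation of the two models in the reply above (added example, not from
the original mail). A stateful filter in the gateway that opens pinholes on
listen() notifications versus no filter at all, with the host's TCP/IP stack
deciding. Addresses, ports and packets below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """The gateway's 'firewall thing': forwards a packet only if it is the
    reverse direction of a flow it saw leave, or a host asked for a pinhole."""

    def __init__(self) -> None:
        self.pinholes: Set[Tuple[str, str, int]] = set()            # (host, proto, port)
        self.flows: Set[Tuple[str, str, int, str, int]] = set()     # outgoing 5-tuples

    def open_pinhole(self, host: str, proto: str, port: int) -> None:
        """What a hypothetical 'PMP for IPv6' would do on the host's behalf."""
        self.pinholes.add((host, proto, port))

    def saw_outgoing(self, pkt: Packet) -> None:
        """Remember a flow that left through the gateway."""
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def passes(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.proto, pkt.dport) in self.pinholes:
            return True
        # reply packet: swap the two endpoints and look for the outgoing flow
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


class Host:
    """A host's TCP/IP stack: listening sockets plus connections it opened."""

    def __init__(self, addr: str, fw: Optional[StatefulFilter] = None) -> None:
        self.addr = addr
        self.fw = fw
        self.listening: Set[Tuple[str, int]] = set()
        self.connections: Set[Tuple[str, int, str, int]] = set()   # (proto, sport, peer, pport)

    def listen(self, proto: str, port: int) -> None:
        self.listening.add((proto, port))
        if self.fw:                      # the OS notifies the gateway, as NAT-PMP does
            self.fw.open_pinhole(self.addr, proto, port)

    def connect(self, proto: str, sport: int, peer: str, pport: int) -> None:
        self.connections.add((proto, sport, peer, pport))
        if self.fw:                      # the gateway sees the first outgoing packet
            self.fw.saw_outgoing(Packet(proto, self.addr, sport, peer, pport))

    def accepts(self, pkt: Packet) -> bool:
        """True if the stack delivers the packet; otherwise it would answer
        with TCP RST or ICMPv6 port unreachable."""
        if pkt.dst != self.addr:
            return False
        if (pkt.proto, pkt.dport) in self.listening:
            return True
        return (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.connections


def compare_models() -> List[Tuple[str, bool, bool]]:
    """Run the same inbound traffic through both models and return
    (label, filter_verdict, host_verdict) for each packet."""
    fw = StatefulFilter()
    host = Host("2001:db8::10", fw)
    host.listen("tcp", 548)                            # AFP server started by the user
    host.listen("tcp", 31337)                          # trojan backdoor: same listen(), same pinhole
    host.connect("tcp", 51000, "2001:db8:1::80", 80)   # outgoing HTTP request

    inbound = [
        ("AFP from the Internet",            Packet("tcp", "2001:db8:2::1", 40000, host.addr, 548)),
        ("backdoor from the Internet",       Packet("tcp", "2001:db8:2::1", 40001, host.addr, 31337)),
        ("SSH, nothing listening",           Packet("tcp", "2001:db8:2::1", 40002, host.addr, 22)),
        ("HTTP reply to our request",        Packet("tcp", "2001:db8:1::80", 80, host.addr, 51000)),
        ("HTTP 'reply' we never asked for",  Packet("tcp", "2001:db8:1::80", 80, host.addr, 51001)),
    ]
    return [(label, fw.passes(p), host.accepts(p)) for label, p in inbound]


def filter_adds_nothing(results: Optional[List[Tuple[str, bool, bool]]] = None) -> bool:
    """True when the filter's verdict equals the host stack's for every packet,
    i.e. the pinhole model only refuses what the host would refuse anyway."""
    results = compare_models() if results is None else results
    return all(fw_ok == host_ok for _, fw_ok, host_ok in results)


if __name__ == "__main__":
    for label, fw_ok, host_ok in compare_models():
        verdict_fw = "pass" if fw_ok else "drop"
        verdict_host = "accept" if host_ok else "reject"
        print(f"{label:34} filter={verdict_fw:4} host={verdict_host}")
    print("filter verdicts identical to host verdicts:", filter_adds_nothing())
```

The simulation deliberately models only what the mail describes: a filter whose pinholes are driven by listen() and whose state is driven by outgoing flows. Whether a gateway filter adds value for other reasons (for instance shielding a host's stack from packets before it parses them) is outside the model and not something this example can show.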