Le mercredi 11 avril 2007 09:14, Gert Doering a écrit : (...) > For IPv4/NAT you actually need to notify the "firewall thing" of > desired connections (because it needs to know *which* host on RFC > space to forward the packets to), but in the model above, the "IPv6 > firewall thing" would actually > > - refuse packets that would be dropped at the host anyway > - forward everything that the host would handle, with no idea about > the legitimacy of the application (read: it would let through > connections to trojan backdoors etc. as well, as the OS can't know > that their listen() request ist "bad") > > > So what am I missing here...? That's also what I understand. > [..] > > > No such facility is available for IPv6, and that strikes me as very > > weird. For a long time, I had assumed that the reason it wasn't > > there was that we were all expecting that residential IPv6 gateways > > wouldn't need to break the end-to-end transparency of the network > > by blocking flows that didn't match application state, and > > therefore we wouldn't be seeing stateful packet filters at default > > gateways. Alas, I now realize that was a mistake. So, why don't we > > have anything like UPnP IGD and NAT-PMP for IPv6? They're > > necessary for IPv4/NAT and we need them in IPv6 for the same > > reasons. It seems like we ought to standardize them. > > *If* you have a stateful IPv6 filter in the default gateway, and want > to have it work without manual configuration for incoming > connections, then indeed, you need something like "PMP IPv6". > > OTOH I'm not sure what the benefit of an IPv6 filter in this scenario > is, if it is auto-deactivated for all interesting traffic anyway... I somehow agree: Personnal firewalls are better suited, all the more since software vendors cannot assume that there is an edge firewall, so they can't make their product security rely on this. However: - in some scenarios, you want to drop unsolicited traffic early (e.g. if the last mile is some bnadwidth-challenged radio technology), - some programs that are only supposed to serve the LAN won't open pinhole (yeah, I just said that was lame in the previous paragraph), - many people seem to think that a disaster will happen if the NATs side effect security vanishes, and they won't switch to IPv6 if there is no "stateful firewall" (regardless of the fact that most malware is now transmitted through upper layers that won't care about stateful firewalls). > (Yes, I know. People will yell at you if you don't have "IPv6 > firewall!!" on the product's data sheet. But some half-informed > people will yell at you anyway... :( ) Hmm, some product managers in NetworkBoxCorp will read that IPv6 CPEs need a "stateful firewall" because IETF said so. So they'll put it to the requirements list, and voilà, it has to be there in every IPv6 CPEs. And then, IPv6 is completely useless, since it has the exact same connectivity problems as IPv4+NAT: outbound TCP works; UDP works through hole punching if you know the peer address/port. Inbound TCP does not work (so COMEDIA SIP does not), unsolicited UDP does not work. So IPv6 becomes pretty useless, while it remains very costly an upgrade. -- Rémi Denis-Courmont http://www.remlab.net/
Attachment:
pgpN9S3zdCDT0.pgp
Description: PGP signature