[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The argument for writing a general purpose NAT for IPv6

To: james woodyatt <jhw@apple.com>
Subject: Re: The argument for writing a general purpose NAT for IPv6
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Thu, 19 Apr 2007 16:39:51 +0200
Cc: IETF V6OPS WG <v6ops@ops.ietf.org>
In-reply-to: <1F310BCB-2EE0-441B-BB2F-67DF3EA6ABF4@apple.com>
References: <E1H56s6-0007us-HB@stiedprstage1.ietf.org> <200704111052.05934@auguste.remlab.net> <F26D69F6-8BEE-4D3D-A5B4-C730E9975DA1@apple.com> <200704112214.30985@auguste.remlab.net> <F65A3EA3-3E07-4C63-A4FF-C94832D556FC@apple.com> <70C6EFCDFC8AAD418EF7063CD132D06404352E36@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com> <200704130208.l3D28UWs017668@cichlid.raleigh.ibm.com> <F7359BE1-601E-4047-AC44-8653872303E2@apple.com> <20070415095925.28786098.ipng@69706e6720323030352d30312d31340a.nosense.org> <406C954E-B2D4-4EE0-904F-12C65902EA13@apple.com> <20070417061641.6df36300.ipng@69706e6720323030352d30312d31340a.nosense.org> <D9E32C70-B89D-4417-8340-38C79657F6A9@apple.com> <46248630.8020804@zurich.ibm.com> <courier.46248EB6.00006E0C@softhome.net> <1F310BCB-2EE0-441B-BB2F-67DF3EA6ABF4@apple.com>

On 17-apr-2007, at 21:33, james woodyatt wrote:

No. I'm just trying to get active mode FTP clients and Quicktime/RealPlayer streaming clients, which use RTCP/RTP transports, tocommunicate properly from the local network with servers on theIPv6 WAN the way they do today with servers on the IPv4 WAN. Maybenext month, I'll try to get more esoteric applications to work.

The end-to-end connectivity of IPv6 IS ALREADY BROKEN-- by theinsistence that stateful packet filters block inbound flowinitiations in factory default configurations of residential IPv6gateways. This is *exactly* how the end-to-end connectivity ofIPv4 got broken. We are all now merrily marching off to do itagain to IPv6, and I'M NOT IN A POSITION TO STOP IT.


I feel slightly responsible here after writing this:

http://arstechnica.com/journals/apple.ars/2007/2/14/7063

The problem is that people are now getting IPv6 connectivity withoutrealizing it, and having everything open over v6 despite filteringefforts (yes, NAT isn't a firewall, but these people don't reallyknow what either of these words mean anyway) is can only end badly.

However, let me propose a different direction for solving this:rather than waiting until a port number is selected, put into acontrol stream, then intercept that control stream, recover the portnumber and open up the firewall, why not simply set aside a range ofport numbers for these types of purposes and let those through thefirewall?

With IPv4 this wouldn't work because there has to be a mappingbetween an private and a public address, but with IPv6 that's notnecessary.

I can see how someone may be uncomfortable with this because it meansit's still possible for packets to come in from the outside to hostson the inside, but as long as no services are present on the ports inquestion, that's not really an issue, except for possible IP layerexploits, but I'm pretty sure that's a thing of the '90s.


Iljitsch van Beijnum

Follow-Ups:
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>

References:
- I-D ACTION:draft-ietf-v6ops-nap-06.txt
  - From: Internet-Drafts@ietf.org
- Re: IPv6-PMP?
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- RE: IPv6-PMP?
  - From: Christian Huitema <huitema@windows.microsoft.com>
- Re: IPv6-PMP?
  - From: Thomas Narten <narten@us.ibm.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: EricLKlein@softhome.net
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>

Prev by Date: Re: The argument for writing a general purpose NAT for IPv6
Next by Date: Re: how V6OPS arrived at the present consensus about firewalls
Previous by thread: Re: The argument for writing a general purpose NAT for IPv6
Next by thread: Re: The argument for writing a general purpose NAT for IPv6
Index(es):
- Date
- Thread