
LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 13:37 UTC (Wed) by foom (subscriber, #14868)
In reply to: LCA: IP address exhaustion and the end of the open net by kleptog
Parent article: LCA: IP address exhaustion and the end of the open net

> I'm disappointed the ISPs are so reluctant to do anything to help, and surprised that consumer equipment hasn't just worked around the problem using automatic 6to4 tunnelling.

...Remember when Apple did *just that* by default with the Airport wireless router and got flamed to a crisp for it?


LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 13:48 UTC (Wed) by kleptog (subscriber, #1183)

From what I can find they got flamed because they provided no firewall in the default config. But were there problems besides that?

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 14:43 UTC (Wed) by foom (subscriber, #14868)

Yes, they allowed incoming TCP (and every other kind of) connections in IPv6 -- restoring End-to-End connectivity, just what everyone wanted, right? Oops.

Then they asked IETF what they should've done instead. IETF said "duh you need a stateful firewall"; Apple said "but wait? you mean we still need all that crappy NAT-code, just without translating the network address? And didn't you decline to standardize on what exactly such a thing needs?". Argument ensues over how mean Apple is for daring to say that stateful firewalls have the same impacts on end-to-end connectivity as NAT...or something like that.

In order to build an in-network firewall, you need to have an application-level understanding for a bunch of different protocols (FTP, IRC, SIP, H323, PPTP, RTSP, at least). And you need a protocol for endpoints to ask the firewall to pretty please actually allow it to allow incoming connections on some port (so that bittorrent and similar protocols requiring incoming connections work).

Both of these have existed for IPv4 for a long time, but IETF had declined to standardize them. And neither NAT-PMP nor uPNP (at that time -- I don't know if they do now) supported IPv6 addresses.

And at least NAT-PMP *intentionally* only supported IPv4, because at the time they figured it was just a bad hack before residential gateways could let endpoints handle their own traffic again with IPv6, and restore the End-to-End principle like in the good old days.

I dunno what the current status is...I think there's still no such protocol support.

Some more history:
http://blog.karppinen.fi/2007/04/turning-a-feature-into-a...

The Apple guy in question has since taken it upon himself to write down in RFC form what such a home router should be expected to do...apparently said RFC was just approved two days ago, after over 3 years of discussions. And I'll note also that it's somehow turned from a "BCP" into "Informational", too.
http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-se...
http://www.rfc-editor.org/rfc/rfc6092.txt
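As an added illustration of the endpoint-to-gateway request protocol the comment above refers to (example code written for this page, not from the commenter, Apple, or any project), here is an encoder and parser for the NAT-PMP wire format of RFC 6886: a host on the LAN sends a short UDP message to its gateway on port 5351 asking for an inbound port to be mapped, and the gateway answers with a result code and the mapping it actually granted. The sample gateway replies are constructed bytes; the addresses and ports in them are placeholders. The opcode-0 reply carries a fixed 32-bit external address field, which is the concrete reason the format cannot carry an IPv6 address.

```python
"""NAT-PMP (RFC 6886) message encoder/parser, added as an example.

Both sides of the exchange are shown: the client request a home endpoint
would send, and the reply a residential gateway would return. The reply
bytes below are constructed samples, not captured traffic.
"""
import struct

NATPMP_PORT = 5351            # gateway listens on this UDP port (RFC 6886)
OP_EXTERNAL_ADDRESS = 0       # "what is my public IPv4 address?"
OP_MAP_UDP = 1                # request a UDP port mapping
OP_MAP_TCP = 2                # request a TCP port mapping

RESULT_NAMES = {              # result codes defined by RFC 6886
    0: "success",
    1: "unsupported version",
    2: "not authorized/refused",   # gateway configured to refuse mappings
    3: "network failure",
    4: "out of resources",
    5: "unsupported opcode",
}


def build_external_address_request() -> bytes:
    """Version 0, opcode 0: a two-byte request for the external IPv4 address."""
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDRESS)


def build_map_request(opcode: int, internal_port: int,
                      suggested_external_port: int = 0,
                      lifetime_seconds: int = 7200) -> bytes:
    """Version, opcode, 2 reserved bytes, internal port, suggested external
    port, requested lifetime in seconds. A lifetime of 0 (with external port 0)
    asks the gateway to delete the mapping instead of creating one."""
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be 1 (UDP) or 2 (TCP)")
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port,
                       suggested_external_port, lifetime_seconds)


def parse_response(data: bytes) -> dict:
    """Decode a gateway reply. Responses carry the request opcode with the
    high bit (0x80) set; the fixed header is version, opcode, 16-bit result
    code and 32-bit seconds-since-epoch (gateway uptime counter)."""
    if len(data) < 8:
        raise ValueError("response too short for NAT-PMP header")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != 0:
        raise ValueError("unsupported NAT-PMP version %d" % version)
    if not opcode & 0x80:
        raise ValueError("not a response: high bit of opcode is clear")
    op = opcode & 0x7F
    out = {"opcode": op, "result": result,
           "result_name": RESULT_NAMES.get(result, "unknown"), "epoch": epoch}
    if op == OP_EXTERNAL_ADDRESS:
        # Exactly 4 address bytes follow: the format has no room for IPv6.
        if len(data) != 12:
            raise ValueError("external-address reply must be 12 bytes")
        out["external_ip"] = ".".join(str(b) for b in data[8:12])
    elif op in (OP_MAP_UDP, OP_MAP_TCP):
        if len(data) != 16:
            raise ValueError("mapping reply must be 16 bytes")
        internal, external, lifetime = struct.unpack("!HHI", data[8:16])
        # The gateway may grant a different external port than suggested;
        # the client must use the one in the reply, not the one it asked for.
        out.update(internal_port=internal, external_port=external,
                   lifetime=lifetime)
    else:
        raise ValueError("unknown response opcode %d" % op)
    return out


# Constructed sample replies (placeholders, not real gateway traffic):
# a granted TCP mapping 6881 -> 6881 for 7200 s, a refused one, and an
# external-address reply using a documentation-range IPv4 address.
SAMPLE_MAP_REPLY = struct.pack("!BBHIHHI", 0, 0x80 | OP_MAP_TCP, 0, 4660,
                               6881, 6881, 7200)
SAMPLE_REFUSED_REPLY = struct.pack("!BBHIHHI", 0, 0x80 | OP_MAP_TCP, 2, 4660,
                                   6881, 0, 0)
SAMPLE_ADDR_REPLY = struct.pack("!BBHI", 0, 0x80 | OP_EXTERNAL_ADDRESS, 0, 4660) \
    + bytes([203, 0, 113, 7])


if __name__ == "__main__":
    print(build_map_request(OP_MAP_TCP, 6881, 6881).hex())
    for reply in (SAMPLE_MAP_REPLY, SAMPLE_REFUSED_REPLY, SAMPLE_ADDR_REPLY):
        print(parse_response(reply))
```

On a real network the request would be sent with a UDP socket to the default gateway's address on port 5351 and retransmitted with backoff as RFC 6886 describes; the parser above is the part worth having offline, since a gateway that refuses mappings (result 2) or rewrites the external port is exactly the case an application must handle rather than assume.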

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 16:14 UTC (Wed) by spaetz (subscriber, #32870)

> http://www.rfc-editor.org/rfc/rfc6092.txt

Ironically this resolves to an ipv6 address here which does not respond to a ping (other ipv6 sites work just fine). So loading that page took 5 minutes until it fell back to ipv4. :-)

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 17:55 UTC (Wed) by the2masters (subscriber, #27656)

works here

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 18:38 UTC (Wed) by foom (subscriber, #14868)

Oh, and in case it wasn't clear: the lack of uPNP/NAT-PMP IPv6 makes using IPv6 through such a stateful filter a *WORSE* experience than using IPv4 through NAT currently is.

Applications on home endpoints still can't directly accept incoming connections (wasn't that like the whole point of IPv6?), and unlike with IPv4 there was (is?) no widely-accepted/implemented protocol to allow random endpoints to request such access.

IPv6 for the home, if we're to have a stateful firewall between all users and the internet, seems basically useless -- it doesn't enable applications like video chat or p2p filesharing to work any easier or more reliably than on IPv4...

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 23:37 UTC (Wed) by drag (subscriber, #31333)

> IPv6 for the home, if we're to have a stateful firewall between all users and the internet, seems basically useless -- it doesn't enable applications like video chat or p2p filesharing to work any easier or more reliably than on IPv4...

If you have more than one person using the same protocol it can make all the difference in the world.

LCA: IP address exhaustion and the end of the open net

Posted Jan 28, 2011 11:27 UTC (Fri) by i3839 (guest, #31386)

That is total rubbish.

The way for an application to open an incoming port is, well, to open a socket on that port and listen to it. That's it. It magically works with no stupidity going on.

People have forgotten this because NAT madness and overzealous firewalls have entrenched themselves deeply enough.

You only need a firewall if you, as a user, want to restrict who and what may access what or who else. If applications can change that policy then you can as well have no firewall at all.

Firewalls are overrated. In this case Apple did the right thing and should have ignored all the whiners.

Copyright © 2013, Eklektix, Inc.