LCA: IP address exhaustion and the end of the open net
Posted Jan 26, 2011 14:43 UTC (Wed) by foom (subscriber, #14868)
Then they asked IETF what they should've done instead. IETF said "duh you need a stateful firewall"; Apple said "but wait? you mean we still need all that crappy NAT-code, just without translating the network address? And didn't you decline to standardize on what exactly such a thing needs?". Argument ensues over how mean Apple is for daring to say that stateful firewalls have the same impacts on end-to-end connectivity as NAT...or something like that.
In order to build an in-network firewall, you need to have an application-level understanding for a bunch of different protocols (FTP, IRC, SIP, H323, PPTP, RTSP, at least). And you need a protocol for endpoints to ask the firewall to pretty please actually allow it to allow incoming connections on some port (so that bittorrent and similar protocols requiring incoming connections work).
Both of these have existed for IPv4 for a long time, but IETF had declined to standardize them. And neither NAT-PMP nor UPnP (at that time -- I don't know if they do now) supported IPv6 addresses.
And at least NAT-PMP *intentionally* only supported IPv4, because at the time they figured it was just a bad hack before residential gateways could let endpoints handle their own traffic again with IPv6, and restore the End-to-End principle like in the good old days.
I dunno what the current status is...I think there's still no such protocol support.
Some more history:
The Apple guy in question has since taken it upon himself to write down in RFC form what such a home router should be expected to do...apparently said RFC was just approved two days ago, after over 3 years of discussions. And I'll note also that it's somehow turned from a "BCP" into "Informational", too.
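As an added illustration (not part of foom's comment or of any project's code) of the "ask the gateway to allow incoming connections on some port" protocol described above, here is the NAT-PMP (RFC 6886) request and response layout, encoded and decoded with struct. The sample responses are constructed; note that the external-address reply carries exactly four bytes of address, which is the wire-level reason the protocol cannot speak IPv6.

```python
"""NAT-PMP (RFC 6886) message encoding/decoding, added as an illustration."""
import struct

NATPMP_VERSION = 0
OP_EXTERNAL_ADDRESS, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_mapping_request(proto, internal_port, external_port=0, lifetime=7200):
    """Client -> gateway: 'forward external_port to me on internal_port'.
    Layout: version(1) opcode(1) reserved(2) internal(2) external(2) lifetime(4).
    external_port=0 lets the gateway pick; lifetime is in seconds."""
    opcode = OP_MAP_UDP if proto == "udp" else OP_MAP_TCP
    return struct.pack("!BBHHHI", NATPMP_VERSION, opcode, 0,
                       internal_port, external_port, lifetime)


def parse_response(data):
    """Gateway -> client. Opcode is the request opcode + 128; result 0 = success.
    Every response starts: version(1) opcode(1) result(2) seconds-since-start(4)."""
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != NATPMP_VERSION or not opcode & 0x80:
        raise ValueError("not a NAT-PMP response")
    resp = {"op": opcode & 0x7F, "result": RESULT_CODES.get(result, "unknown"),
            "seconds_since_start": epoch}
    if resp["op"] == OP_EXTERNAL_ADDRESS:
        # Exactly four address bytes follow: there is no room for an IPv6 address.
        resp["external_ip"] = ".".join(str(b) for b in data[8:12])
    else:
        # Mapping reply: internal(2) external(2) granted lifetime(4). The gateway
        # may return a different external port or shorter lifetime than requested.
        internal, external, lifetime = struct.unpack("!HHI", data[8:16])
        resp.update(internal_port=internal, external_port=external, lifetime=lifetime)
    return resp


# Constructed samples (not captured traffic): a gateway granting TCP 6881 -> 6881
# for two hours, and an external-address reply carrying 203.0.113.7 (documentation range).
SAMPLE_MAP_RESPONSE = struct.pack("!BBHIHHI", 0, 128 + OP_MAP_TCP, 0, 3600, 6881, 6881, 7200)
SAMPLE_ADDR_RESPONSE = struct.pack("!BBHI", 0, 128 + OP_EXTERNAL_ADDRESS, 0, 3600) + bytes([203, 0, 113, 7])

if __name__ == "__main__":
    print(build_mapping_request("tcp", 6881).hex())
    print(parse_response(SAMPLE_MAP_RESPONSE))
    print(parse_response(SAMPLE_ADDR_RESPONSE))
```

A gateway that honours these requests is handing port-opening policy to any process on the LAN, which is exactly the trade-off the thread argues about; logging each granted mapping is the minimum a defender should expect from such a device.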
Posted Jan 26, 2011 16:14 UTC (Wed) by spaetz (subscriber, #32870)
Ironically this resolves to an ipv6 address here which does not respond to a ping (other ipv6 sites work just fine). So loading that page took 5 minutes until it fell back to ipv4. :-)
Posted Jan 26, 2011 17:55 UTC (Wed) by the2masters (subscriber, #27656)
Posted Jan 26, 2011 18:38 UTC (Wed) by foom (subscriber, #14868)
Applications on home endpoints still can't directly accept incoming connections (wasn't that like the whole point of IPv6?), and unlike with IPv4 there was (is?) no widely-accepted/implemented protocol to allow random endpoints to request such access.
IPv6 for the home, if we're to have a stateful firewall between all users and the internet, seems basically useless -- it doesn't enable applications like video chat or p2p filesharing to work any easier or more reliably than on IPv4...
Posted Jan 26, 2011 23:37 UTC (Wed) by drag (subscriber, #31333)
If you have more than one person using the same protocol it can make all the difference in the world.
Posted Jan 28, 2011 11:27 UTC (Fri) by i3839 (guest, #31386)
The way for an application to open an incoming port is, well, to open a socket on that port and listen to it. That's it. It magically works with no stupidity going on.
People have forgotten this because NAT madness and overzealous firewalls have entrenched themselves deeply enough.
You only need a firewall if you, as a user, want to restrict who and what may access what or who else. If applications can change that policy then you can as well have no firewall at all.
Firewalls are overrated. In this case Apple did the right thing and should have ignored all the whiners.
Copyright © 2013, Eklektix, Inc.