
Schaller: The long journey towards good free video conferencing

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 14:28 UTC (Mon) by Uraeus (subscriber, #33755)
In reply to: Schaller: The long journey towards good free video conferencing by njwhite
Parent article: Schaller: The long journey towards good free video conferencing

The omission of SIP isn't really an omission, as I do link to Ekiga, which is a SIP client, as an introduction. Also the Empathy stack does support SIP calling too, but as I mention it is about being able to reach a large subset of your friends and family, and XMPP/GTalk seems to be a better bet currently for that than SIP, especially as Google seems to share our wish for the use of free codecs.



Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 14:37 UTC (Mon) by njwhite (subscriber, #51848)

I see, thanks for the clarification. So you're targeting the largest somewhat specified (e.g. non-Skype) video chat client. Is 'GTalk' popular, then? I haven't heard of anybody using it before.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 14:54 UTC (Mon) by ms (subscriber, #41272)

In my experience, gtalk is vastly nicer and easier to use than skype. I almost always seriously struggle to make skype work, especially if you have anything unusual in your audio chain (e.g. using jack). GTalk however has not just debs provided but an apt repo and really does seem to "just work". Presumably it's less secure than skype, but it does seem to "just work" much more than skype on linux. Also, at work, we've used Google+'s "hang outs" which are basically video conference calls over gtalk. They also seem to work pretty well - screen sharing etc. Echo cancellation is an issue though...

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 15:05 UTC (Mon) by peter_lemenkov (subscriber, #71124)

> I haven't heard of anybody using it before

It's based on XMPP, which means it has NAT-related issues which were fixed/"worked around" years ago in SIP (not to mention Skype). No wonder it gains popularity so slowly.

I really believe that IPv6 will stop this nat/websockets mess but it'll take another ~5-10 years of sticking with SIP or Skype.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 15:28 UTC (Mon) by Tester (subscriber, #40675)

Actually, the NAT work-arounds work in XMPP, because everyone is using ICE. While in SIP, well, you always go through a server, so it doesn't really work for anything other than simple voice.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 15:39 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

SIP uses separate connections for signaling and data. The signaling connection can be a straightforward client-to-server TCP/UDP connection.

Data connection is a completely different story, though.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 17:22 UTC (Mon) by Tester (subscriber, #40675)

Sure, SIP uses a separate connection for data and signalling. The signalling goes through the server and, in theory, the media (the data) can be direct P2P, but in practice, in every SIP deployment, the SIP server munges the SDP to tell both sides to send their media through the server, because SIP was never designed to take NATs into account. Sure, ICE was designed for that, and although it's universally deployed with XMPP (because Google Talk requires it), no one uses it with SIP.

And I should mention, the XMPP signalling is almost exactly the same as SIP, except better specified with less useless flexibility, meaning you get actual compatibility.
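
The two NAT-traversal strategies contrasted in the posts above, as an added example (not from the thread or any SIP/XMPP implementation): a media-relaying SIP server rewriting the SDP so that both sides send RTP to the server, versus ICE candidates (RFC 5245) left in the offer so that the endpoints can pick a direct path. The SDP offer is constructed for this example, and the addresses are documentation ranges (192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32), not real hosts.

```python
import re

# Constructed SDP offer (not from any real call): one audio stream plus ICE
# candidates of the three kinds an endpoint gathers: a host candidate (its own
# address), a server-reflexive one (public address learned via STUN) and a
# relay one (a TURN server).  The IP addresses are documentation ranges.
OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 111
a=rtpmap:111 opus/48000/2
a=candidate:1 1 udp 2130706431 192.0.2.10 49170 typ host
a=candidate:2 1 udp 1694498815 203.0.113.5 61000 typ srflx raddr 192.0.2.10 rport 49170
a=candidate:3 1 udp 16777215 198.51.100.20 50000 typ relay raddr 203.0.113.5 rport 61000
"""

CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<type>\S+)",
    re.MULTILINE)


def ice_candidates(sdp):
    """Return the ICE candidates in the offer, highest priority first.

    An ICE-capable peer tries these pairwise with its own candidates, so a
    direct host-to-host path is preferred and the relay is the last resort."""
    cands = [m.groupdict() for m in CANDIDATE_RE.finditer(sdp)]
    for c in cands:
        c["priority"] = int(c["priority"])
        c["port"] = int(c["port"])
    return sorted(cands, key=lambda c: c["priority"], reverse=True)


def media_endpoint(sdp):
    """Where a peer that ignores ICE sends its RTP: the c= address and the m= port."""
    conn = re.search(r"^c=IN IP[46] (\S+)$", sdp, re.MULTILINE).group(1)
    port = int(re.search(r"^m=audio (\d+) ", sdp, re.MULTILINE).group(1))
    return conn, port


def relay_through_server(sdp, relay_addr, relay_port):
    """Rewrite the offer the way a media-relaying SIP server does.

    The c= line and the m= port are replaced with the server's own relay
    address, and the ICE candidates are stripped so the two endpoints never
    learn each other's addresses and cannot negotiate a direct path.  The
    consequence the thread points at: every RTP packet now crosses the
    server, so the server sees, and must be trusted with, all media."""
    family = "IP6" if ":" in relay_addr else "IP4"
    out = re.sub(r"^c=IN IP[46] \S+$", f"c=IN {family} {relay_addr}", sdp,
                 flags=re.MULTILINE)
    out = re.sub(r"^(m=\w+) \d+ ", rf"\1 {relay_port} ", out, flags=re.MULTILINE)
    kept = [line for line in out.splitlines() if not line.startswith("a=candidate:")]
    return "\n".join(kept) + "\n"
```

Running `ice_candidates(OFFER)` yields host, then srflx, then relay, which is the order a peer will try them; after `relay_through_server(OFFER, "2001:db8::1", 30000)` the only endpoint left in the offer is the server's, which is the "everything goes through the server" outcome described above.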

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 15:32 UTC (Mon) by phedders (subscriber, #14685)

IPv6 will not stop us needing to deal with NAT. You really don't want all your computers, printers, tellies and fridges at home to be directly accessible on the internet. Phone companies still want a walled garden where you don't run servers on your phone/laptop. NAT is good for protecting you somewhat.

Solutions like uPNP and STUN work, and work well. Sometimes :)

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 15:54 UTC (Mon) by lutchann (subscriber, #8872)

This has been rehashed 1,000,000 times elsewhere on the Internet, but you're confusing NAT and stateful firewalls. NATs almost always contain a stateful firewall, leading people to believe that eliminating NAT will somehow reduce their network security. It will not, as long as stateful firewalls are in place, and nobody is proposing the elimination of stateful firewalls during the transition to IPv6.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 16:20 UTC (Mon) by nybble41 (subscriber, #55106)

Aside from not needing to remap ports and share a public IP address, a stateful firewall causes the exact same problems as NAT in regards to the end-to-end principle. Two systems which are both behind stateful firewalls can't connect to each other unless one of their administrators consents to open a port for incoming traffic, or they use a technique designed to deal with NAT, like UDP hole-punching (which highlights the limits of both NAT and stateful firewalls for ingress filtering).

If you allow applications to open their own ports (e.g. with uPnP), then you gain no real security advantage compared to simply allowing the traffic through. Blacklisting specific ports due to security issues is a workaround at best, a leaky patch for insecure protocols that can't do their own authentication. Static firewalls have their place providing layered defense for dedicated systems--for example, making sure that your web server can only receive incoming connections on port 80--but general-purpose workstations, and especially mobile devices, need to be self-contained, secure in the face of a direct connection to the Internet with no intervening firewall. The only reasonable place to implement that security is in the server software itself, backed up by OS-level local security primitives.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 16:34 UTC (Mon) by lutchann (subscriber, #8872)

> general-purpose workstations, and especially mobile devices, need to be self-contained, secure in the face of a direct connection to the Internet with no intervening firewall.

In principle, yes, but (a) the state of the art isn't really there yet, and until then we need "defense in depth"; (b) there's no money to be made from selling FEWER layers of security. The Android phone I bought yesterday came with a trial version of a virus scanner...what...?

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 6:13 UTC (Tue) by mastro (subscriber, #72665)

You bought your phone from the wrong people.

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 4:26 UTC (Wed) by lutchann (subscriber, #8872)

This is getting horribly off-topic, but I'll bite. I wanted a phone with a physical QWERTY keyboard, snappy web browser, IMAP client, GPS navigation, and connectivity via WiFi and T-Mobile USA's "4G" data network. That's it--no games, no "app store", no camera, no "mobile TV", no NFC...

What phone should I have bought, and from whom?

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 6:56 UTC (Wed) by mastro (subscriber, #72665)

If things like "no camera" and "no NFC" are hard requirements, your options are probably extremely limited. If that's the case, IMHO you should reconsider your priorities if you prefer to give your money to someone who installs "a trial version of a virus scanner" on an Android device rather than having NFC and a camera on it.

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 14:06 UTC (Wed) by lutchann (subscriber, #8872)

Oh, no, I meant those items are irrelevant to my decision. I'm perfectly happy to ignore features I don't need (provided they don't cause any harm).

So, given that, do you have any suggested phones for me to look at? I can still return this one...

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 17:45 UTC (Wed) by lutchann (subscriber, #8872)

The Relay 4G is the phone I just bought, which fits my needs. I was just curious what mastro would have recommended that apparently wouldn't have come loaded with T-Mobile/Samsung bloatware.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 17:10 UTC (Mon) by raven667 (subscriber, #5198)

You have to allow the traffic you want through in either case and can use similar technologies to do so, but the case where all the machines have real routable IPs is simpler and has fewer caveats than a system with NAT involved. Protocols like STUN or the need to have a third party proxy the traffic go away in a post-NAT world; you just have to deal with simple rules on the firewall/router or a protocol like uPnP to automatically put in appropriate rules, then Bob's your uncle.

In fact the need for a network firewall should be re-evaluated in many cases. Desktop operating systems and many devices already come with fully functional host-based firewalls; having another firewall on the router is redundant and unnecessary, as you allude to in your post.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 18:18 UTC (Mon) by jpnp (subscriber, #63341)

Desktop operating systems may well come with reasonable firewalling built in, but today my printer connects by default to the network; my TV connects to the network (and whenever it thinks it can get away with it uses the opportunity to "offer me the chance to purchase partner content"); my picture viewer connects to the network and I have little doubt that by the time I replace my fridge that will want a network connection. In addition my phone and the phones and tablets of those who visit me connect to my network.

The five desktop/laptop/server machines which I have on my network and where I have full control over the OS are a minority of the devices wanting IP addresses, even in my house. In these circumstances I think border firewalls on home routers are here to stay regardless of IPv6.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 18:49 UTC (Mon) by janfrode (subscriber, #244)

Your TV, fridge, printer, picture viewer, etc. will be hiding on one of your residential 2^(128-56) = 4722366482869645213696 IPv6 addresses, so they won't be that easy to find for an attacker.

> I think border firewalls on home routers are here to stay regardless of IPv6.

I hope not..

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:00 UTC (Mon) by drag (subscriber, #31333)

> Your TV, fridge, printer, picture viewer, etc. will be hiding on one of your residential 2^(128-56) = 4722366482869645213696 IPv6 addresses, so they won't be that easy to find for an attacker.

They will be announcing themselves over discovery protocols. Otherwise it makes it impossible to find them and thus defeats the purpose of having them connected in the first place.

> I hope not..

It won't.

This is why we have things like uPNP and why things like uPNP won't go away.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:59 UTC (Mon) by janfrode (subscriber, #244)

> They will be announcing themselves over discovery protocols. Otherwise it makes it impossible to find them and thus defeats the purpose of having them connected in the first place.

Yes, they will be announcing on the local network. Not to the outside world. But yes, maybe we need to keep critical infrastructure (fridge) on separate subnets that are firewalled off, and real computers on open subnets.

BTW, nice perspective quote from rfc4864:

"At full-rate full-duplex 40 Gbps (400 times the typical 100 Mbps LAN, and 13,000 times the typical DSL/cable access link), it takes over 5,000 years to scan the entirety of a single 64-bit subnet."

As far as I've heard, the current IPv6 providers are divided on this issue. Some give their customers a stateful firewall by default, others offer one but don't enable it by default. RFC6092 suggests that it's OK to have the CPE firewall default off/transparent.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 20:48 UTC (Mon) by raven667 (subscriber, #5198)

>> They will be announcing themselves over discovery protocols. Otherwise it makes it impossible to find them and thus defeats the purpose of having them connected in the first place.
>Yes, they will be announcing on the local network. Not to the outside world. But yes, maybe we need to keep critical infrastructure (fridge) on separate subnets that are firewalled off, and real computers on open subnets.

In fact they could operate with fe80::/16 addresses only if it truly was a local-only service.

Home firewall/routers could also make it easy to whitelist particular hosts, similar to the "Server IP" feature in most contemporary devices, except valid for more than one device, while leaving a default policy of outbound flows only.

> "...5,000 years to scan the entirety of a single 64-bit subnet."

There are probably ways to optimize this greatly by choosing which ranges to scan in what order based on likely MAC addresses, or by stealing web server logs or other data to find lists of in-use addresses.
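
The arithmetic behind the RFC 4864 figure quoted above, and the check a defender would run on the "likely MAC addresses" point, as an added example (not from the thread or from the RFC): the 5,000-year estimate assumes a 64-bit interface identifier that is effectively random, while a host that derives its identifier from its MAC (modified EUI-64, RFC 4291 Appendix A) publishes the vendor OUI and the fixed ff:fe marker, leaving only 24 device bits to cover. The probe size is an assumption (the RFC does not state one), and the addresses used are constructed under the 2001:db8::/32 documentation prefix.

```python
import ipaddress

GIGABIT = 1e9
# RFC 4864 does not state the probe size behind its figure; a 64-byte
# (512-bit) probe is assumed here, which gives roughly 7,500 years at
# 40 Gbps, consistent with the "over 5,000 years" quoted in the thread.
PROBE_BITS = 64 * 8
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def scan_years(address_bits, link_gbps, probe_bits=PROBE_BITS):
    """Years needed to send one probe to every address of a 2**address_bits
    space at line rate over a link_gbps link."""
    probes_per_second = link_gbps * GIGABIT / probe_bits
    return 2 ** address_bits / probes_per_second / SECONDS_PER_YEAR


def is_eui64(addr):
    """True if the interface identifier carries the modified-EUI-64 ff:fe
    marker (RFC 4291 Appendix A).  A random IID hits this pattern with
    probability 1/65536, so treat a positive as 'worth checking', not proof."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def mac_from_eui64(addr):
    """Recover the MAC address embedded in an EUI-64 interface identifier
    (the universal/local bit is flipped back)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:16])
    iid[0] ^= 0x02
    mac = bytes(iid[0:3]) + bytes(iid[5:8])
    return ":".join(f"{b:02x}" for b in mac)


def eui64_address(prefix, mac):
    """The SLAAC address a host derives from its MAC under RFC 4291: OUI,
    ff:fe, device bits, with the universal/local bit inverted."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    iid = bytearray(octets[0:3] + b"\xff\xfe" + octets[3:6])
    iid[0] ^= 0x02
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid)))


def search_bits(addr):
    """Effective size of the space a scanner must cover to hit this host:
    64 bits for a random IID, 24 (the device part, given a known vendor OUI)
    for an EUI-64 one."""
    return 24 if is_eui64(addr) else 64


def audit(addrs):
    """Defender check over a list of addresses seen on a subnet: which of
    them expose a MAC, and how long a line-rate 40 Gbps scan of their
    effective space would take."""
    return {a: {"mac": mac_from_eui64(a) if is_eui64(a) else None,
                "scan_years_at_40g": scan_years(search_bits(a), 40)}
            for a in addrs}
```

`audit()` over the addresses in a neighbour table is the practical takeaway: a host reported with a MAC is one whose address space the 5,000-year argument does not protect, which is why hosts with random interface identifiers (RFC 4941 temporary addresses, or stable random IIDs) sit much closer to the RFC's assumption.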

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 20:57 UTC (Mon) by dlang (✭ supporter ✭, #313)

except that none of these systems are really local-only services.

If nothing else, I'll bet that every single one of them is going to want to do NTP lookups to set their clock. That will require hitting the Internet.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:49 UTC (Mon) by martinfick (subscriber, #4455)

True! It would be nice if all these nifty, too-powerful, bufferbloat-producing home gateway routers could serve NTP by default to internal networks. And if only there were a default protocol (perhaps DHCP?) that would point these devices to our internal NTP gateway, and if only our new devices would do this by default for us if the gateway advertises this, instead of always relying on an outbound connection! Any device vendors working on standardising this one yet?

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:57 UTC (Mon) by dlang (✭ supporter ✭, #313)

If you use DHCP to allocate IPv6 addresses, this is possible, but the link-local addresses are defined as being created independently of any DHCP server.

and once you get an IP address from the DHCP server, you now have a real IPv6 address that is accessible from anywhere on the Internet (unless you have a firewall or NAT device in place)

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 2:35 UTC (Tue) by elanthis (guest, #6227)

Link local addresses can still use service discovery on the local network to find things like an NTP server. Link local addresses basically depend on service discovery to even be useful.

Also, a DHCP server does not guarantee a binary option between public Internet connectivity or the use of a firewall/NAT. There's nothing in the world that says a DHCP server can't assign local addresses (fc00::/7) that don't route over the 'Net. You'd need a truly bad ISP for attackers to even be able to send you packets to those addresses, or receive packets from those addresses.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 2:36 UTC (Tue) by kevinm (guest, #69913)

There is already a DHCP option defined for specifying NTP server addresses, and NTP also supports broadcasting a query on the local subnet. It would make sense for home routers to listen on the local subnet for NTP broadcast requests and reply to them.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 22:01 UTC (Mon) by raven667 (subscriber, #5198)

I understand that there is a reason these devices are being connected to the Internet, so a truly local-only device is probably rare. One added point though is that the device could use its public address for client connections (NTP, download updates, DNS, etc.) and advertise its fe80:: address for management and local-only services using multicast DNS, as is standard nowadays. That's very simple to implement and greatly reduces the attack surface for services that shouldn't be remotely accessible.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 11:40 UTC (Tue) by nim-nim (subscriber, #34454)

The perimeter defence will honour things like uPNP as long as no device does something stupid with it. Given how consumer gadgets are cobbled together, that probably means never (I'd like to be proven wrong, but I think I have a pretty good idea of the measures taken by gadget producers to make sure the local intern does not take shortcuts while customizing the local android clone for their fridge).

If there were a way to make sure random third-party developers do not demand over-broad access just because they can (it avoids work, and no one's looking), Android apps would install automatically without any 'do you really want to let the app do that' phase.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:06 UTC (Mon) by dlang (✭ supporter ✭, #313)

having things only show up on link-local addresses doesn't work.

What if you have a wired and wireless network that are separate? If you only get link-local addresses, you can't see the device from the other network.

If you do get an address other than the link-local address, you will be exposed to the entire Internet unless you have a border router blocking you.

The days of unrestricted end-to-end traffic are gone, and won't be back.

The most that we can hope for is that end-to-end traffic is an option controlled by the local router/firewall administrator, rather than the current situation where many/most ISPs block the access.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:09 UTC (Mon) by dlang (✭ supporter ✭, #313)

Oh yes, another reason those devices won't be limited to the link-local addresses is that they will want to talk to the Internet.

for some strange reason, people think that a smart fridge needs to show you the local weather report, so it 'needs' to talk to the Internet.

your TV has an actual need to be able to find out what programs are airing and when they get rescheduled, so it will be talking to the Internet.

So these devices are not going to be limited to the local network.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 22:41 UTC (Mon) by tpo (subscriber, #25713)

> for some strange reason, people think that a smart fridge needs to
> show you the local weather report, so it 'needs' to talk to the Internet.

Once we'll get serious about saving energy, the fridge will possibly want to know whether it needs to fill up its coldness reservoir in advance, because tomorrow will be a warm day and it won't be able to rely on cold outside air to help it cool its contents :-)
*t

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:36 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

Days of restricted end-to-end _might_ soon get back.

I absolutely loathe the model of "soft center, hard perimeter" - it's broken beyond belief right now, so in lots of cases right now the relation "being accessible" is equal to "being authorized to use".

We should probably evolve towards "no perimeter, everything is hardened" model. For example, by using IPSec to create authenticated overlays over the IPv6 network.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:44 UTC (Mon) by dlang (✭ supporter ✭, #313)

you may loathe the 'soft center, hard perimeter' model, but as long as it works, there's really no incentive for it to change.

defining how to set up IPv6 IPSec on your TV, DVR, Washing Machine, Fridge, etc is not trivial (for that matter, setting it up securely on your full blown computers is not trivial, even for experienced admins)

As long as devices can be shipped and 'just work' without some complicated setup, manufacturers will continue to have that as the default.

Any completely automated IPSec setup process is not going to be any more secure, as the rogue equipment will be able to automate joining the network just like any legitimate equipment.

Now that you have a 'soft center', the only remaining question is if you opt to expose this out to the Internet, or if you try to get some protection by putting a 'hard shell' around it.

and arguments for ubiquitous IPSec or SSL can actually reduce the overall security if they make it impossible for the devices at the edge of the network to protect devices inside the network.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:57 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

Right now "soft center" doesn't work, it only pretends to do it. Admins of large companies are already feeling the heat with all those CEOs' iPhones that just MUST be connected to the internal network.

>Any completely automated IPSec setup process is not going to be any more secure, as the rogue equipment will be able to automate joining the network just like any legitimate equipment.

Right now IPSec is impossible to use, but that's because nobody has yet started to "humanize" it.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 22:05 UTC (Mon) by raven667 (subscriber, #5198)

> Right now IPSec is impossible to use, but that's because nobody has yet started to "humanize" it.

True and unfortunate. There should be no need for SSL because IPSec should cover that use case but Opportunistic Encryption just didn't work well enough in the real world and ESP doesn't work well with NAT. IPSec represents the bad kind of multi-vendor consensus design that tries to be everything and ends up being nothing.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 22:29 UTC (Mon) by dlang (✭ supporter ✭, #313)

> Right now "soft center" doesn't work, it only pretends to do it.

right now nothing 'works' (for some definition of 'works')

Every large organization that has tried to get rid of the hard shell and harden everything has been broken into. But at the same time, every large organization that has tried to have a 'hard shell' and a free-for-all inside has also been broken into.

'hard shell' by itself only works if you can control the communication out of the network

'harden everything' only works if you actually control every device on your network and have a sane way of administering the result.

The 'current' model of allowing everyone to have their own personally owned equipment that the company has no control over, and letting them connect it to the network (either directly, or via USB to the company computers) is a situation that gives you no control over your external communication, and no control over anything running inside.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 22:31 UTC (Tue) by sorpigal (subscriber, #36106)

> 'harden everything' only works if you actually control every device on your network and have a sane way of administering the result.

I'll go one further: Harden everything only works if it's 99.99% automatic. Once you increase the number of devices hardening becomes so insanely time consuming that it just won't be done. The only sane way for one man to secure just 1000 devices is for him not to have to; in the ipv6 future 1000 will be a number that's easy for an individual to hit.

My prediction is that security through "the thieves haven't broken in to my house YET" will be the rule of the day. We're almost there now, but it will just get worse. Those users who notice that their toasters have been rooted, are stealing credit card numbers and forwarding them overseas will simply throw the toasters out and buy new ones, not attempt to secure them.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 23:38 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)

Hardening doesn't need to be complicated. Just imagine that you touch your phone to your refrigerator and it is automatically authorized to connect to your logical home network (by enrolling it into IPSec overlay).

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 23:51 UTC (Tue) by dlang (✭ supporter ✭, #313)

sure, then you have a party and a guest bumps up against the fridge with a phone in their pocket (or backpack) and now your fridge is connected to their network.

even assuming that someone takes the time to engineer your solution, and all the different manufacturers manage to agree on a common spec for how it would work, and going even further, manage to implement it in a compatible way.

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 0:20 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)

You'll need to add some interaction, like a simple "Confirm" button on the fridge's touchscreen.

And most of the components are already here. NFC is available on most phones and NFC readers are dirt-cheap.

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 0:22 UTC (Wed) by dlang (✭ supporter ✭, #313)

> NFC is available on most phones

With the notable exception of Apple devices. How many companies are going to make a fridge that cannot be configured by any Apple customers?

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 0:28 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)

You assume that it's a permanent situation. iPhones will probably get NFC as soon as Apple feels like inventing it.

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 15:33 UTC (Wed) by sorpigal (subscriber, #36106)

If you could achieve this I think it's fair to say that this is approaching 99% automatic.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:23 UTC (Mon) by filteredperception (guest, #5692)

+1 for the comment (as I understand things). I would encourage anyone interested in this issue to provide me feedback on my current 'Right To Serve' cause. It is an attempt to legally force Google to remove the "no servers of any kind without prior written permission" from their ISP (I live in Kansas City) service's terms. Apparently my manifesto[1] has received public high praise from a Navy Information Warfare Officer in slashdot comments. That has led to Mr. Vint Cerf of Google currently investigating the matter. Though his deadline before I file my complaint with the Kansas Attorney General is tomorrow, so I get the feeling the GooLawyers may have silenced him on this issue already.

[1]
http://cloudsession.com/dawg/downloads/misc/kag-draft-2k1...
http://cloudsession.com/dawg/downloads/misc/kag-draft-2k1...
http://cloudsession.com/dawg/downloads/misc/kag-draft-2k1...

[2]
http://news.slashdot.org/comments.pl?sid=3156485&cid=...
http://news.slashdot.org/comments.pl?sid=3156485&cid=...

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 16:32 UTC (Mon) by bronson (subscriber, #4806)

And, as has been rehashed 1,000,000 times, NAT is one button simplicity: turn it on, your inside devices are isolated and mostly hidden. You can describe it to a layperson in a few sentences.

Stateful firewalls can be safely managed by network admins and tech heads, but not end users. Good luck describing it to someone who doesn't know what port numbers and network assignments are.

So, until something better comes along, the best policy for the unwashed masses has proven to be NAT.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 16:49 UTC (Mon) by lutchann (subscriber, #8872)

Actually, IPv6 home routers that have a stateful firewall without NAT are turn-key as well. In fact, they're even easier to explain: "Plug this in, turn it on, and it automatically connects your network to your ISP and firewalls all your devices so nobody can connect to them from the Internet." That's even simpler than having to explain about public IP addresses vs internal/non-routable IP addresses, port sharing, etc.

The only people who will have trouble are the people who know "just enough to be dangerous", because they won't buy anything that doesn't say "NAT" on the box, and that's going to become increasingly uncommon in low-end home devices.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 17:16 UTC (Mon) by raven667 (subscriber, #5198)

You have the right of it, stateful IPv6 firewalls have the same security protection as IPv4 NAT but are simpler to maintain and simpler to design protocols for. It's also easy to use something like uPNP or to make static rule checkboxes like "I want to use VoIP", or "I want to host a webserver", that put in the appropriate rules. That shouldn't be any more complicated than the existing systems, less complicated than configuring port forwarding.

Another policy would be to turn off any filtering for hosts which have their own built-in firewall. That should simplify protocols and reduce connectivity and support problems across the board.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 3:27 UTC (Tue) by bronson (subscriber, #4806)

Sure, in the future, stateful firewalls will hopefully become easier to configure than NAT. That will be a great day.

Today? The near future? I haven't seen an IPv6 stateful firewall that even comes close. Over the last decade the IPv6 world has created tons of theoretical, pie-in-the-sky ideas but very few actual clickable interfaces. Until that changes, NAT is the only reasonable choice for the layperson.

Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 6:14 UTC (Tue) by ebiederm (subscriber, #35028)

Today ipv6 stateful firewalls are here. Essentially a stateful ipv6 firewall is:

*filter
# By default don't accept anything
:INPUT DROP
:OUTPUT ACCEPT

# Allow existing connections to continue and related connections to start
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ip6tables-restore applies nothing until it reads the COMMIT line
COMMIT

To add a network address and port translation function requires a few more rules, but beyond that the implementation complexity is exactly the same.

Which means all of your ipv4 work for a NAT firewall translates seamlessly to an ipv6 stateful firewall. The functionality has existed in the linux kernel since what looks like November of 2005 and was released in 2.6.15 or 2.6.16.

If you look carefully you can even find consumer routers with stateful ipv6 firewalls.

An ipv6 stateful firewall looks just like an ipv4 NAT firewall except it doesn't scramble your ip address and port number.
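
The sketch above protects the router's own INPUT chain; a home router additionally needs a FORWARD policy for the LAN behind it, the ICMPv6 types IPv6 cannot function without, and the "I want to host a webserver" and per-host whitelist checkboxes discussed elsewhere in this thread. The generator below is an added example, not from this post or from any vendor firmware: it writes the ip6tables-restore text a router GUI would produce from those checkboxes, using the current `-m conntrack --ctstate` match in place of the older `-m state --state`, and a review helper lists every hole the result opens from the WAN. Interface names and the 2001:db8::/32 addresses are constructed.

```python
import re

# Assumed interface names; real firmware substitutes its own.
LAN_IF = "br-lan"
WAN_IF = "eth0"

# ICMPv6 that must cross a firewall for IPv6 to work at all (path MTU
# discovery, error reporting, connectivity checks); RFC 4890 section 4.3
# lists these as traffic that must not be dropped.  Dropping "all ICMP" the
# way some IPv4 setups do breaks IPv6.
ICMP_TRANSIT = ["destination-unreachable", "packet-too-big", "time-exceeded",
                "parameter-problem", "echo-request", "echo-reply"]
# Neighbour Discovery and Router Advertisements are link-local, so they only
# matter on the router's own INPUT chain.
ICMP_LOCAL = ICMP_TRANSIT + ["router-solicitation", "router-advertisement",
                             "neighbour-solicitation", "neighbour-advertisement"]


def generate(services=(), exposed_hosts=()):
    """Build the ip6tables-restore text for a default-deny home router.

    services:      (host, proto, port) tuples, i.e. the "I want to host a
                   webserver" checkbox, opening one port to one inside host.
    exposed_hosts: addresses made fully reachable from the WAN, the per-host
                   whitelist the thread mentions.  Everything else from the
                   WAN is dropped unless it belongs to a flow an inside host
                   started, which is all the protection NAT gave IPv4 users."""
    rules = [
        "*filter",
        "# Default deny towards the router (INPUT) and towards the LAN (FORWARD)",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "# The stateful part: replies to flows started from inside are allowed back",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        "-A FORWARD -m conntrack --ctstate INVALID -j DROP",
        "# Anything the LAN starts towards the Internet is allowed",
        f"-A FORWARD -i {LAN_IF} -o {WAN_IF} -j ACCEPT",
        "# DHCPv6 replies to the router's WAN client come from a different address",
        "# than the multicast Solicit went to, so conntrack does not pair them",
        f"-A INPUT -i {WAN_IF} -p udp --dport 546 -j ACCEPT",
    ]
    rules.append("# ICMPv6 the router itself needs (includes Neighbour Discovery)")
    rules += [f"-A INPUT -p icmpv6 --icmpv6-type {t} -j ACCEPT" for t in ICMP_LOCAL]
    rules.append("# ICMPv6 that must be allowed through to the LAN")
    rules += [f"-A FORWARD -p icmpv6 --icmpv6-type {t} -j ACCEPT" for t in ICMP_TRANSIT]
    if services:
        rules.append("# Per-service holes from the GUI checkboxes")
    for host, proto, port in services:
        rules.append(f"-A FORWARD -i {WAN_IF} -d {host} -p {proto} --dport {port} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    if exposed_hosts:
        rules.append("# Hosts whitelisted for unrestricted inbound access")
    for host in exposed_hosts:
        rules.append(f"-A FORWARD -i {WAN_IF} -d {host} -j ACCEPT")
    # ip6tables-restore applies nothing without the COMMIT line.
    rules.append("COMMIT")
    return "\n".join(rules) + "\n"


INBOUND_RE = re.compile(
    rf"^-A FORWARD -i {re.escape(WAN_IF)} -d (\S+)(?: -p (\S+) --dport (\d+))?",
    re.MULTILINE)


def inbound_exceptions(ruleset):
    """Review helper: list every hole the ruleset opens from the WAN into the
    LAN as (host, proto, port); proto and port are None for a fully exposed
    host.  Useful for checking what the checkboxes actually opened."""
    return [(host, proto or None, int(port) if port else None)
            for host, proto, port in INBOUND_RE.findall(ruleset)]
```

The output of `generate(...)` is fed to `ip6tables-restore` on the router; `inbound_exceptions()` run over the same text is the audit step, since with no checkboxes ticked it returns an empty list and every entry it does return is one deliberate exception to the default-deny policy.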

Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 17:40 UTC (Tue) by bronson (subscriber, #4806)

It sounds like you agree with me? You can't possibly expect the layperson to understand what "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" means.

Actual *clickable* interfaces.

Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 17:56 UTC (Tue) by raven667 (subscriber, #5198) [Link]

Is that supposed to be sarcasm? That doesn't seem like a serious response. The end-user, layperson interface is exactly the same as today because the rules are identical and are managed in the same way with the same tools. The kind of iptables config that your router GUI writes out is the same kind of config it writes out for ip6tables; existing devices that support IPv6 already do this AFAIK.

No one is suggesting that end-users need to write their own rules to an iptables-save file by hand, attacking that is a straw man.

Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 21:29 UTC (Tue) by bronson (subscriber, #4806) [Link]

The rules are the same but the GUIs aren't. It's not easy to buy simple, NAT-equivalent stateful IPv6 firewalls from Belkin/Linksys/NetGear/etc. Using the present tense is a wee bit optimistic, no?

All I'm saying is, once IPv6 routers can be configured to do selective ingress as easily as IPv4 routers, we will all celebrate. That day is not here yet. (or wasn't at the end of 2011, the last time I shopped for a new wifi access point).

Stateful ipv6 firewalls are here today

Posted Oct 18, 2012 0:56 UTC (Thu) by marcH (subscriber, #57642) [Link]

> Once IPv6 routers can be configured to do selective ingress as easily as IPv4 routers,

The interface of IPv4 routers has generally been horrible. It doesn't matter because you don't even have a choice; you need the default setting = NAT enabled. Consumers must find their IPv4 routers very easy to use indeed since most of them don't have to use them at all. Even gamers don't have to any more since UPnP. The vast majority has no idea what a NAT is and does not need to know.

So yes: IPv6 is a new problem in a way because now you do have the choice of filtering versus not. A good problem/checkbox to have. Giving people this checkbox is exactly what IPv6 is all about.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 15:58 UTC (Mon) by hawk (subscriber, #3195) [Link]

Why would you want NAT instead of just filtering some traffic if the goal is just to have some devices not directly accessible from the Internet?

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 17:57 UTC (Mon) by pkern (subscriber, #32883) [Link]

I see people demanding central stateful firewalls for IPv6. And because there's no masquerading / NAPT nobody designed something equivalent to the NAT traversal protocols we have in IPv4. It's sad.

So what those stateful firewalls do is the same as for IPv4: deep packet inspection to get the endpoints out of the packets (think of SIP signaling) and allowing them to communicate. Which fails horribly with any sort of encryption and new protocols the firewall does not understand. Also you're lucky if the firewall lets IPsec/ESP through at all, given that such traffic cannot be inspected and would need to be passed through verbatim and unchecked, which is what you're trying to avoid with stateful firewalls in the first place.

I don't see end-to-end communication happening with IPv6 and I'm not sure what to do about it. Even CPEs like AVM's FritzBox are now shipped with stateful firewalls by default.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 18:08 UTC (Mon) by raven667 (subscriber, #5198) [Link]

I would expect protocols like IPSec to be allowed by default and not require any configuration in an IPv6 firewall; it should work for all devices behind the firewall and should probably be a stateless rule. Same for SIP or other VoIP or P2P protocols: once they are allowed on the firewall they should work for all devices behind the firewall because there is no more need for port forwarding.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 18:15 UTC (Mon) by pkern (subscriber, #32883) [Link]

As for SIP/P2P/etc., that's not how it works. Everything into the home network is blocked by default, everything going out is allowed. Hence once you need to allow further ports aside from the control connection you need to tell the firewall to allow it in. As there's no such protocol, the firewall does inspection. If your protocol is encrypted (like e.g. BitTorrent nowadays) or not supported, then you can just call out but you can't be called. You cannot do a simple "allow P2P switch" on the firewall unless you allow all incoming traffic. Those applications do not use fixed ports. Of course you can whitelist single ports and then do a configuration dance like the port forwarding one on IPv4. But that won't fly with the plug'n'play applications that just work on IPv4 because we have STUN/ICE and the like.

(Funny enough the NAT traversal between Windows BitTorrent clients on IPv4 and unfirewalled IPv6 hosts happens through Teredo tunneling.)

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:02 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

by the way, Linux now contains NAT for IPv6. As a result, it will 'shortly' be available on the many routers that run Linux.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:09 UTC (Mon) by pkern (subscriber, #32883) [Link]

Sure, it's even useful. Think of DNAT, i.e. port forwarding, in cases when you migrate a VM onto another host, for instance. I don't know if it contains masquerading/NAPT, but I guess it does. I just hope that people don't misuse that and use tools like ndppd instead for the odd cases that need the sharing of a single /64. (Obviously, if you only get a /127 point-to-point link that would not help.)

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 15:45 UTC (Wed) by Lennie (subscriber, #49641) [Link]

I think the nat/websockets mess as you call it will be worked around soon; they'll just add a peer2peer protocol and NAT to the browser. Look up: WebRTC ;-)

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 15:35 UTC (Mon) by Otus (guest, #67685) [Link]

Many Android devices have a Google Talk client preinstalled, and it uses the same account that you need in any case.

No idea about numbers, though.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 6:42 UTC (Tue) by merge (subscriber, #65339) [Link]

Yes and it's by far the best XMPP (well GTalk) client on Android. That's so sad. I haven't found ANY real (normal XMPP) client that stays connected so well, uses so little battery and has working presence. Only basic XMPP functionality, but the "Talk" app does that per-fect-ly well. That's exactly what it takes to convince people to use it. And I do, because I use XMPP.

But if you want to use just any other XMPP server, you have to cope with crappy (if you're not careful "fake" (another company in-the-middle)) client apps.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 8:50 UTC (Tue) by job (guest, #670) [Link]

I can recommend Xabber, a client rich in functionality which was supposed to have its source code released, but I don't know what became of that. It works well, has logging and contact list integration (which almost works).

There is also Yaxim, which is completely free and works well but doesn't come with any of the extra functionality.

Those are all chat only. Voice and video chat is probably better served using SIP on Android as there is some native support for it.

OT: XMPP clients on Android

Posted Oct 16, 2012 14:23 UTC (Tue) by debacle (subscriber, #7114) [Link]

I can find yaxim on F-Droid, as well as Beem and Gibberbot, but not Xabber. Is it free software?

OT: XMPP clients on Android

Posted Oct 16, 2012 15:49 UTC (Tue) by mathstuf (subscriber, #69389) [Link]

They ran a "If we get X followers on Twitter in a month, we'll release Xabber under GPLv2" campaign a month or two ago (I think X was either 500 or 1000). Not sure if they made it or not.

OT: XMPP clients on Android

Posted Oct 16, 2012 15:52 UTC (Tue) by mathstuf (subscriber, #69389) [Link]

> (I think X was either 500 or 1000)

Heh, it's 50,000. Well, it's close in some respect :P . That said, they're at 3,000+ right now, so it's pretty far away. Even though notifications are busted (no LED, sound, and an icon is missing for the bar[1]), the auto-OTR is worth it, IMO.

[1]There's a gap for it, but it's invisible if at the end of the icons.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 18:29 UTC (Tue) by khc (subscriber, #45209) [Link]

I am not sure what you want is possible. To save battery, it would seem like you have to have push notification, which needs a server side component. Unless you want to host that yourself as well, but that's not a solution for most people.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 18:53 UTC (Tue) by njs (guest, #40338) [Link]

Interestingly, the GTalk client appears to use some entirely custom protocol. It's some sort of best-effort sync-as-you-can thing, like the GMail client, not XMPP at all. (You can see if you send messages via another client, they magically appear on your phone in real-time as if you were typing them there, which I'm pretty sure XMPP can't do.)

I assume that's their magic - the actual XMPP client is running on their server, and can maintain presence and receive messages even while your phone's connectivity is wobbly.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds