Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 17:57 UTC (Mon) by pkern (subscriber, #32883)
In reply to: Schaller: The long journey towards good free video conferencing by peter_lemenkov
Parent article: Schaller: The long journey towards good free video conferencing

I see people demanding central stateful firewalls for IPv6. And because there's no masquerading / NAPT nobody designed something equivalent to the NAT traversal protocols we have in IPv4. It's sad.

So what those stateful firewalls do is the same as for IPv4: deep packet inspection to get the endpoints out of the packets (think of SIP signaling) and allowing them to communicate. Which fails horribly with any sort of encryption and new protocols the firewall does not understand. Also you're lucky if the firewall lets IPsec/ESP through at all, given that such traffic cannot be inspected and would need to be passed through verbatim and unchecked, which is what you're trying to avoid with stateful firewalls in the first place.

I don't see end-to-end communication happening with IPv6 and I'm not sure what to do about it. Even CPEs like AVM's FritzBox are now shipped with stateful firewalls by default.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 18:08 UTC (Mon) by raven667 (subscriber, #5198)

I would expect protocols like IPSec to be allowed by default and not require any configuration in an IPv6 firewall; it should work for all devices behind the firewall and should probably be a stateless rule. Same for SIP or other VoIP or P2P protocols: once they are allowed on the firewall they should work for all devices behind the firewall because there is no more need for port forwarding.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 18:15 UTC (Mon) by pkern (subscriber, #32883)

As for SIP/P2P/etc., that's not how it works. Everything into the home network is blocked by default, everything going out is allowed. Hence once you need to allow further ports aside from the control connection you need to tell the firewall to allow it in. As there's no such protocol, the firewall does inspection. If your protocol is encrypted (like e.g. BitTorrent nowadays) or not supported, then you can just call out but you can't be called. You cannot do a simple "allow P2P" switch on the firewall unless you allow all incoming traffic. Those applications do not use fixed ports. Of course you can whitelist single ports and then do a configuration dance like the port forwarding one on IPv4. But that won't fly with the plug'n'play applications that just work on IPv4 because we have STUN/ICE and the like.

(Funny enough the NAT traversal between Windows BitTorrent clients on IPv4 and unfirewalled IPv6 hosts happens through Teredo tunneling.)
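The following is an added illustration, not code from the LWN thread or from any firewall product, that models the policy pkern describes: outbound from the home prefix is allowed and tracked, inbound is dropped unless it is the reply to a tracked flow, a statically whitelisted port on a specific host (the IPv6 counterpart of an IPv4 port forward), or a protocol such as ESP that is passed without inspection. The addresses, the SIP and RTP port numbers and the `StatefulFirewall` class are all constructed for the example; real connection tracking also has timeouts and per-protocol state that this toy omits.

```python
from dataclasses import dataclass

# Constructed home prefix from the RFC 3849 documentation range; not from the thread.
LAN_PREFIX = "2001:db8:1::"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "esp" (ESP has no ports; use 0)
    src: str
    sport: int
    dst: str
    dport: int


def is_lan(addr: str) -> bool:
    return addr.startswith(LAN_PREFIX)


class StatefulFirewall:
    """Toy model of a CPE default policy: LAN->WAN accepted and tracked,
    WAN->LAN dropped unless it is the reverse of a tracked flow, matches a
    static pinhole, or belongs to a protocol allowed statelessly (ESP cannot
    be inspected, so it is either passed verbatim or blocked outright)."""

    def __init__(self, stateless_protos=("esp",)):
        self.conntrack = set()        # (proto, src, sport, dst, dport) of outbound flows
        self.pinholes = set()         # (proto, lan_addr, lan_port): the IPv6 "port forward"
        self.stateless_protos = set(stateless_protos)

    def allow_inbound(self, proto: str, lan_addr: str, lan_port: int) -> None:
        """The manual whitelist step: one port on one inside host."""
        self.pinholes.add((proto, lan_addr, lan_port))

    def filter(self, pkt: Packet) -> str:
        if is_lan(pkt.src) and not is_lan(pkt.dst):
            # Outbound: accept and remember the 5-tuple so replies can come back.
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.proto in self.stateless_protos and is_lan(pkt.dst):
            return "ACCEPT"           # passed through unchecked
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"           # reply to a flow an inside host opened
        if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
            return "ACCEPT"           # explicitly whitelisted port
        return "DROP"


def scenario() -> dict:
    """Walk a SIP call through the model and return the verdict at each step."""
    fw = StatefulFirewall()
    phone = "2001:db8:1::10"          # SIP phone inside the home network (constructed)
    registrar = "2001:db8:ffff::5"    # SIP registrar on the Internet (constructed)
    peer = "2001:db8:2::7"            # remote party's media endpoint (constructed)
    v = {}
    # 1. REGISTER leaves the LAN; the firewall records the flow.
    v["register_out"] = fw.filter(Packet("udp", phone, 5060, registrar, 5060))
    # 2. The registrar answers on the same 5-tuple: accepted as a reply.
    v["registrar_in"] = fw.filter(Packet("udp", registrar, 5060, phone, 5060))
    # 3. The remote party sends RTP to the per-call media port the phone advertised.
    #    Nothing tracked or whitelisted matches, so the call is audio-less: dropped.
    v["rtp_in_cold"] = fw.filter(Packet("udp", peer, 40000, phone, 40000))
    # 4. The configuration dance: a static pinhole for that one port on that one host.
    fw.allow_inbound("udp", phone, 40000)
    v["rtp_in_pinhole"] = fw.filter(Packet("udp", peer, 40000, phone, 40000))
    # 5. What ICE relies on instead: the inside host sends first (a connectivity
    #    check), so the peer's media then arrives as a reply to a tracked flow.
    fw2 = StatefulFirewall()
    v["ice_before"] = fw2.filter(Packet("udp", peer, 40002, phone, 40002))
    fw2.filter(Packet("udp", phone, 40002, peer, 40002))
    v["ice_after"] = fw2.filter(Packet("udp", peer, 40002, phone, 40002))
    # 6. ESP towards the inside host is passed without inspection.
    v["esp_in"] = fw2.filter(Packet("esp", peer, 0, phone, 0))
    return v


if __name__ == "__main__":
    for step, verdict in scenario().items():
        print(f"{step:16} {verdict}")
```

Steps 3 and 5 are the two halves of the thread's argument: with a default-deny inbound policy an unsolicited packet to a dynamically chosen port is dropped whatever the protocol, and the only things that get it through are a per-host, per-port whitelist entry or an outbound packet that creates the state first, which is exactly the mechanism STUN/ICE provide and which disappears once the media stream is one the firewall cannot correlate with the signalling.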

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:02 UTC (Mon) by dlang (✭ supporter ✭, #313)

By the way, Linux now contains NAT for IPv6. As a result, it will 'shortly' be available on the many routers that run Linux.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:09 UTC (Mon) by pkern (subscriber, #32883)

Sure, it's even useful. Think of DNAT, i.e. port forwarding, in cases when you migrate a VM onto another host, for instance. I don't know if it contains masquerading/NAPT, but I guess it does. I just hope that people don't misuse that and use tools like ndppd instead for the odd cases that need the sharing of a single /64. (Obviously, if you only get a /127 point-to-point link that would not help.)

Copyright © 2013, Eklektix, Inc.