IPv6 content experiment

Colm MacCarthaigh colm at stdlib.net
Tue Apr 10 13:06:42 CEST 2007


On Mon, Apr 09, 2007 at 01:25:38PM +0100, Brandon Butterworth wrote:
> > Where IPv6 is starting to have an edge is in p2p applications, getting
> > rid of NAT and allowing in-bound connections again solves a lot of
> > problems for the p2p providers.
> 
> Which break as the first thing most people do is put a firewall
> in place. Why do people carry on insisting open end to end
> connectivity is the holy grail and designing protocols that don't
> tolerate firewalls. Why would they not have a firewall for v6 too?

No reason at all. But you'll find that the majority of firewalls do not
blanket filter inbound connections by default, and there's no good
reason for them to either. In fact most end user firewalling products
these days detect listen()s and ask the user if they would like to
allow or disallow inbound connectivity to that application. The point is
that that flexibility becomes optional again, rather than restricted
mandatorily.

Personally I don't think it is the job of protocol designers to tolerate
firewalls, that just gets us a billion protocols which all tunnel over
HTTP. Internet security is better served by discrete protocols which are
possible to filter and allow on a more granular basis. In short, end-to-end
connectivity (which I don't consider a holy grail btw, just a bare
minimum for genuine internet participation) encourages greater security
because it diminishes the prevalence of stupid hacks.

I could build a p2p system which tunneled over DNS and worked
near-universally, but I doubt you'd be thanking me for it.

> Most end users have an OS that really shouldn't be left open to
> access by all, 

NAT is not a firewall, and does not meaningfully protect these users.
It's not like we don't already see millions of those boxes participating
in botnets. Nor does the removal of NAT leave them open to
access by all.

> add v6 to a major site (I've looked at this for BBC sites for years and
> it's never been worth the risk) without black holing users we'll be
> a big step towards general use.

Why not just have www.ipv6.bbc.co.uk? Does that really represent much
risk? Seems like a better idea to iron out those problems beforehand.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net
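The policy the message argues for (keep end-to-end IPv6 reachability, drop NAT, and let the host decide per application what inbound traffic it accepts) can be expressed as a stateful host firewall. The nftables ruleset below is an added example and is not from the original post or its author; the interface, the table name and the p2p daemon's listening port (TCP 6881) are assumptions chosen for illustration, and the interactive "allow this listen()?" prompt the message mentions is replaced here by a static per-port rule.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original mailing-list post.
# A stateful IPv6 host firewall: outbound and reply traffic flow freely,
# inbound is default-deny, and reachability is granted per application
# instead of being removed wholesale by NAT.
# Assumptions: table name "host", p2p daemon on TCP 6881, loopback is "lo".

flush ruleset

table ip6 host {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and packets belonging to flows this host opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is required for IPv6 to work at all (neighbour discovery,
        # router advertisements, path-MTU discovery); do not blanket-drop it.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Per-application inbound allow: only the p2p daemon is reachable
        # from outside (assumed port). Add one line per listening service.
        tcp dport 6881 accept

        # Everything else inbound is dropped by the chain policy; keep a
        # rate-limited log of new connection attempts for review.
        ct state new limit rate 10/minute log prefix "ip6-inbound-drop: "
    }

    chain forward {
        # This is a host, not a router: never forward.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` as root and confirm with `nft list ruleset`. The contrast with NAT is the point: NAT blocks inbound as a side effect of address sharing and offers no way to grant a single application reachability short of port-forwarding hacks, whereas this ruleset gives the same default-deny posture with explicit, reviewable per-service exceptions.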


More information about the ipv6-ops mailing list