Default security functions on an IPv6 CPE

Nick Hilliard nick at
Fri Jun 3 13:23:45 CEST 2011

On 02/06/2011 18:39, Steinar H. Gunderson wrote:
> Den 2. juni 2011 16:29 skrev Nick Hilliard<nick at>  følgende:
>> Anyway, it's a good thing that we've learned from this mistake and aren't
>> designing any more protocols or protocol extensions which encode endpoint
>> identifiers inside the data stream.
> Who is “we” here? For sure, BitTorrent, Skype, and lots of different
> gaming protocols do this, and are in wide use. After all, how else
> would you initiate peer-to-peer communication?

Thing is, it doesn't really matter if a bunch of bittorrent streams fail to 
materialise because of endpoint connectivity loss.  And Skype works around 
things by using an arsenal of nat / firewall bypass tricks, several of 
which require third party arbitration, and all of which are pretty smart / 
ugly (i.e. fragile).  For the gaming protocols, are you referring to WoW? 
That's just bittorrent - again, it makes no real difference if a couple of 
streams fail for whatever reason.  Same with other p2p protocols.

So yeah, encoding endpoint information works but only if you're prepared to 
accept or work around extremely high levels of breakage.  In the case of 
FTP and SIP, we put in application level protocol interpreters and do 
things like opening dynamic ports and so on.  These often work reasonably 
well, although it means that we need to accept that we cannot use strong 
encryption for the control communication.  This sucks.


More information about the ipv6-ops mailing list