Default security functions on an IPv6 CPE
Nick Hilliard
nick at foobar.org
Fri Jun 3 13:23:45 CEST 2011
On 02/06/2011 18:39, Steinar H. Gunderson wrote:
> On 2 June 2011 16:29, Nick Hilliard <nick at foobar.org> wrote:
>> Anyway, it's a good thing that we've learned from this mistake and aren't
>> designing any more protocols or protocol extensions which encode endpoint
>> identifiers inside the data stream.
>
> Who is “we” here? For sure, BitTorrent, Skype, and lots of different
> gaming protocols do this, and are in wide use. After all, how else
> would you initiate peer-to-peer communication?
Thing is, it doesn't really matter if a bunch of BitTorrent streams fail to
materialise because of endpoint connectivity loss. And Skype works around
things by using an arsenal of NAT / firewall bypass tricks, several of
which require third party arbitration, and all of which are pretty smart /
ugly (i.e. fragile). For the gaming protocols, are you referring to WoW?
That's just BitTorrent - again, it makes no real difference if a couple of
streams fail for whatever reason. Same with other P2P protocols.

So yeah, encoding endpoint information works but only if you're prepared to
accept or work around extremely high levels of breakage. In the case of
FTP and SIP, we put in application level protocol interpreters and do
things like opening dynamic ports and so on. These often work reasonably
well, although it means that we need to accept that we cannot use strong
encryption for the control communication. This sucks.
Nick
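The application level protocol interpreter (ALG) that the post describes for FTP, as an added example that is not part of the original thread: a CPE firewall reads the FTP control channel, extracts the endpoint the client advertises inside the payload (PORT per RFC 959, EPRT per RFC 2428, the latter being the IPv6 form), and opens a pinhole for it. The control traffic below is constructed for this example; the "encrypted" stream is an opaque byte string standing in for a TLS-protected control channel, and shows the failure mode the post mentions: once the control channel is encrypted, the ALG sees no commands and can open no pinholes.

```python
"""
Minimal model of an FTP application-level gateway (ALG) as a CPE firewall
would run it on the control channel.  Example code, not from any product.
"""
import re
from dataclasses import dataclass
from typing import Optional

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT |proto|addr|port| (RFC 2428)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
EPRT_RE = re.compile(rb"^EPRT \|([12])\|([^|]+)\|(\d+)\|\s*$")


@dataclass(frozen=True)
class Pinhole:
    """A dynamic firewall opening derived from the control channel."""
    proto: str
    addr: str
    port: int


def parse_port_command(line: bytes) -> Optional[Pinhole]:
    """Return the endpoint carried in one PORT or EPRT line, or None.

    Malformed values (octets > 255, out-of-range ports) are rejected so a
    garbage line cannot turn into an unintended pinhole.
    """
    m = PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        return Pinhole("tcp", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPRT_RE.match(line)
    if m:
        port = int(m.group(3))
        if not 0 < port < 65536:
            return None
        return Pinhole("tcp", m.group(2).decode("ascii", "replace"), port)
    return None


def alg_scan(control_stream: bytes) -> list:
    """Walk the control channel line by line; collect every pinhole the ALG would open."""
    pinholes = []
    for raw in control_stream.split(b"\r\n"):
        ph = parse_port_command(raw)
        if ph is not None:
            pinholes.append(ph)
    return pinholes


# Constructed sample: a cleartext FTP session using both the IPv4 and IPv6 forms.
CLEARTEXT_SESSION = (
    b"USER anonymous\r\nPASS guest\r\n"
    b"PORT 192,0,2,10,195,80\r\nLIST\r\n"
    b"EPRT |2|2001:db8::1|50001|\r\nLIST\r\n"
)

# Constructed stand-in for the same session behind TLS: opaque bytes, not real
# ciphertext.  Nothing in it is parseable, so the ALG has nothing to act on.
ENCRYPTED_SESSION = b"\x17\x03\x03\x00\x2a" + bytes(range(0x2a))


if __name__ == "__main__":
    print("cleartext :", alg_scan(CLEARTEXT_SESSION))
    print("encrypted :", alg_scan(ENCRYPTED_SESSION))
```

The two results side by side are the post's trade-off in miniature: the cleartext session yields one pinhole per advertised endpoint, while the encrypted session yields none, which is exactly why an ALG-dependent deployment cannot protect the control channel with strong encryption.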