UPnP/IPv6 support in home routers?

Doug McIntyre merlyn at geeks.org
Mon Dec 11 16:22:39 CET 2017


On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
> On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
> > "Dear Gateway, I am definitely not a compromised host, please open all
> > ports toward me."
> 
> But that's the whole idea of UPnP or IGD.  Whether you open one port or
> all of them, on request of a possibly-compromised host, is of no relevance.


I think the thinking is that, since most IPv4 "home" protocols (which
is really the only place UPnP exists, since enterprise-class firewalls
almost never want to have anything to do with it), i.e. most of the
"home" protocols (e.g. games, streaming, etc.), have mostly converged
on a model that does not expect end-to-end connectivity and sits
hidden behind a NAT thing, anything now transitioning to IPv6 will
follow suit when they add that support to whatever needs to punch
holes in things, instead checking in constantly with the "central
server" rather than assuming end-to-end connectivity.

That said, I think the IPv6 firewalls need better home connectivity
support as well. I once put in a ticket to Fortinet to ask if an ACL
object could be made that tracked the prefix mask delivered via
DHCP6_PD, such that we could write policies such as
	  allow remote_ipv6_address ${PREFIX1}::1f5d:50 22

But that couldn't be impressed on the first tiers of support
whatsoever.  That totally confused them to no end. Unlike my IPv4
address which almost never changes at Comcast, the IPv6 prefixes I get
change on every connection.
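The prefix-relative rule idea from the post above, worked through as an added example (not code from the original message, and not any vendor's ACL syntax). It assumes a hypothetical policy line of the form "allow ${PREFIX1}::1f5d:50 22", where the tail after the prefix name is written positionally as the low-order groups of the address, and it assumes the firewall is told the current delegated prefix by its DHCPv6 client. The same policy text is rendered under two different delegations, a stale address from the old prefix is rejected, and a tail whose bits fall inside the prefix is refused rather than silently pointing outside the delegation:

```python
"""Prefix-relative IPv6 firewall rules rendered against the current
DHCPv6-PD delegation. Added example, not code from the original post or
from any firewall vendor; the "${PREFIX1}::1f5d:50" syntax is hypothetical.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple

# Template = "${NAME}" followed by the host part written like an IPv6 tail.
# The tail is positional: "::1f5d:50" is host 1f5d:50 in subnet 0, and
# subnet 1 of a /56 is "${PREFIX1}:0:0:1::1f5d:50" (the subnet byte sits in
# the fourth group of the full address).
TEMPLATE_RE = re.compile(r"\$\{(\w+)\}(:[0-9a-fA-F:]*)")

Prefixes = Dict[str, ipaddress.IPv6Network]


class Rule(NamedTuple):
    action: str    # "allow" or "deny"
    template: str  # e.g. "${PREFIX1}::1f5d:50"
    port: int


def parse_rule(line: str) -> Rule:
    """Parse one line of the hypothetical syntax: '<action> <template> <port>'."""
    action, template, port = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return Rule(action, template, int(port))


def render_address(template: str, prefixes: Prefixes) -> ipaddress.IPv6Address:
    """Fill the prefix half of a template with the currently delegated prefix.

    Raises KeyError if the named prefix has not been learned yet, and
    ValueError if the tail has bits inside the prefix (a rule that would
    silently match an address outside the delegation).
    """
    m = TEMPLATE_RE.fullmatch(template)
    if m is None:
        raise ValueError(f"bad template {template!r}")
    name, tail = m.group(1), m.group(2)
    net = prefixes[name]
    # "0" + "::1f5d:50" -> "0::1f5d:50": parse the tail as a full address with
    # zero leading groups, keep only its integer value.
    host_bits = int(ipaddress.IPv6Address("0" + tail))
    if host_bits & int(net.netmask):
        raise ValueError(f"tail {tail!r} overlaps the /{net.prefixlen} prefix")
    return ipaddress.IPv6Address(int(net.network_address) | host_bits)


def render_rules(rules: List[Rule], prefixes: Prefixes) -> List[Tuple[str, ipaddress.IPv6Address, int]]:
    """Concrete (action, address, port) triples for the current prefix set.
    Re-run whenever the DHCPv6 client reports a new delegation."""
    return [(r.action, render_address(r.template, prefixes), r.port) for r in rules]


def decide(rendered, dst: str, port: int, default: str = "deny") -> str:
    """First-match lookup with default deny, as an IPv6 firewall would do."""
    addr = ipaddress.IPv6Address(dst)
    for action, rule_addr, rule_port in rendered:
        if ipaddress.IPv6Address(str(rule_addr)) == addr and rule_port == port:
            return action
    return default


def render_for_prefix(lines: List[str], cidr: str) -> List[Tuple[str, str, int]]:
    """String-only wrapper: render policy lines for one delegated prefix (as PREFIX1)."""
    prefixes = {"PREFIX1": ipaddress.IPv6Network(cidr)}
    rules = [parse_rule(line) for line in lines]
    return [(a, str(addr), p) for a, addr, p in render_rules(rules, prefixes)]


def template_fits(template: str, cidr: str) -> bool:
    """True if the template's tail lies entirely below the prefix length."""
    try:
        render_address(template, {"PREFIX1": ipaddress.IPv6Network(cidr)})
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    policy = ["allow ${PREFIX1}::1f5d:50 22"]  # same text survives every prefix change
    # Constructed sample delegations, standing in for two successive PD leases.
    for cidr in ("2001:db8:1a00::/56", "2001:db8:2b00::/56"):
        for action, addr, port in render_for_prefix(policy, cidr):
            print(f"{cidr:>20}  {action} {addr} {port}")
```

The overlap check is the part worth keeping even if a vendor ever ships this: without it, a typo like "${PREFIX1}:1::1f5d:50" under a /56 would quietly render an address in someone else's prefix.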
