UPnP/IPv6 support in home routers?

Kristian McColm Kristian.McColm at rci.rogers.com
Mon Dec 11 21:50:47 CET 2017


And therein lies the root of the problem.. the ‘crap’ never gets fixed because it has the firewall isolating it, but this causes problems for devices and applications which are not ‘crap.’ I realize this is more idealistic than pragmatic, but we will have much smoother network integration if we don’t have to deal with the many problems that so called stateful firewalls bring along with them. Now that IPv6 is set to do away with (P/N)AT, we’re halfway there.

________________________________
From: fernando.gont.netbook.win at gmail.com <fernando.gont.netbook.win at gmail.com> on behalf of Fernando Gont <fernando at gont.com.ar>
Sent: Monday, December 11, 2017 3:43:27 PM
To: Kristian McColm
Cc: ipv6-ops at lists.cluenet.de; Fernando Gont
Subject: Re: UPnP/IPv6 support in home routers?

Kristian,

I see no reason for which they should disappear. Actually, quite the opposite; we keep connecting more and more crap to the net (the so called IoT), which clearly cannot defend itself.

The "principle of least privilege" applies to connectivity, too.

Thanks!
Fernando






On Mon, Dec 11, 2017 at 12:28 PM, Kristian McColm <Kristian.McColm at rci.rogers.com<mailto:Kristian.McColm at rci.rogers.com>> wrote:

Corporate and/or specific network requirements notwithstanding, in my opinion this is just another example of why in IPv6, firewalls in general could/should be retired. If the end user device is required to be responsible for it’s own security, it can open the necessary ports via whatever firewall API it provides to applications running on it.



________________________________
From: ipv6-ops-bounces+kristian.mccolm=rci.rogers.com at lists.cluenet.de<mailto:rci.rogers.com at lists.cluenet.de> <ipv6-ops-bounces+kristian.mccolm=rci.rogers.com at lists.cluenet.de<mailto:rci.rogers.com at lists.cluenet.de>> on behalf of Doug McIntyre <merlyn at geeks.org<mailto:merlyn at geeks.org>>
Sent: Monday, December 11, 2017 10:22:39 AM
To: ipv6-ops at lists.cluenet.de<mailto:ipv6-ops at lists.cluenet.de>
Subject: Re: UPnP/IPv6 support in home routers?

On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
> On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
> > "Dear Gateway, I am definitely not a compromised host, please open all
> > ports toward me."
>
> But that's the whole idea of UPnP or IGD.  Whether you open one port or
> all of them, on request of a possibly-compromised host, is of no relevance.


I think the thinking is that since most IPv4 "home" protocols (which
is really only where UPnP exists, since Enterprise class firewalls
almost never want to have anything to do with it), is that most of the
"home" protocols (eg. games, streaming, etc) have mostly converged to
a model not expecting end-to-end connectivity, and hidden behind a NAT
thing, that anything now transitioning to IPv6 will follow suit when
they add that support to whatever needs to punch holes in things,
instead checking in constantly with the "central server" instead of
assuming end-to-end connectivity.

That said, I think the IPv6 firewalls need better home connectivity
support as well. I once put in a ticket to Fortinet to ask if there
could be made an ACL object that tracked the prefix mask delivered via
DHCP6_PD, such that we could write policies such as
          allow remote_ipv6_address ${PREFIX1}::1f5d:50 22

But that couldn't be impressed on the first tiers of support
what-so-ever.  That totally confused them to no end. Unlike my IPv4
address which almost never changes at Comcast, the IPv6 prefixes I get
change on every connection.





________________________________
This communication is confidential. We only send and receive email on the basis of the terms set out at www.rogers.com/web/content/emailnotice<http://www.rogers.com/web/content/emailnotice>



Ce message est confidentiel. Notre transmission et réception de courriels se fait strictement suivant les modalités énoncées dans l’avis publié à www.rogers.com/aviscourriel <http://www.rogers.com/aviscourriel>
________________________________



--
Fernando Gont
e-mail: fernando at gont.com.ar<mailto:fernando at gont.com.ar> || fgont at acm.org<mailto:fgont at acm.org>
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




________________________________
This communication is confidential. We only send and receive email on the basis of the terms set out at www.rogers.com/web/content/emailnotice<http://www.rogers.com/web/content/emailnotice>



Ce message est confidentiel. Notre transmission et réception de courriels se fait strictement suivant les modalités énoncées dans l’avis publié à www.rogers.com/aviscourriel <http://www.rogers.com/aviscourriel>
________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20171211/3a516f76/attachment-0001.html 


More information about the ipv6-ops mailing list