In message <[email protected]> james woodyatt writes:
> On Oct 10, 2011, at 08:51 , Michael Richardson wrote:
> >
> > It does break the *I*nternet model: the one where the ISPs control
> > everything like the telcos did before, and I need to beg to be allowed
> > to receive SYN packets. Why do I care if it breaks the business plans
> > of some ISPs?
>
> I hate to break the news to you, but it isn't the ISPs that are making
> you beg to receive a SYN packet from anywhere on the Internet. It's
> the home gateway vendors, who are following the advice of RFC 4864 to
> implement stateful default-deny simple security mechanisms, and who
> follow the advice of myriad other 'experts' who insist that these
> functions be enabled by default.
>
> Shorter james: it's your residential subscribers who are insisting that
> your devices need to beg for permission to receive inbound SYN packets
> from arbitrary remote addresses.
>
> The IETF is in the process of specifying a protocol to let you beg for
> incoming packets, cf. I-D.ietf-pcp-base. I wish you all the luck in
> the world convincing the average home networking gear buyer that they
> shouldn't need any of this craziness. Sincerely. I tried that. Been
> there, done that, got the T-shirt, ended up buffing the car with it,
> donated the car to charity when the car wore out... in other words, I
> am done struggling against what you call "the Internet model" because
> from my perspective that's like trying to bail out San Francisco
> bay with a tea cup. Have fun storming the castle though...
All of this is only true for IPv4 but not for IPv6. If you need a SYN from outside, then you need a globally routable address, and then practically speaking you need IPv6. The simplest solution is 6to4, but that means replacing the border router if it doesn't support 6to4.

The other way is to accept the RFC 1918 address you got from the NAT and TCP tunnel through the NAT. For an electrical meter with extremely low throughput needs and very high delay tolerance, this seems easy enough. The meter simply needs to know the IP address of its electrical transmission provider. If that IP address is not configured right at installation, the power never comes on and someone would notice. The electrical transmission provider can then provide an IPv6 address and a gateway to IPv6. The cost is a tiny flow of TCP keepalives, but if the ISP complains, tell them to support IPv6.

It is a shame that you can't get a SYN from outside into a home network that is behind an IPv4-only NAT44, but use of NAT is not a situation that the IETF encouraged. We can't change that, so we can only try to move forward on a better path.

BTW, ietf-pcp-base is just yet another hack built onto NAT44 to try to extend its life. For the last 15 years the IPv4 sky was falling. Now it finally really is falling, as the NAT hacks are coming undone in many ways and the ISPs can't get addresses to build infrastructure. The good news is now we can get something done with IPv6.

Curtis

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
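The meter-initiated TCP session Curtis sketches above, as an added example that is not part of the thread and not anyone's product code: the meter behind NAT44 opens one outbound connection to a preconfigured provider address, the provider hands it an IPv6 address from its pool over that connection, and later "inbound" requests from the provider ride the same session, so the meter never has to accept a SYN. The provider pool (2001:db8:100::/64), the meter id, the newline-delimited JSON messages and the use of loopback in place of the real NAT path are all assumptions made for this illustration. The keepalive tunables are Linux-only; on other platforms only SO_KEEPALIVE with the OS default timers is set.

```python
import ipaddress
import json
import socket
import threading

# Constructed values for this example (not from the thread): a documentation-range
# pool the hypothetical transmission provider assigns from, and one meter identity.
PROVIDER_POOL = ipaddress.IPv6Network("2001:db8:100::/64")
METER_ID = 42


def enable_keepalive(sock, idle=60, interval=20, count=3):
    """Keep the NAT44 binding alive with a tiny periodic flow.

    The idle timer must be shorter than the NAT's mapping timeout, or the
    provider's next request hits a mapping that no longer exists.
    TCP_KEEPIDLE/INTVL/CNT exist on Linux; elsewhere only SO_KEEPALIVE applies.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)


def send_msg(sock, obj):
    """One newline-delimited JSON message (assumed wire format)."""
    sock.sendall(json.dumps(obj).encode() + b"\n")


def recv_msg(reader):
    line = reader.readline()
    return json.loads(line) if line else None


def assign_address(meter_id):
    """Provider picks a globally routable IPv6 address for this meter from its pool."""
    return str(PROVIDER_POOL[meter_id])


def provider(listener, outcome):
    """Provider side: accepts the meter's outbound session and then uses it as the
    channel for requests that NAT44 would otherwise have blocked as unsolicited."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as reader:
        hello = recv_msg(reader)
        if hello is None or hello.get("type") != "hello":
            return
        addr = assign_address(hello["meter_id"])
        send_msg(conn, {"type": "assign", "ipv6": addr})
        send_msg(conn, {"type": "read"})  # provider-initiated, no inbound SYN needed
        reading = recv_msg(reader)
        send_msg(conn, {"type": "bye"})
        outcome["assigned"] = addr
        outcome["reading"] = reading


def meter(provider_addr):
    """Meter side: the only configuration it needs is the provider's address."""
    with socket.create_connection(provider_addr) as sock:
        enable_keepalive(sock)
        send_msg(sock, {"type": "hello", "meter_id": METER_ID})
        assigned = None
        with sock.makefile("rb") as reader:
            while True:
                msg = recv_msg(reader)
                if msg is None or msg["type"] == "bye":
                    return assigned
                if msg["type"] == "assign":
                    assigned = msg["ipv6"]
                elif msg["type"] == "read":
                    # Constructed sample reading; a real meter would report its register.
                    send_msg(sock, {"type": "reading", "meter_id": METER_ID, "kwh": 1234.5})


def run_exchange():
    """Runs both sides on loopback and returns what each side ended up with."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    outcome = {}
    worker = threading.Thread(target=provider, args=(listener, outcome))
    worker.start()
    outcome["meter_saw"] = meter(listener.getsockname())
    worker.join(5)
    listener.close()
    return outcome


if __name__ == "__main__":
    print(run_exchange())
```

Note what this does and does not buy: the meter is reachable only through the one provider it dialed out to, the keepalive interval is a guess about the NAT's timer, and if the session drops the meter must redial before the provider can reach it again. That is exactly the "hack built onto NAT44" shape Curtis describes; a routable IPv6 address removes the whole dance.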
