On 22 Nov 2016, at 18.51, Juliusz Chroboczek <[email protected]> wrote:
>> I can put that controller into my own home and operate it
> Assuming that you can control the stateful firewall that's running on the
> edge routers.  Recall that the edge router is not necessarily on the local
> link, and that there can be multiple edge routers.
> 
> (I see that hnet-full in OpenWRT/LEDE installs a thing called
> "minimalist-pcproxy", but I have no idea what it does and whether it
> handles multiple edge routers correctly.)

It does. The downside with it is that it is based on essentially non-IETF stuff (my 
expired draft) for figuring out whom to forward the requests to. The PCP WG wasn’t that 
keen on it, and then they disbanded. Perhaps someone should adopt it here if 
firewall hole punching is still on the agenda (as the plain PCP proxy specified in 
the PCP WG is not up to the multiprefix part of the task, and is also overly 
complex).

> (In order to keep the discussion at the high intellectual level customary
> for this group, I suggest that all mentions of uPNP be banned.  PCP
> (formerly NAT-PMP) is the Standards Track protocol for punching holes in
> stateful firewalls and NAT boxes, and unlike uPNP it actually makes
> sense.)

Does it? Now that I have thought about it more, I do not control all devices in 
my home that well to start with (hello, embedded things that talk IP), and I am 
not that keen to allow them to punch holes in the firewall. Obviously, they can 
call home anyway (if they are not on a restricted access subnet, at any rate), 
but it is one less vulnerable externally visible protocol implementation to 
worry about if they can only call outside and not have port scanners hit them.

As an anecdote, I upgraded my home infra during the last month (hello, Turris 
Omnia), and essentially thought about ‘do I want this piece or not’.

What made the cut from homenet/friends:

- ohybridproxy (the only really scalable and sensible IPv6 rDNS source that I am 
aware of, given nodes talk mDNS)

- shsp (joke draft, but my home automation stuff still runs DNCP-based 
distributed computation using it)

What didn’t:

- the rest (I have few subnets, but they have also different policies in regard 
to each other and outside world => autoconfiguration is not on the cards).

Manual configuration = win for most things, if you are security conscious, and 
I try to be.

Cheers,

-Markus
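As an added illustration, not part of the thread and not the author's own configuration: the posture Markus describes (a restricted subnet whose embedded devices may call out but receive no unsolicited inbound traffic, no PCP/NAT-PMP listener to open holes for them, and a deliberately different policy per subnet) written as an nftables ruleset for a single edge router. Interface names iot0, lan0 and wan0 and the permitted outbound ports are assumptions for the example; Juliusz's caveat still applies, since a home with several edge routers would need the same policy on each of them.

```nft
# Added example: manual per-subnet policy on one edge router.
# Interface names (iot0 = restricted embedded devices, lan0 = trusted LAN,
# wan0 = uplink) and the allowed ports are assumptions, not from the thread.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: only replies to connections opened from inside come back.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 needed for path MTU discovery and error reporting to pass.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Restricted subnet: outbound to the uplink only, on what it needs.
        iifname "iot0" oifname "wan0" tcp dport 443 accept   # call-home over TLS
        iifname "iot0" oifname "wan0" udp dport 123 accept   # NTP
        iifname "iot0" oifname "wan0" udp dport 53  accept   # DNS, if not resolved locally

        # Trusted LAN may reach the uplink freely ...
        iifname "lan0" oifname "wan0" accept
        # ... and may reach the restricted subnet, but not the other way round.
        iifname "lan0" oifname "iot0" accept
        iifname "iot0" oifname "lan0" drop

        # Anything else, including every new inbound flow from wan0 (what a port
        # scanner would send), falls through to the drop policy; log it rate-limited.
        limit rate 5/second log prefix "fwd-drop: "
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # Neighbour discovery and pings so IPv6 keeps working on every link.
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept

        # Router management only from the trusted LAN. Note what is absent:
        # no PCP (udp 5351) or other hole-punching service on any interface,
        # so embedded devices cannot request inbound mappings for themselves.
        iifname "lan0" tcp dport 22 accept
    }
}
```

The point of the layout is that each subnet's policy is stated explicitly rather than negotiated: a device on iot0 can initiate outbound sessions and receive their replies through conntrack, but nothing on the uplink can open a session towards it, and there is no protocol endpoint through which it could change that.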
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet