On 21-3-2016 at 00:29, Stuart Gathman wrote:
On 03/20/2016 11:36 AM, Xen wrote:
>> By the way, if UPnP was ever a problem in terms of NAT security,
>> obviously the problem is much worse in IPv6, since there is not even
>> any NAT and all devices are always exposed.
> "Addressable" is NOT the same thing as "exposed". Any sane IPv6
> router for the home (every one I have seen so far) blocks all
> incoming connections by default - just like NAT effectively does.
> There is no operational difference for the clueless home owner. With a
> consumer firewall, selected ports can be "forwarded" through IP4 NAT
> to a selected internal IP. Similarly, selected ports can be unblocked
> for selected internal objects with an IP6 firewall.
There is a fundamental issue with this, and that is that this is a rather
arbitrary "sanest method of configuration" rather than a topology
feature. What you get is like a multi-to-multi mapping (one-to-one, so
to speak); there is just a filter in between that will block incoming
connections. That means that the filter will record and maintain
outgoing connections like a current NAT firewall does. There is no
advantage to this over NAT other than the fact that you can use the same
port on multiple devices if you wanted to.
There is no longer a "port to different port" mapping, now it is simply
"open or closed".
The port to port mapping is not really a fundamental feature, typically
the ports for internal devices are not meaningful. There is a bit of an
advantage in not configuring anything but you also lose the feature of
being able to map anything in the first place. If those ports on the
internal network are meaningful, they don't have to be meaningful on the
outside. When you cross boundaries, meanings can change. For example, I
have a device internally running on port 22, but externally port 80.
This is because I was located on a premises that blocked outgoing port
22 connections. And basically all other connections except 80 and 443.
There are also other ports open on that router but they are all
accessible through the same IP and domain.
Now tell me, what is the advantage of IPv6? I don't see any.
I'm sure the mapping is a feature that is on IPv6 routers as well. But
are you telling me that I am going to need a different domain to access
every local device (because they each use a different public IP address)?
Sure, the router will have this feature. So what is the advantage then.
I'm still using one IP to access all services.
I'm sure certain people have experienced conflicts because for instance
certain games required certain incoming ports (doesn't really happen,
but okay. Think of a file-sharing program that may require some fixed
ports). Current torrent clients are able to choose any port they want.
Maybe it's a bit of a configuration hassle if you want fixed ports.
Nothing insurmountable and actually something that helps you understand
your network.
What advantage do I have if I have addressable (but, per the
configuration of the firewall, unexposed) IP addresses for each internal
device, including possibly the router?
Can you tell me that?
> The only semi-valid criticism is that with IP4 NAT, the effective 48
> bit (IP+ random 16 bit port) public address is periodically recycled
> to point to different internal objects. With IP6 sans NAT, the
> 128-bit (Subnet + random 64 bit host ip) public address, while random
> and periodically changing like IP4 NAT, is not recycled. A given IP
> only ever points to a single internal object. This could potentially
> reveal more information to someone logging IP+port on the outside.
> But it is not yet clear what exactly it would gain them.
You know, sometimes people say "why do you want it?" and oftentimes
when people say these things, it's just because people want it and there
is no other reason.
An example was a computer game that does not allow direct trade between
players in an online world. Most of these online worlds do allow direct
trade between individuals in a way of exchanging items in a relatively
safe way. That particular game did not have it. When some people started
arguing for inclusion of this feature, the wannabe employees of this
company started defending the status quo by saying "why do you need
it?". "Why do you want it?". And it was completely obvious and is
completely obvious to any sane normal person out there, even in the real
world, that being able to give stuff to another player, is something
that is meaningful and helpful. To anyone not affiliated with the status
quo of that game, this would normally not be a question. Of course you
want to trade. Of course you want to be able to hand someone something.
You can do so in real life, so why would you not want to do something
like that in a virtual world?
So in that case the question became really "why not?".
Today, you are saying "why not?" but the situation is different.
I do not feel a need or desire for IPv6. So in this case my question is
predominantly: "why?".
It's like building a research facility on the moon for no reason
whatsoever and to anyone who says "why?" you respond "there is no valid
criticism". Well, there first has to be a reason, doesn't there?
And simply the number of addresses is no reason for a change in topology.
The question is: WHY DO YOU WANT or feel the need or desire for (RANDOM)
64-bit addresses on an internal network?
First of all, a random non-reusable address is clearly a bag of
nonsense, as you indicate. That's no sane method of doing anything.
Think of a programming stack, queue or list. You want the queue, stack
or list to remain in an elegant state, for instance that indices keep
starting at 0 and that the first element is at index 0. You don't want a
runaway system where the indices become higher and higher constantly but
you expect not to run into trouble because you have reserved 64-bit for
them.
Maybe I'm assuming, perhaps. Then enlighten me.
There is a Linux system in which numbers go up. It is the Linux software
raid. If you have a raid type that needs rebuilding, I believe the
number of any disk "added again" to the array will always go up. So if
you keep doing that, these numbers keep going up (both of them, if you
have a 2-disk array). That in itself bugs people.
I do not even like random addresses in my network unless it is for
devices I could never want to directly address anyway.
I also do not like hexadecimal addresses in a hard-to-understand format.
People recognise 192.168.1.1. People are not going to recognise any of
that other shit. And you say there is no valid criticism? Sorry, you're
wrong.
But of course you recognise this, but as you say, or as I feel, this
system you've just shown me is just the output of a ludicrous mind.
Instead of a small set of understandable addresses with a fixed scope of
a certain containment (like what we have now, in that sense of about 255
addresses) they create 18446744073709551616 possible addresses ... just
looking at it makes clear how little sense this makes. These are being
randomly consumed, and only (?!) because there are so many is there no
real risk of actually exhausting them, even when it would be a
theoretical possibility and end result.
At least that is what it seems to be, from the way you just described it.
My apologies if I'm not well enough versed in this to really discuss
this. But what you've just shown me is just more stupid than what I
already thought...
A random 64-bit address is 8 bytes. A byte is 2 hexadecimal digits. That
means if these addresses are really random in the entire range, you need
16 digits to write them down. Currently, I can remember every device
with one decimal number between 1 and 254. So where is the advantage
here? People in the past used to directly access public IPs by IP. By
heart. I never did much of that, but it happened. I do use a domain
service for my IP and don't remember it.
Oftentimes I still manually write them in to some "host" program call
or something of the kind. There can be DNS issues and it is often
helpful to directly attempt IP addresses instead of domains to
troubleshoot that. Sometimes.
In Europe bank accounts have been 'Europeanised'. There is no real
advantage but all European account numbers in the EU are now directly
addressable throughout the EU. Surely there is an advantage to knowing
those addresses more easily. But local addressing has also been forced
to conform to the standard. My 7 digit account number now has the form
of NL88INGB000xxxxxxx. So it is now an 18 character number. There is a
structure to it so it is not that hard to remember. But you're being
forced to use these addresses even though the banks themselves can
easily translate the old addresses into the new ones (or really, vice
versa). It's not that they can't. You are being disallowed. It is a
political choice. For which there is not really any practical imperative.
I know my mother's bank account number by heart. But I don't know if she
has the same 88, because the same bank also uses different numbers for
that. That makes no sense, but it is true. I see the same in IPv6.
I see no advantages to IPv6. I mean, its structure.
You say "there is no valid criticism". I can see the advantage of having
more than one IP address for certain purposes. Simply because yes, it
could be helpful to have a port 80 for something else as well. My port
80 leads to 22 internally, and 443 leads to port 80 I believe. A bit of
a make-do setup. More addresses would mean more ports available. But I
wouldn't want them to be mapped one-to-one -- that would not even be a
solution because both of these ports are on the same device. There is
another device in my home that is not accessible yet. I just haven't
bothered. I also wouldn't want it to be directly accessible on the
outside (addressable) with the same address that I have for it on the
inside. I just don't want that.
What I want is clear: I want this to stay the same, or at least to
remain in a similar setup. I have no habit and dependence on a complete
and utter structure of IPv4, but I also don't see what's really wrong
with it. The whole A, B and C address ranges (or something like that) are
rather arbitrary and don't make a lot of sense, but there is also no
issue to that. They would have had to be arbitrarily something else.
What the world needed was a 6 number global address, and nothing else.
Not 128 bit. 48 bit, and that was perfect, and it was enough.
You could simply have introduced routers that could acquire multiple
addresses from an ISP, or better yet, a system where multiple
connections could be multiplexed over the single line, and a router can
simply handle 2 or more connections. Simply expose several MAC addresses
(for example) and acquire an IP on each. Then be able to use several
routers, or one for both. Then do whatever you want with it. It's fun,
and if it is elegant it is nice as well. The complexity on a router does
not extend by a great deal.
You only need it for fixed services anyway; like, what else do you need
it for?
No one ever had trouble with IPv4 unless they needed fixed ports. In a
home network setting at least.
There is no valid criticism. No, there is no valid need.
You are making life more difficult, you are creating trouble. And
there's no need for that.
"Home networks need to provide the tools to handle these situations in a
manner accessible to all users of home networks. **Manual configuration
is rarely, if at all, possible**, as the necessary skills and in some
cases even suitable management interfaces are missing."
This in itself should be clear enough.
"Firewalls that restrict incoming connections may be used to prevent
exposure, however, this reduces the efficacy of end-to-end connectivity
that IPv6 has the potential to restore."
So basically they want full exposure, but recognise that this is not
actually desirable, so they introduce a firewall that will block
incoming connections, when at first the whole reason for having
individual addresses was in large part to solve the problem of not being
reachable.
So they *wanted* all devices to be reachable, but now recognise that
such a thing is not actually desirable. There is no point to having
addresses if you can't do anything with it. That means you STILL need
UPnP to open ports. Nothing has changed.
Except everything has become 1000 times more complex, apparently.
_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
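Editor's added example, not part of the thread and not NetworkManager code: the two router setups discussed above side by side as an nftables ruleset. The IPv4 half does what Xen describes (public port 80 rewritten to port 22 on one internal host, everything else from the WAN dropped); the IPv6 half does what Stuart describes (no NAT, default-deny stateful filter, one pinhole to one internal host on its own port). Interface names `wan0` and `lan0`, the LAN range 192.168.1.0/24, the documentation prefix 2001:db8:1234:1::/64 and the internal host addresses are all placeholders chosen for this example.

```nft
#!/usr/sbin/nft -f
# Added example; names and addresses below are assumptions, not a real
# deployment. Load with: nft -f <this file>

flush ruleset

# --- IPv4: stateful filter plus NAT. Public port 80 is rewritten to
# port 22 on the internal host, the "port-to-different-port" mapping.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan0" tcp dport 80 dnat to 192.168.1.10:22
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may open anything outbound; the conntrack entry lets
        # the replies back in via the rule above.
        iifname "lan0" oifname "wan0" accept
        # From the WAN, only flows that matched a DNAT rule are let in.
        iifname "wan0" oifname "lan0" ct status dnat accept
    }
}

# --- IPv6: no NAT. Same default-deny, stateful filter; the host is
# reached on its own global address and its own port (22 stays 22), so a
# pinhole is "open or closed" rather than a remap.
table ip6 filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
        # These ICMPv6 errors must be forwarded or path MTU discovery
        # and error reporting break for the hosts behind the router.
        icmpv6 type { packet-too-big, destination-unreachable, time-exceeded, parameter-problem } accept
        # Pinhole: one internal host, one port, new connections from the WAN.
        iifname "wan0" ip6 daddr 2001:db8:1234:1::10 tcp dport 22 ct state new accept
    }
}
```

Two points a practitioner would check before relying on this. First, both halves are default-deny for unsolicited inbound traffic; the only difference is that the IPv4 pinhole is expressed as a NAT mapping and the IPv6 pinhole as a plain filter rule on the host's global address. Second, the IPv6 pinhole names a fixed address, so the internal host must keep a stable global address; hosts that use the random, periodically changing temporary addresses Stuart mentions (RFC 4941) use them for outbound connections in addition to a stable address, and it is that stable address that belongs in the rule.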