InvalidError
join:2008-02-03

1 recommendation

InvalidError to 34764170

Member

Re: IPv6 beta

said by 34764170:

Another area that will benefit greatly from IPv6 is VoIP. SIP is a total pain with NAT.

The main reason for the pain is simply the requirement to keep an inbound port open on the accidental firewall created by NAT's IP:port S:D connection tracking: can't forward inbound until you know who to forward the traffic to.

You would run into many of the same problems with a basic IPv6 firewall that denies inbound by default much the same way NAT routers do.

As far as I can see, the main potential problem IPv6 does fix for VoIP and similar services is the potential confusion in a scenario where someone owns multiple SIP devices that attempt to connect to the same server while using the same inbound port. On IPv4, the router would have no way to know which client packets belong to since they all have the same signature. Letting UPnP pick the inbound port or configuring clients with different ports both solve this IPv4 problem - assuming the router and SIP client's UPnP implementations are both working properly... though this goes for the IPv6 firewall as well.

SimplePanda
BSD
Premium Member
join:2003-09-22
Montreal, QC

1 recommendation

said by InvalidError:

said by 34764170:

Another area that will benefit greatly from IPv6 is VoIP. SIP is a total pain with NAT.

The main reason for the pain is simply the requirement to keep an inbound port open on the accidental firewall created by NAT's IP:port S:D connection tracking: can't forward inbound until you know who to forward the traffic to.

You would run into many of the same problems with a basic IPv6 firewall that denies inbound by default much the same way NAT routers do.

An additional portion of this problem is that there still isn't a very well defined port management system for IPv6 firewalls.

With V4 we have NAT-PMP and UPnP (gross) to handle this. V6 still doesn't really have a counterpart to tell the firewall to open ports as needed by opening/closing applications.

The port problem is compounded by address randomization on V6 networks by default in most OS's in SLAAC environments. DHCPv6 can solve this to some extent in that you can configure your router manually to always give your computer a specific address and then manually open ports needed but that's a pretty lousy solution compared to the relatively transparent operating of a NAT with PMP/UPnP support.

This is one area where Apple can show some real leadership - updating NAT-PMP to work well with IPv6 and really push it as a standard. Alas, Apple seems to care about 0% about IPv6, as evidenced by their V6 stack on OS X (happy eyeballs always on and can't be disabled) and their routers (PPPoE IPv6 completely unsupported).

Sigh.

34764170 (banned)
join:2007-09-06
Etobicoke, ON

1 recommendation

Member

said by SimplePanda:

An additional portion of this problem is that there still isn't a very well defined port management system for IPv6 firewalls.

With V4 we have NAT-PMP and UPnP (gross) to handle this. V6 still doesn't really have a counterpart to tell the firewall to open ports as needed by opening/closing applications.

The port problem is compounded by address randomization on V6 networks by default in most OS's in SLAAC environments. DHCPv6 can solve this to some extent in that you can configure your router manually to always give your computer a specific address and then manually open ports needed but that's a pretty lousy solution compared to the relatively transparent operating of a NAT with PMP/UPnP support.

This is one area where Apple can show some real leadership - updating NAT-PMP to work well with IPv6 and really push it as a standard. Alas, Apple seems to care about 0% about IPv6, as evidenced by their V6 stack on OS X (happy eyeballs always on and can't be disabled) and their routers (PPPoE IPv6 completely unsupported).

Not really true. UPnP has already been updated for IPv6 and there are already implementations out there supporting it now.

The privacy address issue shouldn't be an issue if the UPnP client is doing its job properly. It should be able to monitor the OS to see the new privacy address being added and as new connections are being made outbound using the new address the UPnP client should know to open the ports with the new IP address too.

I can't say as I agree about Apple and v6. Their execution and implementation have not been perfect but in a lot of regards they have done a better job than most of the other vendors overall.
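
A toy model of two points raised in the thread (the same-port conflict between two SIP devices behind IPv4 NAT, and inbound pinholes having to follow a rotating privacy address on a default-deny IPv6 firewall), added here as an illustration and not written by any poster. The class names, function names and addresses are constructed for the example; it does not implement UPnP, NAT-PMP or any real router's behaviour.

```python
import ipaddress

class Nat44PortMap:
    """IPv4 NAT: one shared public address, so inbound forwards are keyed by port only."""
    def __init__(self):
        self.forwards = {}  # external port -> internal IPv4 address

    def request(self, internal_ip, port):
        owner = self.forwards.setdefault(port, internal_ip)
        return owner == internal_ip  # False: port already forwarded to another host

class V6Firewall:
    """Default-deny inbound IPv6 firewall: pinholes keyed by (destination address, port)."""
    def __init__(self, lan_prefix):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.pinholes = set()

    def open(self, addr, port):
        addr = ipaddress.ip_address(addr)
        if addr not in self.lan:
            raise ValueError("refusing pinhole outside the LAN prefix")
        self.pinholes.add((addr, port))

    def close(self, addr, port):
        self.pinholes.discard((ipaddress.ip_address(addr), port))

    def allows_inbound(self, addr, port):
        return (ipaddress.ip_address(addr), port) in self.pinholes

def rotate_address(fw, old, new, ports):
    """Client-side duty when a privacy address changes: open on new, close on old."""
    for port in ports:
        fw.open(new, port)
        fw.close(old, port)  # a stale pinhole left behind is needless exposure

def demo():
    # Constructed sample hosts: two SIP phones that both want inbound port 5060.
    nat = Nat44PortMap()
    nat_results = [nat.request("192.168.1.10", 5060), nat.request("192.168.1.11", 5060)]
    fw = V6Firewall("2001:db8:0:1::/64")
    fw.open("2001:db8:0:1::a", 5060)
    fw.open("2001:db8:0:1::b", 5060)
    v6_results = [fw.allows_inbound(h, 5060) for h in ("2001:db8:0:1::a", "2001:db8:0:1::b")]
    before = fw.allows_inbound("2001:db8:0:1::c", 5060)  # new privacy address, no pinhole yet
    rotate_address(fw, "2001:db8:0:1::a", "2001:db8:0:1::c", [5060])
    after = (fw.allows_inbound("2001:db8:0:1::c", 5060), fw.allows_inbound("2001:db8:0:1::a", 5060))
    return nat_results, v6_results, before, after

if __name__ == "__main__":
    print(demo())
```

In the model the second IPv4 request for port 5060 is refused while both IPv6 hosts get their own pinhole, and inbound traffic to a new privacy address is dropped until the pinhole is moved.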