FGHIGate on GaNJa NeTWoRK ST@Ti0N - Viewing a message in the IPV6 echo conference


Messages from the IPV6 echo conference are available with dates from 31 Jul 11 14:37:00 to 01 Apr 24 00:03:00, total messages: 7402
= Message: 7274 of 7402 ============================================= IPV6 =
From : Michiel van der Vlist            2:280/5555         24 Apr 23 16:22:01
To   : Victor Sudakov                                      24 Apr 23 16:22:01
Subj : Connection Tests
FGHI : area://IPV6?msgid=2:280/5555+64469543
Re   : area://IPV6?msgid=2:5005/49+644576e2
= Message encoding detected as: CP850 =========================================
==============================================================================
Hello Victor,

On Monday April 24 2023 01:20, you wrote to me:

VS>>> Only when you know the IPv6 address and port beforehand.

MV>> When running servers you normally do...

VS> P2P apps like Transmission are not really servers.

VS> Well they are in the strict sense of the word, but people just start
VS> them up and hope for them to work out of the box,

That's their problem...

VS> and they are often configured by default to randomize port numbers on
VS> each start.

Bad practice...

VS>>> Usually an IPv6 address on the home LAN is dynamic (SLAAC),

MV>> No. SLAAC addresses are not dynamic. They are derived from the
MV>> MAC address.

VS> Not any more. AFAIK the recent implementation of SLAAC uses the
VS> privacy extensions which do not use the MAC address but some random
VS> numbers to derive the IPv6 host address.

Privacy extensions use random numbers for the host part. AFAIK SLAAC still uses the MAC address. What I do see is that DHCP6 is often preferred over SLAAC and the host part of a DHCP6 address also looks random. But it definitely is a fixed address. So no problem.

VS>>> and the port in peer-to-peer applications, VoIP applications etc
VS>>> is often dynamic too.

MV>> VOIP normally uses standard ports.

VS> SIP (the signalling protocol) does, but the RTP uses random ports. A
VS> firewall has no way to know the RTP dynamic port numbers unless it
VS> inspects the SIP protocol.

If those "random" ports are previously initiated by the SIP protocol there should be no problem.

VS>>> The situation is different of course when you are hosting an
VS>>> IPv6 web-server or something like that. It would have a fixed
VS>>> IPv6 address and port anyway, so there is no need for
VS>>> punch-holing the firewall.

MV>> Indeed.

VS> I don't really understand your point. If we decide that UPnP (think
VS> "automatic firewall configuration from the inside") is desirable for
VS> IPv4,

That "we" does not include me. I have never used UPnP, have always had it disabled in my routers and never had any need for it.

I consider UPnP a security risk.

So maybe I am not the right person to discuss this "issue".

VS> then it's desirable for IPv6 too. If we decide that UPnP is not
VS> desirable, you can do without it in IPv4: just configure a static
VS> RFC1918 address and port on your internal "server" and create a static
VS> NAT/portmapping entry on the router.

Works for me...


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)
