• Connection Tests

    From Michiel van der Vlist@2:280/5555 to Victor Sudakov on Mon Apr 10 15:46:23 2023
    Hello Victor,

    On Friday April 07 2023 00:25, you wrote to me:

    > Please elaborate...

    > The Transmission torrent client, and the syncthing file
    > synchronization utility can use the UPnP protocol to request a
    > firewall to pass *IPv4* incoming traffic (and create a port forwarding
    > for IPv4 NAT). They cannot however (at least to my knowledge) use UPnP
    > or any other protocol to request a router to open a hole for incoming traffic in an *IPv6* firewall.

    I see. Or so I think. You ask for some kind of "IPv6 equivalent" for UPnP. But why would you want that? UPnP is a questionable idea anyway. For IPv4 it creates an entry in the NAT table and as a side effect creates a hole in the firewall.

    But why would you need that for IPv6?

    For IPv6 there (normally) is no NAT, so no need to create an entry in a NAT table. In IPv6 every device has a Unique Global Address, so one can simply create pinholes in advance as needed for the address in question.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Victor Sudakov@2:5005/49 to Michiel van der Vlist on Tue Apr 11 09:33:44 2023
    Dear Michiel,

    10 Apr 23 15:46, you wrote to me:

    > Please elaborate...

    > The Transmission torrent client, and the syncthing file
    > synchronization utility can use the UPnP protocol to request a
    > firewall to pass *IPv4* incoming traffic (and create a port
    > forwarding for IPv4 NAT). They cannot however (at least to my
    > knowledge) use UPnP or any other protocol to request a router to
    > open a hole for incoming traffic in an *IPv6* firewall.

    > I see. Or so I think. You ask for some kind of "IPv6 equivalent" for
    > UPnP. But why would you want that? UPnP is a questionable idea anyway.
    > For IPv4 it creates an entry in the NAT table and as a side effect
    > creates a hole in the firewall.

    > But why would you need that for IPv6?

    > For IPv6 there (normally) is no NAT, so no need to create an entry in
    > a NAT table.

    The "IPv6 equivalent" for UPnP is not for creating entries in the NAT table (which is absent in IPv6). It is for creating rules in an IPv6 firewall allowing incoming traffic to an application running on an IPv6-enabled host. A firewall (IPv4 or IPv6) is usually configured to block incoming traffic which is not part of an established outgoing connection.

    > In IPv6 every device has a Unique Global Address, so one
    > can simply create pinholes in advance as needed for the address in question.

    Only when you know the IPv6 address and port beforehand. Usually an IPv6 address on the home LAN is dynamic (SLAAC), and the port in peer-to-peer applications, VoIP applications etc. is often dynamic too.

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20170303-b20170303
    * Origin: Ulthar (2:5005/49)
  • From Victor Sudakov@2:5005/49 to Michiel van der Vlist on Tue Apr 11 09:47:00 2023
    Dear Michiel,

    10 Apr 23 15:46, you wrote to me:

    > Please elaborate...

    > The Transmission torrent client, and the syncthing file
    > synchronization utility can use the UPnP protocol to request a
    > firewall to pass *IPv4* incoming traffic (and create a port
    > forwarding for IPv4 NAT). They cannot however (at least to my
    > knowledge) use UPnP or any other protocol to request a router to
    > open a hole for incoming traffic in an *IPv6* firewall.

    > I see. Or so I think. You ask for

    It is not even that I *ask for* it. I've read here, some messages ago, that some home router declared "IPv6 punch-holing support." Unfortunately I could not find more information either about the model of the router or its features.

    > for some kind of "IPv6 equivalent" for
    > UPnP. But why would you want that? UPnP is a questionable idea anyway.
    > For IPv4 it creates an entry in the NAT table and as a side effect
    > creates a hole in the firewall.

    > But why would you need that for IPv6?

    > For IPv6 there (normally) is no NAT, so no need to create an entry in
    > a NAT table.

    The "IPv6 equivalent" for UPnP is not for creating entries in a NAT table (which is absent in IPv6). It is for creating rules in an IPv6 firewall allowing incoming traffic to an application running on an IPv6-enabled host. A firewall (IPv4 or IPv6) is usually configured to block incoming traffic which is not part of an established outgoing connection.

    > In IPv6 every device has a Unique Global Address, so one
    > can simply create pinholes in advance as needed for the address in question.

    Only when you know the IPv6 address and port beforehand. Usually an IPv6 address on the home LAN is dynamic (SLAAC), and the port in peer-to-peer applications, VoIP applications etc. is often dynamic too.

    The situation is different of course when you are hosting an IPv6 web-server or something like that. It would have a fixed IPv6 address and port anyway, so there is no need for punch-holing the firewall.

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20170303-b20170303
    * Origin: Ulthar (2:5005/49)
  • From Michiel van der Vlist@2:280/5555 to Victor Sudakov on Sat Apr 15 09:28:09 2023
    Hello Victor,

    On Tuesday April 11 2023 09:47, you wrote to me:

    > In IPv6 every device has a Unique Global Address, so one
    > can simply create pinholes in advance as needed for the address
    > in question.

    > Only when you know the IPv6 address and port beforehand.

    When running servers you normally do...

    > Usually an IPv6 address on the home LAN is dynamic (SLAAC),

    No. SLAAC addresses are not dynamic. They are derived from the MAC address.

    > and the port in peer-to-peer applications, VoIP applications etc. is
    > often dynamic too.

    VOIP normally uses standard ports.

    > The situation is different of course when you are hosting an IPv6 web-server or something like that. It would have a fixed IPv6 address
    > and port anyway, so there is no need for punch-holing the firewall.

    Indeed.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Michiel van der Vlist@2:280/5555 to Rob Swindell on Tue Apr 18 11:44:31 2023
    Hello Rob,

    Wednesday April 05 2023 23:22, I wrote to you:

    > Next up, the Fidonet nodelist.

    > We will see in a day or two...

    Hmmm.... it seems to take a bit longer than just a couple of days. Almost two weeks later and still no binkp.synchro.net in the nodelist for 1:103/705. :(


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Rob Swindell@1:103/705 to Michiel van der Vlist on Tue Apr 18 13:57:12 2023
    Re: Connection Tests
    By: Michiel van der Vlist to Rob Swindell on Tue Apr 18 2023 11:44 am

    > Hello Rob,

    > Wednesday April 05 2023 23:22, I wrote to you:

    > Next up, the Fidonet nodelist.

    > We will see in a day or two...

    > Hmmm.... it seems to take a bit longer than just a couple of days. Almost two weeks later and still no binkp.synchro.net in the nodelist for 1:103/705. :(

    I haven't requested the change from NC/RC yet. That's on me.
    --
    digital man (rob)

    Synchronet "Real Fact" #59:
    Synchronet swag used to be available for purchase at cafepress.com/synchronet Norco, CA WX: 63.3°F, 62.0% humidity, 9 mph S wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Victor Sudakov@2:5005/49 to Michiel van der Vlist on Mon Apr 24 01:20:16 2023
    Dear Michiel,

    15 Apr 23 09:28, you wrote to me:

    > In IPv6 every device has a Unique Global Address, so one
    > can simply create pinholes in advance as needed for the address
    > in question.

    > Only when you know the IPv6 address and port beforehand.

    > When running servers you normally do...

    P2P apps like Transmission are not really servers.

    Well they are in the strict sense of the word, but people just start them up and hope for them to work out of the box, and they are often configured by default to randomize port numbers on each start.

    > Usually an IPv6 address on the home LAN is dynamic (SLAAC),

    > No. SLAAC addresses are not dynamic. They are derived from the MAC address.

    Not any more. AFAIK the recent implementation of SLAAC uses the privacy extensions which do not use the MAC address but some random numbers to derive the IPv6 host address.

    > and the port in peer-to-peer applications, VoIP applications etc.
    > is often dynamic too.

    > VOIP normally uses standard ports.

    SIP (the signalling protocol) does, but the RTP uses random ports. A firewall has no way to know the RTP dynamic port numbers unless it inspects the SIP protocol.

    > The situation is different of course when you are hosting an IPv6
    > web-server or something like that. It would have a fixed IPv6
    > address and port anyway, so there is no need for punch-holing the
    > firewall.

    > Indeed.

    I don't really understand your point. If we decide that UPnP (think "automatic firewall configuration from the inside") is desirable for IPv4, then it's desirable for IPv6 too. If we decide that UPnP is not desirable, you can do without it in IPv4: just configure a static RFC1918 address and port on your internal "server" and create a static NAT/portmapping entry on the router.

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20170303-b20170303
    * Origin: Ulthar (2:5005/49)
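    Victor's remark that a firewall cannot learn the RTP ports without inspecting SIP describes what a SIP-aware firewall (ALG) has to do: read the SDP body carried in the INVITE / 200 OK and open the media ports it announces. The Python below is an added example, not code from the thread or from any product named in it; the SDP body is constructed and uses documentation-range addresses.

```python
from ipaddress import ip_address

# Constructed SDP offer (documentation-range IPv6 address, not a captured call).
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP6 2001:db8::10
s=-
c=IN IP6 2001:db8::10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtcp:49171
m=video 51372 RTP/AVP 96
m=text 0 RTP/AVP 98
"""

def sdp_pinholes(sdp: str):
    """Return the (address, udp_port) pairs a SIP-aware firewall would have to
    open for the media streams announced in an SDP body.

    Rules applied (RFC 4566 / RFC 3605):
      - a session-level c= line gives the default media address;
      - a c= line after an m= line overrides it for that stream only;
      - RTCP is RTP port + 1 unless an a=rtcp: attribute says otherwise;
      - a media port of 0 means the stream is rejected, so no hole is needed.
    """
    session_addr = None
    streams = []          # one dict per m= line, in order of appearance
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("c="):
            # c=<nettype> <addrtype> <connection-address>
            addr = ip_address(line[2:].split()[2])
            if streams:
                streams[-1]["addr"] = addr      # media-level override
            else:
                session_addr = addr             # session-level default
        elif line.startswith("m="):
            # m=<media> <port> <proto> <fmt> ...
            _media, port, _proto = line[2:].split()[:3]
            port = int(port)
            streams.append({"addr": session_addr, "rtp": port, "rtcp": port + 1})
        elif line.startswith("a=rtcp:") and streams:
            # a=rtcp:<port> [nettype addrtype address]
            streams[-1]["rtcp"] = int(line[len("a=rtcp:"):].split()[0])
    holes = []
    for s in streams:
        if s["rtp"] == 0 or s["addr"] is None:
            continue                            # rejected stream or no address
        holes.append((str(s["addr"]), s["rtp"]))
        holes.append((str(s["addr"]), s["rtcp"]))
    return holes
```

    Without this step a stateful firewall sees only the SIP signalling on its standard port and drops the RTP that arrives on the announced ports.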
  • From Michiel van der Vlist@2:280/5555 to Victor Sudakov on Mon Apr 24 16:22:01 2023
    Hello Victor,

    On Monday April 24 2023 01:20, you wrote to me:

    > Only when you know the IPv6 address and port beforehand.

    > When running servers you normally do...

    > P2P apps like Transmission are not really servers.

    > Well they are in the strict sense of the word, but people just start
    > them up and hope for them to work out of the box,

    That's their problem...

    > and they are often configured by default to randomize port numbers on
    > each start.

    Bad practice...

    > Usually an IPv6 address on the home LAN is dynamic (SLAAC),

    > No. SLAAC addresses are not dynamic. They are derived from the
    > MAC address.

    > Not any more. AFAIK the recent implementation of SLAAC uses the
    > privacy extensions which do not use the MAC address but some random numbers to derive the IPv6 host address.

    Privacy extensions use random numbers for the host part. AFAIK SLAAC still uses the MAC address. What I do see is that DHCP6 is often preferred over SLAAC and the host part of a DHCP6 address also looks random. But it definitely is a fixed address. So no problem.

    > and the port in peer-to-peer applications, VoIP applications etc.
    > is often dynamic too.

    > VOIP normally uses standard ports.

    > SIP (the signalling protocol) does, but the RTP uses random ports. A firewall has no way to know the RTP dynamic port numbers unless it inspects the SIP protocol.

    If those "random" ports are previously initiated by the SIP protocol there should be no problem.

    > The situation is different of course when you are hosting an
    > IPv6 web-server or something like that. It would have a fixed
    > IPv6 address and port anyway, so there is no need for
    > punch-holing the firewall.

    > Indeed.

    > I don't really understand your point. If we decide that UPnP (think "automatic firewall configuration from the inside") is desirable for
    > IPv4,

    That "we" does not include me. I have never used UPnP, have always had it disabled in my routers and never had any need for it.

    I consider UPnP a security risk.

    So maybe I am not the right person to discuss this "issue".

    > then it's desirable for IPv6 too. If we decide that UPnP is not
    > desirable, you can do without it in IPv4: just configure a static
    > RFC1918 address and port on your internal "server" and create a static NAT/portmapping entry on the router.

    Works for me...


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
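    The disagreement above over whether a SLAAC address is "derived from the MAC address" comes down to which interface identifier the host chose: the modified EUI-64 form (RFC 4291) embeds the MAC, while the RFC 4941 privacy extensions use a random identifier. The following Python is an added example, not from the thread; it forms the EUI-64 address from a constructed MAC and documentation prefix, and checks whether a given address carries the ff:fe marker of a MAC-derived identifier.

```python
from ipaddress import IPv6Address, IPv6Network

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC, insert
    ff:fe between the OUI and the device part, and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02      # U/L bit: a universally administered MAC gets it set
    return int.from_bytes(eui, "big")

def slaac_eui64_address(prefix: str, mac: str) -> IPv6Address:
    """The address SLAAC forms from an advertised /64 when the host uses
    EUI-64 identifiers (the form the thread calls 'derived from the MAC')."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def mac_from_address(addr: str):
    """Recover the MAC if the interface identifier is EUI-64, else None.
    A privacy-extension (RFC 4941) or DHCPv6 identifier normally lacks the
    ff:fe marker, so None is the expected answer for those (a random IID
    matches the marker by chance only once in 65536)."""
    iid = int(IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02        # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])

# Constructed values: documentation prefix and an arbitrary MAC.
PREFIX = "2001:db8:1:2::/64"
MAC = "00:1a:2b:3c:4d:5e"
```

    A fixed address without the marker (DHCPv6, as Michiel notes) also returns None here, so the marker tells you how the identifier was formed, not whether it is stable.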
