nanog mailing list archives

Re: Redploying most of 127/8 as unicast public


From: Matthew Walster <matthew () walster org>
Date: Sat, 20 Nov 2021 21:15:24 +0000

On Sat, 20 Nov 2021 at 13:47, Måns Nilsson <mansaxel () besserwisser org>
wrote:

> Subject: Re: Redploying most of 127/8 as unicast public Date: Sat, Nov 20,
> 2021 at 11:16:59AM +0000 Quoting Matthew Walster (matthew () walster org):
> > 3. IPv6 "port forwarding" isn't really an easy thing -- people are not
> > used to each machine having a global address.
>
> This is the problem in a nutshell. After 27 years of destroying the
> E2E model on the internet, people do not anymore understand how IP
> (regardless of version) was supposed to work; any node to any node.
>
> Why should we burden ourselves with this cumbersome and painful, useless
> layer of abstraction that is "port forwarding", when the choice of
> universal reachability is around the corner?

Because it's a REALLY bad idea to have unmanaged devices reachable from the
open internet. Dial-out, not dial-in. You need a firewall. You need a way
of punching holes in that firewall for services you explicitly allow, be
that manually through an interface, or temporarily via an automated system
like UPnP/NAT-PMP.

> If people can set a port forward up, they can click "allow" in a
> routing-based firewall interface. Only it is better, because one can
> have several parallel services using well-known ports. Sometimes (most
> of the time) the protocol spec has no option to change port either,
> making port forwarding futile anyway. (The "let's have a TXT record" bunch
> at it again, purposefully ignoring SRV since its inception.)

It's not always people. Lots of games, lots of telephony things, services
like Syncthing... They all open firewall holes (yes, NAT is a firewall) to
allow inbound connections for specific conditions, like "this protocol and
port combination".

> I guess juggling our pains differently is what we are doing here. What
> is unthinkable to one is quite OK to someone else.

Indeed.

> (But I am right)

You are not. I'm glad my internet-connected light bulbs are controlled by
the Australian firm that manufactures them and the American firm that has a
surveillance device in my kitchen listening for the immortal words "turn on
the living room lights", rather than Billy* from Doncaster who's looking
for something funny to do after losing at CS:GO again and happens to have
found a list of IP addresses of known vulnerable devices accessible from
the internet.

M

*Billy may or may not be a fictional person living in Yorkshire, UK. For
the sake of argument, Not All Yorkshiremen.
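The two mechanisms the posters are contrasting, side by side, as an added example that is not part of either message: an IPv4 port forward (DNAT on the router's single public address) and the IPv6 equivalent, which is just one explicit "allow" rule in an otherwise default-deny forward chain. The nftables ruleset below assumes a home router with interfaces "lan0" and "wan0", a LAN host at 192.168.1.20 / 2001:db8:1234::20, and a Syncthing-style daemon listening on TCP 22000; all of those names and addresses are made up for illustration.

```nft
# Added example (not from the NANOG thread): "dial-out, not dial-in" on a
# home router, with one service opened inbound each way. Interfaces,
# addresses and the service port are hypothetical.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # IPv6 does not work without ICMPv6 (neighbour discovery, PMTUD)
        meta l4proto ipv6-icmp accept
        meta l4proto icmp accept
        # The LAN may talk to the router itself (DHCP, DNS, admin UI)
        iifname "lan0" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections the LAN initiated: this is the NAT-style
        # "only what we dialled out" behaviour, for both address families
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept
        # ICMPv6 errors must be forwarded or path MTU discovery breaks
        meta l4proto ipv6-icmp accept

        # IPv4: the DNAT in the nat table has already rewritten the
        # destination, so this matches the post-NAT internal address
        ip daddr 192.168.1.20 tcp dport 22000 ct status dnat accept

        # IPv6: no address rewriting, the host already has a global
        # address. One "allow" line per host/port that may be dialled
        # into; nothing else on the LAN is reachable from wan0.
        iifname "wan0" ip6 daddr 2001:db8:1234::20 tcp dport 22000 accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # The classic port forward: <public address>:22000 -> one LAN host.
        # Only one host can own port 22000 on the single public address.
        iifname "wan0" tcp dport 22000 dnat to 192.168.1.20:22000
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Load with `nft -f` and inspect with `nft list ruleset`. The difference the thread is arguing about is visible in the two accept lines: on IPv6, a second host running the same service on the same well-known port is another `ip6 daddr ... tcp dport 22000 accept` line, whereas on IPv4 the router has one port 22000 to hand out, so a second host needs the service to listen on a different port, which (as noted above) many protocol specs do not allow.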
