Redploying most of 127/8 as unicast public

Matthew Walster matthew at walster.org
Sat Nov 20 21:15:24 UTC 2021


On Sat, 20 Nov 2021 at 13:47, Måns Nilsson <mansaxel at besserwisser.org>
wrote:

> Subject: Re: Redploying most of 127/8 as unicast public
> Date: Sat, Nov 20, 2021 at 11:16:59AM +0000
> Quoting Matthew Walster (matthew at walster.org):
> > 3. IPv6 "port forwarding" isn't really an easy thing -- people are not
> > used to each machine having a global address.
>
> This is the problem in a nutshell. After 27 years of destroying the
> E2E model on the internet, people do not anymore understand how IP
> (regardless of version) was supposed to work; any node to any node.
>
> Why should we burden ourselves with this cumbersome and painful, useless
> layer of abstraction that is "port forwarding", when the choice of
> universal reachability is around the corner?
>

Because it's a REALLY bad idea to have unmanaged devices reachable from the
open internet. Dial-out, not dial-in. You need a firewall. You need a way
of punching holes in that firewall for services you explicitly allow, be
that manually through an interface, or temporarily via an automated system
like UPnP/NAT-PMP.


> If people can set a port forward up, they can click "allow" in a
> routing-based firewall interface. Only it is better, because one can
> have several parallel services using well-known ports. Sometimes (most
> of the time) the protocol spec has no option to change port either,
> making port forwarding futile anyway. (the let's have a TXT record bunch
> at it again, purposefully ignoring SRV since its inception.)
>

It's not always people. Lots of games, lots of telephony things, services
like Syncthing... They all open firewall holes (yes, NAT is a firewall) to
allow inbound connections for specific conditions, like "this protocol and
port combination".


> I guess juggling our pains differently is what we are doing here. What
> is unthinkable to one is quite OK to someone else.
>

Indeed.


> (But I am right)
>

You are not. I'm glad my internet connected light bulbs are controlled by
the Australian firm that manufactures them and the American firm that has a
surveillance device in my kitchen listening for the immortal words "turn on
the living room lights", rather than Billy* from Doncaster who's looking
for something funny to do after losing at CS:GO again and happens to have
found a list of IP addresses of known vulnerable devices accessible from
the internet.

M

*Billy may or may not be a fictional person living in Yorkshire, UK. For
the sake of argument, Not All Yorkshiremen.