[Info-vax] implementing IPv6 on the internet

[Dirk Munk]

Jan-Erik Soderholm wrote:
> Den 2016-09-21 kl. 18:13, skrev Dirk Munk:
>> Jan-Erik Soderholm wrote:
>>> Den 2016-09-21 kl. 15:07, skrev Dirk Munk:
>>>> Jan-Erik Soderholm wrote:
>>>>> Den 2016-09-21 kl. 14:28, skrev Dirk Munk:
>>>>>> Chris wrote:
>>>>>>> On 09/21/16 12:00, Richard Levitte wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> No.  NAT was never designed for network security, but
>>>>>>> can be used as a cheap'n'dirty piece of shit firewall.
>>>>>>>>
>>>>>>>> With IPv6, you'll have to do firewalling for real.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Richard
>>>>>>>
>>>>>>> Just another opinion and whatever it was originally designed for,
>>>>>>> it's turned out to be quite a sound and cost effective solution
>>>>>>> to the problem.
>>>>>>>
>>>>>>> With IPV6, just what is meant by "firewalling for real" ?...
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> I've explained that already. By default IPv6 access from the
>>>>>> internet is
>>>>>> blocked on a CE router.
>>>>>>
>>>>>> If you want to allow access to an IPv6 device on your LAN, you
>>>>>> have to
>>>>>> configure on your router access to that IPv6 address *and* to the
>>>>>> appropriate ports.
>>>>>
>>>>> Do you have any reference to such an router? I'd just like
>>>>> to read up some on what it looks like in the router GUI
>>>>> then doing the config work.
>>>>
>>>> Yes, by far the best routers in this respect are Fritz!box routers
>>>> made by
>>>> AVM in Berlin.
>>>> This is the address of the Swedish distributor:
>>>>
>>>> http://www.datanat.se/egensida/avm-ac-n-1300mbps-routers/529
>>>>
>>>> I don't think there is a Swedish manual, but you can find a English
>>>> manual
>>>> on their web site.
>>>>
>>>>>
>>>>> And what about some non-technical customer that just would
>>>>> like to have access to some IPv6 home security device?
>>>>> Is it easy enough for non-technical people to use?
>>>>
>>>> Well, if they can setup port forwarding with IPv4, then I see no
>>>> reason why
>>>> you can't do it with IPv6.
>>>
>>> Yes, but my point is that most users can't no matter the IP version. :-)
>>> Even IPv4 port forwarding is way above the majority of users.
>>> That is why new "home" devices in many cases uses help from
>>> an internet server that handles the IP addresses and ports.
>>> Like TeamViewer works, it works client-to-client without any
>>> port forwarding at any end (both can be behind NAT routers).
>>>
>>
>> I had a look at TeamViewer, and I'm sure it will be useful for certain
>> purposes.
>>
>> However why it should be simpler then opening a port escapes me, it is
>> quite a big software package.
>
> It is way easier to use then managing a router. And what the
> heck does the size of the package/download has to do with that?
>

Lots of configuration possibilities? Lots of things to read?

>
>>
>> Furthermore I doubt if it even knows about IPv6, most likely it just IPv4
>> aware.
>>
>> And I very much doubt if consumers will want to pay €360 per year for
>> TeamViewer.
>>
>
> You are totally missing the point. I'm not sure that it is worth
> trying, but anyway...
>
> 1'st, Teamviewer is free for the basic functionallity, but irrelevant.

Nice, but I had a short look and saw "buy" with €360 per year as 
cheapest option.

>
> 2'nd, TW was only mentioned as an example of how communication
> between clients behind NAT'ed routers is solved without forcing
> the user to learn about "port forwarding".

Fine, but it still assumes both end-points have TeamViewer.

>
> There are also other equipments (home security, home automation)
> that works in very much the same way. The equipment annonces itself
> to some service on the net, and your client (like phone app) asks
> this server for the actual IP/port to use. (The the domain has
> been resolved to an IP is totaly irrelevant).
>
>

I know, but then you're always dependant on some other service.


>
>>>>
>>>>>
>>>>> Today, that is solved by having the device announcing itself
>>>>> to some publicaly available server where the user from the
>>>>> "outside" can get the IP and port to access the device.
>>>>> Like TeamViewer does today.
>>>>>
>>>>> I guess there will be similar solutions using IPv6 also,
>>>>> since that is much easier to use for non-tech people.
>>>>> You never see or have to know any IP addresses at all.
>>>>
>>>> You will not use IP addresses, more likely DNS names.
>>>
>>> Doesn't make any difference, if you haven't "opened" your
>>> router for the traffic a domain name will not get you
>>> anywhere.
>>>
>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> With IPv4 you have to route a port number on the WAN port of your
>>>>>> router to
>>>>>> an IPv4 address and port on the LAN. (port forwarding)
>>>>>>
>>>>>> No real difference.
>>>>>
>>>>
>>>
>>
>