[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Baptiste Jonglez bjonglez at illyse.org
Mon Jul 14 08:22:22 EDT 2014


On Mon, Jul 14, 2014 at 11:12:01AM +0200, John Crispin wrote:
> 
> The OpenWrt developers are proud to announce the first release
> candidate of OpenWrt Barrier Breaker.

Excellent news, thanks!

> * Native IPv6-support
> 	- RA & DHCPv6+PD client and server
> 	- Local prefix allocation & source-restricted routes
> 	  (multihoming)

> * Extended IPv6-support
> 	- Added DS-Lite support and improved 6to4, 6in4 and 6rd-support
> 	- Experimental support for Lightweight 4over6, MAP-E and MAP-T
> 	- Draft-support for self-managing home networks (HNCP)

The default configuration of the IPv6 firewall seems to take the "mostly
closed" approach.  That is, it doesn't forward any inbound packets (except for
ICMPv6 and, of course, return traffic).

This is a perfectly valid approach, although one could argue about
end-to-end reachability.  But without a firewall control protocol such as
PCP [1], applications cannot be reached from the outside (which might be
desirable for P2P, VoIP, gaming, etc).

Interestingly, people from Swisscom take the opposite approach, and deployed
a "mostly open" IPv6 firewall in their CPEs:

  http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01
  http://www.internetsociety.org/deploy360/blog/2014/06/video-balancing-end-user-ipv6-security-and-end-to-end-connectivity-ripe-68/


Which brings me to the question: is supporting PCP [1] a planned feature?
Not that many clients support it yet, but well...  It seems that MiniUPnPd
has recently gained support for PCP:

  http://www.ietf.org/proceedings/87/slides/slides-87-pcp-13.pdf

But since server-side PCP is closely related to the firewall, it probably
needs some proper integration for OpenWrt (unless this is already
implemented?)


Thanks,
Baptiste

[1] http://en.wikipedia.org/wiki/Port_Control_Protocol
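The "mostly closed" default the message describes, and the per-host pinhole that a PCP server (or an administrator by hand) would have to add for an application to be reachable, expressed as an OpenWrt `/etc/config/firewall` fragment. This is an added illustration, not configuration taken from the release or from this thread: the zone and ICMPv6 rule follow the UCI firewall syntax of that era, while the rule names, the `2001:db8::/32` documentation address and the port 6881 are placeholders chosen for the example.

```uci
# Added example: the wan zone rejects inbound and forwarded traffic by
# default, so nothing from the Internet reaches LAN hosts over IPv6
# unless a later rule explicitly accepts it ("mostly closed").
config zone
	option name	'wan'
	list   network	'wan'
	list   network	'wan6'
	option input	'REJECT'
	option output	'ACCEPT'
	option forward	'REJECT'
	option masq	'1'
	option mtu_fix	'1'

# The one forwarding exception: ICMPv6 error and echo messages are needed
# for path-MTU discovery and basic reachability, so they are let through,
# rate-limited to blunt floods.
config rule
	option name	'Allow-ICMPv6-Forward'
	option src	'wan'
	option dest	'*'
	option proto	'icmp'
	list icmp_type	'echo-request'
	list icmp_type	'destination-unreachable'
	list icmp_type	'packet-too-big'
	list icmp_type	'time-exceeded'
	list icmp_type	'bad-header'
	list icmp_type	'unknown-header-type'
	option limit	'1000/sec'
	option family	'ipv6'
	option target	'ACCEPT'

# What a PCP MAP request would translate into on the firewall side: one
# narrowly scoped pinhole (single host, single protocol, single port).
# Address and port below are placeholders; a real deployment would bind
# the rule to the host that asked for it and remove it when the PCP
# mapping's lifetime expires.
config rule
	option name	'Pinhole-Example-Host'
	option src	'wan'
	option dest	'lan'
	option dest_ip	'2001:db8:1234::10'
	option dest_port	'6881'
	option proto	'tcp'
	option family	'ipv6'
	option target	'ACCEPT'
```

The difference between this and the Swisscom "mostly open" model is only the zone's `forward` policy: with `option forward 'ACCEPT'` on the wan zone every LAN host is reachable unless a rule rejects it, so the pinhole rule becomes unnecessary but the per-host exposure is the default rather than the exception. Either way, a PCP server that wants to honour mapping lifetimes has to add and later remove rules of the last form, which is the integration work the message asks about.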