On Sat, 20 Nov 2021 at 13:47, Måns Nilsson <mansa...@besserwisser.org> wrote:
> Subject: Re: Redploying most of 127/8 as unicast public
> Date: Sat, Nov 20, 2021 at 11:16:59AM +0000
> Quoting Matthew Walster (matt...@walster.org):
> > 3. IPv6 "port forwarding" isn't really an easy thing -- people are not used
> > to each machine having a global address.
>
> This is the problem in a nutshell. After 27 years of destroying the
> E2E model on the internet, people do not anymore understand how IP
> (regardless of version) was supposed to work; any node to any node.
>
> Why should we burden ourselves with this cumbersome and painful, useless
> layer of abstraction that is "port forwarding", when the choice of
> universal reachability is around the corner?

Because it's a REALLY bad idea to have unmanaged devices reachable from the open internet. Dial-out, not dial-in. You need a firewall. You need a way of punching holes in that firewall for services you explicitly allow, be that manually through an interface, or temporarily via an automated system like upnp/nat-pmp.

> If people can set a port forward up, they can click "allow" in a
> routing-based firewall interface. Only it is better, because one can
> have several parallel services using well-known ports. Sometimes (most
> of the time) the protocol spec has no option to change port either,
> making port forwarding futile anyway. (the let's have a TXT record bunch
> at it again, purposefully ignoring SRV since its inception.)

It's not always people. Lots of games, lots of telephony things, services like Syncthing... They all open firewall holes (yes, NAT is a firewall) to allow inbound connections for specific conditions, like "this protocol and port combination".

> I guess juggling our pains differently is what we are doing here. What
> is unthinkable to one is quite OK to someone else.

Indeed.

> (But I am right)

You are not.
I'm glad my internet connected light bulbs are controlled by the Australian firm that manufactures them and the American firm that has a surveillance device in my kitchen listening for the immortal words "turn on the living room lights", rather than Billy* from Doncaster who's looking for something funny to do after losing at CS:GO again and happens to have found a list of IP addresses of known vulnerable devices accessible from the internet.

M

*Billy may or may not be a fictional person living in Yorkshire, UK. For the sake of argument, Not All Yorkshiremen.
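The policy both sides of this exchange are circling ("dial-out, not dial-in", explicit allow instead of port forwarding, temporary holes opened by an automated system) can be expressed directly on an IPv6 edge router without any NAT. The ruleset below is an added example written for this thread, not code from either poster; it assumes an nftables-based router with WAN interface `wan0` and LAN interface `lan0`, uses the documentation prefix `2001:db8:1::/64` as a constructed LAN prefix, and the host and port entries in the sets are placeholders chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): stateful default-deny for an IPv6
# edge router. Inbound reachability is an allow-list, not a port forward.
# Assumed interface names: wan0 (upstream), lan0 (inside).

flush ruleset

table inet edge {
    # Persistent allow-list: the IPv6 equivalent of "click allow" in the UI.
    # Because every host has its own address, several hosts can run the same
    # well-known port at once; nothing has to be remapped.
    set allowed_tcp_in {
        type ipv6_addr . inet_service
        # Constructed entry: one internal host permitted to receive one service.
        elements = { 2001:db8:1::10 . 22000 }
    }

    # Short-lived allow-list for an automated opener (the role UPnP/NAT-PMP
    # plays on IPv4). Elements carry their own timeout and expire unattended,
    # so a game or softphone hole does not outlive the session that asked for it.
    set allowed_udp_in_tmp {
        type ipv6_addr . inet_service
        flags timeout
        timeout 1h
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # "Dial-out" works: replies to connections the LAN started come back.
        ct state established,related accept
        ct state invalid drop

        # Anything originating inside may leave.
        iifname "lan0" oifname "wan0" accept

        # IPv6 depends on ICMPv6 (neighbour discovery, path MTU discovery);
        # dropping it wholesale breaks connectivity rather than hardening it.
        # A production ruleset would narrow this to the types RFC 4890 lists.
        iifname "wan0" meta l4proto ipv6-icmp accept

        # Unsolicited inbound: only what the allow-lists name, nothing else.
        iifname "wan0" oifname "lan0" ip6 daddr . tcp dport @allowed_tcp_in accept
        iifname "wan0" oifname "lan0" ip6 daddr . udp dport @allowed_udp_in_tmp accept

        # Everything else that reaches here hits the chain's drop policy.
    }
}
```

Load it with `nft -f <file>`. An automated opener (or an admin granting a temporary exception) adds a hole with its own lifetime, for example `nft add element inet edge allowed_udp_in_tmp '{ 2001:db8:1::10 . 27015 timeout 30m }'`, and `nft list set inet edge allowed_udp_in_tmp` shows what is currently reachable from outside and for how long, which is the audit view a port-forwarding table never gave you. The protective property here is the stateful default-deny on the forward chain; the address translation that NAT adds on top contributes nothing to it.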