On Mon, Jul 14, 2014 at 11:12:01AM +0200, John Crispin wrote:
>
> The OpenWrt developers are proud to announce the first release
> candidate of OpenWrt Barrier Breaker.

Excellent news, thanks!

> * Native IPv6-support
>   - RA & DHCPv6+PD client and server
>   - Local prefix allocation & source-restricted routes
>     (multihoming)
> * Extended IPv6-support
>   - Added DS-Lite support and improved 6to4, 6in4 and 6rd-support
>   - Experimental support for Lightweight 4over6, MAP-E and MAP-T
>   - Draft-support for self-managing home networks (HNCP)

The default configuration of the IPv6 firewall seems to take the "mostly
closed" approach. That is, it doesn't forward any inbound packets (except
for ICMPv6 and, of course, return traffic).

This is a perfectly valid approach, although one could argue about
end-to-end reachability. But without a firewall control protocol such as
PCP [1], applications cannot be reached from the outside (which might be
desirable for P2P, VoIP, gaming, etc).

Interestingly, people from Swisscom take the opposite approach, and deployed
a "mostly open" IPv6 firewall in their CPEs:

http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01
http://www.internetsociety.org/deploy360/blog/2014/06/video-balancing-end-user-ipv6-security-and-end-to-end-connectivity-ripe-68/

Which brings me to the question: is supporting PCP [1] a planned feature?
Not that many clients support it yet, but well...

It seems that MiniUPnPd has recently gained support for PCP:

http://www.ietf.org/proceedings/87/slides/slides-87-pcp-13.pdf

But since server-side PCP is closely related to the firewall, it probably
needs some proper integration for OpenWRT (unless this is already
implemented?)

Thanks,
Baptiste

[1] http://en.wikipedia.org/wiki/Port_Control_Protocol
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel