Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
lxgr 7 hours ago

> IPv6 restores globally routable addresses to every node, letting peers connect without contortions.

Global routeability doesn't automatically mean global reachability.

Many consumer and professional routers will block inbound TCP connections, and incoming UDP traffic without at least similar outbound UDP traffic preceding it, so you will still need hole punching.

Hole punching does get significantly more easy with v6, though, since there's really only one way to do "outbound connections only" firewalling (while there's several ways to port translate, some really hostile to hole punching).

Arguably one thing that's missing is a very simple, implicit standard that allows signalling a willingness to accept an inbound TCP connection from a given IP/port that such stateful firewalls can honor, similar to how they already implicitly do it for UDP, but with HTTP 3 running over UDP, the point might well be moot soon.

Giefo6ah 7 hours ago | parent | next [-]

That simple, implicit standard exists since RFC793:

  Simultaneous initiation is only slightly more complex, as is shown in
  figure 8.  Each TCP cycles from CLOSED to SYN-SENT to SYN-RECEIVED to
  ESTABLISHED.



      TCP A                                            TCP B

  1.  CLOSED                                           CLOSED

  2.  SYN-SENT     --> <SEQ=100><CTL=SYN>              ...

  3.  SYN-RECEIVED <-- <SEQ=300><CTL=SYN>              <-- SYN-SENT

  4.               ... <SEQ=100><CTL=SYN>              --> SYN-RECEIVED

  5.  SYN-RECEIVED --> <SEQ=100><ACK=301><CTL=SYN,ACK> ...

  6.  ESTABLISHED  <-- <SEQ=300><ACK=101><CTL=SYN,ACK> <-- SYN-RECEIVED

  7.               ... <SEQ=101><ACK=301><CTL=ACK>     --> ESTABLISHED

                Simultaneous Connection Synchronization

                               Figure 8.
Every stateful firewall supports this. All you need to communicate off-band is IP addresses and ports.
lxgr 2 hours ago | parent [-]

Huh, TIL, thank you!

Are you sure all firewalls support this? RFC 5382 seems to specify it, but then again, middleboxes aren't exactly known for strict RFC compliance...

Denatonium 5 hours ago | parent | prev | next [-]

This is true, but the beauty of UDP is that it's basically just a raw socket with a tiny 8 byte header slapped on top, with 2 bytes for source port, 2 bytes for destination port, 2 bytes for length, and 2 bytes for a checksum.

You could slap a UDP header on top of the TCP header and get the benefits of TCP with the hole-punching capabilities of UDP, provided you implemented some kind of keep-alive functionality and an out-of-band way of telling the "server" to establish an outbound connection with the "client". Or use QUIC, assuming it fits the use case.

the8472 6 hours ago | parent | prev [-]

At least there's an explicit standard for signalling: RFC 6887 Port Control Protocol. Many routers also support it.

But it's often disabled for the same reason as having router-level firewalls in the first place.

lxgr 32 minutes ago | parent | next [-]

Port forwarding and hole punching have different objectives and outcomes, and I believe PCP only caters to the former.

While the outcomes might be similar (some inbound connections are possible), the scope (one specific external IP/port vs. everybody) and the semantics ("endorsement of public hosting" vs allowing P2P connections that are understood to require at least some third-party mediation) differ.

I also don't think that port forwarding is possible through multiple levels of firewalls (similar to "double NAT").

ninkendo 6 hours ago | parent | prev [-]

> But it's often disabled for the same reason as having router-level firewalls in the first place.

Yeah, anything that allows hosts to signal that they want to accept connections, is likely the first thing a typical admin would want to turn off.

It’s interesting because nowadays it’s egress that is the real worry. The first thing malware does is phone home to its CNC address and that connection is used to actually control nodes in a bot net. Ingress being disabled doesn’t really net you all that much nowadays when it comes to restricting malware.

In an ideal world we’d have IPv6 in the 90’s and it would have been “normal” for firewalls to be things you have on your local machine, and not at the router level, and allowing ports is something the OS can prompt the user to do (similar to how Windows does it today with “do you want to allow this application to listen for connections” prompt.) But even if that were the case I’m sure we would have still added “block all ingress” as a best practice for firewalls along the way regardless.

forgotaccount3 5 hours ago | parent [-]

> Ingress being disabled doesn’t really net you all that much nowadays when it comes to restricting malware.

But how much of this is because ingress is typically disabled so ingress attacks are less valuable relative to exploiting humans in the loop to install something that ends up using egress as part of it's function.

Dylan16807 3 hours ago | parent [-]

Since we're talking about programs that are trying to set up a connection no matter what, I'm going to say "not much". It's not significantly shrinking the attack surface and forcing attackers onto a plan B that's meaningfully harder to do. It just adds this layer of awkwardness to everything, and attackers shrug and adapt.

ectospheno 3 hours ago | parent [-]

You block inbound to block inbound. Of course it doesn’t do anything for outbound. Acting like you can just turn inbound filtering off because of that is disingenuous.

Dylan16807 2 hours ago | parent [-]

Nobody suggested "just turn inbound filtering off"?? We're talking about an alternate universe of program design.

And we're talking about malware in general, not inbound or outbound specifically.