[LINK] There goes the neighbourhood...

Karl Auer kauer at biplane.com.au
Wed May 11 19:52:04 AEST 2011


On Wed, 2011-05-11 at 18:51 +1000, Kim Holburn wrote:
> You know I really worry about this.  I can't say I really understand
> as much about IPv6 as I'd like but I worry with all the concern about
> tracing IP connections and preserving anonymity that IPv6 will make
> that much harder for people, especially normal home users.

Oh, worry away. We all do :-) But IPv6 is for all practical purposes the
only way out of here. Any further changes to the aircraft will have to
be made while in flight.

> The main reason NAT is a problem for VOIP/SIP/H323 is that they put IP
> addresses in the data.  If they relied on IP headers like every
> sensible protocol designer it would never have been an issue.

Are you sure? I don't know that those protocols put IP addresses in the
packet data. The problem has nothing to do with that, the problem is NAT
itself. How do I connect to you, if you are behind NAT? There are only
two ways - port forwarding or an external rendezvous server. STUN is the
latter, and Skype does it just the same way. But instead of a few
locations that have to be well-known, they piggyback STUN-like services
onto their unfortunate supernodes.

I doubt that "VOIP/SIP/H323" put IP addresses in the payloads, but I
could be wrong.

>   You wouldn't need STUN servers or anything else.  Just the packets.

To get through NAT you would indeed require more than "just the
packets". NAT stops one user connecting to another user. They require
the services of an intermediary OR they need to know each other well
enough to set up port forwarding.

>   The other fault is that they splatter udp connections with lots of
> ports.  Not necessary.

I'll have to go read up on it, but I'm not sure that's the case. Can you
provide a pointer to evidence of this profligate port usage? Not a
challenge, just interested! I've used Ekiga from behind a pretty tight
firewall[1], and have had no difficulty, and no need to open up a
zillion ports.

Regards, K.

[1] Basically this: allow inbound established and related; allow inbound
ssh; allow inbound useful icmp; allow outbound; deny all.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
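The five-rule policy in footnote [1], modelled as a small stateful filter (an added example, not the author's configuration or code): it shows why an outbound-initiated UDP flow such as a SIP dialogue gets its replies back without opening extra ports, while the same port reached from a host the tracker has never seen is dropped. Addresses, ports and the packet representation are constructed for the example.

```python
from dataclasses import dataclass

LOCAL = "192.0.2.10"  # constructed address of the protected host (TEST-NET-1)
USEFUL_ICMP = {0, 3, 8, 11}  # echo reply, unreachable, echo request, time exceeded

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out" relative to the protected host
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt
    icmp_type: int = 0

class StatefulFilter:
    """The five rules from footnote [1], evaluated in order. RELATED is
    simplified to 'reply to a flow we saw leave'; real conntrack also
    covers ICMP errors and protocol helpers such as FTP."""

    def __init__(self):
        self.flows = set()  # (proto, src, sport, dst, dport) of outbound packets

    def decide(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if p.direction == "out":          # rule 4: allow outbound, and track it
            self.flows.add(key)
            return "ACCEPT"
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:         # rule 1: inbound established/related
            return "ACCEPT"
        if p.proto == "tcp" and p.dport == 22 and p.syn:      # rule 2: inbound ssh
            return "ACCEPT"
        if p.proto == "icmp" and p.icmp_type in USEFUL_ICMP:  # rule 3: useful icmp
            return "ACCEPT"
        return "DROP"                     # rule 5: deny all

def demo():
    """Run constructed packets through the policy; returns verdicts by name."""
    fw, peer, stranger = StatefulFilter(), "198.51.100.7", "203.0.113.9"
    return {  # dict entries are evaluated in order, so the tracker sees the outbound first
        "outbound_sip": fw.decide(Packet("udp", LOCAL, 5060, peer, 5060, "out")),
        "sip_reply": fw.decide(Packet("udp", peer, 5060, LOCAL, 5060, "in")),
        "unsolicited_sip": fw.decide(Packet("udp", stranger, 5060, LOCAL, 5060, "in")),
        "inbound_ssh": fw.decide(Packet("tcp", stranger, 40000, LOCAL, 22, "in", syn=True)),
        "inbound_http": fw.decide(Packet("tcp", stranger, 40001, LOCAL, 80, "in", syn=True)),
        "ping": fw.decide(Packet("icmp", stranger, 0, LOCAL, 0, "in", icmp_type=8)),
    }
```

The unsolicited case is the NAT/firewall problem discussed above: an unexpected inbound packet has nothing to match, so a call from a stranger needs port forwarding or a rendezvous server that the local side contacts first.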