*** Answering a msg posted in area FIDOTEST (FIDOTEST).

Hello Rob,

On Sunday April 02 2023 12:43, you wrote to me:

I see you took the easy way out. You removed the AAAA record from
the DNS.

For now. No point advertising an incorrect address.

Indeed. For the BBS it may even annoy the users. With the IPv6 address in place a user that is running an IPv6 capable terminal program may have to wait a minute or so for his software to realize that IPv6 is not working and fall back to IPv4.

Perhaps you should come to the IPv6 echo. That is where the
expertise is...

Will do.

So... here I am...


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Re: Connection Tests
By: Michiel van der Vlist to Rob Swindell on Sun Apr 02 2023 10:36 pm

*** Answering a msg posted in area FIDOTEST (FIDOTEST).

Hello Rob,

On Sunday April 02 2023 12:43, you wrote to me:

I see you took the easy way out. You removed the AAAA record from
the DNS.

For now. No point advertising an incorrect address.

Indeed. For the BBS it may even annoy the users. With the IPv6 address in place a user that is running an IPv6 capable terminal program may have to wait a minute or so for his software to realize that IPv6 is not working and fall back to IPv4.

Perhaps you should come to the IPv6 echo. That is where the
expertise is...

Will do.

So... here I am...

So my ISP (Spectrum, aka Comcast Business) enabled IPv6 for me recently (after many years of service and unanswered inquiries from me about IPv6 support) without any notice or explanation. I have 5 static IPv4 addresses (a so-called "5 pack"), but I have no idea if I also have static IPv6 addresses or what they are.

For my public network interface on my Windows box (vert.synchro.net), ipconfig reports:

Ethernet adapter Internet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2
Physical Address. . . . . . . . . : 00-25-90-85-ED-7D
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2600:6c88:8c40:5b::f5a(Preferred)
Lease Obtained. . . . . . . . . . : Sunday, April 02, 2023 10:35:32 PM
Lease Expires . . . . . . . . . . : Sunday, April 09, 2023 10:35:23 PM
IPv6 Address. . . . . . . . . . . : 2600:6c88:8c40:5b:7d15:cb62:16c5:350c(Preferred)
Temporary IPv6 Address. . . . . . : 2600:6c88:8c40:5b:c89:48b4:f442:1e7b(Deprecated)
Temporary IPv6 Address. . . . . . : 2600:6c88:8c40:5b:4964:18d3:2b0d:df6d(Preferred)
Link-local IPv6 Address . . . . . : fe80::9ec:7a2:d500:1bf8%19(Preferred)
IPv4 Address. . . . . . . . . . . : 71.95.196.34(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : fe80::eaad:a6ff:fe58:de1a%19
71.95.196.33
DHCPv6 IAID . . . . . . . . . . . : 67118480
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-F4-0D-4C-00-25-90-85-ED-7D
DNS Servers . . . . . . . . . . . : 2607:f428:ffff:ffff::1
2607:f428:ffff:ffff::2
192.168.1.2
1.1.1.1
2607:f428:ffff:ffff::1
2607:f428:ffff:ffff::2
NetBIOS over Tcpip. . . . . . . . : Disabled

When I connect out to an Internet site (e.g. whatismyipaddress.com), it says I'm connecting from 2600:6c88:8c40:5b:915d:3a98:8ac1:7886, but I'm pretty sure that address changes.

For my public network interface on my Debian Linux box (cvs.synchro.net), 'ip a' reports:

2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group de fault qlen 1000
link/ether 00:10:18:2a:1a:b6 brd ff:ff:ff:ff:ff:ff
inet 71.95.196.35/29 brd 71.95.196.39 scope global enp1s0
valid_lft forever preferred_lft forever
inet 71.95.196.36/29 brd 71.95.196.39 scope global secondary enp1s0
valid_lft forever preferred_lft forever
inet 71.95.196.37/29 brd 71.95.196.39 scope global secondary enp1s0
valid_lft forever preferred_lft forever
inet6 2600:6c88:8c40:5b:210:18ff:fe2a:1ab6/64 scope global dynamic mngtmpadd r noprefixroute
valid_lft 604780sec preferred_lft 604780sec
inet6 fe80::210:18ff:fe2a:1ab6/64 scope link
valid_lft forever preferred_lft forever

My ISP provided router appears to be a Sagemcom, but I don't know much more about it (I use my own wireless access points and routers for DHCP/NAT/Firewall for the other devices on my internal/private networks). The ISP router (the Sagemcom) web UI reports that the vert.synchro.net system has IPv6 address 2600:6c88:8c40:5b::f5a, but when I attempt to connect to that IPv6 address or the ::7886 address (or even just ping6 them) from a remote host, I don't have any success.

Still a bit mysterious to me with so many addresses and so little information from the ISP. Any tips are welcome,
--
digital man (rob)

Sling Blade quote #8:
Karl Childers: I don't reckon I got no reason to kill nobody.
Norco, CA WX: 51.0øF, 92.0% humidity, 0 mph WSW wind, 0.00 inches rain/24hrs --- SBBSecho 3.20-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: Connection Tests
By: Rob Swindell to Michiel van der Vlist on Mon Apr 03 2023 01:47 am

Howdy,

My ISP provided router appears to be a Sagemcom, but I don't know much more about it (I use my own wireless access points and routers for DHCP/NAT/Firewall for the other devices on my internal/private networks). The ISP router (the Sagemcom) web UI reports that the vert.synchro.net system has IPv6 address 2600:6c88:8c40:5b::f5a, but when I attempt to connect to that IPv6 address or the ::7886 address (or even just ping6 them) from a remote host, I don't have any success.

Assume you can ping your ip6 addresses from the inside of your network?

Your router is probably blocking IPv6 traffic (most I've seen do), and you'll probably need to enable ICMP and relevant traffic to hosts if you want to enable inbound ipv6.

Still a bit mysterious to me with so many addresses and so little information from the ISP. Any tips are welcome,

First thing would be to figure out if you have a static subnet, and what it is. Most folks that I've spoken with get a /60 or /56 from their ISP. Business customers may get a /48. From your prefix (2600:6c88:8c40:5b::), its not easy to figure out what addresses you got - and it my be a /64 (which would be unusual). And if you got a /60 or /56, its strange that your router is handing out ...:5b::.

I dont know Sagemcom so dont know if it is a business router (which probably gives you some control over handing out addresses), or consumer router (which would mean its probably useless for ip6).

Still a bit mysterious to me with so many addresses and so little information from the ISP. Any tips are welcome,

Most OSes switch ip6 addresses regularly (hence the "temporary ones"), so dont be surprised if the ip6 address chanes often - you can turn it off to have a consistent one, or assign a static address.


...ëîåï
--- SBBSecho 3.15-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (3:633/509)

Re: Connection Tests
By: deon to Rob Swindell on Mon Apr 03 2023 09:58 pm

Assume you can ping your ip6 addresses from the inside of your network?

Yes. And connect to TCP services (e.g. Telnet, etc.)

Your router is probably blocking IPv6 traffic (most I've seen do), and you'll probably need to enable ICMP and relevant traffic to hosts if you want to enable inbound ipv6.

I've never used the ISP's router's port blocking/forwarding/NAT/gateway features before (for IPv4), so now I'm looking what it supports. It does have DHCPv6 and DHCP-PD was disabled, so I've enabled that and expecting for it to hand out addresses in the range:

2600:6c88:8c40:5b::1 to ::1000 (according to its default configuration)

I haven't seen that happen yet. I'm guessing this means I have been allocated a /64 (?).

Still a bit mysterious to me with so many addresses and so little information from the ISP. Any tips are welcome,

First thing would be to figure out if you have a static subnet, and what it is. Most folks that I've spoken with get a /60 or /56 from their ISP. Business customers may get a /48. From your prefix (2600:6c88:8c40:5b::), its not easy to figure out what addresses you got - and it my be a /64 (which would be unusual). And if you got a /60 or /56, its strange that your router is handing out ...:5b::.

I dont know Sagemcom so dont know if it is a business router (which probably gives you some control over handing out addresses), or consumer router (which would mean its probably useless for ip6).

Looks like I have control: https://1drv.ms/i/s!ApZPvWcrEaRQ5_wrKOnYR4bZu_jJ3Q?e=8f5cy5

There are also options for Port Forwarding, Firewall, IPv6 Pin-holing, IPv6 DMZ, but I've never used any of those (or similar) features for my public IPv4 interfaces (my servers' public IPv4 network interfaces are just "wide open" as far as the ISP router is concerned).

Still a bit mysterious to me with so many addresses and so little information from the ISP. Any tips are welcome,

Most OSes switch ip6 addresses regularly (hence the "temporary ones"), so dont be surprised if the ip6 address chanes often - you can turn it off to have a consistent one, or assign a static address.

Thanks. I'll keep playing with it.
--
digital man (rob)

Rush quote #84:
Looming low & ominous, twilight premature t-heads rumbling a distance overture Norco, CA WX: 54.6øF, 68.0% humidity, 3 mph ESE wind, 0.00 inches rain/24hrs --- SBBSecho 3.20-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: Connection Tests
By: Rob Swindell to deon on Mon Apr 03 2023 10:35 am

I've never used the ISP's router's port blocking/forwarding/NAT/gateway features before (for IPv4), so now I'm looking what it supports. It does have DHCPv6 and DHCP-PD was disabled, so I've enabled that and expecting for it to hand out addresses in the range:

2600:6c88:8c40:5b::1 to ::1000 (according to its default configuration)

I haven't seen that happen yet. I'm guessing this means I have been allocated a /64 (?).

Looks like I have control: https://1drv.ms/i/s!ApZPvWcrEaRQ5_wrKOnYR4bZu_jJ3Q?e=8f5cy5

So this looks like the "lan side" of your network. The uplink side should show you what prefix you were allocated. It's possible that your router "requested" a segment (internally), allocated it self ...:5b: and the dhcp-pd is then allocating that out as you have shown. You may need to be running a dhcpv6 client on systems to get allocated an address.

If you change it to stateless/SLAAC, then hosts should allocate their own address at will (without a dhcp client). But nothing in your diagram showed firewalling control, and it may be that anything in the "DMZ" is accessible inbound and everything else is not?


...ëîåï
--- SBBSecho 3.15-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (3:633/509)

Hello Rob,

On Monday April 03 2023 01:47, you wrote to me:

So my ISP (Spectrum, aka Comcast Business) enabled IPv6 for me
recently (after many years of service and unanswered inquiries from me about IPv6 support) without any notice or explanation.

Better late than never and late they are. I have had native IPv6 ftom my ISP since 2016 and I consider that "late" as well. One ISP here in The Netherlands suppoted IPv6 since 2010 or so...

I have 5 static IPv4 addresses (a so-called "5 pack"), but I have no
idea if I also have static IPv6 addresses or what they are.

In IPv6 the correct term is a "static prefix" or "dynamic prefix". I have a dynamic prefix. Technically speaking. In practise changes are rare. Here ISPs offer static prefixes on a Business account.

For my public network interface on my Windows box (vert.synchro.net), ipconfig reports:

Ethernet adapter Internet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2
Physical Address. . . . . . . . . : 00-25-90-85-ED-7D
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . :
2600:6c88:8c40:5b::f5a(Preferred)
Lease Obtained. . . . . . . . . . : Sunday, April 02, 2023 10:35:32
PM
Lease Expires . . . . . . . . . . : Sunday, April 09, 2023 10:35:23
PM
IPv6 Address. . . . . . . . . . . : 2600:6c88:8c40:5b:7d15:cb62:16c5:350c(Preferred)
Temporary IPv6 Address. . . . . . : 2600:6c88:8c40:5b:c89:48b4:f442:1e7b(Deprecated)
Temporary IPv6 Address. . . . . . : 2600:6c88:8c40:5b:4964:18d3:2b0d:df6d(Preferred)
Link-local IPv6 Address . . . . . : fe80::9ec:7a2:d500:1bf8%19(Preferred)
IPv4 Address. . . . . . . . . . . : 71.95.196.34(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : fe80::eaad:a6ff:fe58:de1a%19
71.95.196.33
DHCPv6 IAID . . . . . . . . . . . : 67118480
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-F4-0D-4C-00-25-90-85-ED-7D
DNS Servers . . . . . . . . . . . : 2607:f428:ffff:ffff::1
2607:f428:ffff:ffff::2
192.168.1.2
1.1.1.1
2607:f428:ffff:ffff::1
2607:f428:ffff:ffff::2
NetBIOS over Tcpip. . . . . . . . : Disabled

With IPv6 you do not get a single address or just a handfull as is common practice with IPv4. You get a block of addreses. For business accounts a /48 is common. I have a /56 on my consumer account.

With IPv6 it is common to assign one or more adresses to each interface in the LAN. The one that is always there is the so called "link local address". It is only valid on the local link and can not be routed. It is always assigned, even when there is no internet connection. It starts with fe80:. It should be pingable from other devices on the same LAN segment.

Then there are the global unicast addresses that is assigned when there is an IPv6 router present that is connected to the internet. There should be at least one. It can either be assigned by SLAAC or DHCP6. In your case it is the address ending in ::f5a. It is that address that you should advertise in the DNS when making that system available for running servers.

You also see some temporary adresses. So called privacy addersses. These are used for making outgoing calls. They can be disabled on the OS level. I have disabloed them on the system running servers as I find they are just in the way for that paricular use.

When I connect out to an Internet site (e.g. whatismyipaddress.com),
it says I'm connecting from 2600:6c88:8c40:5b:915d:3a98:8ac1:7886, but
I'm pretty sure that address changes.

I am a bit puzzeld where that comes from. Keep in mind that with IPv6 every device in your LAN has it own IPv5 address(es). So the result depends on what machine you use to connect to whatsmyipaddress.com.

My ISP provided router appears to be a Sagemcom,

I too have a Sagemcom. An F3896LG-ZG to be precise. I am afraid I can't be of much help as it is a DOCSIS 3.1 modem/router with ISP specific firmware.

but I don't know much more about it (I use my own wireless access
points and routers for DHCP/NAT/Firewall for the other devices on my internal/private networks).

I am a bit puzzled here. You say you use your own router. Does that mean the Sagemcom is in bridge mode? Or do you have a router behind router configuration?

The ISP router (the Sagemcom) web UI reports that the vert.synchro.net system has IPv6 address 2600:6c88:8c40:5b::f5a,

Checks out... So you Sagemcom is not in bridge mode. The Sagemcom acts as a router and has assigned that addres (via DHCP6) to the Fido Machine.

but when I attempt to connect to that IPv6 address or the ::7886
address (or even just ping6 them) from a remote host, I don't have any success.

Of course. With IPv6 there is no NAT (or not normally) and so there is also no port forwarding. Every device has its own public address. But... that does not mean that it is open to the internet. There is no NAT, but every decent router has a firewall that blocks any unsollicited incoming packet. To run a server on that address one has to go through a procedure that is a bit similar to port forwarding in IPv4. On must instruct the firewall to pass the port for that particular address. Some router manufactures call it pinholing. Others call it ... port forwarding... To make it easier to understand for the customet they say... :(

So, the reason you can not connect from a remote host is because port 24554 is blocked by the firewall in the router. (as it should by default) It presumably also blocks Ping.

Still a bit mysterious to me with so many addresses and so little information from the ISP. Any tips are welcome,

Perhaps you should go through some of the many basic training course in IPv6 that are available on the Internet. I find this one a good starting point for the IPv6 newbie:

https://www.youtube.com/watch?v=PWiERFT27NU&vl=nl

But maybe this one is below you level. In that case you can easely find something more advanced.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Hello Rob,

On Monday April 03 2023 10:35, you wrote to deon:

I've never used the ISP's router's port
blocking/forwarding/NAT/gateway features before (for IPv4), so now I'm looking what it supports. It does have DHCPv6 and DHCP-PD was
disabled, so I've enabled that and expecting for it to hand out
addresses in the range:

2600:6c88:8c40:5b::1 to ::1000 (according to its default
configuration)

I haven't seen that happen yet.

But it has assigned 2600:6c88:8c40:5b::f5a to your Fidonet machine. Keep in mind that the "1000" is hexadecimal. "::f5a" is in the range ::1-::1000 hexadecimal.

So it seems to work as configured.

I'm guessing this means I have been allocated a /64 (?).

No, that has nothing to do with the size of your prefix. I would be surprised if you only have a /64 on a business account...

Looks like I have control: https://1drv.ms/i/s!ApZPvWcrEaRQ5_wrKOnYR4bZu_jJ3Q?e=8f5cy5

yep...

There are also options for Port Forwarding, Firewall, IPv6 Pin-holing,

Ah, so they cal it pin-holing. :)

That is what you need for incoming IPv6.

IPv6 DMZ, but I've never used any of those (or similar) features for
my public IPv4 interfaces (my servers' public IPv4 network interfaces
are just "wide open" as far as the ISP router is concerned).

So it is in fact in bridge mode for IPv4?

Still a bit mysterious to me with so many addresses and so
little information from the ISP. Any tips are welcome,

All the info you need from your ISP that you do not already have is the size of your IPv6 block assigned to you and if it is static or dynamic.

Most OSes switch ip6 addresses regularly (hence the "temporary
ones"), so dont be surprised if the ip6 address chanes often - you
can turn it off to have a consistent one, or assign a static
address.

As you can see in my list of IPv6 nodes, many Fidonet sysops have assigned a ::f1d0:1:103:705 type of address for their Fidonet node.

How about outgoing connections? Have you made an outgoing IPv6 binkp connect yet? Feel free to try to connect to my system for testing.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Hi Michiel,

On 2023-04-04 14:34:18, you wrote to Rob Swindell:

MvdV> How about outgoing connections? Have you made an outgoing IPv6 binkp
MvdV> connect yet? Feel free to try to connect to my system for testing.

I can answer that:

- 04 Apr 14:08:27 [30668] incoming from 2600:6c88:8c40:5b:b126:a220:6909:9e27 (53589)
+ 04 Apr 14:08:38 [25170] incoming session with 2600-6c88-8c40-005b-b126-a220-6909-9e27.biz6.spectrum.com [2600:6c88:8c40:5b:b126:a220:6909:9e27]
- 04 Apr 14:08:38 [25170] SYS Vertrauen
- 04 Apr 14:08:38 [25170] ZYZ Rob Swindell
- 04 Apr 14:08:38 [25170] LOC Riverside County, California
- 04 Apr 14:08:38 [25170] NDL 115200,TCP,BINKP
- 04 Apr 14:08:38 [25170] TIME Tue Apr 04 2023 05:08:32 GMT-0700 (Pacific Daylight Time)
- 04 Apr 14:08:38 [25170] VER BinkIT/2.41,JSBinkP/4,sbbs3.20a/Win32 binkp/1.1
+ 04 Apr 14:08:38 [25170] addr: 1:103/705@fidonet
...

So: yes! ;-)


Bye, Wilfred.

--- FMail-lnx64 2.2.0.0
* Origin: FMail development HQ (2:280/464)

Hello Wilfred,

On Tuesday April 04 2023 14:44, you wrote to me:

I can answer that:

- 04 Apr 14:08:27 [30668] incoming from 2600:6c88:8c40:5b:b126:a220:6909:9e27 (53589) + 04 Apr 14:08:38
[25170] incoming session with 2600-6c88-8c40-005b-b126-a220-6909-9e27.biz6.spectrum.com [2600:6c88:8c40:5b:b126:a220:6909:9e27]

Great! So now I can add him to the list. Outgoing only for the moment.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Hi Michiel,

On 2023-04-04 15:02:47, you wrote to me:

I can answer that:

- 04 Apr 14:08:27 [30668] incoming from
2600:6c88:8c40:5b:b126:a220:6909:9e27 (53589) + 04 Apr 14:08:38
[25170] incoming session with
2600-6c88-8c40-005b-b126-a220-6909-9e27.biz6.spectrum.com
[2600:6c88:8c40:5b:b126:a220:6909:9e27]

MvdV> Great! So now I can add him to the list. Outgoing only for the moment.

When I search back in my binkd log, the first one was:

- 09 Mar 03:57:21 [14000] incoming from 2600:6c88:8c40:5b:a4c4:c9ce:e0ea:71ea (58374)

(The last 64 bits of his IPv6 address change at least once a day. So the privacy extensions seem to be enabled on his system)

Bye, Wilfred.

--- FMail-lnx64 2.2.0.0
* Origin: FMail development HQ (2:280/464)

Hello Wilfred,

On Tuesday April 04 2023 15:27, you wrote to me:

When I search back in my binkd log, the first one was:

- 09 Mar 03:57:21 [14000] incoming from 2600:6c88:8c40:5b:a4c4:c9ce:e0ea:71ea (58374)

Almost a month ago...

(The last 64 bits of his IPv6 address change at least once a day. So
the privacy extensions seem to be enabled on his system)

That was already clear from the IPconfig output he posted.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Hi Michiel,

On 2023-04-04 16:16:19, you wrote to me:

When I search back in my binkd log, the first one was:

- 09 Mar 03:57:21 [14000] incoming from
2600:6c88:8c40:5b:a4c4:c9ce:e0ea:71ea (58374)

MvdV> Almost a month ago...

(The last 64 bits of his IPv6 address change at least once a day. So
the privacy extensions seem to be enabled on his system)

MvdV> That was already clear from the IPconfig output he posted.

Indeed... Consider it confirmed. ;-)


Bye, Wilfred.

--- FMail-lnx64 2.2.0.0
* Origin: FMail development HQ (2:280/464)

Hello Rob,

Tuesday April 04 2023 14:34, I wrote to you:

How about outgoing connections? Have you made an outgoing IPv6 binkp connect yet? Feel free to try to connect to my system for testing.

Winfred informed us that you can make outgoing IPv6 connections.

For your information:

To get rid of the privacy extension, the temp adresses used for outgoing that change every day: From a command window with administrator rights:

netsh int ipv6 set privacy disabled

To create a fixed address:

netsh int ipv6 add address Internet 2600:6c88:8c40:5b:f1do:1:103:705

Disclaimer: the syntax of netsh may be slightly different on newer Windows versions.


For incoming you should create a pinhole for port 24554 and maybe port 23.

If possible create a pinhole for address :: that is the unspicified address. Then port 24554 will be passed for all adresses on the LAN. No need to change it if you get a second node or if the address changes. If not supported use the applicable address.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Re: Connection Tests
By: Michiel van der Vlist to Rob Swindell on Tue Apr 04 2023 02:34 pm

Hello Rob,

On Monday April 03 2023 10:35, you wrote to deon:

I've never used the ISP's router's port
blocking/forwarding/NAT/gateway features before (for IPv4), so now I'm looking what it supports. It does have DHCPv6 and DHCP-PD was
disabled, so I've enabled that and expecting for it to hand out addresses in the range:

2600:6c88:8c40:5b::1 to ::1000 (according to its default
configuration)

I haven't seen that happen yet.

But it has assigned 2600:6c88:8c40:5b::f5a to your Fidonet machine.

Using that as vert's public IPv6 and adding it to the ISP router's DMZ (and IPV6 DMZ, they're 2 different settings) did the trick. <shrug>

There are also options for Port Forwarding, Firewall, IPv6 Pin-holing,

Ah, so they cal it pin-holing. :)

That is what you need for incoming IPv6.

I didn't having any luck playing with the Pin-holing. I'd rather DMZ-it anyway as I have far too many services and ports.

As you can see in my list of IPv6 nodes, many Fidonet sysops have assigned a ::f1d0:1:103:705 type of address for their Fidonet node.

That is cute.

How about outgoing connections? Have you made an outgoing IPv6 binkp connect yet? Feel free to try to connect to my system for testing.

Yeah, outbound IPv6 connections were fine.
--
digital man (rob)

Breaking Bad quote #49:
So you do have a plan? Yeah, Mr. White! Yeah, Science! - Jesse Pinkman
Norco, CA WX: 58.5øF, 28.0% humidity, 7 mph E wind, 0.00 inches rain/24hrs
--- SBBSecho 3.20-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Hello Rob,

On Tuesday April 04 2023 13:23, you wrote to me:

But it has assigned 2600:6c88:8c40:5b::f5a to your Fidonet machine.

Using that as vert's public IPv6 and adding it to the ISP router's DMZ (and IPV6 DMZ, they're 2 different settings) did the trick. <shrug>

Indeed it did:

+ 22:27 [580] call to 1:103/705@fidonet
22:27 [580] trying 2600:6c88:8c40:5b::f5a [2600:6c88:8c40:5b::f5a]...
22:27 [580] connected
+ 22:27 [580] outgoing session with 2600:6c88:8c40:5b::f5a:24554
- 22:28 [580] OPT CRAM-MD5-8d5205ef15ecd86abb661b6305c69fb0
+ 22:28 [580] Remote requests MD mode
- 22:28 [580] SYS Vertrauen
- 22:28 [580] ZYZ Rob Swindell
- 22:28 [580] LOC Riverside County, California
- 22:28 [580] NDL 115200,TCP,BINKP
- 22:28 [580] TIME Tue Apr 04 2023 13:28:08 GMT-0700 (Pacific Daylight Time)
- 22:28 [580] VER BinkIT/2.41,JSBinkP/4,sbbs3.20a/Win32 binkp/1.1
+ 22:28 [580] addr: 1:103/705@fidonet

Now all that is needed for full membership of the Fidonet IPv6 club is add an AAAA record for that address to the DNS. ;-)


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Hello Rob,

Tuesday April 04 2023 22:28, I wrote to you:

Now all that is needed for full membership of the Fidonet IPv6 club is
add an AAAA record for that address to the DNS. ;-)

I see that is also done. :)


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Re: Connection Tests
By: Michiel van der Vlist to Rob Swindell on Tue Apr 04 2023 04:22 pm

To create a fixed address:

netsh int ipv6 add address Internet 2600:6c88:8c40:5b:f1do:1:103:705

That worked (after changing 'o' to '0' of course).

For incoming you should create a pinhole for port 24554 and maybe port 23.

With the DMZ set, no pin-holes needed.
--
digital man (rob)

Sling Blade quote #9:
Doyle Hargraves: Morris here is a modern-day poet, kinda like in olden times. Norco, CA WX: 60.7øF, 24.0% humidity, 8 mph SSE wind, 0.00 inches rain/24hrs --- SBBSecho 3.20-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Hello Rob,

On Tuesday April 04 2023 15:18, you wrote to me:

netsh int ipv6 add address Internet 2600:6c88:8c40:5b:f1do:1:103:705

That worked (after changing 'o' to '0' of course).

Of course. ;-)

And your binkp server answers on that address:

+ 09:37 [3496] call to 1:103/705@fidonet
09:37 [3496] trying 2600:6c88:8c40:5b:f1d0:1:103:705
[2600:6c88:8c40:5b:f1d0:1:103:705]...
09:37 [3496] connected
+ 09:37 [3496] outgoing session with 2600:6c88:8c40:5b:f1d0:1:103:705:24554
- 09:37 [3496] OPT CRAM-MD5-357f8433fbc4ded531732d8e1c7c8842
+ 09:37 [3496] Remote requests MD mode
- 09:37 [3496] SYS Vertrauen
- 09:37 [3496] ZYZ Rob Swindell
- 09:37 [3496] LOC Riverside County, California
- 09:37 [3496] NDL 115200,TCP,BINKP
- 09:37 [3496] TIME Wed Apr 05 2023 00:37:54 GMT-0700 (Pacific Daylight Time)
- 09:37 [3496] VER BinkIT/2.41,JSBinkP/4,sbbs3.20a/Win32 binkp/1.1
+ 09:37 [3496] addr: 1:103/705@fidonet

So all you have to do to earn your 'f' in the list is update the DNS for the mew IPv6 address.

Binkd has the possibility to specify the address to use for outgoing calls. It overrides the OS preference.

bindaddr 2600:6c88:8c40:5b:f1do:1:103:705

I don't know about BinkIT.

For incoming you should create a pinhole for port 24554 and maybe
port 23.

With the DMZ set, no pin-holes needed.

I am still a bit puzzled about your setup. Do you have /any/ barrier between the big bad InterNet and your Fido Machine?


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Hi Michiel,

On 2023-04-05 11:52:31, you wrote to Rob Swindell:

MvdV> bindaddr 2600:6c88:8c40:5b:f1do:1:103:705
^
Again! ;-)


Bye, Wilfred.

--- FMail-lnx64 2.2.0.0
* Origin: FMail development HQ (2:280/464)

Hello Wilfred,

On Wednesday April 05 2023 12:57, you wrote to me:


MvdV>> bindaddr 2600:6c88:8c40:5b:f1do:1:103:705

^
Again! ;-)

Arghh! Copy/paste... :(


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Re: Connection Tests
By: Michiel van der Vlist to Rob Swindell on Wed Apr 05 2023 11:52 am

Hello Rob,

On Tuesday April 04 2023 15:18, you wrote to me:

netsh int ipv6 add address Internet 2600:6c88:8c40:5b:f1do:1:103:705

And your binkp server answers on that address:

+ 09:37 [3496] outgoing session with 2600:6c88:8c40:5b:f1d0:1:103:705:24554

So all you have to do to earn your 'f' in the list is update the DNS for the mew IPv6 address.

It probably makes more sense to just create a new hostname for fido traffic and have that point to that IPv6 address. Is this just a vanity address or does it have some functional puporse?

Binkd has the possibility to specify the address to use for outgoing calls. It overrides the OS preference.

bindaddr 2600:6c88:8c40:5b:f1do:1:103:705

I don't know about BinkIT.

Maybe. Outbound IPv6 interface control isn't very strong in Synchronet right now.

For incoming you should create a pinhole for port 24554 and maybe

port 23.

With the DMZ set, no pin-holes needed.

I am still a bit puzzled about your setup. Do you have /any/ barrier between the big bad InterNet and your Fido Machine?

Just the Windows firewall.
--
digital man (rob)

Synchronet "Real Fact" #18:
Rob Swindell first learned to program in C by hacking on WWIV BBS software Norco, CA WX: 56.3øF, 41.0% humidity, 0 mph ENE wind, 0.00 inches rain/24hrs --- SBBSecho 3.20-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Hello Rob,

On Wednesday April 05 2023 10:08, you wrote to me:

So all you have to do to earn your 'f' in the list is update the
DNS for the mew IPv6 address.

It probably makes more sense to just create a new hostname for fido traffic and have that point to that IPv6 address.

Yes. Always a good idea to have different host names for different services. Then you have the option to split the services over different machines without having to change host names if the need arises. Most DNS providers have no limit on the number of subdomains.

Is this just a vanity address or does it have some functional puporse?

It is just vanity, it serves no technical purpose. But it is quit popular among the Fidonet IPv6 sysops. Over a third of them have such a vanity address.

Binkd has the possibility to specify the address to use for
outgoing calls. It overrides the OS preference.

bindaddr 2600:6c88:8c40:5b:f1do:1:103:705

I don't know about BinkIT.

Maybe. Outbound IPv6 interface control isn't very strong in Synchronet right now.

You can always discuss it with the author. ;-)

I am still a bit puzzled about your setup. Do you have /any/
barrier between the big bad InterNet and your Fido Machine?

Just the Windows firewall.

So you can configure it to pass ICMP6 Ping so that your binkp server address becomes pingable...


Cheers, Michiel

-+- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)
---
* Origin: he.net certified sage (2:280/5555)

Re: Connection Tests
By: Michiel van der Vlist to Rob Swindell on Wed Apr 05 2023 07:42 pm

Hello Rob,

On Wednesday April 05 2023 10:08, you wrote to me:

So all you have to do to earn your 'f' in the list is update the
DNS for the mew IPv6 address.

It probably makes more sense to just create a new hostname for fido traffic and have that point to that IPv6 address.

Yes. Always a good idea to have different host names for different services. Then you have the option to split the services over different machines without having to change host names if the need arises. Most DNS providers have no limit on the number of subdomains.

I'm my own DNS provider, so yeah, no limit. :-) I added binkp.synchro.net for the f1d0 address and updated my _binkp._src SRV record as well. Next up, the Fidonet nodelist.

Is this just a vanity address or does it have some functional puporse?

It is just vanity, it serves no technical purpose. But it is quit popular among the Fidonet IPv6 sysops. Over a third of them have such a vanity address.

It's showing off a "feature" of IPv6. :-)

Binkd has the possibility to specify the address to use for
outgoing calls. It overrides the OS preference.

bindaddr 2600:6c88:8c40:5b:f1do:1:103:705

I don't know about BinkIT.

Maybe. Outbound IPv6 interface control isn't very strong in Synchronet right now.

You can always discuss it with the author. ;-)

I didn't write most of the IPv6 support in Synchronet, that was Stephen Hurd, but I can certainly look into it.

I am still a bit puzzled about your setup. Do you have /any/
barrier between the big bad InterNet and your Fido Machine?

Just the Windows firewall.

So you can configure it to pass ICMP6 Ping so that your binkp server address becomes pingable...

True that.
--
digital man (rob)

Synchronet "Real Fact" #24:
1584 Synchronet BBS Software registrations were sold between 1992 and 1996 Norco, CA WX: 67.6øF, 23.0% humidity, 0 mph ENE wind, 0.00 inches rain/24hrs --- SBBSecho 3.20-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Hello Rob,

On Wednesday April 05 2023 13:38, you wrote to me:

I'm my own DNS provider, so yeah, no limit. :-) I added
binkp.synchro.net for the f1d0 address and updated my _binkp._src SRV record as well.

Check:

+ 22:59 [3480] call to 1:103/705@fidonet
22:59 [3480] trying binkp.synchro.net [2600:6c88:8c40:5b:f1d0:1:103:705]...
22:59 [3480] connected
+ 22:59 [3480] outgoing session with binkp.synchro.net:24554
[2600:6c88:8c40:5b:f1d0:1:103:705]
- 22:59 [3480] OPT CRAM-MD5-5932afa00556584e121b45fb2b25f3ca
+ 22:59 [3480] Remote requests MD mode
- 22:59 [3480] SYS Vertrauen
- 22:59 [3480] ZYZ Rob Swindell
- 22:59 [3480] LOC Riverside County, California
- 22:59 [3480] NDL 115200,TCP,BINKP
- 22:59 [3480] TIME Wed Apr 05 2023 13:59:30 GMT-0700 (Pacific Daylight Time)
- 22:59 [3480] VER BinkIT/2.41,JSBinkP/4,sbbs3.20a/Win32 binkp/1.1
+ 22:59 [3480] addr: 1:103/705@fidonet

Next up, the Fidonet nodelist.

We will see in a day or two...

Is this just a vanity address or does it have some functional
puporse?

It is just vanity, it serves no technical purpose. But it is quit
popular among the Fidonet IPv6 sysops. Over a third of them have
such a vanity address.

It's showing off a "feature" of IPv6. :-)

Yes, it is. But "playing around" also has a function in climbing the learning curve.

You can always discuss it with the author. ;-)

I didn't write most of the IPv6 support in Synchronet, that was
Stephen Hurd, but I can certainly look into it.

Staying tuned...


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Hello Rob,

Wednesday April 05 2023 23:22, I wrote to you:

Next up, the Fidonet nodelist.

We will see in a day or two...

BTW, I also tested vert.synchro.net at the Telnet port.

[quote]

Synchronet BBS for Win32 Version 3.20
Telnet connection from: 2001:1c02:1105:4500:f1d0:2:280:5556
Resolving hostname...
[..]
_
Synchronet BBS for Win32 Version 3.20 Copyright 2022 Rob Swindell

V E R T R A U E N

[/quote]

So that is OK as well. :-)


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Dear Rob,

03 Apr 23 10:35, you wrote to deon:

https://1drv.ms/i/s!ApZPvWcrEaRQ5_wrKOnYR4bZu_jJ3Q?e=8f5cy5

There are also options for Port Forwarding, Firewall, IPv6 Pin-holing, IPv6 DMZ, but I've never used any of those (or similar) features for

Does anyone know what software clients actually support IPv6 Pin-holing? I would think Bittorrent clients and utilities like syncthing should (because they support UPnP for IPv4), but I guess they don't do IPv6 Pin-holing. Maybe some games?

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20170303-b20170303
* Origin: Ulthar (2:5005/49)

Hello Victor,

On Thursday April 06 2023 18:30, you wrote to Rob Swindell:

Does anyone know what software clients actually support IPv6
Pin-holing?

I am not sure what you mean by "software clients" in this context. IPv6 pin-holing is something that is applied to a firewall. Firewalls are found in routers and OSs.

I would think Bittorrent clients and utilities like syncthing should (because they support UPnP for IPv4), but I guess they don't do IPv6 Pin-holing. Maybe some games?

Please eleborate...


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

On Thu, 6 Apr 2023 15:38:43 +0200
"Michiel van der Vlist" (2:280/5555) <Michiel.van.der.Vlist@f5555.n280.z2.fidonet> wrote:

Hello Victor,

On Thursday April 06 2023 18:30, you wrote to Rob Swindell:

Does anyone know what software clients actually support IPv6
Pin-holing?

I am not sure what you mean by "software clients" in this context.
IPv6 pin-holing is something that is applied to a firewall. Firewalls
are found in routers and OSs.

I would think Bittorrent clients and utilities like syncthing
should (because they support UPnP for IPv4), but I guess they
don't do IPv6 Pin-holing. Maybe some games?

I think he means software that uses uphp to open ports on a firewall as
and when they are needed, and the firewalls that respond to such
requests by opening the port. Therefore the app is poking a pinhole
through the firewall.
--
End Of The Line BBS - Plano, TX
telnet endofthelinebbs.com 23
--- SBBSecho 3.20-Linux
* Origin: End Of The Line BBS - endofthelinebbs.com (1:124/5016)

Dear Michiel,

06 Apr 23 15:38, you wrote to me:

Does anyone know what software clients actually support IPv6
Pin-holing?

I am not sure what you mean by "software clients" in this context.
IPv6 pin-holing is something that is applied to a firewall. Firewalls
are found in routers and OSs.

A "software client" in this context is a software like Transmission or uTorrent for example, which is capable of requesting a router to open a port to allow incoming packets to the address/ports where the software is listening.

In other words, a "software client" is something that "applies" pin-holing to a firewall.

I would think Bittorrent clients and utilities like syncthing
should (because they support UPnP for IPv4), but I guess they
don't do IPv6 Pin-holing. Maybe some games?

Please eleborate...

The Transmission torrent client, and the syncthing file synchronization utility can use the UPnP protocol to request a firewall to pass *IPv4* incoming traffic (and create a port porwarding for IPv4 NAT). They cannot however (at least to my knowledge) use UPnP or any other protocol to request a router to open a hole for incoming traffic in an *IPv6* firewall.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20170303-b20170303
* Origin: Ulthar (2:5005/49)

Dear Nigel,

06 Apr 23 09:59, you wrote to All:

Does anyone know what software clients actually support IPv6
Pin-holing?

I am not sure what you mean by "software clients" in this context.
IPv6 pin-holing is something that is applied to a firewall.
Firewalls are found in routers and OSs.

I would think Bittorrent clients and utilities like syncthing
should (because they support UPnP for IPv4), but I guess they
don't do IPv6 Pin-holing. Maybe some games?

I think he means software that uses uphp to open ports on a firewall
as and when they are needed, and the firewalls that respond to
such requests by opening the port. Therefore the app is poking a
pinhole through the firewall.

Correct. I know some software that can have ports opened on an IPv4 firewall, but none so far which can do that to an IPv6 firewall (even if the firewall claims that it supports IPv6 pinholing, who can make use of it?).

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20170303-b20170303
* Origin: Ulthar (2:5005/49)

Hello Victor,

On Friday April 07 2023 00:25, you wrote to me:

Please eleborate...

The Transmission torrent client, and the syncthing file
synchronization utility can use the UPnP protocol to request a
firewall to pass *IPv4* incoming traffic (and create a port porwarding
for IPv4 NAT). They cannot however (at least to my knowledge) use UPnP
or any other protocol to request a router to open a hole for incoming traffic in an *IPv6* firewall.

I see. Or so I think. You ask for some kind of "IPv6 equivalent" for UPnP. But why would you want that? UpNP is a questionable idea anyway. For IPv4 it creates an entry in de NAT table and as a side effect creates a hole in the firewall.

But why would you need that for IPv6?

For IPv6 there (normally) is no NAT, so no need to create an entry in a NAT table. In IPv6 avery device has a Unique Global Address, so one can simply create pinholes in advance as needed for the address in question.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Dear Michiel,

10 Apr 23 15:46, you wrote to me:

Please eleborate...

The Transmission torrent client, and the syncthing file
synchronization utility can use the UPnP protocol to request a
firewall to pass *IPv4* incoming traffic (and create a port
porwarding for IPv4 NAT). They cannot however (at least to my
knowledge) use UPnP or any other protocol to request a router to
open a hole for incoming traffic in an *IPv6* firewall.

I see. Or so I think. You ask for some kind of "IPv6 equivalent" for
UPnP. But why would you want that? UpNP is a questionable idea anyway.
For IPv4 it creates an entry in de NAT table and as a side effect
creates a hole in the firewall.

But why would you need that for IPv6?

For IPv6 there (normally) is no NAT, so no need to create an entry in
a NAT table.

The "IPv6 equivalent" for UPnP is not for creating entries in the NAT table (which is absent in IPv6). It is for creating rules in an IPv6 firewall allowing incoming traffic to an application running on an IPv6-enabled host. A firewall (IPv4 or IPv6) is usually configured to block incoming traffic which is not part of an established outgoing connection.

In IPv6 avery device has a Unique Global Address, so one
can simply create pinholes in advance as needed for the address in question.

Only when you know the IPv6 address and port beforehand. Usually an IPv6 address on the home LAN is dynamic (SLAAC), and the port in peer-to-peer applications, VoIP applications etc is often dynamic too.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20170303-b20170303
* Origin: Ulthar (2:5005/49)

Dear Michiel,

10 Apr 23 15:46, you wrote to me:

Please eleborate...

The Transmission torrent client, and the syncthing file
synchronization utility can use the UPnP protocol to request a
firewall to pass *IPv4* incoming traffic (and create a port
porwarding for IPv4 NAT). They cannot however (at least to my
knowledge) use UPnP or any other protocol to request a router to
open a hole for incoming traffic in an *IPv6* firewall.

I see. Or so I think. You ask for

It is not even that I *ask for* it. I've read here, some messages ago, that some home router declared "IPv6 punch-holing support." Infortunately I could not find more information either about the model of the router or its features.

for some kind of "IPv6 equivalent" for
UPnP. But why would you want that? UpNP is a questionable idea anyway.
For IPv4 it creates an entry in de NAT table and as a side effect
creates a hole in the firewall.

But why would you need that for IPv6?

For IPv6 there (normally) is no NAT, so no need to create an entry in
a NAT table.

The "IPv6 equivalent" for UPnP is not for creating entries in a NAT table (which is absent in IPv6). It is for creating rules in an IPv6 firewall allowing incoming traffic to an application running on an IPv6-enabled host. A firewall (IPv4 or IPv6) is usually configured to block incoming traffic which is not part of an established outgoing connection.

In IPv6 avery device has a Unique Global Address, so one
can simply create pinholes in advance as needed for the address in question.

Only when you know the IPv6 address and port beforehand. Usually an IPv6 address on the home LAN is dynamic (SLAAC), and the port in peer-to-peer applications, VoIP applications etc is often dynamic too.

The situation is different of course when you are hosting an IPv6 web-server or something like that. It would have a fixed IPv6 address and port anyway, so there is no need for punch-holing the firewall.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20170303-b20170303
* Origin: Ulthar (2:5005/49)

Hello Victor,

On Tuesday April 11 2023 09:47, you wrote to me:

In IPv6 avery device has a Unique Global Address, so one
can simply create pinholes in advance as needed for the address
in question.

Only when you know the IPv6 address and port beforehand.

When runing servers you normally do...

Usually an IPv6 address on the home LAN is dynamic (SLAAC),

No. SLAAC addresses are not dynamic. They are derived from the MAC address.

and the port in peer-to-peer applications, VoIP applications etc is
often dynamic too.

VOIP normally uses standard ports.

The situation is different of course when you are hosting an IPv6 web-server or something like that. It would have a fixed IPv6 address
and port anyway, so there is no need for punch-holing the firewall.

Indeed.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Hello Rob,

Wednesday April 05 2023 23:22, I wrote to you:

Next up, the Fidonet nodelist.

We will see in a day or two...

Hmmm.... it seems to take a bit longer than just a couple of days. Almost two weeks later and still no binkp.synchro.net in the nodelist for 1:103/705. :(


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

Re: Connection Tests
By: Michiel van der Vlist to Rob Swindell on Tue Apr 18 2023 11:44 am

Hello Rob,

Wednesday April 05 2023 23:22, I wrote to you:

Next up, the Fidonet nodelist.

We will see in a day or two...

Hmmm.... it seems to take a bit longer than just a couple of days. Almost two weeks later and still no binkp.synchro.net in the nodelist for 1:103/705. :(

I haven't requested the change from NC/RC yet. That's on me.
--
digital man (rob)

Synchronet "Real Fact" #59:
Synchronet swag used to be available for purchase at cafepress.com/synchronet Norco, CA WX: 63.3øF, 62.0% humidity, 9 mph S wind, 0.00 inches rain/24hrs
--- SBBSecho 3.20-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Dear Michiel,

15 Apr 23 09:28, you wrote to me:

In IPv6 avery device has a Unique Global Address, so one
can simply create pinholes in advance as needed for the address
in question.

Only when you know the IPv6 address and port beforehand.

When runing servers you normally do...

P2P apps like Transmission are not really servers.

Well they are in the strict sense of the word, but people just start them up and hope for them to work out of the box, and they are often configured by default to randomize port numbers on each start.

Usually an IPv6 address on the home LAN is dynamic (SLAAC),

No. SLAAC addresses are not dynamic. They are derived from the MAC address.

Not any more. AFAIK the recent implementation of SLAAC uses the privacy extensions which do not use the MAC address but some random numbers to derive the IPv6 host address.

and the port in peer-to-peer applications, VoIP applications etc
is often dynamic too.

VOIP normally uses standard ports.

SIP (the signalling protocol) does, but the RTP uses random ports. A firewall has no way to know the RTP dynamic port numbers unless it inspects the SIP protocol.

The situation is different of course when you are hosting an IPv6
web-server or something like that. It would have a fixed IPv6
address and port anyway, so there is no need for punch-holing the
firewall.

Indeed.

I don't really understand your point. If we decide that UPnP (think "automatic firewall configuration from the inside") is desirable for IPv4, then it's desirable for IPv6 too. If we decide that UPnP is not desirable, you can do without it in IPv4: just configure a static RFC1918 address and port on your internal "server" and create a static NAT/portmapping entry on the router.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20170303-b20170303
* Origin: Ulthar (2:5005/49)

Hello Victor,

On Monday April 24 2023 01:20, you wrote to me:

Only when you know the IPv6 address and port beforehand.

When runing servers you normally do...

P2P apps like Transmission are not really servers.

Well they are in the strict sense of the word, but people just start
them up and hope for them to work out of the box,

That's their problem...

and they are often configured by default to randomize port numbers on
each start.

Bad practise...

Usually an IPv6 address on the home LAN is dynamic (SLAAC),

No. SLAAC addresses are not dynamic. They are derived from the
MAC address.

Not any more. AFAIK the recent implementation of SLAAC uses the
privacy extensions which do not use the MAC address but some random numbers to derive the IPv6 host address.

Privacy extensions use random numbers for the host part. AFAIK SLAAC still uses the MAC address. What I do see is that DHCP6 is often preferred over SLAAC and the host part of a DHCP6 address also looks random. But it definitely is a fixed address. So no problem.

and the port in peer-to-peer applications, VoIP applications etc
is often dynamic too.

VOIP normally uses standard ports.

SIP (the signalling protocol) does, but the RTP uses random ports. A firewall has no way to know the RTP dynamic port numbers unless it inspects the SIP protocol.

If those "random" ports are previously initaiated by the SIP protocol there should be no problem.

The situation is different of course when you are hosting an
IPv6 web-server or something like that. It would have a fixed
IPv6 address and port anyway, so there is no need for
punch-holing the firewall.

Indeed.

I don't really understand your point. If we decide that UPnP (think "automatic firewall configuration from the inside") is desirable for
IPv4,

That "we" does not include me. I have never used UPnP, have always had it disabled in my routers and never had any need for it.

I consider UPnP a security risk.

So maybe I am not the right person to discuss this "issue".

then it's desirable for IPv6 too. If we decide that UPnP is not
desirable, you can do without it in IPv4: just configure a static
RFC1918 address and port on your internal "server" and create a static NAT/portmapping entry on the router.

Works for me...


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)