UPNP alternative for v6 stateful firewalls
Even though NAT was originally meant as a tool to make IT management easier when merging different company networks after mergers and acquisitions, it has been extremely widely deployed due to the IPv4 starvation, and users started relying on it for security as it allows them to play it loosey-goosey on a private network without being exposed to the internet (which is terrible horizontal security but whatever, it's convenient and I used to do that myself).
To meet this security expectation from customers, here where I live (and I expect in most places) all off-the-shelf residential and business IPv6 deployments ship with stateful IPv6 firewalls by default. It would be nice if we could not rely on DCUTR if the router allows us to do so, because the extra hops of DCUTR add latency and make it unsuitable for use-cases like DHT servers. Alternatives:
- RFC3633 would allow us to request a delegated range, FWIW the 2 routers I have tried this with also add a firewall exception to the delegated range, maybe this is a flag in the request? Overall I have only ever seen it used with `/64` which is a bit overkill, I don't know if it's possible to just request a `/128`. I think this also requires `root` (or equivalent) permissions or some advanced networking capabilities for the libp2p process.
- UPNP `AddPinHole` https://github.com/libp2p/go-libp2p/issues/2496#issuecomment-1689895095
- ... ? ideas wanted
Asking people to change the config option of their router is not an option for the same reason asking people to port forward does not work and why we have upnp and dcutr.
Priority requirement: low ~ very low
UPnP can also be used for IPv6 with AddPinhole.
https://pkg.go.dev/github.com/huin/goupnp/dcps/internetgateway2?utm_source=godoc#WANIPv6FirewallControl1.AddPinholeCtx
We should give some love to our upnp components. We could update our go-nat dependency to include support for IPv6.
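
An added sketch, not code from this thread, go-libp2p or goupnp, of the SOAP request behind the `AddPinhole` action mentioned above, built with the standard library only. The argument names and service type follow the UPnP IGD:2 WANIPv6FirewallControl:1 specification; the narrowing policy (one specific port, TCP or UDP only, no ULA or link-local client) and the sample address and port are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"net/netip"
)

// Service type defined by UPnP IGD:2 for IPv6 firewall control.
const fwService = "urn:schemas-upnp-org:service:WANIPv6FirewallControl:1"

// Pinhole holds the input arguments of the AddPinhole action.
type Pinhole struct {
	RemoteHost, InternalClient string // RemoteHost "" = any remote host
	RemotePort, InternalPort   uint16 // RemotePort 0 = any remote port
	Protocol                   uint16 // IANA protocol number: 6 = TCP, 17 = UDP
	LeaseTime                  uint32 // seconds, 1..86400 per the specification
}

// BuildAddPinhole validates p and returns the SOAPAction header value and body.
// The narrowing rules are this example's own policy, not the specification's.
func BuildAddPinhole(p Pinhole) (string, []byte, error) {
	a, err := netip.ParseAddr(p.InternalClient)
	if err != nil {
		return "", nil, err
	}
	if a = a.WithZone(""); !a.Is6() || a.Is4In6() || !a.IsGlobalUnicast() || a.IsPrivate() {
		return "", nil, fmt.Errorf("%s is not a globally routable IPv6 address", a)
	}
	if p.InternalPort == 0 || (p.Protocol != 6 && p.Protocol != 17) ||
		p.LeaseTime < 1 || p.LeaseTime > 86400 {
		return "", nil, fmt.Errorf("need a specific port, TCP or UDP, and a lease of 1..86400 s")
	}
	var host bytes.Buffer
	xml.EscapeText(&host, []byte(p.RemoteHost)) // writes to a bytes.Buffer cannot fail
	body := fmt.Sprintf(`<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" `+
		`s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPinhole xmlns:u="%s">`+
		`<RemoteHost>%s</RemoteHost><RemotePort>%d</RemotePort><InternalClient>%s</InternalClient>`+
		`<InternalPort>%d</InternalPort><Protocol>%d</Protocol><LeaseTime>%d</LeaseTime>`+
		`</u:AddPinhole></s:Body></s:Envelope>`,
		fwService, host.String(), p.RemotePort, a, p.InternalPort, p.Protocol, p.LeaseTime)
	return `"` + fwService + `#AddPinhole"`, []byte(body), nil
}

func main() { // constructed sample: documentation-prefix address, UDP port 4001, 1 h lease
	act, body, err := BuildAddPinhole(Pinhole{InternalClient: "2001:db8::10", InternalPort: 4001, Protocol: 17, LeaseTime: 3600})
	fmt.Printf("SOAPAction: %s\n%s\n%v\n", act, body, err)
}
```

The gateway answers a successful request with a `UniqueID` for the pinhole; a short lease renewed while the listener is alive keeps a stale rule from outliving the process.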