
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   IPV6      The convoluted hot-mess that is IPV6      4,612 messages   


   Message 4,147 of 4,612   
   Victor Sudakov to Michiel van der Vlist   
   Connection Tests   
   24 Apr 23 01:20:16   
   
   REPLY: 2:280/5555 643a5332   
   MSGID: 2:5005/49 644576e2   
   CHRS: CP866 2   
   TZUTC: 0700   
   TID: hpt/fbsd 1.9.0-cur 2019-12-05   
   Dear Michiel,   
      
   15 Apr 23 09:28, you wrote to me:   
      
    MV>>> In IPv6 every device has a Unique Global Address, so one   
    MV>>> can simply create pinholes in advance as needed for the address   
    MV>>> in question.   
      
    VS>> Only when you know the IPv6 address and port beforehand.   
      
    MV> When running servers you normally do...   
      
   P2P apps like Transmission are not really servers.   
      
   Well they are in the strict sense of the word, but people just start them up   
   and hope for them to work out of the box, and they are often configured by   
   default to randomize port numbers on each start.   
      
    VS>> Usually an IPv6 address on the home LAN is dynamic (SLAAC),   
      
    MV> No. SLAAC addresses are not dynamic. They are derived from the MAC   
    MV> address.   
      
   Not any more. AFAIK the recent implementation of SLAAC uses the privacy   
   extensions which do not use the MAC address but some random numbers to derive   
   the IPv6 host address.   
      
    VS>> and the port in peer-to-peer applications, VoIP applications etc   
    VS>> is often dynamic too.   
      
    MV> VOIP normally uses standard ports.   
      
   SIP (the signalling protocol) does, but the RTP uses random ports. A firewall   
   has no way to know the RTP dynamic port numbers unless it inspects the SIP   
   protocol.   
      
    VS>> The situation is different of course when you are hosting an IPv6   
    VS>> web-server or something like that. It would have a fixed IPv6   
    VS>> address and port anyway, so there is no need for punch-holing the   
    VS>> firewall.   
      
    MV> Indeed.   
      
   I don't really understand your point. If we decide that UPnP (think "automatic   
   firewall configuration from the inside") is desirable for IPv4, then it's   
   desirable for IPv6 too. If we decide that UPnP is not desirable, you can do   
   without it in IPv4: just configure a static RFC1918 address and port on your   
   internal "server" and create a static NAT/portmapping entry on the router.   
      
   Victor Sudakov, VAS4-RIPE, VAS47-RIPN   
   --- GoldED+/BSD 1.1.5-b20170303-b20170303   
    * Origin: Ulthar (2:5005/49)   
      



(c) 1994,  bbs@darkrealms.ca