TID: FMail-W32 2.2.0.0   
   RFC-X-No-Archive: Yes   
   TZUTC: 0200   
   CHRS: CP850 2   
   MSGID: 2:280/5555 64469543   
   REPLY: 2:5005/49 644576e2   
   Hello Victor,   
      
   On Monday April 24 2023 01:20, you wrote to me:   
      
    VS>>> Only when you know the IPv6 address and port beforehand.   
      
    MV>> When runing servers you normally do...   
      
    VS> P2P apps like Transmission are not really servers.   
      
    VS> Well they are in the strict sense of the word, but people just start   
    VS> them up and hope for them to work out of the box,   
      
   That's their problem...   
      
    VS> and they are often configured by default to randomize port numbers on   
    VS> each start.   
      
   Bad practise...   
      
    VS>>> Usually an IPv6 address on the home LAN is dynamic (SLAAC),   
      
    MV>> No. SLAAC addresses are not dynamic. They are derived from the   
    MV>> MAC address.   
      
    VS> Not any more. AFAIK the recent implementation of SLAAC uses the   
    VS> privacy extensions which do not use the MAC address but some random   
    VS> numbers to derive the IPv6 host address.   
      
   Privacy extensions use random numbers for the host part. AFAIK SLAAC still   
   uses the MAC address. What I do see is that DHCP6 is often preferred over   
   SLAAC and the host part of a DHCP6 address also looks random. But it   
   definitely is a fixed address. So no problem.   
      
    VS>>> and the port in peer-to-peer applications, VoIP applications etc   
    VS>>> is often dynamic too.   
      
    MV>> VOIP normally uses standard ports.   
      
    VS> SIP (the signalling protocol) does, but the RTP uses random ports. A   
    VS> firewall has no way to know the RTP dynamic port numbers unless it   
    VS> inspects the SIP protocol.   
      
   If those "random" ports are previously initaiated by the SIP protocol there   
   should be no problem.   
      
    VS>>> The situation is different of course when you are hosting an   
    VS>>> IPv6 web-server or something like that. It would have a fixed   
    VS>>> IPv6 address and port anyway, so there is no need for   
    VS>>> punch-holing the firewall.   
      
    MV>> Indeed.   
      
    VS> I don't really understand your point. If we decide that UPnP (think   
    VS> "automatic firewall configuration from the inside") is desirable for   
    VS> IPv4,   
      
   That "we" does not include me. I have never used UPnP, have always had it   
   disabled in my routers and never had any need for it.   
      
   I consider UPnP a security risk.   
      
   So maybe I am not the right person to discuss this "issue".   
      
    VS> then it's desirable for IPv6 too. If we decide that UPnP is not   
    VS> desirable, you can do without it in IPv4: just configure a static   
    VS> RFC1918 address and port on your internal "server" and create a static   
    VS> NAT/portmapping entry on the router.   
      
   Works for me...   
      
      
   Cheers, Michiel   
      
   --- GoldED+/W32-MSVC 1.1.5-b20170303   
    * Origin: he.net certified sage (2:280/5555)   
   SEEN-BY: 1/123 15/0 19/10 90/1 103/705 104/117 105/81 106/201 123/131   
   SEEN-BY: 124/5016 153/757 7715 154/10 203/0 218/700 221/0 6 226/30   
   SEEN-BY: 227/114 229/110 112 113 206 307 317 400 426 428 452 470 550   
   SEEN-BY: 229/664 700 240/1120 5832 250/1 266/512 280/464 5003 5006   
   SEEN-BY: 280/5555 282/1038 292/854 8125 301/1 310/31 317/3 320/219   
   SEEN-BY: 322/757 341/66 234 342/200 396/45 423/120 460/58 633/267   
   SEEN-BY: 633/280 281 410 412 418 420 509 712/848 770/1 5019/40 5020/545   
   SEEN-BY: 5020/1042 5053/58   
   PATH: 280/5555 464 633/280 229/426