Add support for Port Control Protocol #2797

Open
jech opened this issue Jun 3, 2016 · 18 comments
Labels

  • exp/expert: Having worked on the specific codebase is important
  • help wanted: Seeking public contribution on this issue
  • kind/bug: A bug in existing code (including security flaws)
  • status/deferred: Conscious decision to pause or backlog
  • topic/nat: Topic nat

Comments

@jech

jech commented Jun 3, 2016

My router has support for NAT-PMP and PCP, but not for uPNP.

go-ipfs redirects the IPv4 port, but doesn't seem to open a firewall hole for the IPv6 port.

@ghost ghost added the topic/nat Topic nat label Jun 3, 2016
@ghost

ghost commented Jun 3, 2016

It looks like the NAT library [1] we use simply has no code whatsoever for IPv6, and no PCP support either :(

[1] https://github.com/fd/go-nat

@ghost ghost added kind/bug A bug in existing code (including security flaws) exp/expert Having worked on the specific codebase is important labels Jun 3, 2016
@jech
Author

jech commented Jun 3, 2016 via email

@Kubuxu
Member

Kubuxu commented Jun 3, 2016

I have to disagree; for home IPv6 networks the IETF recommends a stateful firewall but is not decided on its behaviour. As described in RFC 7348 Section 3.6.1:

> The topic of whether future home networks as described in this
> document should have a 'default deny' or 'default allow' position has
> been discussed at length in various IETF meetings without any
> consensus being reached on which approach is more appropriate.

The IETF also recognises that stating a 'default deny' policy is less than optimal:

> It should be noted that a 'default deny' filtering approach would effectively
> replace the need for IPv4 NAT traversal protocols with a need to use
> a signalling protocol to request a firewall hole be opened [...]

The IPv6 is supported with IPv6 design in mind.

@jech
Author

jech commented Jun 3, 2016

It seems like I'm meeting the whole team :-)

> I have to disagree; for home IPv6 networks the IETF recommends a stateful firewall
> but is not decided on its behaviour. As described in RFC 7348 Section 3.6.1:
>
> > The topic of whether future home networks as described in this
> > document should have a 'default deny' or 'default allow' position has
> > been discussed at length in various IETF meetings without any
> > consensus being reached on which approach is more appropriate.

IETF-watching is my favourite spectator sport too.

You're right, I expressed myself badly. The IETF is recommending that
a stateful filter should be implemented, that it should allow outgoing
flows by default, and refuses to express an opinion on incoming flows. It
seems to me however that they've accepted that the firewalls will be deny
by default. See RFC 6092:

> REC-31: All valid sequences of TCP packets (defined in [RFC0793])
> MUST be forwarded for outbound flows and explicitly permitted inbound
> flows.

This does not say that inbound flows that are not explicitly permitted
should be dropped, but comes pretty close.

Two additional elements:

  • the Apple wireless router (whatever its name) had a permissive policy
    in the first version that supported IPv6. After a lot of public outcry,
    this was changed to deny-by-default in subsequent versions.
  • OpenWRT has a deny-by-default policy.

I expect that pretty much all IPv6 home routers will ship with
deny-by-default policies. I agree, that sucks.

-- Juliusz

@ghost

ghost commented Jun 3, 2016

Whatever the details about IPv6 and home routers -- we should implement port mapping for IPv6, either by adding it to the existing NAT-PMP and UPnP code, or by implementing PCP, or both.

@jech
Author

jech commented Jun 3, 2016 via email

@Kubuxu
Member

Kubuxu commented Jun 3, 2016

I would love to support it but:

  1. I don't see any go libs for PCP
  2. I don't have any hardware that supports PCP

Do you know if there are any Linux based, easy to setup PCP servers?

@jech
Author

jech commented Jun 3, 2016 via email

@whyrusleeping
Member

can someone spare me googling "PCP"?

@Kubuxu
Member

Kubuxu commented Jun 3, 2016

Port Control Protocol

@jech
Author

jech commented Jun 4, 2016 via email

@whyrusleeping whyrusleeping added the help wanted Seeking public contribution on this issue label Aug 23, 2016
@whyrusleeping whyrusleeping changed the title Doesn't open IPv6 port Add support for Port Control Protocol Aug 23, 2016
@whyrusleeping whyrusleeping added the status/ready Ready to be worked label Nov 28, 2016
@Stebalien Stebalien added status/deferred Conscious decision to pause or backlog and removed status/ready Ready to be worked labels Dec 18, 2018
@momack2 momack2 added this to Backlog in ipfs/go-ipfs May 9, 2019
@ffrediani

Has anyone found any updated information about it? I have been looking at issues related to the lack of support for opening ports dynamically to internal IPv6 hosts and PCP support on CPE and related devices.
I fully agree that default-deny is the best and correct approach.

Does anyone have any update about PCP support in the way to ease up incoming IPv6 connections at all?

@Stebalien
Member

The state is: no progress. Support would have to be added to https://github.com/libp2p/go-nat (or upstream but that appears to be dead).

Issue: fd/go-nat#3

@sashahilton00

Just copy/pasting this here from what I posted upstream. I'll probably try integrating this with go-nat at a later date once I get the chance to test/bug fix/add remaining functionality, as not being able to port forward IPv6 is only going to become more of a hindrance.

I just wrote this implementation: go-pcp. Warning in advance, it is alpha code, but if someone wants to test it out with their PCP server (I don't have one available atm) and report/fix any bugs, it should be fairly trivial to integrate this with go-nat, as I tried to make the methods relatively 1-1 with the intent of integrating it at a later date.

@ffrediani

Hi @sashahilton00
Thanks for the update.

Just to be sure we are on the same page about this subject: when you say port forward, you mean allowing IPv6 traffic to be forwarded to a LAN IPv6 address and port, right? I am asking because it is common to confuse it with NAT port forwarding in IPv4, as NAT isn't meant to exist in IPv6.
Thanks

@jech
Author

jech commented Feb 13, 2020

IPv6 home routers typically ship with a stateful firewall that blocks incoming connections. PCP allows an application to punch a hole in the firewall — allow incoming connections to a given (IP, port). PCP also does IPv4 port forwarding, and therefore obsoletes NAT-PMP. (It is possible to run both PCP and NAT-PMP for backwards compatibility.)

Please see RFC 6887:

> PCP allows applications to create mappings from an external IP address, protocol, and port to an internal IP address, protocol, and port. These mappings are required for successful inbound communications destined to machines located behind a NAT or a firewall.
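
The mapping request described in the comment above, as an added Go example that is not part of the original thread and is not go-ipfs, go-nat or go-pcp code: it encodes the 60-byte RFC 6887 MAP request an application sends to the gateway on UDP port 5351 and validates the reply, rejecting any response whose nonce does not match the request. The function names, the client address 2001:db8::10, port 4001 and the 7200-second lifetime are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net/netip"
)

const pcpVersion, opMAP, protoTCP = 2, 1, 6 // RFC 6887 version and MAP opcode; IANA TCP

// BuildMapRequest encodes a MAP request asking the gateway to admit inbound traffic to (client, port).
func BuildMapRequest(client netip.Addr, proto uint8, port uint16, lifetime uint32, nonce [12]byte) []byte {
	b := make([]byte, 60)
	b[0], b[1] = pcpVersion, opMAP // R bit clear: this is a request
	binary.BigEndian.PutUint32(b[4:], lifetime)
	ip := client.As16() // IPv4 clients are sent as ::ffff:a.b.c.d
	copy(b[8:24], ip[:])
	copy(b[24:36], nonce[:])
	b[36] = proto
	binary.BigEndian.PutUint16(b[40:], port) // internal port
	binary.BigEndian.PutUint16(b[42:], port) // suggested external port
	if client.Unmap().Is4() {
		b[54], b[55] = 0xff, 0xff // "no preference" for IPv4 is ::ffff:0.0.0.0, for IPv6 it is ::
	}
	return b
}

// ParseMapResponse returns the assigned external endpoint and lifetime, or an error if the reply is invalid.
func ParseMapResponse(resp []byte, nonce [12]byte) (netip.AddrPort, uint32, error) {
	switch {
	case len(resp) < 60:
		return netip.AddrPort{}, 0, fmt.Errorf("short response: %d bytes", len(resp))
	case resp[0] != pcpVersion || resp[1] != 0x80|opMAP:
		return netip.AddrPort{}, 0, fmt.Errorf("not a PCPv2 MAP response")
	case !bytes.Equal(resp[24:36], nonce[:]): // stale or spoofed reply
		return netip.AddrPort{}, 0, fmt.Errorf("nonce mismatch")
	case resp[3] != 0:
		return netip.AddrPort{}, 0, fmt.Errorf("mapping refused: result code %d", resp[3])
	}
	ip, _ := netip.AddrFromSlice(resp[44:60])
	return netip.AddrPortFrom(ip.Unmap(), binary.BigEndian.Uint16(resp[42:])), binary.BigEndian.Uint32(resp[4:]), nil
}

func main() {
	var nonce [12]byte
	rand.Read(nonce[:]) // fresh random nonce per mapping
	fmt.Printf("%x\n", BuildMapRequest(netip.MustParseAddr("2001:db8::10"), protoTCP, 4001, 7200, nonce))
}
```

The granted lifetime returned by the gateway can be shorter than the one requested, so a client has to renew the mapping before it expires or the firewall hole closes.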

@ffrediani

Hi @jech
Yes exactly that.
Thanks.

@sashahilton00

sashahilton00 commented Feb 13, 2020

@ffrediani what jech said. I should have referred to it as port mapping, but it was late and it slipped past me. Anyway, PCP is the successor to both NAT-PMP and UPnP. Support is a little sparse at the moment (I couldn't test it on the router I have), but it should accelerate over time.

Also, as of this moment there is a WIP PR on the upstream repo, #15 PR moved to libp2p/go-nat#17 as upstream appears to be unmaintained.
