[mythtv] Proposed change to Network Communications

Gary Buhrmaster gary.buhrmaster at gmail.com
Wed Mar 8 06:35:00 UTC 2017


On Tue, Mar 7, 2017 at 11:24 PM, Peter Bennett <pgbennett at comcast.net> wrote:

> Yes - that will use a wildcard bind (QHostAddress::Any). That is what I used
> for my test. It allows IPV4 or IPV6 connections.

My one concern (which I think I mentioned elsewhere)
is that this may result in an unexpected, and vulnerable
default configuration where before, for a typical
residential installation it did not.

While NAT is not security, most residential users
are using an IPv4 NAT gateway that performs a
stateful NAT solution which implements what
appears (to many) to implement firewall
functionality.

In the US, the #1 (and the largest part of
the legacy #2) cable providers provide native
IPv6, such that you may get globally routed
IPv6 addresses on your home systems, often
without even knowing it.

This may result in an unexpected vulnerability
since the myth protocols do not implement
authentication/authorization functionality
(unless you are going to fix that first).

The only mitigation is that typically no one
is going to externally "scan" the IPv6 address
space, but as your IPv6 address is going to
be used to connect to multiple locations (and
logged), collecting globally routed IPv6
addresses is simply an exercise.

Systems should default to as secure as
reasonable.  I can mostly compromise on
accepting a default to 0.0.0.0 for IPv4 (given
almost everyone uses a NAT gateway).
Defaulting to :: for IPv6 may be a step too
far.

Separating IPv4 (defaulting to 0.0.0.0) and
IPv6 (defaulting to ::1/128) might be the
better approach.


If you do decide to default to :: for all,
the release notes need to make it very
clear what that means for IPv6.
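An added illustration of the two bind strategies under discussion (not code from the thread or from MythTV, and using Python sockets rather than Qt's QHostAddress): a single dual-stack socket on :: versus an IPv4 wildcard plus an IPv6 socket confined to ::1. The policy names and helper functions are assumptions made for this example.

```python
import socket

# Constructed policies mirroring the thread: "any" is one dual-stack socket
# on :: (QHostAddress::Any); "split" is 0.0.0.0 for IPv4 and ::1 for IPv6.
POLICIES = {
    "any":   [(socket.AF_INET6, "::", False)],
    "split": [(socket.AF_INET, "0.0.0.0", True), (socket.AF_INET6, "::1", True)],
}

def listener(family, addr, v6only, port=0):
    """Bind a listening TCP socket; port 0 lets the OS pick a free port."""
    s = socket.socket(family, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if family == socket.AF_INET6:
        # V6ONLY=0 is what makes a :: bind accept IPv4 clients as well.
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
    s.bind((addr, port))
    s.listen(1)
    return s

def bound_addresses(policy):
    """Return [(family_name, address, port)] actually bound for a policy.
    IPv6 binds are skipped on hosts with IPv6 disabled; IPv4 must succeed."""
    out = []
    for family, addr, v6only in POLICIES[policy]:
        try:
            s = listener(family, addr, v6only)
        except OSError:
            if family == socket.AF_INET:
                raise
            continue
        with s:
            name = s.getsockname()
            out.append((family.name, name[0], name[1]))
    return out

def peer_seen_by_any_listener():
    """Connect an IPv4 client to a dual-stack :: listener and return the peer
    address the server sees (IPv4-mapped, e.g. ::ffff:127.0.0.1), or None
    when this host has no usable IPv6 stack."""
    try:
        srv = listener(socket.AF_INET6, "::", False)
    except OSError:
        return None
    with srv:
        cli = socket.create_connection(("127.0.0.1", srv.getsockname()[1]))
        with cli:
            conn, peer = srv.accept()
            conn.close()
    return peer[0]
```

With the "split" policy the IPv6 socket never listens on a globally routed address, so a host that silently acquired native IPv6 stays unreachable over IPv6 from off-box.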

