[mythtv] Proposed change to Network Communications
stuarta at squashedfrog.net
Thu Mar 9 22:58:30 UTC 2017
On 09/03/17 22:01, rudy zijlstra wrote:
> On 09-03-17 22:42, Stuart Auchterlonie wrote:
>> On 09/03/17 21:35, Peter Bennett wrote:
>>> On 03/08/2017 11:46 AM, Gary Buhrmaster wrote:
>>>> Do not get me wrong, I think IPv6 is the now, and
>>>> IPv4 is legacy/dead. But the myth protocol has been
>>>> regularly stated by the MythTV elders as not being
>>>> public Internet ready, and only with stateful protection
>>>> (or someone who knows how to configure firewall rules)
>>>> should one consider running the device on the public
>>>> Internet. Changing the defaults to run IPv6 publicly
>>>> will require stepping up the other parts of the protocol
>>>> (one mitigation short of authentication might be to set
>>>> the TTL for the myth protocol to something like 3,
>>>> (just like DTCP-IP), which is more or less "in the
>>>> residence" for 98% of the users).
>>> Thinking about this some more, I came up with an addition to the
>>> previous proposal.
>>> Keep the "Listen on all ip addresses" checkbox that I proposed.
>>> Whether or not "Listen on all ip addresses" is checked, check the sender
>>> of all incoming connections. If the sender is a public IP address,
>>> simply ignore the connection.
>>> Provide a checkbox labeled "NOT RECOMMENDED - Allow connections from the
>>> Internet". Default this to unchecked. When this is unchecked, only
>>> provide private ip addresses from the below list in the drop down boxes
>>> for IP address. When it is checked, provide all ip addresses in the drop
>>> down and bypass the sender ip address check.
>>> The following IP addresses are the private ip addresses that would be
>>> allowed. Everything else would be rejected.
>>> 192.168.0.0 - 192.168.255.255
>>> 172.16.0.0 - 172.31.255.255
>>> 10.0.0.0 - 10.255.255.255
>>> 127.0.0.1 (local loop-back)
>>> 169.254.0.0 - 169.254.255.255 (link-local)
>>> ::1 (local loop-back)
>>> fe80::/10 (link-local)
>>> fc00::/7 (unique local)
>> This will work for all the "local" addresses inside a home network.
>> As IPv6 gains more widespread adoption, the primary mechanism that
>> ISPs will use to provide global IPv6 address space inside the home
>> network is "prefix delegation". This is where the ISP tells the
>> router the /64 network that it should assign addresses from.
> The delegated prefix does not need to be a /64. In fact, the prefix I
> have is a /48 :)
> The delegated prefixes are likely between /56 and /64.
Of course, I too have a /48.
Anyway, the idea was "if I have a global address, then accept traffic
from that subnet". The actual size of the subnet will be determined
by what is on the interface; even if you have a /48 allocation, I would
expect each subnet to be a /64 if you expect SLAAC to work.
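An added example, not MythTV code, of the sender check proposed in this thread: accept only the listed private, loopback and link-local ranges, plus (Stuart's addition) any global prefix the caller reports as present on the backend's own interfaces; the "Allow connections from the Internet" checkbox bypasses the check. Function names, the `local_prefixes` parameter and the unwrapping of IPv4-mapped addresses (what a dual-stack listener sees for IPv4 peers) are assumptions of this example, not part of the proposal.

```python
import ipaddress

# The ranges Peter listed, written as CIDR blocks (encoded here from the thread).
PRIVATE_NETWORKS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),    # loopback, the single address as listed
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
]


def normalise(addr):
    """Parse a peer address.  An IPv4 client reaching a dual-stack socket
    shows up as ::ffff:a.b.c.d; unwrap it so it is judged by the IPv4
    ranges instead of being treated as an unknown global IPv6 address.
    (Assumption of this example; the thread does not discuss it.)"""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed_sender(addr, allow_internet=False, local_prefixes=()):
    """True if a connection from `addr` should be accepted.

    allow_internet  -- the "NOT RECOMMENDED" checkbox: skip the check.
    local_prefixes  -- global prefixes on the backend's own interfaces
                       (e.g. the delegated /64), whose members count as
                       inside the home network.  Supplied by the caller.
    """
    if allow_internet:
        return True
    try:
        ip = normalise(addr)
    except ValueError:
        return False  # unparseable peer address: reject
    if any(ip in net for net in PRIVATE_NETWORKS):
        return True
    return any(ip in ipaddress.ip_network(p, strict=False)
               for p in local_prefixes)
```

Version mismatches (an IPv4 peer tested against an IPv6 prefix) evaluate to False in `ipaddress`, so mixed lists need no special handling.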