[mythtv] Proposed change to Network Communications

Stephen Worthington stephen_agent at jsw.gen.nz
Fri Mar 10 01:29:36 UTC 2017


On Thu, 9 Mar 2017 22:58:30 +0000, you wrote:

>On 09/03/17 22:01, rudy zijlstra wrote:
>> 
>> 
>> On 09-03-17 22:42, Stuart Auchterlonie wrote:
>>> On 09/03/17 21:35, Peter Bennett wrote:
>>>>
>>>> On 03/08/2017 11:46 AM, Gary Buhrmaster wrote:
>>>>> Do not get me wrong, I think IPv6 is the now, and
>>>>> IPv4 is legacy/dead.  But the myth protocol has been
>>>>> regularly stated by the MythTV elders as not being
>>>>> public Internet ready, and only with stateful protection
>>>>> (or someone who knows how to configure firewall rules)
>>>>> should one consider running the device on the public
>>>>> Internet.  Changing the defaults to run IPv6 publicly
>>>>> will require stepping up the other parts of the protocol
>>>>> (one mitigation short of authentication might be to set
>>>>> the TTL for the myth protocol to something like 3,
>>>>> (just like DTCP-IP), which is more or less "in the
>>>>> residence" for 98% of the users).
>>>> Thinking about this some more, I came up with an addition to the
>>>> previous proposal.
>>>>
>>>> Keep the "Listen on all ip addresses" checkbox that I proposed.
>>>>
>>>> Whether or not "Listen on all ip addresses" is checked, check the sender
>>>> of all incoming connections. If the sender is a public IP address,
>>>> simply ignore the connection.
>>>>
>>>> Provide a checkbox labeled "NOT RECOMMENDED - Allow connections from the
>>>> Internet". Default this to unchecked. When this is unchecked, only
>>>> provide private ip addresses from the below list in the drop down boxes
>>>> for IP address. When it is checked, provide all ip addresses in the drop
>>>> down and bypass the sender ip address check.
>>>>
>>>> The following IP addresses are the private ip addresses that would be
>>>> allowed. Everything else would be rejected.
>>>>
>>>> 192.168.0.0 - 192.168.255.255
>>>> 172.16.0.0 - 172.31.255.255
>>>> 10.0.0.0 - 10.255.255.255
>>>> 127.0.0.1 (local loop-back)
>>>> 169.254.0.0 - 169.254.255.255 (link-local)
>>>> ::1 (local loop-back)
>>>> fe80::/10 (link-local)
>>>> fc00::/7 (unique local)
>>>>
>>> This will work for all the "local" addresses inside a home network.
>>>
>>> As IPv6 gains more widespread adoption, the primary mechanism that
>>> ISPs will use to provide global IPv6 address space inside the home
>>> network is "prefix delegation". This is where the ISP tells the
>>> router the /64 network that it should assign addresses from.
>> The delegated prefix does not need to be a /64. In fact, the prefix I
>> have is a /48 :)
>> 
>> The delegated prefixes are likely between /56 and /64
>> 
>
>Of course, I too have a /48.
>
>Anyway, the idea was "if I have a global address, then accept traffic
>from that subnet". The actual size of the subnet will be determined
>by what is on the interface, even if you have a /48 allocation, each
>subnet (I would expect) to be a /64 if you expect SLAAC to work.

I have a /56.  Best would be to have an option to set the size of the
local IPv6 network.  In the absence of that option, use the subnet
size seen on the interface (almost always a /64).  If you limit it to
only the link-local subnet, then IPv6 traffic from someone's WiFi that
was on a different /64 would be unable to access the MythTV system.

The same option should probably be available for IPv4 - optionally
specify a netmask for the local network.  That way anyone who has a
sophisticated network setup where different parts of a 10.x.x.x
address space are used for different things (like different sites in a
company) can restrict things to just the local part of that network if
they want.
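
Added example, not MythTV code and not written by anyone in this thread: a Python sketch of the sender check discussed above, combining the fixed private list, the subnets seen on the interfaces, and an optional IPv6 local-network size. The function names, the `v6_prefix` parameter and the 2001:db8:: sample addresses are assumptions made for illustration; it also unwraps IPv4-mapped IPv6 senders, which a dual-stack listening socket reports.

```python
import ipaddress

# Private ranges exactly as listed in the thread (note: 127.0.0.1 only).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.1/32",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def local_networks(interface_addrs, v6_prefix=None):
    """Return the networks the host itself sits on.

    interface_addrs: "address/prefixlen" strings as configured on interfaces.
    v6_prefix: hypothetical admin option giving the size of the local IPv6
    network (e.g. 56 for a delegated /56); None keeps the on-interface size.
    """
    nets = []
    for text in interface_addrs:
        iface = ipaddress.ip_interface(text)
        if iface.version == 6 and v6_prefix is not None:
            # Widen the on-interface /64 to the configured local prefix.
            nets.append(ipaddress.ip_network(f"{iface.ip}/{v6_prefix}", strict=False))
        else:
            nets.append(iface.network)
    return nets

def sender_allowed(sender, local_nets, allow_internet=False):
    """Decide whether an incoming connection's source address is accepted."""
    if allow_internet:  # the "NOT RECOMMENDED" checkbox bypasses the check
        return True
    # Drop a zone id such as "%eth0" that link-local peers carry.
    addr = ipaddress.ip_address(sender.split("%", 1)[0])
    # A dual-stack socket reports IPv4 peers as ::ffff:a.b.c.d; judge the
    # embedded IPv4 address, otherwise the IPv4 ranges would never match.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in PRIVATE_NETS + local_nets)

# Constructed sample configuration (documentation prefix 2001:db8::/32).
IFACES = ["2001:db8:1234:5601::10/64", "192.168.1.10/24"]

if __name__ == "__main__":
    for prefix in (None, 56):
        nets = local_networks(IFACES, v6_prefix=prefix)
        for peer in ("2001:db8:1234:5601::99", "2001:db8:1234:5602::20",
                     "::ffff:192.168.1.50", "::ffff:203.0.113.7", "fe80::1%eth0"):
            print(prefix, peer, sender_allowed(peer, nets))
```

With the on-interface /64 only, the peer on 2001:db8:1234:5602:: is rejected; setting the local size to 56 admits it while other global addresses stay blocked.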

