[mythtv-users] MythTV and IPV6

Gary Buhrmaster gary.buhrmaster at gmail.com
Wed Sep 23 17:50:09 UTC 2015


On Wed, Sep 23, 2015 at 4:31 PM, Bill Meek <keemllib at gmail.com> wrote:
.....
> You don't need a global address.

It depends.  If you want access to "the entire Internet" you need
global addresses at some point (either direct, or (if you insist,
but in my opinion usually a poor idea) NAT'ed).  While there are
currently few major sites that are IPv6 only, the future is clear.

> My ISP, for example, was allowing the
> use of 6to4 protocol, but after about 2 years removed it. Now only
> business customers can get globally routable IPv6 addresses, e.g.
> 2001:db8::1.

That is shortsighted of them.  At least in the US, most major
ISPs (FIOS is a glaring exception(*)) are offering globally routed
IPv6 addresses to their consumers, and more and more CPE
devices properly support IPv6.  In the rest of the world, IPv6
is stronger still.  Of course, there are always pockets of
specialness.

It should be noted that many people are running IPv6 without
even knowing it (Windows supports Teredo tunneling in at least
some "out of the box" configurations).  Enterprises with "tight"
firewalls were sometimes surprised that not blocking IP
protocol 41 allowed (at least some) IPv6.  I believe there were
a couple of apps that took advantage of this to bypass the
corporate firewall blocks.

I have been running IPv6 at home (using GUA addresses)
for quite some time for all of my networks (although admittedly
my VoIP network does not currently have an IPv6-capable call server
so it is mostly moot on that network).  Certainly you need to
define appropriate policy to block access to applications that
do not have adequate authentication/authorization mechanisms.
And while everyone should (likely) enable authentication/authorization
for MythWeb, and your MySQL server has the ability to be
properly configured, you might want to be careful about your
BEs/FEs (no authorization/authentication for the myth protocol
ports).  If setting a firewall is too complex for your configuration,
you might want to consider setting the BackendServerIP6 to
be ::1.  Certainly those that have depended on using NAT
for security will have to (re)think their requirements when using
GUAs.  But that may be a good thing.  It should be noted
that most more recent distributions do include reasonable
firewall starter sets for one to work with, and some even
provide a GUI editor for modification.

Gary

(*) There are a few understandable reasons, but still mostly
bad reasons, for this.
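
Added example, not part of the message above and not MythTV code: a small
audit of listening sockets for the exposure the message describes, flagging
backend ports bound to :: or to a global address and passing ones bound to ::1.
The ss-style sample is constructed, and ports 6543/6544 are assumed here as the
backend's ports; substitute the ones from your own configuration.

```python
import ipaddress

# Constructed sample in the format of `ss -H -6 -ltn` (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 [::]:6543 [::]:*
LISTEN 0 128 [::1]:3306 [::]:*
LISTEN 0 128 [2001:db8::10]:6544 [::]:*
LISTEN 0 128 [fe80::1%eth0]:22 [::]:*
LISTEN 0 128 [fd00:1::5]:80 [::]:*
"""

GUA = ipaddress.ip_network("2000::/3")   # global unicast space
ULA = ipaddress.ip_network("fc00::/7")   # unique local addresses

def scope(addr_text):
    """Classify how far away a listener bound to this address can be reached from."""
    addr = ipaddress.IPv6Address(addr_text.split("%")[0])  # drop zone id (%eth0)
    if addr.is_unspecified:
        return "any"          # bound to ::, i.e. every address the host has
    if addr.is_loopback:
        return "host"
    if addr.is_link_local:
        return "link"
    if addr in ULA:
        return "site"
    return "global" if addr in GUA else "other"

def parse_listeners(ss_text):
    """Yield (address, port) for each listening socket line."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = "::" if addr == "*" else addr.strip("[]")
        yield addr, int(port)

def exposed(ss_text, watch_ports=(6543, 6544), host_has_gua=True):
    """Return watched listeners that are reachable through a global address."""
    hits = []
    for addr, port in parse_listeners(ss_text):
        s = scope(addr)
        if port in watch_ports and (s == "global" or (s == "any" and host_has_gua)):
            hits.append((addr, port, s))
    return hits

if __name__ == "__main__":
    for addr, port, s in exposed(SAMPLE_SS):
        print(f"port {port} on [{addr}] has {s} scope: firewall it or rebind")
```

A listener bound to :: only counts as exposed when the host actually holds a
global address, which is why host_has_gua is a parameter.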

