[mythtv] Proposed change to Network Communications

Stuart Auchterlonie stuarta at squashedfrog.net
Thu Mar 9 21:42:16 UTC 2017


On 09/03/17 21:35, Peter Bennett wrote:
> 
> 
> On 03/08/2017 11:46 AM, Gary Buhrmaster wrote:
>> Do not get me wrong, I think IPv6 is the now, and
>> IPv4 is legacy/dead.  But the myth protocol has been
>> regularly stated by the MythTV elders as not being
>> public Internet ready, and only with stateful protection
>> (or someone who knows how to configure firewall rules)
>> should one consider running the device on the public
>> Internet.  Changing the defaults to run IPv6 publicly
>> will require stepping up the other parts of the protocol
>> (one mitigation short of authentication might be to set
>> the TTL for the myth protocol to something like 3,
>> (just like DTCP-IP), which is more or less "in the
>> residence" for 98% of the users).
> Thinking about this some more, I came up with an addition to the
> previous proposal.
> 
> Keep the "Listen on all ip addresses" checkbox that I proposed.
> 
> Whether or not "Listen on all ip addresses" is checked, check the sender
> of all incoming connections. If the sender is a public IP address,
> simply ignore the connection.
> 
> Provide a checkbox labeled "NOT RECOMMENDED - Allow connections from the
> Internet". Default this to unchecked. When this is unchecked, only
> provide private IP addresses from the below list in the drop down boxes
> for IP address. When it is checked, provide all IP addresses in the drop
> down and bypass the sender IP address check.
> 
> The following IP addresses are the private IP addresses that would be
> allowed. Everything else would be rejected.
> 
> 192.168.0.0 - 192.168.255.255
> 172.16.0.0 - 172.31.255.255
> 10.0.0.0 - 10.255.255.255
> 127.0.0.1 (local loop-back)
> 169.254.0.0 - 169.254.255.255 (link-local)
> ::1 (local loop-back)
> fe80::/10 (link-local)
> fc00::/7 (unique local)
> 

This will work for all the "local" addresses inside a home network.

As IPv6 gains more widespread adoption, the primary mechanism that
ISPs will use to provide global IPv6 address space inside the home
network is "prefix delegation". This is where the ISP tells the
router the /64 network that it should assign addresses from.

This allows all the normal ipv6 automatic address selection (SLAAC)
to occur, and things to "just work".

We should ensure that if the backend has an IPv6 address with global scope,
then connections from within that subnet are considered local.

I hope this makes sense?


Regards
Stuart


> For UDP - just ignore messages from IP addresses not on the list. As far
> as I can see, UDP is only used for one purpose in MythTV. In the
> frontend it is used for Airplay, where audio data is received and
> played. If you are playing some sound, somebody on the internet could
> send you some audio data if they spoof the sending address. The backend
> does not bind UDP so nothing could be sent to it via UDP.
> 
> Peter
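The sender check that Peter proposes, extended with Stuart's point that a peer inside the backend's own delegated global IPv6 prefix should also count as local, as an added example. This is illustrative code written for this discussion, not MythTV's own source; it assumes the backend's global prefixes are supplied by the caller (the `LocalPrefix` list and the `2001:db8:...` documentation addresses are constructed for the example), it widens Peter's `127.0.0.1` entry to the whole `127.0.0.0/8` loopback block, and it unmaps `::ffff:a.b.c.d` peers, which is how a dual-stack IPv6 listener sees IPv4 clients.

```cpp
#include <arpa/inet.h>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// A parsed peer address: 4 or 16 bytes in network byte order.
struct Addr {
    int family = 0;                 // AF_INET, AF_INET6, or 0 if unparsable
    unsigned char bytes[16] = {};
};

static Addr parse_addr(const std::string& text) {
    Addr a;
    if (inet_pton(AF_INET, text.c_str(), a.bytes) == 1)  { a.family = AF_INET;  return a; }
    if (inet_pton(AF_INET6, text.c_str(), a.bytes) == 1) { a.family = AF_INET6; return a; }
    return a;                       // family stays 0: caller must reject
}

// True if the first prefix_len bits of a and b are identical.
static bool same_prefix(const unsigned char* a, const unsigned char* b, int prefix_len) {
    int full = prefix_len / 8, rem = prefix_len % 8;
    if (std::memcmp(a, b, full) != 0) return false;
    if (rem == 0) return true;
    unsigned char mask = static_cast<unsigned char>(0xFF << (8 - rem));
    return (a[full] & mask) == (b[full] & mask);
}

// The private ranges from Peter's list, written as CIDR prefixes.
struct Range { const char* net; int prefix; };
static const Range kPrivateV4[] = {
    {"10.0.0.0", 8}, {"172.16.0.0", 12}, {"192.168.0.0", 16},
    {"127.0.0.0", 8},      // assumption: whole loopback block, not just 127.0.0.1
    {"169.254.0.0", 16},   // link-local
};
static const Range kPrivateV6[] = {
    {"::1", 128}, {"fe80::", 10}, {"fc00::", 7},
};

static bool in_range(const Addr& a, const char* net, int prefix) {
    Addr n = parse_addr(net);
    return n.family == a.family && prefix >= 0 && prefix <= 128 &&
           same_prefix(a.bytes, n.bytes, prefix);
}

// A global-scope IPv6 prefix the backend itself holds, e.g. the ISP-delegated
// /64 Stuart describes. Hypothetical type; a real backend would read these
// from its own interfaces.
struct LocalPrefix { std::string net; int prefix; };

// Peter's rule plus Stuart's addition: private/link-local/loopback peers are
// local, and so is any peer inside one of the backend's global IPv6 prefixes.
bool is_local_peer(const std::string& peer_text,
                   const std::vector<LocalPrefix>& backend_v6_prefixes) {
    Addr a = parse_addr(peer_text);
    if (a.family == 0) return false;            // unparsable: reject, never fail open

    // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unmap so the
    // IPv4 list applies to them instead of the IPv6 one.
    static const unsigned char kMapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (a.family == AF_INET6 && std::memcmp(a.bytes, kMapped, 12) == 0) {
        Addr v4; v4.family = AF_INET;
        std::memcpy(v4.bytes, a.bytes + 12, 4);
        a = v4;
    }

    if (a.family == AF_INET) {
        for (const Range& r : kPrivateV4) if (in_range(a, r.net, r.prefix)) return true;
        return false;
    }
    for (const Range& r : kPrivateV6) if (in_range(a, r.net, r.prefix)) return true;
    for (const LocalPrefix& p : backend_v6_prefixes)
        if (in_range(a, p.net.c_str(), p.prefix)) return true;
    return false;
}

// The "NOT RECOMMENDED - Allow connections from the Internet" checkbox:
// when set, the sender check is bypassed entirely.
bool accept_connection(const std::string& peer_text,
                       const std::vector<LocalPrefix>& backend_v6_prefixes,
                       bool allow_internet) {
    return allow_internet || is_local_peer(peer_text, backend_v6_prefixes);
}

int main() {
    // Constructed sample peers; 2001:db8::/32 is documentation space.
    std::vector<LocalPrefix> delegated = {{"2001:db8:abcd:1::", 64}};
    const char* peers[] = {"192.168.1.20", "203.0.113.9", "::ffff:10.0.0.5",
                           "fe80::1", "2001:db8:abcd:1::5", "2001:db8:abcd:2::5"};
    for (const char* p : peers)
        std::printf("%-22s %s\n", p, accept_connection(p, delegated, false) ? "accept" : "drop");
    return 0;
}
```

The unmapping step matters in practice: without it a backend bound to `::` would classify an IPv4 LAN client as a non-private IPv6 address and drop it, while the reject-on-unparsable default keeps the filter from failing open on malformed input.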