
Just a sample of the Echomail archive


 Message 4142 
 Victor Sudakov to Michiel van der Vlist 
 Connection Tests 
 11 Apr 23 09:47:00 
 
REPLY: 2:280/5555 6434155d
MSGID: 2:5005/49 6434ca25
CHRS: CP866 2
TZUTC: 0700
TID: hpt/fbsd 1.9.0-cur 2019-12-05
Dear Michiel,

10 Apr 23 15:46, you wrote to me:

 MV>>> Please elaborate...

 VS>> The Transmission torrent client, and the syncthing file
 VS>> synchronization utility can use the UPnP protocol to request a
 VS>> firewall to pass *IPv4* incoming traffic (and create a port
 VS>> forwarding for IPv4 NAT). They cannot however (at least to my
 VS>> knowledge) use UPnP or any other protocol to request a router to
 VS>> open a hole for incoming traffic in an *IPv6* firewall.

 MV> I see. Or so I think. You ask for

It is not even that I *ask for* it. I've read here, some messages ago, that
some home router declared "IPv6 punch-holing support." Unfortunately I could
not find more information either about the model of the router or its features.


 MV> for some kind of "IPv6 equivalent" for
 MV> UPnP. But why would you want that? UPnP is a questionable idea anyway.
 MV> For IPv4 it creates an entry in the NAT table and as a side effect
 MV> creates a hole in the firewall.

 MV> But why would you need that for IPv6?

 MV> For IPv6 there (normally) is no NAT, so no need to create an entry in
 MV> a NAT table.

The "IPv6 equivalent" for UPnP is not for creating entries in a NAT table
(which is absent in IPv6). It is for creating rules in an IPv6 firewall
allowing incoming traffic to an application running on an IPv6-enabled host. A
firewall (IPv4 or IPv6) is usually configured to block incoming traffic which
is not part of an established outgoing connection.

 MV> In IPv6 every device has a Unique Global Address, so one
 MV> can simply create pinholes in advance as needed for the address in
 MV> question.

Only when you know the IPv6 address and port beforehand. Usually an IPv6
address on the home LAN is dynamic (SLAAC), and the port in peer-to-peer
applications, VoIP applications, etc. is often dynamic too.

The situation is different of course when you are hosting an IPv6 web-server
or something like that. It would have a fixed IPv6 address and port anyway, so
there is no need for punch-holing the firewall.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20170303-b20170303
 * Origin: Ulthar (2:5005/49)
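
The argument in the message above, modelled as an added example (not part of the original message and not any router's real code): a default-deny stateful IPv6 filter where a pinhole created in advance stops matching once the host's SLAAC address changes, while a pinhole requested for the current address and dynamic port works until it expires. The class, its `add_pinhole` method, the lifetimes, ports and all addresses (2001:db8::/32 documentation prefix) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

ip = ipaddress.IPv6Address

@dataclass
class StatefulV6Firewall:
    flows: set = field(default_factory=set)       # (lan_addr, lan_port, peer_addr, peer_port)
    pinholes: dict = field(default_factory=dict)  # (lan_addr, lan_port) -> expiry time

    def outbound(self, src, sport, dst, dport):
        # Outgoing packets are passed and remembered so replies can return.
        self.flows.add((ip(src), sport, ip(dst), dport))

    def add_pinhole(self, addr, port, now, lifetime):
        # Hypothetical API: open one LAN address/port for `lifetime` seconds.
        self.pinholes[(ip(addr), port)] = now + lifetime

    def inbound_allowed(self, src, sport, dst, dport, now):
        if (ip(dst), dport, ip(src), sport) in self.flows:
            return True  # part of an established outgoing connection
        expiry = self.pinholes.get((ip(dst), dport))
        return expiry is not None and now < expiry  # otherwise default deny

def demo():
    # Constructed sample values; times are seconds on an arbitrary clock.
    peer = "2001:db8:ffff::7"
    old_addr = "2001:db8:1:0:a1b2:c3ff:fed4:1"  # SLAAC address when the rule was made
    new_addr = "2001:db8:1:0:5e6f:70ff:fe81:2"  # address after the host renumbers
    fw = StatefulV6Firewall()
    r = {}

    # Pinhole created in advance for a known address and port.
    fw.add_pinhole(old_addr, 51413, now=0, lifetime=86400)
    r["static_before_renumber"] = fw.inbound_allowed(peer, 40000, old_addr, 51413, now=10)
    r["static_after_renumber"] = fw.inbound_allowed(peer, 40000, new_addr, 51413, now=20)

    # Replies to an outgoing connection need no pinhole.
    fw.outbound(new_addr, 50001, peer, 443)
    r["reply_to_outbound"] = fw.inbound_allowed(peer, 443, new_addr, 50001, now=30)

    # Host requests a short-lived pinhole for its current address and a dynamic port.
    fw.add_pinhole(new_addr, 61022, now=40, lifetime=120)
    r["dynamic_within_lifetime"] = fw.inbound_allowed(peer, 40001, new_addr, 61022, now=100)
    r["dynamic_after_expiry"] = fw.inbound_allowed(peer, 40001, new_addr, 61022, now=200)
    return r
```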

