By the way, if UPnP was ever a problem in terms of NAT security,
obviously the problem is much worse in IPv6, since there is not even any
NAT and all devices are always exposed.
Now even though you are living together in a "house" all "residents" now
need to solve these issues on their own.
This makes it almost impossible to run any kind of home server, because
the default setup is going to be: access internet services, don't worry
about local network access or even if you do have it, accept that you
will be at risk of getting hacked or exposed constantly.
The exposure might be dealt with by the protocols (if they work) but
there is a high chance they won't, because the model at the beginning is
that everything is exposed.
If your premise is complete exposure, if that is what you intend and
want, then you won't be able to achieve meaningful protection in any way.
If you banish all clothes and then try to find a way for people to not
see you naked, that won't work.
"So we have no clothes anymore, how can we find a way for people to not
be cold and to not be seen naked? Hmmm difficult".
You know, maybe don't banish the clothes.
Maybe don't banish NAT.
Maybe don't banish localized, small, understandable networks.
Maybe don't banish the boundary between the local and the remote. Maybe
not do away with membranes.
Nature has designed life around membranes, all cells have membranes.
"Cell membranes protect and organize cells. All cells have an outer
plasma membrane that regulates not only what enters the cell, but also
how much of any given substance comes in."
The basic topology for IPv6 is so deeply misunderstood and misdesigned
from my perspective....
That it tries to create a membrane based purely on subnet masking.
And that's not a safe thing because a misconfigured system automatically
gives access. You want all internal addresses to be in the same pool (as
the router accepts a list or segment of adddress from the ISP). The
router is supposed to distribute those addresses across clients while
allowing them to know and find each other, ie. by giving them the
information on the subnet masks they are supposed to use. The subnet
mask is everyone's potential and right to not care about any fixed
boundaries between the local and the remote (wide) network.
Maybe you can call it empowerment (everyone has a public address). But
it is also a huge loss of control. It's a loss of power. Networks that
can't be configured by any individual person. Inability to shield
anything from anyone in a real sense.
Local clients (ie. Linux and Windows computers and Mac computers and
Android phones) now requiring the intelligence to safely distinguish
between local and remote services, a problem that was never even solved
in IPv4, let alone that IPv6 even stands the slightest chance of
meaningfully solving it.
All of these devices needing to perfectly cooperate in order to find and
know the local network. Particularly if there is a segmentation between
"secure" and "insecure" or between "guest" and "resident". And what if
you want two subnet masks for a different purpose? A managed switch has
means to physically separate (in a way) two different nets on the same
cables. You may be wanting to run a network of servers in your home that
is separate from your local home network. You lose pretty much all
control in being able to do this effectively.
Even if IPv6 gives some freedom or liberation, it is mostly due to the
router allowing this. Everyone his own IP address. Everyone his own
front door. People love that, in a way. But it also means you no longer
have a family.
Op 20-3-2016 om 16:05 schreef Xen:
Op 20-3-2016 om 11:56 schreef Tim Coote:
Is it intended that NetworkManager will conform to /support / exploit
the Homenet network name and address assignment and routeing
protocols (http://bit.ly/1LyAE7H), either to provide end to end
connectivity or to provide a monitoring layer so that the actual
state of the network topologies can be understood?
Home or small networks seem to be getting quite complex quickly and
way beyond what consumers can be expected to
understand/configure/troubleshoot/optimise, with one or two ISP’s per
person (via mobile phone + wifi connectivity) + an ISP for the
premises; and wildly differing network segment performance
characteristics and requirements (e.g. media streaming vs home
automation).
I can't answer your question but in my mind there are only 2 or 3
issues mostly:
- a mobile phone that connects through home wifi, external wifi, or
mobile/3G/4G connectivity, may access predominantly internet (cloud)
services and not have access to anything in the home network by
default, and there is not really any good platform to enable this.
(all that it needs is a router really that provides loopback, an
internet domain, and a way to access LAN services both from the
outside and inside) (but most people don't run services on their
network anyway except when it is some appliance-like NAS)
(but If you're talking about media streaming and home automation, this
outside/inside access thing becomes important)
Other than that there is no issue for most people. If your mobile app
is configured with an internal IP address, you get in trouble when you
are outside the network, if you configure it with an external address,
not all routers will allow you to access it from the inside.
For example the popular (or once popular) D-Link dir-655 router
doesn't allow it, while all TP-Link routers are said to support it (a
support rep from China or something demonstrated it to me with
screenshots).
- I don't think IPv6 is a feasible model for home networking and
configuring it is said to be a nightmare even for those who understand
it. I don't think it solves any problems, or at least doesn't solve it
the right way that makes it easier to use home networking. I think
IPv6 is a completely flawed thing to begin with, but as long as it
stays on the outside, I don't care very much. NAT shielding from the
outside is a perfect model. Anyone requiring network access from the
outside should be in a situation where they are able to configure it
(port forwarding). Even where you could (as an advanced user) require
2 or more IP addresses at home, you still don't need a 100 or 65535.
IPv6 in the home solves problems practically no one has, and opens up
every device to internet access without any firewall in between. If
home networking is only defined by subnet mask, it becomes a pain to
understand how you can shield anything from anyone. You have to define
your home network in public internet IP address terms. No more easy
192.168.1.5 that even non-technical users recognise. If there's no
NAT, you're lost, and only wannabe "I can do everything" enthusiasts
really understand it.
When I read the Charter of that homenet thing, it is all about IPv6:
https://datatracker.ietf.org/wg/homenet/charter/
Their statements are wildly conflicting:
"While IPv6 resembles IPv4 in many ways, it changes address allocation
principles and allows
direct IP addressability and routing to devices in the home from the
Internet. ***This is a promising area in IPv6 that has proved
challenging in IPv4 with the proliferation of NAT.***" (emphasis mine)
"End-to-end communication is both an opportunity and a concern as it
enables new applications but also exposes nodes in the internal
networks to receipt of unwanted traffic from the Internet. Firewalls
that restrict incoming connections may be used to prevent exposure,
however, this reduces the efficacy of end-to-end connectivity that
IPv6 has the potential to restore."
The reality is of course that people (and games/chat applications)
have always found a way around the problems. UPnP port forwarding,
while not perfect, has been a make-do solution that basically allowed
any application end-to-end connectivity as long as you don't require
fixed ports (few people do).
The internet has been designed around two basic topologies:
client-server and peer-to-peer. Client-server has never been
challenging with NAT, only peer-to-peer has. For example, online games
always use a client-server model in which NAT is a complete non-issue.
The only times when NAT becomes an issue is with direction connections
between two clients (peers) which is a requirement mostly for
communication applications and/or applications that require high
bandwidth (voice, video).
Ever since UPnP these devices can simply go to any router on the
network and say "open me up" and they'd have access. I would have
preferred the thing to be a little different (didn't really look at
the specs, but you have a feel for it) giving more control to the home
network operator (the way it is now, it is a haven and a heaven for
viruses, trojans and backdoors) but essentially as soon as a central
server coordinates the setup between two peers, they are done and the
issue is solved. Servers by definition do not need to contact clients
on their own. Devices with random addresses by definition do not need
to be reached via a static, well-defined or well-known address that
lives outside of any server that negotiates access to it.
If a server is negotiating access to it anyway, it can also help in
setting up the connection and this has always been done, ie. instant
messenger chat applications (MSN, Yahoo, etc.) while being very simple
programs, worked through this model. If you talk about a modern age of
smartphone apps, they all work through the same model: cloud
interfaces, messages often being sent through the server, and in other
cases peer-to-peer connections being setup by central (cloud) servers.
The challenges to MY mind are really: how can I setup home-controlled
"cloud" services that seemlessly integrate into, or sync with, cloud
based (backup) solutions? How can I bridge the local and the remote?
That is MY issue.
You can either setup some NAS in your home that has cloud, or you can
acquire it from a remote service provider, but you can't do both or
anything in between, is what I mean.
And yet, they say:
"Home networks need to provide the tools to handle these situations in
a manner accessible to all users of home networks. Manual
configuration is rarely, if at all, possible, as the necessary skills
and in some cases even suitable management interfaces are missing."
So basically they want to create an automated, complex algorithm and
protocol-based resolving architecture that will solve an incredible
difficult problem that was created by introducing something that was
not needed.
"Restore end-to-end connectivity". End-to-end connectivity was never
an issue after the advent of UPnP port forwarding. You could redesign
UPnP (or I could) and the system is really simple in essence, and
essentially what you need even if it opens op backdoors and potential
for acquired malware, but that's the same way everywhere: your kids
can open up the windows and doors to your house, unless you lock those
doors and windows.
You don't go and solve that problem by giving all the kids and
residents in your house a front door of their own, and then worry
about how you can prevent unwanted access to those doors and windows.
And when everyone has a front door of their own, there are no more
hallways, and then you go and think about how you are going to solve
the problem of having no hallways.
And then you start thinking about several kinds of locks and keys, and
having locks to your doors that only residents have, or locks that
also outsiders can access, and how can you distribute those keys and
locks, and it is too complex for people to do it on their own, so we
need computers to solve it for us......
And you've really lost it. You've lost your sanity and your sensibility.
In my eye NetworkManager can't even do the basic thing of a NAT IPv4
home network right. Now you want it to provide advanced tools for
topology monitoring.
I would redesign NetworkManager to begin with, but that's just me.
There are some bad choices being made that create a huge amount of
problems as in most current software. I see no end to the nonsense
that is being introduced, pardon my language. I mean in general, not
here. I think most people have a bad feel for what makes elegant
software, and you can see it in systems such as:
- systemD,
- linux software raid (mdadm)
- any number of thing that I don't know enough about.
Linux people propose a mindset of "don't think, just do" or "don't
criticise, just get your hands dirty" ie. they profess a belief in not
really thinking things though, but just getting to work on the thing
that already exist. Then maybe, after you have earned your reputation,
maybe you will come to be in the position where you can design stuff.
And the open source development model favours this.
I was involved in the creation or thinking up of some new feature of
the Log4J logging platform for java. What happened is that an outsider
other than me suggested a new feature and showed a proof of concept. I
tried to discuss the architecture of what was really needed, but the
project lead just took the idea, whipped up a solution in no time,
that coincided with what was already there, pushed it, had a vote on
it, and basically just made it a part of the core package. The
original person and myself were left out in the dark and the original
person was never heard of again.
Log4J version 2 is flawed and some of it requires a lot of thinking,
but the solution that was included basically uses the existing
architecture to the max thus requiring very little coding. It means it
also has all the flaws that the main architecture has.
If an architecture has flaws, the more it tries to do, the bigger the
problems become.
If your foundation is flawed, it doesn't matter very much if you try
to do very little. The more you try however, the bigger the systems
are that you build on top of it, and the more of a cancer they become.
I'm sorry if I make it sound if I feel this way about NetworkManager,
in essence it is still a small system. But there is no end to the
problems you create if you are going to try to implement any sense of
protocol or complex problem solving thing in this. Even if you want a
monitoring tool for IPv6 resolution protocols, you'd need to try to
make it as standalone as possible, and to try to reduce the contact
surface with NetworkManager in a way. In a sense of okay it's there,
we can write a plugin for using it, but we have to stay a bit remote
from it so its problems don't affect us as much. Like the idea of
being a more older brother or a more mature mentor ;-).....
That's when you talk about monitoring.
If you want to actively support those protocols. There are three
scenarios:
1. create a different version of NetworkManager that adds onto the
core and wraps around it in a way. Don't make this part of the core,
try to keep creating and fixing and evolving the core on its own.
2. try to create independent libraries that contain all the complexity
and mathematics of the resolution protocols, that are easy to use and
that provide a simple API that NM can hook onto, which means both
don't affect each other as much, and if NM wants to provide an
interface to handling these things, that's fine, the complexity of it
will just be up to a library writer to solve.
3. Keep evolving or redesign the core product. Solve the problems it
has. Then do any of the above.
All and all what you want is more elegancy and simplicity in the
entire thing, even if the IPv6 addition is a tangle of wires on its
own accord.
You know, make it easy for people to switch between IPv4 and IPv6, or
even make it possible to use both at the same time, I don't know.
Sorry for the rant. If everything in this life was up to me, I would:
- throw away IPv6 and design something that actually made sense
- change NetworkManager by thinking about the interface to users first
and then designing everything around that
- dump Linux altogether and try to exit this planet ;-).
I would do a lot of other things. There is no end to the projects I
would undertake. There is also no end to the tears I witness every day
in my life.
I'll see you, and sorry for the implications that this is in any way a
flawed product, I do believe there is a competitor to it now (in the
Linux world) but since this is your home bread and home stead, pardon
my offensive language. Please.
Regards.
Bart.
_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list