by vegardx 4215 days ago
While having an unique address per application can be cool, I don't like the premise that this is used as some sort of security layer.

We have firewalls. We know how they work and how to implement them well. For all intents and purposes a typical NAT setup is basically wide open from the inside out. You can do the same with a few simple rules on a firewall.

I know we have firewalls, but in the normal desktop use case, there are some applications that you want external clients to be able to connect to.

Skype (or other VoIP clients), Bittorrent, Game servers, etc all work better with or flat-out require external connectivity.

In the v4 world, we have UPnP or NAT-PMP to allow applications to open a port on the router and to have the router then forward the packets to a client behind the router.

In the v6 world there's no equivalent protocol, even though the work needed would be smaller (forwarding to a given host/port combination is enough; no port mapping).

It's bizarre that at the moment, servers on my various machines at home get better connectivity over IPv4 (thanks to NAT-PMP) than over IPv6 (thanks to my firewall).

Having application-specific addresses would provide more than enough security for many simpler LANs (good luck guessing a 64- or even 80-bit number in order to get the one where the "juicy" ports are open) to use in the absence of a v6-compatible NAT-PMP equivalent.

I would totally trust the 80 bits of pool size as a sufficient security boundary, and I'd disable the IPv6 firewall for my home network if this concept of application-specific addresses existed.

This would also be much closer to the ideal of the old times where every machine was assumed to be connectible without additional configuration anywhere.

Isn't it easy enough to just have a local firewall on each machine where you open up ports for the apps you want to be public?

The firewall on a local machine might suffer from exploits, thus still allowing access.

Or I might want some services open to my LAN and only a smaller subset opened to the public (something the personal firewalls built into many OSes can't do).

> The firewall on a local machine might suffer from exploits, thus still allowing access.

Is an updated firewall from Apple, Microsoft or ipfw more or less likely to suffer from exploits than a cut-rate device from ASUS, Netgear or Linksys that hasn't been updated in years?

> Or I might want some services open to my LAN and only a smaller subset opened to the public (something the personal firewalls built into many OSes can't do)

That may be fair enough but that's just a reason to improve the firewalls in the OSes. As soon as you tether to your phone or use public WiFi you're going to want a solid local firewall anyhow.

The idea is that it can be turned off from the machine itself, so e.g. if you get hacked via a website or email, your firewall might get disabled, while another box would also need to be hacked. (Of course things like UPnP give the machines control over the router, making this moot, which is why I don't run them.)

> Of course things like UPnP give the machines control over the router, making this moot

Yep, this was exactly my point.

I don't really think they get better connectivity. If you can establish a connection from the inside, things work as intended for basically everything. Peer-to-peer is a little different.

Personally I find it a little scary that we allow applications to just open up inbound ports as they see fit. Would you, say, install MySQL locally and have it listen on such an address because it's so unlikely that anyone will ever find it anyway?

If you install MySQL locally, you should not have it listen on any address other than the loopback by default.

And when you do expose it, if you care about security, you should configure the appropriate iptables along the way there and then, rather than relying on a magic box somewhere upstream filtering the packets.

This can be doubly useful if the box in question is your laptop, which you carry around in various, potentially hostile, environments.

I was just using MySQL as a hypothetical example, as it listens on all interfaces by default with packages supplied by Oracle. Next time you're at a tech conference, do a scan on the local network.

My point was that by his standard he would just let it listen on all interfaces because, in his own words, nobody would find it. Which sounds very naive.

Okay, then I think we were in violent agreement.

I was arguing that the whole "listen on all interfaces by default" is wrong: if one needs to expose the app, they should do so explicitly, and you did the same.
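The exchange above turns on which local services are bound to every interface rather than to loopback. As an added example (not code from any commenter), here is a small audit that parses an `ss -ltn` style listing and reports wildcard listeners; the listing below is constructed sample text, not real scan output.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the shape of `ss -ltn` output (not real data).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     [::1]:5432           [::]:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       50      *:8080               *:*
"""


def split_host_port(local: str) -> Tuple[str, int]:
    """Split an ss 'Local Address:Port' token into host and port, handling [v6] brackets."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def classify(host: str) -> str:
    """Return 'wildcard', 'loopback' or 'specific' for a listening address."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "specific"  # hostnames or anything else we cannot parse
    return "loopback" if addr.is_loopback else "specific"


def wildcard_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (host, port) pairs that accept connections on every interface."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_host_port(fields[3])
        if classify(host) == "wildcard":
            findings.append((host, port))
    return findings


if __name__ == "__main__":
    for host, port in wildcard_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port} listens on all interfaces ({host}); bind it to loopback or firewall it")
```

On a real host, feed it the output of `ss -ltn` (or `netstat -ltn`) instead of the constructed sample.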

> We have firewalls. We know how they work and how to implement them well. For all intents and purposes a typical NAT setup is basically wide open from the inside out.

Now consider source routing.

Yup.