On Mon, Feb 19, 2024 at 10:31 AM Tim Howe <tim.h@bendtel.com> wrote:
> On Mon, 19 Feb 2024 10:01:06 -0800 William Herrin <bill@herrin.us> wrote:
>> So when the user wants to run a home server, their IPv4 options are to create a TCP or UDP port forward for a single service port or perhaps create a generic port forward for every port to a single internal machine. Protocols other than TCP and UDP are not supported.
>
> OK, but I'm not sure what you are getting at by saying this is TCP and UDP exclusive... I don't know why it would be; what's the example you think is typically being denied?

Hi Tim,

NATs don't generally process protocols like GRE, ESP (IPSEC), SCTP and most of the hundred fifty or so other protocols that sit atop IPv4. They don't have code that would make it possible to process those packets. They're generally TCP, UDP, and ICMP. Anything else is necessarily dropped.

> The assumption being that a guardrail for someone being really self-destructive is removed.

In more sophisticated scenarios where subtler errors are possible, I described it as a "security layer" rather than a "guardrail." But yes: we're talking about the same thing.

> I still believe the statement "IPv6 is typically delivered to 'most people' without border security" to be demonstrably false.

I concede the claim. I am satisfied with your evidence that I was in error.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
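As an added illustration of the point made above about why a port-based translator has nothing to rewrite for GRE or ESP (example code written for this page, not from anyone in the thread; the addresses and packets are constructed), the classifier below shows the only fields a TCP/UDP/ICMP NAT knows how to track, and why every other protocol number ends up dropped:

```python
import struct

# IPv4 protocol numbers used by the constructed packets.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 1, 6, 17, 47, 50

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) for a constructed packet."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, addr(src), addr(dst))
    return hdr + payload

def napt_classify(pkt):
    """Return the (proto, inside_addr, inside_id) a port-based NAT would map, or None if it cannot."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, l4 = pkt[9], ".".join(str(b) for b in pkt[12:16]), pkt[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        # The source port is the per-flow field a NAPT rewrites and tracks.
        return (proto, src, struct.unpack("!H", l4[:2])[0])
    if proto == PROTO_ICMP and len(l4) >= 8 and l4[0] in (0, 8):
        # Echo request/reply carry a 16-bit identifier that serves the same role.
        return (proto, src, struct.unpack("!H", l4[4:6])[0])
    # GRE, ESP, and the rest: no field the translator knows how to rewrite,
    # so a TCP/UDP/ICMP-only implementation has nothing to do but drop it.
    return None

def nat_verdict(pkt):
    return "translate" if napt_classify(pkt) else "drop"

def demo_verdicts():
    """Constructed packets from inside host 192.168.1.10 toward 203.0.113.5; returns {name: verdict}."""
    inside, outside = "192.168.1.10", "203.0.113.5"
    samples = {
        "tcp": build_ipv4(PROTO_TCP, inside, outside, struct.pack("!HH", 40000, 443) + bytes(16)),
        "icmp": build_ipv4(PROTO_ICMP, inside, outside, bytes([8, 0, 0, 0]) + struct.pack("!HH", 0x1234, 1)),
        "gre": build_ipv4(PROTO_GRE, inside, outside, bytes(4) + bytes(20)),   # GRE header, no ports
        "esp": build_ipv4(PROTO_ESP, inside, outside, bytes(8) + bytes(24)),   # SPI + seq, opaque payload
    }
    return {name: nat_verdict(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{name}: {verdict}")
```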