Keith Moore wrote:
> Given how hostile consumer ISPs are to retail customers running servers
> visible to the public, I don't get it. It makes P2P stuff somewhat
> easier but UPNP and STUN already let you do a lot of it from behind a
> NAT.
The requirements for NAT traversal drastically increase the cost and
decrease the reliability of apps that need to do that.
See:
https://datatracker.ietf.org/doc/draft-ohta-e2e-nat/
for the solution with the end to end transparency not requiring NAT
traversal.
Certain configuration efforts on the server side, such as accepting incoming
connections only on certain ports, are of course necessary if you want
some (though not so strong) security.
> UPNP is a security hole and STUN isn't a fix at all, sort of a bandage at best.
It should be noted that, though E2ENAT requires modifications (removal
of harmful functionalities of usual NAT boxes) to existing NAT boxes,
with UPNP-capable legacy NAT boxes we can fully enjoy E2E transparency
over TCP and UDP, which I call "almost end to end NAT".
As a result, I can safely declare IPv6 unnecessary.
Masataka Ohta
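The STUN exchange both posters refer to, written out as an added example (this is not code from the thread or from either author, and it is not the E2ENAT draft): a client builds an RFC 5389 Binding Request, sends it through the NAT, and parses the XOR-MAPPED-ADDRESS the server returns to learn the public address:port the NAT assigned. It uses only the Python standard library; the server reply for 203.0.113.7:40000 is constructed locally so the demo runs offline, and discover_reflexive_address() is the only piece that needs a real server. The caveat the thread is arguing about is visible in what the code does and does not do: the request merely reports a mapping the NAT already created for this socket, nothing here opens a port, and whether a third party can reuse that mapping depends on the NAT's mapping and filtering behaviour (RFC 4787), which is why STUN is a workaround rather than end to end transparency.

```python
"""STUN Binding exchange (RFC 5389) for discovering a NAT-mapped address.

Added example, not code from the thread; uses only the standard library.
The sample reply and the address 203.0.113.7:40000 are constructed.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442           # RFC 5389 fixed value, also the XOR key
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id=None):
    """20-byte STUN header with no attributes; to the NAT it is an ordinary UDP packet."""
    txn_id = txn_id if txn_id is not None else os.urandom(12)
    if len(txn_id) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def encode_xor_mapped_address(ip, port, txn_id):
    """Server-side encoding of XOR-MAPPED-ADDRESS (IPv4), used here to fake a reply."""
    raw = socket.inet_pton(socket.AF_INET, ip)
    key = struct.pack("!I", MAGIC_COOKIE)
    xaddr = bytes(a ^ b for a, b in zip(raw, key))
    value = struct.pack("!xBH", 0x01, port ^ (MAGIC_COOKIE >> 16)) + xaddr
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_success(txn_id, ip, port):
    """Constructed Binding Success Response carrying one XOR-MAPPED-ADDRESS."""
    attrs = encode_xor_mapped_address(ip, port, txn_id)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE) + txn_id + attrs


def _decode_xor_mapped(value, txn_id):
    family, xport = struct.unpack("!xBH", value[:4])
    port = xport ^ (MAGIC_COOKIE >> 16)
    key = struct.pack("!I", MAGIC_COOKIE) + txn_id      # 16 bytes: cookie || txn id
    if family == 0x01:
        raw = bytes(a ^ b for a, b in zip(value[4:8], key[:4]))
        return socket.inet_ntop(socket.AF_INET, raw), port
    if family == 0x02:
        raw = bytes(a ^ b for a, b in zip(value[4:20], key))
        return socket.inet_ntop(socket.AF_INET6, raw), port
    raise ValueError("unknown address family %#x" % family)


def parse_binding_response(data, expected_txn_id):
    """Return (ip, port) the NAT assigned, validating header, cookie and txn id."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    txn_id = data[8:20]
    if cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    if txn_id != expected_txn_id:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected message type %#06x" % msg_type)
    if len(data) != 20 + length:
        raise ValueError("length field does not match datagram")
    mapped, offset = None, 20
    while offset + 4 <= len(data):
        attr_type, attr_len = struct.unpack("!HH", data[offset:offset + 4])
        value = data[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            mapped = _decode_xor_mapped(value, txn_id)
        offset += 4 + (attr_len + 3) // 4 * 4     # attributes are padded to 32 bits
    if mapped is None:
        raise ValueError("no XOR-MAPPED-ADDRESS in response")
    return mapped


def discover_reflexive_address(server, port=3478, timeout=2.0):
    """Live exchange against a real STUN server (needs network; not run in the demo)."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txn_id), (server, port))
        data, _ = sock.recvfrom(1500)
    return parse_binding_response(data, txn_id)


if __name__ == "__main__":
    # Offline demo: a constructed reply stands in for the STUN server.
    txn = os.urandom(12)
    reply = build_binding_success(txn, "203.0.113.7", 40000)
    print(parse_binding_response(reply, txn))
```

The transaction-ID and cookie checks matter in practice: the client socket is open to anyone who can reach the mapped port, so a reply that does not match the outstanding request must be discarded rather than trusted as the "public address".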