miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 

multiple ipv6 addresses

 
survient



Joined: 01 Sep 2019
Posts: 2

Posted: Sun Sep 01, 2019 12:22 am    Post subject: multiple ipv6 addresses

I'm in the process of converting some helper scripts for a service that does not natively support UPNP with IPv6 from using direct firewall rule modifications on my local gateway to instead use UPNP and I'm running into a snag in regards to which IPv6 address to use. All clients on my network have at least 2 if not more public IPv6 addresses and from a design perspective I can't determine whether the intent is to create pinhole rules for every IPv6 address or just a single address. For doing multiple IPs I run into an issue with upnpc if the IP being provided doesn't match the "Local LAN ip address":

Code:

$ upnpc -6 -A "" 0 1234::5678 12345 tcp 120
upnpc : miniupnpc library test client, version 2.1.
 (c) 2005-2018 Thomas Bernard.

for more information.
List of UPNP devices found on the network :
 desc: :||[1234::1]:54321|rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

 desc: 4.3.2.1:8443|upnp
 st: upnp:rootdevice

Found valid IGD : [1234::1]:54321|ctl|IPConn
Local LAN ip address : 1234::ABCD
AddPinhole([]:0 -> [1234::5678]:12345) failed with code 606 (Action not authorized)


In that example the LAN IP is detected as 1234::ABCD but I'm trying to add a pinhole for a secondary IP on the box of 1234::5678. My gateway device has secure_mode=no so I'm not sure if this is expected or not.

Alternatively if the UPNP design with IPv6 is only intended to pinhole one IP, then what is the method to determine which IP that is?
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Sun Sep 01, 2019 10:10 pm    Post subject:

1) secure_mode in miniupnpd is only used for IPv4 PortMappings

2) upnpc tries to reach the UPnP IGD by opening a socket without specifying any IP address. So it is the default one that is used. It all depends on your routing table.

3) please have a look at the syslog for miniupnpd to check why the pinhole is rejected.

Spec for addPinhole : http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
survient



Joined: 01 Sep 2019
Posts: 2

Posted: Mon Sep 02, 2019 12:51 am    Post subject:

Thanks. Here is what I'm seeing:

miniupnpd[16461]: Client 1234::ABCD tried to access pinhole for internal 1234::5678 and is not authorized to do it
miniupnpd[16461]: Returning UPnPError 606: Action not authorized
miniupnpd[16461]: level=0 type=8

Based on the standards document regarding "AddPinhole()" it states:

"[IGD2] RECOMMENDS access control requirements and authentication levels to be applied by default for
this action. However, devices MAY choose a different security policy.
In particular, [IGD2] RECOMMENDS that unauthenticated and unauthorized control points are only
allowed to invoke this action with:
• InternalPort value greater than or equal to 1024,
• InternalClient value equals to the control point's IP address.
It is REQUIRED that InternalClient cannot be one of IPv6 addresses used by the gateway. "

This lines up pretty closely with what the "secure_mode" option is supposed to address for ipv4.

What I'm having trouble wrapping my head around is the intended design for a client-service in this regard; to only make use of the default IPv6 address, or to try and open up pinholes for each public IPv6 address assigned to a device. If I had to guess it seems like it's supposed to just try and figure out the default IP and use that, ensuring the only IP it "publishes" to an external service is this default but there don't appear to be a lot of examples to compare against.
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Mon Sep 02, 2019 8:08 pm    Post subject:

You have to remember the UPnP IGD design context. It is designed so a program on a host in your LAN can request a port to be open automatically.
That's useful for P2P programs.
In that case, I don't understand what's the "several IPs" scenario.
The program will detect the "default" IP and use it for requesting the PinHole, but also to receive inbound connections, etc.
There is no use in using several Global addresses.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
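
The two checks discussed in this thread, as an added example that is not part of any post and is not miniupnpc or miniupnpd code: finding the source address the routing table selects toward the IGD, and applying the default policy quoted from the spec above for unauthenticated control points. The function names and reason strings are hypothetical; the addresses in the demo are the ones from the thread.

```python
import ipaddress
import socket


def default_source_for(igd_host, igd_port):
    """Return the IPv6 source address the OS routing table picks to reach the IGD.

    connect() on a UDP socket sends no packet; it only makes the kernel choose
    a route and source address, which getsockname() reports. Raises OSError
    when there is no IPv6 route to igd_host.
    """
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.connect((igd_host, igd_port))
        return s.getsockname()[0]


def pinhole_denial_reason(control_point, internal_client, internal_port, gateway_addrs):
    """Return None if the request passes the recommended default policy, else a reason.

    Addresses are parsed before comparison, so 1234::ABCD, 1234::abcd and
    1234:0:0:0:0:0:0:abcd all count as the same host.
    """
    cp = ipaddress.IPv6Address(control_point)
    client = ipaddress.IPv6Address(internal_client)
    if client in {ipaddress.IPv6Address(a) for a in gateway_addrs}:
        return "InternalClient is a gateway address"
    if client != cp:
        return "InternalClient differs from control point address"
    if internal_port < 1024:
        return "InternalPort below 1024"
    return None


if __name__ == "__main__":
    gateway = ["1234::1"]  # IGD address as shown in the upnpc output
    # The request from the first post: source 1234::ABCD, pinhole for 1234::5678.
    print(pinhole_denial_reason("1234::ABCD", "1234::5678", 12345, gateway))
    # The same request with InternalClient set to the detected source address.
    print(pinhole_denial_reason("1234::ABCD", "1234::abcd", 12345, gateway))
```

A helper script would call `default_source_for()` with the IGD's host and port and pass the result as InternalClient, rather than iterating over every address on the interface.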
mark



Joined: 21 Jul 2020
Posts: 2
Location: UK

Posted: Tue Jul 21, 2020 12:51 pm    Post subject: multiple ipv6 addresses

IPv6 allows, and often requires, multiple addresses on the same interface. This is more difficult in IPv4, although not always impossible.

What it means is that a host configured with multiple addresses on a single interface will receive traffic destined for any of those addresses. From the perspective of a layer-4 protocol, e.g. TCP, the host can have separate connections using the same TCP address (port) on the same interface because the IP addresses are different.

There are many reasons that this may be configured. If the networks are different, then someone may want the host to serve different networks, e.g. DHCP. If the networks are the same, then it may be due to the obfuscation of IP addressing by Privacy Extensions and Random Addressing that many OSes now employ.

With Cisco, to use multiple IPv4 networks on the same router interface, you must use secondary addressing, and this has some routing protocol limitations. With IPv6, you can simply assign different networks to the same interface, and the routing protocols will work with them all. This doesn't replace the subinterface concept that is often used for VLANs because the different networks will all be on the same layer-2 broadcast domain.

Thank You

Mark
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Thu Aug 06, 2020 5:12 pm    Post subject:

UPnP is designed to hide implementation details from the user, so the use of hosting several services on several IP addresses, etc. is very out of context.
For such use, you will configure everything manually.

UPnP is for use in a context where the host computer has its IP automatically assigned, and is connected to 1 LAN. In that context, there is only 1 IPv6 Globally routable address (but there are of course a LinkLocal address and potentially unique local addresses).
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
All times are GMT
© 2007 Thomas Bernard, author of MiniUPNP.