06:19 <isd> ocdtrekkie: iirc we'd talked a bit about the possibility having Sandstorm automatically configure port forwarding, but kindof dismissed the idea because upnp has security problems. But I was reading a bit about nat traversal earlier and discovered there are some more recent protocols out there for this sort of thing; transmission (bittorrent client) seems to use something called NAT-PMP, and there's apparently a successor to

06:19 <isd> that called Port Control Protocol. I wonder if it's worth revisiting to see if there's a good option for this after all.

06:26 <crab> hi isd.

06:27 <JacobWeisz[m]> I guess my main peeve was the general concept of a device inside a network being allowed or capable of configuring the router without authentication, rather than the specifics of uPNP as a protocol.

06:28 <isd> I mean, in this case, "configure the router" really just means "work around the fact that NAT means you can't just listen()"

06:28 <isd> crab: hi

06:29 <JacobWeisz[m]> I suppose if newer versions of the protocol/concept exist and are used today by modern software, I guess we might as well. It just feels like something I'd not want my router to respond to.

06:29 <JacobWeisz[m]> So my question is what percentage of home routers support whatever we implement out of the box?

06:36 <isd> I kinda expect to find the newer versions won't let you grab 80/443. But it's worth looking into what we can expect from most routers I think.

14:48 <TimMc> isd: Not to mention some ISPs block inbound 80 and 25 in their infrastructure.

14:49 <JacobWeisz[m]> Yeah, I choose to keep 6080 because even if my ISP doesn't block it, it's against the TOS for me to server at well-known ports.

14:53 <TimMc> It helps to think of NATs and firewalls as distinct -- uPNP gets around the accidental-firewalling that NAT induces, but you can still set policy about what is allowed to listen.

14:53 <TimMc> (depending on your router, heh)

14:54 <TimMc> IMO NATs are one of the worst things to happen to personal computing.

14:54 <JacobWeisz[m]> I don't know... the accidental security they produce has probably saved a lot of people a lot of pain.

15:41 <jfred> maybe, but I feel like that has more to do with the firewall than with the NAT; a default-deny firewall would provide similar levels of security

15:41 <jfred> a default-deny firewall alone I should say

16:11 <JacobWeisz[m]> I'm thinking about your D-Link and Netgear home routers of the world where admin/password has thrived for a decade or more and the user has no idea if they have a firewall or not.

16:32 <TimMc> That's part of why port 80 inbound is blocked by ISPs, too. :-P

19:03 <isd> fwiw the few ISPs I've had where I've tried port 80, it's been open -- frankly it's not that rife for abuse and it's unlikely for something to accidently expose itself.

19:03 <isd> port 25 is another story though

19:04 <isd> But yes, I think there's firewalls, and then there's port forwarding... which is basically just "routing" in the context of a NAT, so that is somthing routers should be doing, I think...

19:04 <JacobWeisz[m]> I haven't tested mine, I just know it's a terms violation to use it.

19:05 <JacobWeisz[m]> I imagine the home ISPs larger than mine have similar terms, whether they bother to technically block it or not.

19:05 <isd> Maybe we shouldn't try to use the low ports in the auto-config anyway then; if the user wants that they can do the forwarding manually. That way it's more likely people know what they're getting into there.

19:07 <isd> In an ideal world, networks would operate on capability principles, so you'd hook your sandstorm box up to the network, and it would do the network equivalent of a powerbox request, and a thing would pop up on your phone/laptop letting you decide how to expose it.

19:07 <isd> But we're stuck with ip and NAT I think :P

19:31 <isd> I think tonight is office hours?

19:43 <JacobWeisz[m]> I think so, yeah.

20:25 <isd> Ok, let's go with that then.

20:25 <isd> Someone else should make a notes grain; my sandstorm box isn't booting and I still need to troubleshoot why.

20:40 <isd> ...or not. Got it working, finally.

20:46 <isd> Ok, made a notes grain.