From: Craig Miller
To: galene@lists.galene.org
Date: Sat, 21 Mar 2026 08:08:40 -0700
Subject: [Galene] Re: IPv6 and ICE [was: galene on IPv6 only]
Message-ID: <00ba65f8-e83d-4ce6-affe-19984223e1c9@gmail.com>
In-Reply-To: <87ikapo195.wl-jch@irif.fr>

I think the goal needs to be better described.

In an IPv6-only environment, there is NO NAT. Yes there is a stateful firewall, but ports are opened to destinations in a DMZ network for services offered from the DMZ.

For Galene, if a pool of UDP ports were to be defined, then that pool could be opened in the stateful firewall allowing incoming UDP to the Galene server. There would be no need for ICE or STUN, since those address/port destinations would be available to the internet.

Craig...

On 3/21/26 04:44, Juliusz Chroboczek wrote:
> I'm separating this into its own thread, so we can focus on Galene
> improvements in the main thread.
>
>>> I, too, used to be optimistic about IPv6 ;-)
>> That is another discussion. So I'll try to be brief.
> No need to be brief, people who are not interested will hit delete.
>
>> Even here in the laggard US more consumer ISPs are offering IPv6
>> either enabled by default or enabled on request.
> Oh, fully agreed, sorry for the misunderstanding. I have no doubts that
> IPv6 is being widely deployed. I'm also fully committed to having Galene
> work well in v6-only networks. (In fact, Nexedi, one of the former
> sponsors of Galene, are running a v6-only network internally, using
> reverse proxies for all v4 access.)
>
> What I'm no longer optimistic about is IPv6 traffic being end-to-end, with
> no middleboxes. People are putting stateful firewalls around their IPv6
> networks, so we still need things like STUN and TURN in order to cross
> these firewalls. And I have it on good authority that people are doing
> NAT in IPv6. Granted, it's 1-to-1 NAT, not NAPT, but it's still NAT.
>
> And then there's the issue of corporate firewalls (that whitelist web
> traffic and Zoom, because the web and Zoom are supposedly not threats, but
> block anything else).
> And don't get me started on state-sponsored
> firewalls (China, of course, but also Russia and other petrodictatorships).
>
>>> ICE is still required, since both address selection and blackhole
>>> detection are done by ICE.
>> This is not a problem in my case. IPv6 in the clear, no NAT.
> How I wish that were true!
>
> There's the issue of the client-side firewall. If it's a simple stateful
> firewall, as in most residential networks, then you need ICE in order
> to ensure that the first packet in a UDP flow goes from client to server.
> If it's a fascist corporate firewall that blocks all non-web traffic, then
> you need a TURN server on port 443 (and preferably more than one, on
> different IP ranges).
>
> Even when there's no firewall, ICE is the mechanism that allows Galene to
> detect that a UDP flow is no longer functioning, and therefore to reliably
> restart a flow after a UDP outage: it detects the case when UDP suddenly
> gets filtered but the TCP WebSocket remains functional.
>
> -- Juliusz

-- 
IPv6 is the future, the future is here
http://ipv6hawaii.org/
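
The two situations discussed in this exchange, an opened UDP port pool in front of the server and a stateful firewall in front of the client, can be put side by side in a toy model. This is an added example, not part of either message and not Galene code; the addresses, the port pool 10000-10100 and the 30-second state timeout are assumptions chosen for illustration.

```python
# Toy model of stateful UDP filtering (added illustration, not Galene code).
from dataclasses import dataclass, field

UDP_STATE_TIMEOUT = 30  # seconds; assumed value, real firewalls vary

@dataclass
class StatefulFirewall:
    """Protects 'inside' hosts; tracks UDP flows that were opened from inside."""
    pinholes: list = field(default_factory=list)  # (inside_addr, lo_port, hi_port)
    flows: dict = field(default_factory=dict)     # flow key -> last-seen time

    def outbound(self, src, sport, dst, dport, now):
        # Traffic leaving the protected network passes and creates/refreshes state.
        self.flows[(src, sport, dst, dport)] = now
        return True

    def inbound(self, src, sport, dst, dport, now):
        key = (dst, dport, src, sport)            # reverse of the outbound key
        seen = self.flows.get(key)
        if seen is not None and now - seen <= UDP_STATE_TIMEOUT:
            self.flows[key] = now
            return True
        # No live state: only a static rule (DMZ pinhole) can admit the packet.
        return any(dst == a and lo <= dport <= hi for a, lo, hi in self.pinholes)

def scenario():
    server, client = "2001:db8:1::10", "2001:db8:2::20"  # documentation prefix
    server_fw = StatefulFirewall(pinholes=[(server, 10000, 10100)])  # opened pool
    client_fw = StatefulFirewall()                # residential: no inbound rules
    r = {}
    # Server sends first: the client firewall has no state for this flow.
    r["server_first"] = client_fw.inbound(server, 10005, client, 40000, now=0)
    # Client sends first: creates client-side state; the pinhole admits it.
    client_fw.outbound(client, 40000, server, 10005, now=1)
    r["client_first"] = server_fw.inbound(client, 40000, server, 10005, now=1)
    r["server_reply"] = client_fw.inbound(server, 10005, client, 40000, now=2)
    # The flow goes quiet; client-side state expires and server packets drop.
    idle = 2 + UDP_STATE_TIMEOUT + 1
    r["after_idle"] = client_fw.inbound(server, 10005, client, 40000, now=idle)
    return r

if __name__ == "__main__":
    print(scenario())
```

In this model the server-side pool makes the server reachable, while delivery toward the client still depends on the client having sent first and on its firewall state staying fresh.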