Galène videoconferencing server discussion list archives
From: Juliusz Chroboczek <jch@irif.fr>
To: Curtis Villamizar <curtis@orleans.occnc.com>
Cc: galene@lists.galene.org
Subject: [Galene] IPv6 and ICE [was: galene on IPv6 only]
Date: Sat, 21 Mar 2026 12:44:38 +0100
Message-ID: <87ikapo195.wl-jch@irif.fr>
In-Reply-To: <202603201610.62KGAmXp026937@korolev.univ-paris7.fr>

I'm separating this into its own thread, so we can focus on Galene
improvements in the main thread.

>> I, too, used to be optimistic about IPv6 ;-)
> 
> That is another discussion.  So I'll try to be brief.

No need to be brief, people who are not interested will hit delete.

> Even here in the laggard US more consumer ISPs are offering IPv6
> either enabled by default or enabled on request.

Oh, fully agreed, sorry for the misunderstanding.  I have no doubts that
IPv6 is being widely deployed.  I'm also fully committed to having Galene
work well in v6-only networks.  (In fact, Nexedi, one of the former
sponsors of Galene, are running a v6-only network internally, using
reverse proxies for all v4 access.)

What I'm no longer optimistic about is IPv6 traffic being end-to-end, with
no middleboxes.  People are putting stateful firewalls around their IPv6
networks, so we still need things like STUN and TURN in order to cross
these firewalls.  And I have it on good authority that people are doing
NAT in IPv6.  Granted, it's 1-to-1 NAT, not NAPT, but it's still NAT.

And then there's the issue of corporate firewalls (that whitelist web
traffic and Zoom, because the web and Zoom are supposedly not threats, but
block anything else).  And don't get me started on state-sponsored
firewalls (China, of course, but also Russia and other petrodictatorships).

>> ICE is still required, since both address selection and blackhole
>> detection are done by ICE.

> This is not a problem in my case.  IPv6 in the clear, no NAT.

How I wish that were true!

There's the issue of the client-side firewall.  If it's a simple stateful
firewall, as in most residential networks, then you need ICE in order
to ensure that the first packet in a UDP flow goes from client to server.
If it's a fascist corporate firewall that blocks all non-web traffic, then
you need a TURN server on port 443 (and preferably more than one, on
different IP ranges).

Even when there's no firewall, ICE is the mechanism that allows Galene to
detect that a UDP flow is no longer functioning, and therefore to reliably
restart a flow after a UDP outage: it detects the case when UDP suddenly
gets filtered but the TCP WebSocket remains functional.

-- Juliusz
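
The firewall behaviour discussed in the message above, as an added example that is not part of the original message and not Galene's code: a toy model of a stateful UDP firewall on the client side, showing that a server-first packet is dropped, that a client-initiated check opens the flow, and that a failing check reveals a UDP outage. The type and function names, the 30-second idle timeout and the addresses (documentation prefix 2001:db8::/32) are assumptions made for the illustration.

```go
// Added illustration, not Galene code: a toy stateful UDP firewall in front
// of a client. All names, addresses and the timeout are constructed.
package main

import "fmt"

// flow identifies a UDP flow as seen from the protected (client) side.
type flow struct{ local, remote string }

// Firewall models simple connection tracking: inbound packets pass only if
// the client recently sent on the same flow. blockUDP models a UDP outage.
type Firewall struct {
	idleTimeout int          // lifetime of flow state, in seconds
	lastOut     map[flow]int // time of the last outbound packet per flow
	blockUDP    bool
}

func NewFirewall(idle int) *Firewall {
	return &Firewall{idleTimeout: idle, lastOut: map[flow]int{}}
}

// Outbound records state for a client-to-server packet; false if filtered.
func (f *Firewall) Outbound(now int, local, remote string) bool {
	if f.blockUDP {
		return false
	}
	f.lastOut[flow{local, remote}] = now
	return true
}

// Inbound reports whether a server-to-client packet is let through.
func (f *Firewall) Inbound(now int, remote, local string) bool {
	t, ok := f.lastOut[flow{local, remote}]
	return !f.blockUDP && ok && now-t <= f.idleTimeout
}

// ConsentCheck is one STUN-style request/response round trip from the client.
func ConsentCheck(f *Firewall, now int, local, remote string) bool {
	return f.Outbound(now, local, remote) && f.Inbound(now, remote, local)
}

func main() {
	fw := NewFirewall(30)
	c, s := "[2001:db8::10]:50000", "[2001:db8:1::1]:8443"
	fmt.Println("server sends first:", fw.Inbound(0, s, c))
	fmt.Println("client check:", ConsentCheck(fw, 1, c, s))
	fmt.Println("media from server:", fw.Inbound(5, s, c))
	fw.blockUDP = true
	fmt.Println("check during outage:", ConsentCheck(fw, 10, c, s))
}
```

In this model the signalling channel is untouched by `blockUDP`, which is the situation the message describes: only the periodic check on the UDP flow itself notices the outage.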
