From: Juliusz Chroboczek
To: Curtis Villamizar
Cc: galene@lists.galene.org
Date: Sat, 21 Mar 2026 12:44:38 +0100
Subject: [Galene] IPv6 and ICE [was: galene on IPv6 only]
Message-ID: <87ikapo195.wl-jch@irif.fr>
In-Reply-To: <202603201610.62KGAmXp026937@korolev.univ-paris7.fr>
List-Id: Galène videoconferencing server discussion list

I'm separating this into its own thread, so we can focus on Galene
improvements in the main thread.

>> I, too, used to be optimistic about IPv6 ;-)
>
> That is another discussion. So I'll try to be brief.

No need to be brief, people who are not interested will hit delete.

> Even here in the laggard US more consumer ISPs are offering IPv6
> either enabled by default or enabled on request.

Oh, fully agreed, sorry for the misunderstanding. I have no doubts that
IPv6 is being widely deployed. I'm also fully committed to having Galene
work well in v6-only networks. (In fact, Nexedi, one of the former
sponsors of Galene, are running a v6-only network internally, using
reverse proxies for all v4 access.)

What I'm no longer optimistic about is IPv6 traffic being end-to-end,
with no middleboxes. People are putting stateful firewalls around their
IPv6 networks, so we still need things like STUN and TURN in order to
cross these firewalls. And I have it on good authority that people are
doing NAT in IPv6. Granted, it's 1-to-1 NAT, not NAPT, but it's still
NAT.

And then there's the issue of corporate firewalls (that whitelist web
traffic and Zoom, because the web and Zoom are supposedly not threats,
but block anything else). And don't get me started on state-sponsored
firewalls (China, of course, but also Russia and other
petrodictatorships).

>> ICE is still required, since both address selection and blackhole
>> detection are done by ICE.

> This is not a problem in my case. IPv6 in the clear, no NAT.

How I wish that were true!

There's the issue of the client-side firewall. If it's a simple stateful
firewall, as in most residential networks, then you need ICE in order to
ensure that the first packet in a UDP flow goes from client to server.
If it's a fascist corporate firewall that blocks all non-web traffic,
then you need a TURN server on port 443 (and preferably more than one,
on different IP ranges).

Even when there's no firewall, ICE is the mechanism that allows Galene
to detect that a UDP flow is no longer functioning, and therefore to
reliably restart a flow after a UDP outage: it detects the case when UDP
suddenly gets filtered but the TCP WebSocket remains functional.

-- Juliusz
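
The two firewall behaviours discussed in the message above, as an added example that is not part of the original message and is not Galene's code: a toy model of a simple stateful firewall showing why the first UDP packet must go from client to server, and how periodic connectivity checks notice that UDP has started being filtered. The `Firewall`, `Check` and `Monitor` names, the `maxMissed` threshold and the addresses are all constructed for illustration; this is a model, not an ICE implementation.

```go
package main

import "fmt"

const client, server = "[2001:db8:1::10]:50000", "[2001:db8:2::1]:8443" // constructed

type flow struct{ inside, outside string }

// Firewall models a simple stateful firewall: outbound packets pass and
// create state; inbound packets pass only if they match existing state.
type Firewall struct {
	state      map[flow]bool
	udpBlocked bool // set when UDP suddenly gets filtered
}

func NewFirewall() *Firewall { return &Firewall{state: map[flow]bool{}} }

func (f *Firewall) Outbound(in, out string) bool {
	f.state[flow{in, out}] = f.state[flow{in, out}] || !f.udpBlocked
	return !f.udpBlocked
}

func (f *Firewall) Inbound(out, in string) bool {
	return !f.udpBlocked && f.state[flow{in, out}]
}

// Check is one ICE-style connectivity check: client request, server reply.
func Check(f *Firewall, c, s string) bool { return f.Outbound(c, s) && f.Inbound(s, c) }

// Monitor runs periodic checks, filters UDP from round blockAt on, and returns
// the round where maxMissed consecutive checks have failed (-1 if none).
func Monitor(f *Firewall, blockAt, rounds, maxMissed int) int {
	missed := 0
	for i := 0; i < rounds; i++ {
		f.udpBlocked = f.udpBlocked || i == blockAt
		if Check(f, client, server) {
			missed = 0
		} else if missed++; missed >= maxMissed {
			return i
		}
	}
	return -1
}

func main() {
	fw := NewFirewall()
	fmt.Println("server sends first, passes:", fw.Inbound(server, client))
	fmt.Println("client check passes:", Check(fw, client, server))
	fmt.Println("flow declared dead at round:", Monitor(fw, 3, 10, 3))
}
```

In the model, the signalling channel is untouched by `udpBlocked`, which is the situation the message describes: the media flow is dead while the WebSocket still works, so only the periodic checks reveal the outage.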