
I've been setting up my new home network this week and one question has got me thinking - I can't seem to find a clear answer. Despite blocking all inbound connections (except to specific ports on my home server) by default to devices on both IPv4 and IPv6, push notifications still work. I've allowed all outbound traffic by default (I realise this may need fine tuning). My IPv4 network does have UPnP I believe, but I'm not convinced my IPv6 network would (am I being naive in thinking it wouldn't be necessary?).

By nature, push notifications are incoming traffic if I'm not mistaken. Why do they still work from a technical standpoint? Does the device hold a persistent outbound connection which is frequently checking for notifications, or is it likely to be UPnP that's allowing the inbound connection?

To be clear I'm not looking to block push notifications, I just want to know why they aren't affected by inbound traffic blocks.

1 Answer

The phone has created an outgoing connection to the "cloud messaging" service and just keeps occasionally receiving data over it. (It's quite similar to how old IM/chat apps such as IRC or XMPP or AIM used to work – they just had a long-lasting TCP connection to the server. I think Google's FCM might even be using the same XMPP protocol.)

Your firewall (and your NAT gateway) keeps track of connection state and automatically allows incoming traffic that looks like it's associated with an existing active connection (based on TCP port pair and sequence numbers). This is necessary in order to even establish that connection, and of course to receive responses over it.

Note that the phone doesn't need to keep asking for new data every second – it can simply receive it at any time; TCP connections are free-form and not tied to a request/response format. The server can send data over that TCP connection at any time as long as it isn't closed.

(Although sometimes it's unavoidable. In an ideal world, an idle TCP connection should be able to last hours or even days between bursts of activity (as long as you're still on the same network and your address hasn't changed). But because many home routers have rather short state timeouts, the phone does occasionally wake up and send a "keep-alive" packet over that connection to extend the firewall's state expiry timers.)

The "port forwarding" mechanism of UPnP IGD is not relevant in the IPv6 world, however, home IPv6 networks are still typically behind a firewall so the updated IGD2 protocol does have calls to expose a specific port for that as well.

grawity
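As an added illustration of the stateful-firewall behaviour the answer describes (example code, not from the post or its author): a toy connection-tracking model in which an outbound connection creates a state entry, inbound packets matching that flow are accepted, unsolicited inbound packets are dropped, and an idle entry expires unless a keep-alive refreshes it. The addresses, ports and timestamps are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN

class StatefulFirewall:
    def __init__(self, idle_timeout: int) -> None:
        # Default-deny inbound; only replies to flows the LAN side opened pass.
        self.idle_timeout = idle_timeout
        self.state: dict[tuple, int] = {}  # flow key -> last-seen time

    @staticmethod
    def flow_key(pkt: Packet) -> tuple:
        # Canonical (lan_addr, lan_port, wan_addr, wan_port) so both
        # directions of one connection map to the same state entry.
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt: Packet, now: int) -> str:
        # Drop entries idle longer than the timeout (what a short router timer does)
        self.state = {k: t for k, t in self.state.items() if now - t < self.idle_timeout}
        key = self.flow_key(pkt)
        if pkt.direction == "out":
            self.state[key] = now  # outbound is allowed and creates/refreshes state
            return "ACCEPT"
        if key in self.state:
            self.state[key] = now  # inbound data on an established flow passes
            return "ACCEPT"
        return "DROP"  # unsolicited inbound: no matching state
def push_scenario(idle_timeout: int = 300) -> list[str]:
    """Constructed timeline: addresses, ports and times are sample values."""
    fw = StatefulFirewall(idle_timeout)
    phone, cloud = "2001:db8::10", "2001:db8:ffff::1"
    connect = Packet(phone, 40000, cloud, 5222, "out")   # phone opens the long-lived connection
    notify = Packet(cloud, 5222, phone, 40000, "in")     # server pushes data on that flow
    stranger = Packet("2001:db8:bad::1", 5222, phone, 40000, "in")
    return [
        fw.handle(stranger, 0),    # DROP: nothing opened this flow
        fw.handle(connect, 0),     # ACCEPT: state entry created
        fw.handle(notify, 100),    # ACCEPT: push arrives over the existing flow
        fw.handle(connect, 250),   # ACCEPT: keep-alive refreshes the timer
        fw.handle(notify, 500),    # ACCEPT: 500-250 < 300, state still alive
        fw.handle(notify, 900),    # DROP: idle since 500, entry expired
    ]
```

Raising `idle_timeout` in `push_scenario` (as a router with longer state timers would) turns the final DROP into an ACCEPT without the keep-alive being needed.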