[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:Interactive Connectivity Establishment (ICE))

Simon Horne s.horne at packetizer.com
Mon Nov 14 19:32:36 CST 2005


At 07:56 AM 15/11/2005, you wrote:
>At 03:03 PM 11/14/2005, Simon Horne wrote:
>s reason a lot of people are very hesitant to turn it on in their routers.
>
>Other security risks as well.
>
>As you imply, Malcode on a PC can take advantage of PnP to set up all
>sorts of covert channels.

Yes, they take advantage of the Microsoft stack that ships with Win XP 
(which is disabled by default) and should be left that way. Which is why I 
used an internal compiled stack from Intel.

>I have seen some rather nasty uses of PnP in attacks on physical
>security.  I hope we don't punt on this one.

Nor do I; however, it works and can be done in VoIP, and if you do not enable 
UPnP within the PC the chance of malware is greatly reduced; however, it 
still does not remove it. Malware can have its own internal stack. There 
really needs to be some form of security within the routers to determine 
which programs/machines are permitted to use it. Until that happens I don't 
think widespread adoption will occur either.

Let's not forget malware can already call out to a server on the Internet, 
open a pinhole, and the server can then gain access to the computer on the 
network without UPnP.

Simon


Simon Horne
Director
Packetizer Labs
www.packetizer.com/labs
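
An added example, not part of the original post: a sketch of the router-side check the message asks for, deciding which machines may create UPnP port mappings. The request fields are the arguments of the UPnP IGD AddPortMapping action; `Rule`, `POLICY`, `check_mapping` and the addresses are hypothetical names and constructed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One allowlist entry: which LAN hosts may map which ports."""
    hosts: ipaddress.IPv4Network
    ports: range
    protocols: frozenset
    max_lease: int  # seconds; a requested lease of 0 means "never expires"

# Constructed policy (assumption): only the VoIP phones' subnet may open
# UDP ports in a media range, and only for a bounded time.
POLICY = [Rule(ipaddress.ip_network("192.168.1.32/28"), range(16384, 32768),
               frozenset({"UDP"}), 3600)]

def check_mapping(src_ip, req, policy=POLICY):
    """Return (allowed, reason) for an AddPortMapping request sent by src_ip.

    The router only sees the source address, so this filters by machine,
    not by program.
    """
    src = ipaddress.ip_address(src_ip)
    try:
        client = ipaddress.ip_address(req["NewInternalClient"])
        ext = int(req["NewExternalPort"])
        internal = int(req["NewInternalPort"])
        lease = int(req["NewLeaseDuration"])
    except (KeyError, ValueError):
        return False, "malformed request"
    # A host may only open a pinhole to itself, never to a neighbour.
    if client != src:
        return False, "mapping requested on behalf of another host"
    for rule in policy:
        if src not in rule.hosts:
            continue
        if req.get("NewProtocol") not in rule.protocols:
            return False, "protocol not permitted for this host"
        if ext not in rule.ports or internal not in rule.ports:
            return False, "port outside permitted range"
        if lease == 0 or lease > rule.max_lease:
            return False, "lease too long or unbounded"
        return True, "allowed"
    return False, "host not on allowlist"  # default deny
```
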




