[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive Connectivity Establishment (ICE))

Randell Jesup rjesup at wgate.com
Mon Nov 14 23:39:29 CST 2005


Simon Horne <s.horne at packetizer.com> writes:
>There is, it is called UPnP IGD or Universal Plug 'n Play (Internet Gateway 
>Device) refer www.upnp.org and most home/small office routers now support it.

>The biggest problem is that it potentially adds a security risk to the 
>network, other malicious programs running on the LAN can open ports up as 
>they wish, there is no security to filter which programs can use it. For 
>this reason a lot of people are very hesitant to turn it on in their routers.

        Security is a real problem with UPnP, though it's not fundamentally
much worse given a sophisticated attacker behind a normal NAT.  A
sophisticated attacker with code on the inside can punch holes and set up
tunnels from the inside.  The difference in UPnP is that it's easier to
set up semi-permanent holes (at least until router reboots), and easier to
open holes allowing any incoming IP, and easier to set up holes that go to
"standard" services that might be exploitable.

        Another big problem with UPnP is the double-NAT problem.
Put a device behind two UPnP NATs and you can't open a port through both.
With STUN/etc, you can open ports through any number of NATs.

        The last big problem with UPnP is the size and complexity of
the commands to open ports.  Some routers can take 5-10 seconds to open
a single port with UPnP.  Even a good implementation is constrained by the
amount of data transferred for UPnP.

-- 
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS team
rjesup at wgate.com
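
An added example, not part of the original post: a defender-side audit of a router's UPnP IGD port-mapping table for the three properties the message singles out (mappings with no expiry, mappings open to any incoming IP, and mappings that forward to standard services). The sample responses are constructed, and the function names and the STANDARD_SERVICE_PORTS list are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed list of "standard" service ports worth flagging; adjust as needed.
STANDARD_SERVICE_PORTS = {21, 22, 23, 25, 80, 135, 139, 443, 445, 3389}

# Constructed sample data: GetGenericPortMappingEntry responses using the
# WANIPConnection:1 argument names. Addresses and descriptions are made up.
_TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse'
    ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost>{0}</NewRemoteHost><NewExternalPort>{1}</NewExternalPort>'
    '<NewProtocol>{2}</NewProtocol><NewInternalPort>{3}</NewInternalPort>'
    '<NewInternalClient>{4}</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>{5}</NewPortMappingDescription>'
    '<NewLeaseDuration>{6}</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
SAMPLES = [
    _TEMPLATE.format("", 2222, "TCP", 22, "192.168.1.50", "updater", 0),
    _TEMPLATE.format("203.0.113.7", 5060, "UDP", 5060, "192.168.1.20", "videophone", 3600),
]

def parse_mapping(soap_xml):
    """Return the New* arguments of one SOAP response as a dict."""
    mapping = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if name.startswith("New"):
            mapping[name] = (el.text or "").strip()
    return mapping

def audit(mapping):
    """List the risky properties of one enabled mapping."""
    findings = []
    if mapping.get("NewEnabled") != "1":
        return findings
    if (mapping.get("NewLeaseDuration") or "0") == "0":
        findings.append("no lease expiry")
    if mapping.get("NewRemoteHost", "") == "":
        findings.append("any remote IP allowed")
    if int(mapping.get("NewInternalPort") or 0) in STANDARD_SERVICE_PORTS:
        findings.append("forwards to a standard service port")
    return findings

def audit_all(responses):
    """Map 'PROTO/ext -> client:int' to its findings for each response."""
    report = {}
    for m in map(parse_mapping, responses):
        key = f'{m["NewProtocol"]}/{m["NewExternalPort"]} -> {m["NewInternalClient"]}:{m["NewInternalPort"]}'
        report[key] = audit(m)
    return report
```
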




