UPnP/IPv6 support in home routers?

Tom Hill tom at ninjabadger.net
Mon Dec 18 23:12:42 CET 2017


On 11/12/17 15:03, Gert Doering wrote:
> But that's the whole idea of UPnP or IGD.  Whether you open one port or
> all of them, on request of a possibly-compromised host, is of no relevance.

I would disagree, on the purely theoretical basis of how it would be
presented to the user:

 Situation 1: 'good' host has opened recognisable TCP port
 Situation 2: 'bad' host has opened unrecognisable TCP port
 Situation 3: 'good' host has opened all TCP/UDP ports to its addresses
 Situation 4: 'bad' host has opened all TCP/UDP ports to its addresses

It is relatively trivial to identify or query malicious behaviour when
the possible situations in front of you are #1 and #2. When they are #3
and #4 it isn't as simple because you simply have less information about
what's going on.

If the standards were to theoretically permit the legitimate
'DFZ-enabling' in any such protocol, software creators will eventually
use it for legitimate (albeit probably stupid) reasons, and it'll become
common enough that even a relatively clued-up user would not be able to
recognise if a host is placing itself in a DFZ for legitimate or
illegitimate reasons.

I personally disable UPnP everywhere, but as we're stuck with it in the
wild, we should always be considering how changes could make the
situation even worse than the current situation, as opposed to saying
"this is all rubbish anyway". :)

-- 
Tom
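
The four situations above, turned into a small review check (an added example, not code from the original message or from any UPnP stack): each requested opening is mapped to "recognised", "unrecognised" or "indeterminate", and a host with even one all-ports opening is reported as indeterminate regardless of its other entries. The record layout, the wildcard convention (port 0 / protocol "any" meaning everything), the service allowlist and the sample entries are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

ALL_PORTS = 0         # assumed wildcard: the opening covers every port
ANY_PROTOCOL = "any"  # assumed wildcard: the opening covers TCP and UDP

# Assumed allowlist of services a clued-up user could recognise by port.
RECOGNISED = {80: "http", 443: "https", 3074: "xbox-live", 6881: "bittorrent"}


@dataclass(frozen=True)
class Opening:
    client: str    # internal host that requested the opening
    protocol: str  # "tcp", "udp" or ANY_PROTOCOL
    port: int      # port opened towards that host, or ALL_PORTS


def classify(o):
    """Situation 1 -> "recognised", situation 2 -> "unrecognised",
    situations 3/4 -> "indeterminate" (the entry carries no port to judge)."""
    if o.port == ALL_PORTS or o.protocol == ANY_PROTOCOL:
        return "indeterminate"
    return "recognised" if o.port in RECOGNISED else "unrecognised"


def effective_exposure(openings):
    """Per client: "all" if any wildcard opening exists, otherwise the set of
    (protocol, port) pairs. One all-ports entry makes the per-port entries
    for that client useless for review, so they are dropped."""
    exposure = defaultdict(set)
    for o in openings:
        if exposure[o.client] == "all":
            continue
        if classify(o) == "indeterminate":
            exposure[o.client] = "all"
        else:
            exposure[o.client].add((o.protocol, o.port))
    return dict(exposure)


def needs_review(openings):
    """Clients an admin should look at, with the reason."""
    flagged = {}
    for client, exp in effective_exposure(openings).items():
        if exp == "all":
            flagged[client] = "all ports open: cannot tell legitimate from malicious"
        else:
            unknown = sorted(p for _, p in exp if p not in RECOGNISED)
            if unknown:
                flagged[client] = f"unrecognised ports {unknown}"
    return flagged


# Constructed sample entries, not taken from any real router.
SAMPLE = [
    Opening("2001:db8::10", "tcp", 443),
    Opening("2001:db8::20", "tcp", 52311),
    Opening("2001:db8::30", "tcp", 443),
    Opening("2001:db8::30", ANY_PROTOCOL, ALL_PORTS),
]
```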

