UPnP/IPv6 support in home routers?
gert at space.net
Tue Dec 19 16:45:56 CET 2017
On Mon, Dec 18, 2017 at 10:12:42PM +0000, Tom Hill wrote:
> On 11/12/17 15:03, Gert Doering wrote:
> > But that's the whole idea of UPnP or IGD. Whether you open one port or
> > all of them, on request of a possibly-compromised host, is of no relevance.
> I would disagree, on the purely theoretical basis of how it would be
> presented to the user:
> Situation 1: 'good' host has opened recognisable TCP port
> Situation 2: 'bad' host has opened unrecognisable TCP port
> Situation 3: 'good' host has opened all TCP/UDP ports to its addresses
> Situation 4: 'bad' host has opened all TCP/UDP ports to its addresses
> It is relatively trivial to identify or query malicious behaviour when
> the possible situations in front of you are #1 and #2. When they are #3
> and #4 it isn't as simple because you simply have less information about
> what's going on.
This is assuming that the host #2 won't just open a standard TCP port
to do its thing. Why shouldn't it? It's bad, so lying about its purpose
is straightforward... (and then, everything is HTTP anyway today).
> If the standards were to theoretically permit the legitimate
> 'DFZ-enabling' in any such protocol, software creators will eventually
> use it for legitimate (albeit probably stupid) reasons, and it'll become
> common enough that even a relatively clued-up user would not be able to
> recognise if a host is placing itself in a DFZ for legitimate or
> illegitimate reasons.
> I personally disable UPnP everywhere, but as we're stuck with it in the
> wild, we should always be considering how changes could make the
> situation even worse than the current situation, as opposed to saying
> "this is all rubbish anyway". :)
"bad hosts can open back doors at their whim" is as bad as it can get,
there is no "more of that".
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279