UPnP/IPv6 support in home routers?

Gert Doering gert at space.net
Tue Dec 19 16:45:56 CET 2017


On Mon, Dec 18, 2017 at 10:12:42PM +0000, Tom Hill wrote:
> On 11/12/17 15:03, Gert Doering wrote:
> > But that's the whole idea of UPnP or IGD.  Whether you open one port or
> > all of them, on request of a possibly-compromised host, is of no relevance.
> I would disagree, on the purely theoretical basis of how it would be
> presented to the user:
>  Situation 1: 'good' host has opened recognisable TCP port
>  Situation 2: 'bad' host has opened unrecognisable TCP port
>  Situation 3: 'good' host has opened all TCP/UDP ports to its addresses
>  Situation 4: 'bad' host has opened all TCP/UDP ports to its addresses
> It is relatively trivial to identify or query malicious behaviour when
> the possible situations in front of you are #1 and #2. When they are #3
> and #4 it isn't as simple because you simply have less information about
> what's going on.

This is assuming that the host #2 won't just open a standard TCP port
to do its thing.  Why shouldn't it?  It's bad, so lying about it's purpose
is straightforward... (and then, everything is HTTP anyway today).

> If the standards were to theoretically permit the legitimate
> 'DFZ-enabling' in any such protocol, software creators will eventually
> use it for legitimate (albeit probably stupid) reasons, and it'll become
> common enough that even a relatively clued-up user would not be able to
> recognise if a host is placing itself in a DFZ for legitimate or
> illegitimate reasons.


> I personally disable uPnP everywhere, but as we're stuck with it in the
> wild, we should always be considering how changes could make the
> situation even worse than the current situation, as opposed to saying
> "this is all rubbish anyway". :)

"bad hosts can open back doors at their whim" is as bad as it can get,
there is no "more of that".

Gert Doering
        -- NetMaster
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279

More information about the ipv6-ops mailing list