[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive Connectivity Establishment (ICE))
s.horne at packetizer.com
Tue Nov 15 06:29:17 GMT 2005
At 01:39 PM 15/11/2005, you wrote:
>Simon Horne <s.horne at packetizer.com> writes:
> >There is, it is called UPnP IGD or Universal Plug 'n Play (Internet Gateway
> >Device) refer www.upnp.org and most home/small office routers now
> >support it.
> >The biggest problem is that it potentially adds a security risk to the
> >network, other malicious programs running on the LAN can open ports up as
> >they wish, there is no security to filter which programs can use it. For
> >this reason a lot of people are very hesitant to turn it on in their
>Security is a real problem with UPnP, though it's not fundamentally
>much worse given a sophisticated attacker behind a normal NAT. A
>sophisticated attacker with code on the inside can punch holes and set up
>tunnels from the inside. The difference in UPnP is that it's easier to
>set up semi-permanent holes (at least until router reboots), and easier to
>open holes allowing any incoming IP, and easier to set up holes that go to
>"standard" services that might be exploitable.
I agree, that is why under NO circumstances do you enable UPnP on the Win
XP machine and use an internal stack in the application to greatly mitigate
>Another big problem with UPnP is the double-nat problem.
>Put a device behind two UPnP NATs and you can't open a port through both.
>With STUN/etc, you can open ports through any number of NATs.
Except if one of those NATs is symmetric (which 90% of all routers are),
then it may be broken.
From RFC 3489 - STUN
1. Applicability Statement
...STUN does not enable incoming UDP packets through symmetric NATs....
>The last big problem with UPnP is the size and complexity of
>the commands to open ports. Some routers can take 5-10 seconds to open
>a single port with UPnP. Even a good implementation is constrained by the
>amount of data transferred for UPnP.
Yes, absolutely this is correct (however in practice it's around 1-2 sec);
this is why it opens 2 UDP ports "in advance" before the call and is ready
waiting when the call arrives. When a call is received, 2 more are opened.
At the end of the call the original 2 are closed, leaving the 2 new ports
available for the next call.
It's not an ideal solution for high call volume EPs but it does work.
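The pre-allocation scheme described above, as an added example that is not part of the original post and not Simon Horne's code: a pool that keeps two UDP mappings open ahead of each call, driven against a constructed in-memory gateway (`FakeGateway`, standing in for a UPnP IGD AddPortMapping/DeletePortMapping client). The port range, lease length and call ids are assumptions; `close_all` and the finite lease are defender-side additions that address the semi-permanent-hole concern raised in the quoted text.

```python
from dataclasses import dataclass, field

@dataclass
class FakeGateway:
    """Constructed stand-in for a UPnP IGD client; records mappings instead of sending SOAP."""
    mapped: dict[int, int] = field(default_factory=dict)  # port -> lease seconds

    def add_port_mapping(self, port: int, lease_seconds: int) -> None:
        self.mapped[port] = lease_seconds

    def delete_port_mapping(self, port: int) -> None:
        self.mapped.pop(port, None)

@dataclass
class PortPool:
    gateway: FakeGateway             # anything with add_/delete_port_mapping
    lease_seconds: int = 3600        # finite lease: a crash cannot leave holes open for good
    next_port: int = 30000           # hypothetical RTP/RTCP range
    ready: list[int] = field(default_factory=list)       # opened in advance, waiting
    in_call: dict[str, list[int]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self._open_next_pair()       # the 2 ports opened before any call arrives

    def _open_next_pair(self) -> None:
        pair = [self.next_port, self.next_port + 1]  # RTP on even, RTCP on odd
        self.next_port += 2
        for port in pair:
            self.gateway.add_port_mapping(port, self.lease_seconds)
        self.ready = pair

    def call_started(self, call_id: str) -> list[int]:
        # Hand the pre-opened pair to this call, then open 2 more for the next one
        ports = self.ready
        self.in_call[call_id] = ports
        self._open_next_pair()
        return ports

    def call_ended(self, call_id: str) -> None:
        # Close the pair this call used; the newer pair stays ready for the next call
        for port in self.in_call.pop(call_id):
            self.gateway.delete_port_mapping(port)

    def close_all(self) -> None:
        # On shutdown, tear down every mapping so no semi-permanent hole remains
        for port in [p for ports in self.in_call.values() for p in ports] + self.ready:
            self.gateway.delete_port_mapping(port)
        self.in_call.clear()
        self.ready = []
```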