[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive Connectivity Establishment (ICE))

Simon Horne s.horne at packetizer.com
Tue Nov 15 06:29:17 GMT 2005


At 01:39 PM 15/11/2005, you wrote:
>Simon Horne <s.horne at packetizer.com> writes:
> >There is, it is called UPnP IGD or Universal Plug 'n Play (Internet Gateway
> >Device) refer www.upnp.org and most home/small office routers now 
> support it.
>
> >The biggest problem is that it potentially adds a security risk to the
> >network, other malicious programs running on the LAN can open ports up as
> >they wish, there is no security to filter which programs can use it. For
> >this reason a lot of people are very hesitant to turn it on in their
> >routers.
>
>         Security is a real problem with UPnP, though it's not fundamentally
>much worse given a sophisticated attacker behind a normal NAT.  A
>sophisticated attacker with code on the inside can punch holes and set up
>tunnels from the inside.  The difference in UPnP is that it's easier to
>set up semi-permanent holes (at least until router reboots), and easier to
>open holes allowing any incoming IP, and easier to set up holes that go to
>"standard" services that might be exploitable.

I agree; that is why under NO circumstances do you enable UPnP on the Win
XP machine, and you use an internal stack in the application to greatly
mitigate any risk.


>         Another big problem with UPnP is the double-nat problem.
>Put a device behind two UPnP NATs and you can't open a port through both.
>With STUN/etc, you can open ports through any number of NATs.

Except if one of those NATs is symmetric (which 90% of all routers are),
then it may be broken.

From RFC 3489 - STUN
1.  Applicability Statement
   ...STUN does not enable incoming UDP packets through symmetric NATs....


>         The last big problem with UPnP is the size and complexity of
>the commands to open ports.  Some routers can take 5-10 seconds to open
>a single port with UPnP.  Even a good implementation is constrained by the
>amount of data transferred for UPnP.

Yes, absolutely this is correct (however in practice it's around 1-2 sec);
this is why it opens 2 UDP ports "in advance" before the call and is ready
waiting when the call arrives. When a call is received 2 more are opened.
At the end of the call the original 2 are closed, leaving the 2 new ports
available for the next call.
It's not an ideal solution for high call volume EPs but it does work.

Simon


Simon Horne
Director
Packetizer Labs
www.packetizer.com/labs
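The "open two ports in advance, open two more on arrival, release the old pair at hang-up" rotation described in the reply, as an added example; this is not code from the post or from Packetizer. The SOAP envelopes follow the UPnP IGD WANIPConnection:1 AddPortMapping / DeletePortMapping actions, but the gateway is a simulated stand-in constructed for this example (it parses the request, keeps a mapping table and charges a fixed latency per request instead of sleeping), and the port range, internal client address and mapping description are assumed values.

```python
"""Pre-allocated UPnP IGD media-port pool (example, not Packetizer's code)."""
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def soap_action(action, args):
    """Build the SOAP body a control point POSTs to the IGD control URL
    (the SOAPAction header would be "SERVICE#action")."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_ENV}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{body}</u:{action}></s:Body>'
        "</s:Envelope>"
    )


def add_port_mapping(ext_port, int_port, client, proto="UDP", lease=0):
    # An empty NewRemoteHost means the hole accepts traffic from ANY remote
    # address, and lease 0 means it lives until deleted or the router reboots:
    # exactly the "semi-permanent, any-source" holes the thread warns about.
    return soap_action("AddPortMapping", {
        "NewRemoteHost": "",
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
        "NewInternalPort": int_port,
        "NewInternalClient": client,
        "NewEnabled": 1,
        "NewPortMappingDescription": "RTP media (example)",
        "NewLeaseDuration": lease,
    })


def delete_port_mapping(ext_port, proto="UDP"):
    return soap_action("DeletePortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
    })


class SimulatedIGD:
    """Constructed stand-in for the router. Every request costs latency_s of
    simulated time (the 1-2 s from the post), counted rather than slept."""

    def __init__(self, latency_s=1.5):
        self.latency_s = latency_s
        self.mappings = {}      # (proto, external port) -> (client, internal port)
        self.elapsed_s = 0.0

    def post(self, envelope):
        self.elapsed_s += self.latency_s
        root = ET.fromstring(envelope)
        action = root.find(f"{{{SOAP_ENV}}}Body")[0]
        name = action.tag.split("}")[1]
        args = {c.tag: c.text or "" for c in action}
        key = (args["NewProtocol"], int(args["NewExternalPort"]))
        if name == "AddPortMapping":
            self.mappings[key] = (args["NewInternalClient"], int(args["NewInternalPort"]))
        elif name == "DeletePortMapping":
            self.mappings.pop(key, None)


class MediaPortPool:
    """Keeps one RTP/RTCP pair mapped ahead of time so call setup never waits
    on the gateway; the pair a call used is released when the call ends."""

    def __init__(self, igd, client, first_port=16384):   # assumed port range
        self.igd, self.client, self.next_port = igd, client, first_port
        self.ready = self._open_pair()      # the "in advance" pair

    def _open_pair(self):
        pair = (self.next_port, self.next_port + 1)
        self.next_port += 2
        for p in pair:
            self.igd.post(add_port_mapping(p, p, self.client))
        return pair

    def call_arrived(self):
        """Hand out the pre-opened pair with no IGD round trip."""
        in_use, self.ready = self.ready, None
        return in_use

    def replenish(self):
        """Open the next pair (in a real EP this would run in the background)."""
        self.ready = self._open_pair()

    def call_ended(self, pair):
        for p in pair:
            self.igd.post(delete_port_mapping(p))


if __name__ == "__main__":
    igd = SimulatedIGD()
    pool = MediaPortPool(igd, "192.168.1.10")      # assumed LAN address
    pair = pool.call_arrived()
    pool.replenish()
    pool.call_ended(pair)
    print("used", pair, "now mapped:", sorted(igd.mappings), "ready:", pool.ready)
```

The simulation makes the trade-off visible: the setup cost is paid before the call (and again in the background after it), so the caller sees no mapping delay, but the gateway always holds two extra any-source UDP holes even when the phone is idle, which is the cost the reply accepts.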
