Pedro Melo wrote:
> Hi,
>
> On Aug 23, 2008, at 5:21 PM, Dirk Meyer wrote:
>> UPnP is a working choice, but bad. Just google for it. Since it is
>> based on HTTP attackers found a way to open ports on your
>> router.
>
> Having an open TCP port is not necessarily a security risk. It only
> becomes a security risk if the server that listens to that port has
> security problems.
>
> Don't blame open TCP ports for mistakes of server programmers.

The point is that app x can forward ports to app y. In my normal use this is no problem and I'm fine with it. I only have ssh open. But my parents use Windows and it has a lot of ports open with security bugs. I can not blame TCP for it, but I am very happy that a bug in Flash or something else can not open a forward on the router. So I like the fact that a NAT is some sort of firewall for my parents.

>> Besides that, I do not like the idea that every app can open
>> ports.
>
> Well, how are they supposed to accept connections? And please don't
> mention rfc2549 :).

What is wrong with that? I live in the city, we have enough pigeons :)

You are right, I would love to see it working that an app can open a port for services. No NAT problem. That would be very user-friendly. But to trust such a thing for my parents I need a way to make Windows secure. I guess that is my main problem.

> Really, I think you should get used to it. With IPv6 (and yes, I'm a
> believer :) ) you will (or at least I hope you will) lose that NAT
> security barrier that we have all grown so fond of, and the responsibility
> of server software implementations will be much much greater.

I'm also a believer. I have a /64 network at home with public addresses. Very nice to have. But back to my parents: if they get IPv6 I would install a firewall on the router to block most incoming connections.

> Personally, I think we will get user-level firewall APIs: you
> negotiate a Jingle session with your peer and then open the necessary
> ports with a source filter.

Maybe use NAT-PMP and not UPnP. It only covers the forwarding and already works on some routers. UPnP IGD may be supported by more routers, but IMHO NAT-PMP is the future.

http://files.dns-sd.org/draft-cheshire-nat-pmp.txt

> but getting back to our topic: you get to authenticate and check
> certificates on that open TCP connections. If you don't trust that,
> our protocol is flawed.

Agreed.
Dirk

-- 
The truth may be out there, but lies are inside your head. -- (Terry Pratchett, Hogfather)
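For readers who have not looked at the NAT-PMP draft Dirk links, the following is an added example (not part of the thread and not code from either poster) that builds the two NAT-PMP request types and parses the gateway's replies, following the wire format in draft-cheshire-nat-pmp. The message layouts, the UDP port 5351 and the result codes are from that draft; the constant names, the `NatPmpResponse` class, the `query_gateway` helper and the sample reply bytes are this example's own, and the sample bytes are constructed rather than captured from a real router. The point of interest for the discussion above is how small the protocol is compared to UPnP IGD: a two-byte request for the external address, a twelve-byte request for a mapping, and a result code through which the gateway can simply refuse (code 2) when its policy does not allow applications to open forwards.

```python
"""NAT-PMP request builder / response parser (draft-cheshire-nat-pmp).
Standard library only; names other than the protocol fields are this
example's own choices."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

NATPMP_PORT = 5351            # gateway listens on UDP 5351 (from the draft)
NATPMP_VERSION = 0
OP_EXTERNAL_ADDRESS = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESULT_CODES = {              # result codes as listed in the draft
    0: "success",
    1: "unsupported version",
    2: "not authorized / refused",   # gateway policy forbids the mapping
    3: "network failure",
    4: "out of resources",
    5: "unsupported opcode",
}


def build_external_address_request() -> bytes:
    """Opcode 0: ask the gateway for its public IPv4 address (2 bytes)."""
    return struct.pack("!BB", NATPMP_VERSION, OP_EXTERNAL_ADDRESS)


def build_mapping_request(protocol: int, internal_port: int,
                          external_port: int = 0, lifetime: int = 3600) -> bytes:
    """Opcode 1 (UDP) or 2 (TCP): request a port mapping (12 bytes).
    external_port 0 lets the gateway choose; lifetime 0 deletes a mapping."""
    if protocol not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("protocol must be OP_MAP_UDP or OP_MAP_TCP")
    return struct.pack("!BBHHHI", NATPMP_VERSION, protocol, 0,
                       internal_port, external_port, lifetime)


@dataclass
class NatPmpResponse:
    opcode: int                      # request opcode with the 0x80 bit cleared
    result: int
    seconds_since_epoch: int         # gateway uptime counter, for reboot detection
    external_address: Optional[str] = None
    internal_port: Optional[int] = None
    external_port: Optional[int] = None
    lifetime: Optional[int] = None

    @property
    def ok(self) -> bool:
        return self.result == 0

    @property
    def result_text(self) -> str:
        return RESULT_CODES.get(self.result, f"unknown result {self.result}")


def parse_response(data: bytes) -> NatPmpResponse:
    """Decode a gateway reply; rejects anything that is not a well-formed
    NAT-PMP response (wrong version, request opcode, wrong length)."""
    if len(data) < 8:
        raise ValueError("response too short")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != NATPMP_VERSION:
        raise ValueError(f"unsupported NAT-PMP version {version}")
    if not opcode & 0x80:
        raise ValueError("response bit not set; this is a request, not a reply")
    op = opcode & 0x7F
    if op == OP_EXTERNAL_ADDRESS:
        if len(data) != 12:
            raise ValueError("external address response must be 12 bytes")
        addr = ".".join(str(b) for b in data[8:12])
        return NatPmpResponse(op, result, epoch, external_address=addr)
    if op in (OP_MAP_UDP, OP_MAP_TCP):
        if len(data) != 16:
            raise ValueError("mapping response must be 16 bytes")
        internal, external, lifetime = struct.unpack("!HHI", data[8:16])
        return NatPmpResponse(op, result, epoch, internal_port=internal,
                              external_port=external, lifetime=lifetime)
    raise ValueError(f"unknown opcode {op}")


def query_gateway(gateway_ip: str, request: bytes, timeout: float = 1.0) -> NatPmpResponse:
    """Send one request to the default gateway and parse the reply.
    NAT-PMP only answers clients on the LAN side, so gateway_ip must be
    the host's default gateway (hypothetical helper, not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (gateway_ip, NATPMP_PORT))
        data, _ = sock.recvfrom(64)
    return parse_response(data)


# Constructed sample replies (not captured from a real gateway):
SAMPLE_ADDR_REPLY = struct.pack("!BBHI4B", 0, 0x80, 0, 10, 203, 0, 113, 7)
SAMPLE_MAP_REPLY = struct.pack("!BBHIHHI", 0, 0x82, 0, 10, 22, 22, 3600)
SAMPLE_REFUSED = struct.pack("!BBHIHHI", 0, 0x82, 2, 10, 22, 0, 0)

if __name__ == "__main__":
    for raw in (SAMPLE_ADDR_REPLY, SAMPLE_MAP_REPLY, SAMPLE_REFUSED):
        print(parse_response(raw))
```

A client should treat anything other than result 0 as "no mapping exists" and must not assume the external port it asked for was granted; the reply carries the port the gateway actually chose. The `seconds_since_epoch` field resets when the gateway restarts, which is how a client notices that its mappings are gone and need re-requesting.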
