
I use a lot of software/devices which I think are using UPnP (AirPlay, AirDrop, Pioneer DJ Pro Link, maybe the printer, etc.). There's talk here about disabling UPnP, but does that mean that the devices wouldn't be able to find each other? I don't want to babysit my router.

Or aren't they using UPnP? Quick googling wasn't successful. I thought most of those autodiscover-services use UPnP.



There are 2 parts to UPnP.

One is service discovery, in cooperation with zeroconf (aka bonjour/mDNS). This is handled 100% by devices themselves.

The other is the port forwarding protocol, where devices can ask your router to open a port in the NAT to the wide internet, forwarded to them. This is done in the router. It's also a potentially massive security hole.

If you disable UPnP on your router, you only disable the second thing. The first thing keeps working.
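
The two halves described in the comment above, as an added illustration that is not part of the thread: the SSDP M-SEARCH is the discovery half (any device can answer it), while the SOAP AddPortMapping call to the WANIPConnection service is the port-forwarding half that actually changes the router's NAT. The gateway address, UUID and the two sample replies are constructed for the example; `discover()` is the only part that needs a real LAN.

```python
"""UPnP IGD pieces: SSDP discovery vs. SOAP port-mapping control.
Added example, not code from the thread. The gateway address, UUID and
the two sample replies below are constructed test data."""
import socket
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Half 1, discovery: the SSDP M-SEARCH multicast. It only asks
    'who is out there'; nothing on the router changes."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


def parse_ssdp_response(data: bytes) -> dict:
    """Turn the HTTP-like SSDP reply into a header dict (upper-cased keys).
    LOCATION is the device description XML, which lists the control URL."""
    headers = {}
    for line in data.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().upper()] = v.strip()
    return headers


def discover(timeout: float = 2.0) -> list:
    """Multicast the M-SEARCH and collect (ip, headers) replies. Needs a LAN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    found = []
    try:
        s.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, addr = s.recvfrom(65507)
            found.append((addr[0], parse_ssdp_response(data)))
    except socket.timeout:
        pass
    finally:
        s.close()
    return found


def build_add_port_mapping(ext_port, int_port, int_client, proto="TCP",
                           desc="example", lease=0):
    """Half 2, control: the SOAP AddPortMapping request. Any LAN host that
    can reach the control URL can send this and get ext_port forwarded from
    the internet to int_client:int_port. Returns (http_headers, xml_body)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{WANIP_SERVICE}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{int_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP_SERVICE}#AddPortMapping"'}
    return headers, body


def parse_port_mapping_entry(xml_text: str) -> dict:
    """Audit helper: parse one GetGenericPortMappingEntry response (walk
    NewPortMappingIndex 0, 1, 2 ... until the router errors) to see which
    LAN hosts have punched holes through the NAT."""
    entry = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]
        if tag.startswith("New"):
            entry[tag] = (el.text or "").strip()
    return entry


# Constructed sample replies (not captured from a real router).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:11111111-2222-3333-4444-555555555555::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n\r\n"
)
SAMPLE_MAPPING_REPLY = (
    '<?xml version="1.0"?><s:Envelope '
    'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>51413</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>51413</NewInternalPort>'
    '<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>torrent</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    for ip, hdrs in discover():
        print(ip, hdrs.get("ST"), hdrs.get("LOCATION"))
```

Disabling "UPnP" on a consumer router usually means the IGD service that accepts the AddPortMapping half stops listening; the SSDP replies and mDNS announcements that let AirPlay or a printer be found do not go through the router and are unaffected.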


The service discovery isn't really the security hole though, is it? I mean I have mDNS configured on my LAN. It's the port forwarding, and specifically, configuring it so that any rando device on the network can set up port forwarding, which is the security problem.

If you really want the dubious convenience of UPnP port forwarding, at least limit it to the one or two devices on your LAN that need it.


Right, service discovery is fine.

It's just that two things with wildly different security profiles get referred to with the same name


No, mDNS is not really the issue.

Even most VPNs won’t, by default, allow mDNS packets across, without adding a relay server and some additional configuration.

But, yeah, letting any application basically go into ‘server’ mode on your home network at-will is not the most secure setup.


Thanks, yeah, I was only thinking about service discovery.


"It depends", as not all the names you listed as examples use the same technology, but in general "UPnP is more useful for things which need an incoming connection" (kinda sorta). This might be, say, a BitTorrent client needing to allow other clients in on a port to share the file... sharing. To share. :) If you understand how active vs. passive FTP works and how the incoming connections might need to be tracked (nf_conntrack for Linux folks), UPnP is more like that: apps which handle bi-directional conversations with the outside world beyond your router.

AirDrop uses an ad-hoc WiFi network (peer-to-peer) with TLS, as does, I think, (Android) Beam. If I'm not mistaken, some other devices in this area (Chromecast, Roku, etc.) use similar techniques, and sometimes leverage Bluetooth ad-hoc networks. Discovery services like printers and file shares tend to use (I'm assuming you're on macOS) Bonjour (Rendezvous, renamed a while back), which is sort of like an ad-hoc multicast (mDNS) solution if I understand it. On Windows it would use something like NetBIOS, conceptually the same. I just set a static IP on my WiFi printer and call it a day; it's trivial stuff, being a printer.



