* Anybody heard about UP&P ?
@ 2004-02-20  7:14 Marc Rechté
  2004-02-21 18:13 ` Ray Leach
  2004-02-22 22:46 ` Alex Satrapa
  0 siblings, 2 replies; 9+ messages in thread
From: Marc Rechté @ 2004-02-20  7:14 UTC (permalink / raw)
  To: netfilter

To enable remote assistance from Internet of a WinXP PC on a LAN using 
NAT one must have a UP&P NAT compatible router.

Can Netfilter act as such a router, and if so do you have an idea of the 
chain to apply ?

Thanks for your help

Marc.




* RE: Anybody heard about UP&P ?
@ 2004-02-20 19:35 Carl Farrington
  2004-02-20 20:34 ` Rob Sterenborg
  2004-02-22 12:33 ` Chris Brenton
  0 siblings, 2 replies; 9+ messages in thread
From: Carl Farrington @ 2004-02-20 19:35 UTC (permalink / raw)
  To: netfilter


UPNP means Universal Plug'n'Play. I guess WinXP looks to automagically reconfigure the NAT rules via upnp.

No idea about the netfilter stuff myself I'm afraid.

> -----Original Message-----
> From: Marc Rechté [mailto:mrechte@randodetente.org]
> Sent: 20 February 2004 07:14
> To: netfilter@lists.netfilter.org
> Subject: Anybody heard about UP&P ?
> 
> To enable remote assistance from Internet of a WinXP PC on a LAN using
> NAT one must have a UP&P NAT compatible router.
> 
> Can Netfilter act as such a router, and if so do you have an idea of the
> chain to apply ?
> 
> Thanks for your help
> 
> Marc.
> 




* RE: Anybody heard about UP&P ?
  2004-02-20 19:35 Carl Farrington
@ 2004-02-20 20:34 ` Rob Sterenborg
  2004-02-22 12:33 ` Chris Brenton
  1 sibling, 0 replies; 9+ messages in thread
From: Rob Sterenborg @ 2004-02-20 20:34 UTC (permalink / raw)
  To: netfilter

> UPNP means Universal Plug'n'Play. I guess WinXP looks to 
> automagically reconfigure the NAT rules via upnp.
> 
> No idea about the netfilter stuff myself I'm afraid.
> 
> > From: Marc Rechté [mailto:mrechte@randodetente.org]
> > 
> > To enable remote assistance from Internet of a WinXP PC on a LAN using
> > NAT one must have a UP&P NAT compatible router.
> > 
> > Can Netfilter act as such a router, and if so do you have an idea of
> > the chain to apply ?

Netfilter doesn't do UPnP.

Maybe you can use this information :
http://support.microsoft.com/default.aspx?scid=kb;en-us;q301529
http://www.pccitizen.com/remotecontrol.htm#C.%20XP%20Remote%20Assistance/Remote%20Control

It says something about "opening up port 3389" but I don't know if it's tcp,
udp or both... I think that in your case you have to forward the packets
coming in from this port to your WinXP box.


Gr,
Rob




* Re: Anybody heard about UP&P ?
  2004-02-20  7:14 Anybody heard about UP&P ? Marc Rechté
@ 2004-02-21 18:13 ` Ray Leach
  2004-02-22 22:46 ` Alex Satrapa
  1 sibling, 0 replies; 9+ messages in thread
From: Ray Leach @ 2004-02-21 18:13 UTC (permalink / raw)
  To: Netfilter Mailing List


On Fri, 2004-02-20 at 09:14, Marc Rechté wrote:
> To enable remote assistance from Internet of a WinXP PC on a LAN using 
> NAT one must have a UP&P NAT compatible router.
> 
Errr ... no! UPnP is a way for a network device to tell other network
devices who ask what port a specific service is on.

Remote assistance uses port 3389 IIRC ...

> Can Netfilter act as such a router, and if so do you have an idea of the 
> chain to apply ?
> 
No.

> Thanks for your help
> 
> Marc.
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--



* RE: Anybody heard about UP&P ?
  2004-02-20 19:35 Carl Farrington
  2004-02-20 20:34 ` Rob Sterenborg
@ 2004-02-22 12:33 ` Chris Brenton
  1 sibling, 0 replies; 9+ messages in thread
From: Chris Brenton @ 2004-02-22 12:33 UTC (permalink / raw)
  To: netfilter

This sounds *really* fishy to me. Sounds to me like what they are
looking to do is set up a 1 to 1 NAT mapping (or possibly port
forwarding) to the host needing "remote assistance" and probably punch
open the filtering as well. 

Do you know how much access gets opened up? Any authentication or
encryption being used during the management session? Any guarantee that
the hole gets closed up when they are done? Any logging of the access as
well as what gets changed during the session?

You could always ask what level of access is required and just manually
create the rules yourself. At least that way you know what is going on.

I think I'm real glad Netfilter does not support this. Sounds like a
compromise waiting to happen.

C


On Fri, 2004-02-20 at 14:35, Carl Farrington wrote:
> UPNP means Universal Plug'n'Play. I guess WinXP looks to automagically reconfigure the NAT rules via upnp.
> 
> No idea about the netfilter stuff myself I'm afraid.
> 
> > -----Original Message-----
> > From: Marc Rechté [mailto:mrechte@randodetente.org]
> > Sent: 20 February 2004 07:14
> > To: netfilter@lists.netfilter.org
> > Subject: Anybody heard about UP&P ?
> > 
> > To enable remote assistance from Internet of a WinXP PC on a LAN using
> > NAT one must have a UP&P NAT compatible router.
> > 
> > Can Netfilter act as such a router, and if so do you have an idea of the
> > chain to apply ?
> > 
> > Thanks for your help
> > 
> > Marc.
> > 
> 
> 




* Re: Anybody heard about UP&P ?
  2004-02-20  7:14 Anybody heard about UP&P ? Marc Rechté
  2004-02-21 18:13 ` Ray Leach
@ 2004-02-22 22:46 ` Alex Satrapa
  1 sibling, 0 replies; 9+ messages in thread
From: Alex Satrapa @ 2004-02-22 22:46 UTC (permalink / raw)
  To: netfilter

Marc Rechté wrote:
> To enable remote assistance from Internet of a WinXP PC on a LAN using 
> NAT one must have a UP&P NAT compatible router.

UPnP(tm) is basically SNMP done with SOAP instead of ASN.1, with some bits of ZeroConf thrown in for good measure.

It involves resource discovery, service discovery and property manipulation.

If you're interested, the specification for an "Internet Gateway Device" is available from the UPnP website. Basically, the IGD allows (authorised) machines to request the gateway to do things such as:
 - Connect to the internet
 - report statistics
 - create a forwarded port

The "create a forwarded port" part is used by Remote Assistance as well as MSN Messenger.

These are not things that can be emulated in netfilter - you'll need a SOAP service, and a whole bunch of other software to implement the IGD specification.

Last time I looked, some people had in fact implemented UPnP services for Linux, but I'm not sure whether IGD was implemented.

Regards
Alex




* RE: Anybody heard about UP&P ?
@ 2004-02-22 22:55 Carl Farrington
  2004-02-23 14:58 ` rruegner
  0 siblings, 1 reply; 9+ messages in thread
From: Carl Farrington @ 2004-02-22 22:55 UTC (permalink / raw)
  To: netfilter

> From: Alex Satrapa [mailto:alex@lintelsys.com.au]
> Sent: 22 February 2004 22:46
> To: netfilter@lists.netfilter.org
> Subject: Re: Anybody heard about UP&P ?
> 
> Marc Rechté wrote:
> > To enable remote assistance from Internet of a WinXP PC on a LAN using
> > NAT one must have a UP&P NAT compatible router.
> 
> UPnP(tm) is basically SNMP done with SOAP instead of ASN.1, with some bits
> of ZeroConf thrown in for good measure.
> 
> It involves resource discovery, service discovery and property
> manipulation.
> 
> If you're interested, the specification for an "Internet Gateway Device"
> is available from the UPnP website. Basically, the IGD allows (authorised)
> machines to request the gateway to do things such as:
>  - Connect to the internet
>  - report statistics
>  - create a forwarded port
> 
> The "create a forwarded port" part is used by Remote Assistance as well as
> MSN Messenger.
> 
> These are not things that can be emulated in netfilter - you'll need a
> SOAP service, and a whole bunch of other software to implement the IGD
> specification.
> 
> Last time I looked, some people had in fact implemented UPnP services for
> Linux, but I'm not sure whether IGD was implemented.
> 

http://linux-igd.sourceforge.net/  looks to be the thing. Not yet working with Microsoft products though.



* Re: Anybody heard about UP&P ?
  2004-02-22 22:55 Carl Farrington
@ 2004-02-23 14:58 ` rruegner
  0 siblings, 0 replies; 9+ messages in thread
From: rruegner @ 2004-02-23 14:58 UTC (permalink / raw)
  To: Carl Farrington, netfilter

hi, this is the current art of design of uni plug and play
http://linux-igd.sourceforge.net/ on linux
Regards

----- Original Message ----- 
From: "Carl Farrington" <carl@compsup.net>
To: <netfilter@lists.netfilter.org>
Sent: Sunday, February 22, 2004 11:55 PM
Subject: RE: Anybody heard about UP&P ?


> From: Alex Satrapa [mailto:alex@lintelsys.com.au]
> Sent: 22 February 2004 22:46
> To: netfilter@lists.netfilter.org
> Subject: Re: Anybody heard about UP&P ?
>
> Marc Rechté wrote:
> > To enable remote assistance from Internet of a WinXP PC on a LAN using
> > NAT one must have a UP&P NAT compatible router.
>
> UPnP(tm) is basically SNMP done with SOAP instead of ASN.1, with some bits
> of ZeroConf thrown in for good measure.
>
> It involves resource discovery, service discovery and property
> manipulation.
>
> If you're interested, the specification for an "Internet Gateway Device"
> is available from the UPnP website. Basically, the IGD allows (authorised)
> machines to request the gateway to do things such as:
>  - Connect to the internet
>  - report statistics
>  - create a forwarded port
>
> The "create a forwarded port" part is used by Remote Assistance as well as
> MSN Messenger.
>
> These are not things that can be emulated in netfilter - you'll need a
> SOAP service, and a whole bunch of other software to implement the IGD
> specification.
>
> Last time I looked, some people had in fact implemented UPnP services for
> Linux, but I'm not sure whether IGD was implemented.
>

http://linux-igd.sourceforge.net/  looks to be the thing. Not yet working
with Microsoft products though.




* RE: Anybody heard about UP&P ?
@ 2004-02-23 15:48 bmcdowell
  0 siblings, 0 replies; 9+ messages in thread
From: bmcdowell @ 2004-02-23 15:48 UTC (permalink / raw)
  To: netfilter


When I wanted to get this particular feature working to chat with my Dad, I wrote a quickie script to -j ACCEPT his IP.  Then I use another one to reset my rules when we're done chatting.  Worked fine after that, NAT and all.

IIRC, UPnP was the reason for that first 'big' XP patch right after it came out.  So, yes, it is probably a vulnerability.


Bob

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Chris Brenton
Sent: Sunday, February 22, 2004 6:33 AM
To: netfilter@lists.netfilter.org
Subject: RE: Anybody heard about UP&P ?


This sounds *really* fishy to me. Sounds to me like what they are
looking to do is set up a 1 to 1 NAT mapping (or possibly port
forwarding) to the host needing "remote assistance" and probably punch
open the filtering as well. 

Do you know how much access gets opened up? Any authentication or
encryption being used during the management session? Any guarantee that
the hole gets closed up when they are done? Any logging of the access as
well as what gets changed during the session?

You could always ask what level of access is required and just manually
create the rules yourself. At least that way you know what is going on.

I think I'm real glad Netfilter does not support this. Sounds like a
compromise waiting to happen.

C


On Fri, 2004-02-20 at 14:35, Carl Farrington wrote:
> UPNP means Universal Plug'n'Play. I guess WinXP looks to automagically reconfigure the NAT rules via upnp.
> 
> No idea about the netfilter stuff myself I'm afraid.
> 
> > -----Original Message-----
> > From: Marc Rechté [mailto:mrechte@randodetente.org]
> > Sent: 20 February 2004 07:14
> > To: netfilter@lists.netfilter.org
> > Subject: Anybody heard about UP&P ?
> > 
> > To enable remote assistance from Internet of a WinXP PC on a LAN using
> > NAT one must have a UP&P NAT compatible router.
> > 
> > Can Netfilter act as such a router, and if so do you have an idea of the
> > chain to apply ?
> > 
> > Thanks for your help
> > 
> > Marc.
> > 
> 
> 



