On Tue, 20 Apr 2010 18:03:09 EDT, Simon Perreault said:
This is the latest proposal. The Security Considerations section needs some love...
I may be the only one who finds that unintentionally hilarious. In any case, to a first-order approximation, it doesn't even matter all that much security-wise. I mean - let's be *honest* guys. After XP SP2 got any significant market penetration, pretty much everybody had a host-based firewall that defaulted to default-deny, so the NAT firewall was merely belt and suspenders. Pretty much all the attacks we've seen in the last few years have been things like web drive-bys, trojaned torrents, and other stuff that sails right in through open ports through the firewall (both host and standalone). And any malware that's able to turn around and punch open a port on the host firewall is just as easily able to go and use UPnP to send a "Pants Down!" command to the standalone firewall. (Yes, defense in depth is a Good Thing. But that external firewall isn't doing squat for your security if it actually accepts UPnP from inside.)