> the author depends on NAT as a security feature, when it was never designed to be one
> UPnP is a convenience feature, and is disabled in all security focused networks.
UPnP punches holes in a NAT. If you shouldn't be trusting NAT to protect you anyway, why bother disabling a feature that's designed to punch holes in it? Just set up your firewall to protect your network, and it's not an issue.
(I suppose some routers might automatically add a firewall exception when doing UPnP hole punching, but if so that's an issue with those routers, not with the idea of relying on a firewall.)
UPnP doesn't "punch holes in NAT." It is dynamically configuring NAT to provide a specific translation. The same kind of dynamic translation happens the other way for any allowed outgoing traffic, and lots of old NAT traversal tricks made use of that before UPnP was a thing.
The hole was always there. People get this topic confused all the time because the majority of network devices doing NAT are also acting as firewalls of varying efficacy. There are basically no non-firewall routers anymore; they all have at least simple network address ACLs.
The purpose of upnp is touchless configuration. If you care about security, that is orthogonal to your goals, and so it must be restricted by some other policy enforcement.
Good point, I should have been more careful about the terminology. My point was that it's possible to have UPnP configure a port to be translated for a particular host on the LAN but still have a firewall on the router blocking access to that port.
Another reply to my comment suggests that at least some consumer routers open a firewall port up as well, meaning that UPnP is still a potential security hole on those routers. (This might actually be required by the IGD protocol spec for all I know; that would be unfortunate...)
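As an added illustration of the separation the replies above describe (this is not from any commenter in the thread): an nftables ruleset on a home router where a DNAT entry of the kind an IGD AddPortMapping request installs is present, yet the forward chain still drops the inbound connection unless an explicit filter rule is added. The interface names, LAN address and port are made-up values.

```nft
# NAT table: only translation happens here, no accept/drop decision.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Translation as a UPnP IGD AddPortMapping would create it
        # (constructed values: WAN interface wan0, LAN host 192.168.1.10).
        iifname "wan0" tcp dport 25565 dnat to 192.168.1.10:25565
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

# Filter table: this is where reachability is actually decided.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to connections the LAN initiated are allowed back in.
        ct state established,related accept
        # LAN hosts may start outbound connections.
        iifname "lan0" oifname "wan0" accept
        # The translated packet from the WAN hits policy drop here.
        # Only an explicit rule like the following would expose the mapping:
        # iifname "wan0" ip daddr 192.168.1.10 tcp dport 25565 ct state new accept
    }
}
```

After loading the ruleset, `nft list ruleset` shows both tables; the mapping exists in the nat table while nothing in the forward chain accepts new WAN-originated connections to it, which is the state the comment above argues a router should default to.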