You're new here and your first post is asking for information that would help you circumvent the plusnet router security!

You don't really expect help on this do you?

That's quite a hostile response but I will ignore it as my intentions are not as you imply.

Quite the opposite, I would like to understand this feature so I can ensure my program functions correctly for users that have this security feature enabled. If the feature makes what I'm trying to do impossible, then I will make no efforts to circumvent it. I simply want to understand it to make sure I'm not making an error.

---

@fydrenak wrote:

That's quite a hostile response but I will ignore it as my intentions are not as you imply.

 

Quite the opposite, I would like to understand this feature so I can ensure my program functions correctly for users that have this security feature enabled. If the feature makes what I'm trying to do impossible, then I will make no efforts to circumvent it. I simply want to understand it to make sure I'm not making an error.

---

Well consider this, you've turned up on the plusnet forum talking about a plusnet hub one and wanting to know how to get around it's upnp limitations from a security perspective.

That's like turning up on a van forum saying you've locked yourself out of your van and need help getting back into it - nobody will assist you.

Even if you are legit plusnet don't make any technical details about their router available to us.

@fydrenak - You refer to UPNP as a security feature when it has more holes than a sieve! 

@7up The inaccurate simile is wholly unnecessary. I have never once asked how to 'get around' any 'upnp limitations'. As I said before; I have no intention of circumventing anything, I merely want to understand what the limitations are so I know what is possible to do legitimately. I am not interested in any hacks or workarounds, I just want to know what this option on my router actually does.

I would greatly appreciate it if the contents of my question were focused on instead of making baseless judgements about me personally. That makes for a pretty toxic way to welcome new members of the forum.

The final line in your reply is the only constructive one, but I at least thank you for it. I assumed that all the settings users can control on the router are documented somewhere, else how are consumers expected to decide whether or not to enable/disable the feature without knowledge of what it does? That is the only level of information I am looking for.

@dvorak Thank you, I might try Reddit as well but I generally try to avoid it. For what it's worth, I am a Plusnet customer. The only reason I have access to multiple brands' routers is that I switch between multiple places of living fairly frequently, and I have asked some of those around me to test my program and send me the response.

@fydrenak  I assume you've read the RFC for this:

https://tools.ietf.org/html/rfc6970

This will explain everything you need to know.

@Mook I never referred to UPNP itself as a security feature, but to 'UPNP Extended Security' as it is written in the router settings, which I think can safely be called a security feature. UPNP could be considered a security risk but the fact is sometimes people want to build peer to peer networks with a 'plug and play' client. Expecting your average consumer to find their local IP, keep it static, and manually port forward is a bit much. Also, assuming UPNP is configurable only from the LAN, if you have malicious code that would use UPNP you have far bigger problems and UPNP being enabled. And disabling it likely stops absolutely nothing. Evidently the industry agrees with me as people have been trying to call it insecure for years but it is still very widely used.

If you think there is something I have not considered in my security assessment of UPNP I welcome the information.

I'd hardly call quoting 'UPNP Extended Security' a security assessment but each to their own I guess. To be honest I don't use the Plusnet Router so I don't know in what context the aforementioned quote actually refers to so I will say no more but I do recommend you read the RFC, it will be time well spent.

@Mook Thank you for that link, I have been working from the specification of UPNP device architecture specification (http://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf) when building my implementation. I admit to not being familiar with the PCP IWF. Is this what is expected to be used by modern applications?

@Mook My assessment is what I outlined in why I think UPNP is not too insecure for use in modern applications. I reviewed what it enables and I don't think it allows an attacker to do much more than they would be able to do anyway given that they're inside the network. The quote of the name was my response to the comment that i called UPNP itself a security feature.

It's always been my understanding that an RFC is the defacto standard for this kind of thing and when I've had to deal with protocols this is my first port of call.

But UPnP is bad news, do a search of the CVE site using UPNP and you'll get an idea.

@7up 

"You don't really expect help on this do you?"

What a ridiculous response !

15,000 posts and this is how you behave in response to a new person asking a perfectly natural question.

Perhaps you have come to think that you are so important that it's your job to be rude to anyone who doesn't spend all their time here ?

Maybe that's why your fixes to posts ratio is so low.

Of course the OP should be able to know how his router works.

I also want to know, as I'm investigating whether this router is vulnerable to NAT slipstreaming.

Is that ok with you ?  -  It probably isn't relevant, but how can I tell unless I know what this bland unhelpful label "Advanced Security" actually means.

Security Through Obscurity is a discredited approach.

In any case the OP is already logged in to the router advanced settings - how much worse can it get.  Apparently he already pwned his network.