uPnP on home/school router

Just tested a newly purchased Dlink DIR-601 router for our son to take back
to school...
Left it setup with the local 192.168..0.1 address
and plugged it into our local 192.168.1.x network to get a WAN side DHCP
address.
Worked fine - hardwire and WiFi -

I also think I stumbled onto what I thought was an ICS or 192.168.0.1 issue
that I posted in another thread,
but now think it really is the uPnP router feature/setup.
I have that feature disabled on my local routers,
so never really saw it pop up on Windows Network Connections (XP).

So - I read about what uPnP does,
and wondering if and when it really should be enabled ?

--
----------------------------------
"If everything seems to be going well,
you have obviously overlooked something." - Steven Wright

In message <i5ab5b$sok$(E-Mail Removed)> "ps56k"
<(E-Mail Removed)> was claimed to have wrote:

>Just tested a newly purchased Dlink DIR-601 router for our son to take back
>to school...
>Left it setup with the local 192.168..0.1 address
>and plugged it into our local 192.168.1.x network to get a WAN side DHCP
>address.
>Worked fine - hardwire and WiFi -
>
>I also think I stumbled onto what I thought was an ICS or 192.168.0.1 issue
>that I posted in another thread,
>but now think it really is the uPnP router feature/setup.
>I have that feature disabled on my local routers,
>so never really saw it pop up on Windows Network Connections (XP).
>
>So - I read about what uPnP does,
>and wondering if and when it really should be enabled ?

The short answer is that uPNP allows a application to request a port
forward or other router configuration changes without manual
configuration.

Some routers have bugs that allow malicious software to have more power
than they should, but as a rule this type of exploit needs malicious
software already running on the PC anyway, so it's like being a little
bit pregnant, there's little practical difference between being
compromised and being more compromised.

That being said, I'd turn it off and configure port forwarding manually
in most configurations.

In message <(E-Mail Removed)> John Navas
<(E-Mail Removed)> was claimed to have wrote:

>>The short answer is that uPNP allows a application to request a port
>>forward or other router configuration changes without manual
>>configuration.
>>
>>Some routers have bugs that allow malicious software to have more power
>>than they should, but as a rule this type of exploit needs malicious
>>software already running on the PC anyway, so it's like being a little
>>bit pregnant, there's little practical difference between being
>>compromised and being more compromised.
>
>That "rule" is incomplete -- there are also _external_ exploits.

Sure, but external exploits are on the wrong side of the NAT / firewall
to open a port using UPnP.

If the router is buggy enough to accept UPnP requests from outside,
you've likely got other design flaws that will bite you long before this
one does.