On Mon, Apr 08, 2002 at 11:56:29AM +0200, Henrik Nordstrom wrote:

> By the same way as your firewalling policy knows to allow the user to
> go out on port 80. You have a policy saying that users X & Y are
> allowed to punch such holes for port 456 under certain given
> conditions.

By definition there are no "defined" ports. Because the UPnP device has to allocate ports out to a whole LAN of clients wanting (for instance) a listener, the same port cannot be used by all listeners. From the previous definition of how Messenger uses UPnP, a broker on the .NET network is responsible for telling others what ports and addresses are listening. If there are no "defined" ports, then "users X & Y are allowed to punch such holes for port 456 under certain given conditions" becomes more difficult. As a security administrator, what other "given conditions" are there?

> UPnP is just the tool, not the policy on how it may be used.

But the tool has to be capable of (being involved in) enforcing the policy. I see no way for the UPnP server to do this at this point.

I have not read the spec yet, so I should probably stop arguing and either read the spec or wait to see how it all pans out.

b.

-- 
Brian J. Murrell