[PULL] UPnP

[Matt Corallo]

I wrote a patch for UPnP via miniupnpc.  Currently it is just for UNIX, but shouldn't be too hard to get running on OSX.  Some people have mentioned that Windows has its own native library for UPnP which we should use.  Currently UPnP is on off by default and can be easily turned on with -upnp but that is up for debate (actually poll).  See the pull request here: https://github.com/bitcoin/bitcoin/pull/133.

UPDATE: The patch now works for OSX and Windows and includes a WXUI switch for enabling/disabling UPnP at runtime.  Note that the windows version still uses miniupnpc (not the native windows libraries, does anyone feel very strongly about this?).  
As I couldn't get miniupnpc to compile on Windows, the makefile is designed to use the binary version published on the website (which includes the library against which bitcoin is linked, upnpc-exe-win32-20110215.zip).  To get the relevant headers, however you need to download the original source archive (miniupnpc-1.5.20110215.tar.gz) and copy *.h to C:\upnpc-exe-win32-20110215\miniupnpc.  Note that the UNIX/OSX versions expect version 1.5 (slightly different UPNP_AddPortMapping definition).  
Also, the translations of the copyright notice in the about dialog need changed before this should be pulled.  Currently only dutch has been translated (thanks joepie91).

UPDATE 2: Added translations by community members for French, Spanish and German (plus existing Dutch) and added Russian, Portuguese and Italian translations from Google Translate.  Anyone had time to review the code and have suggestions or think it is ready?

UPDATE 3: Italian translation updated thanks to Joozero.  Anyone have comments on the code?

[1715656007]

1715656007

[1715656007]

1715656007

[1715656007]

1715656007

[theymos]

It should not be enabled by default. Opening 8333 significantly increases network usage without any benefit to the node.

[jgarzik]

It should not be enabled by default. Opening 8333 significantly increases network usage without any benefit to the node.

Well, it benefits the network, which benefits the node.

But I agree:  it should be off by default.

[Matt Corallo]

It should not be enabled by default. Opening 8333 significantly increases network usage without any benefit to the node.

I completely disagree.  The more nodes which are connectible the harder any kind of Sybil attack becomes which just benefits the network.  Any user who has a legitimate reason why they don't want incoming connections will already either have UPnP off on their router or be able to disable it in the client.

[theymos]

I completely disagree.  The more nodes which are connectible the harder any kind of Sybil attack becomes which just benefits the network.  Any user who has a legitimate reason why they don't want incoming connections will already either have UPnP off on their router or be able to disable it in the client.

Think of all those users in Canada and Australia who will have their limited bandwidth siphoned away without any warning...

After Bitcoin runs in lightweight client mode by default, it would make sense to ask the user about triggering UPnP if they enable "supernode" mode.

[Luke-Jr]

Learn from FreeBSD and other decent OS. Stuff is off by default. Stuff opening ports to world wild web is definitely off by default.

Erm, no. Services may be disabled by default, certainly, but once you start (for example) Apache, it listens to port 80 by default. You don't have to jump through extra hoops to configure a port. Likewise, distros won't auto-launch bitcoind by default, but when the user does so, they should reasonably expect it to listen.

An unfounded possible vulnerability is no excuse to make things harder for the user than they have to be. There could just as well be a vulnerability in the transaction code, or anywhere else that is going to be exposed to all nodes regardless. If you don't trust the bitcoin wallet you're using to be secure, you shouldn't be using it period.

[mndrix]

It seems reasonable to me to start with UPnP disabled by default.  As long as enabling it in the client is easy enough to do, the network will benefit because some nodes will "opt-in" that wouldn't have before.  We can change the default later, after we gain more confidence about remote vulnerabilities.

[Gavin Andresen]

It seems reasonable to me to start with UPnP disabled by default.  As long as enabling it in the client is easy enough to do, the network will benefit because some nodes will "opt-in" that wouldn't have before.  We can change the default later, after we gain more confidence about remote vulnerabilities.

Who knows enough about wxWidgets to add a checkbox to the Settings UI for "Enable UpNP" (grayed out #ifndef UPNP...)?  Wanna coordinate with BlueMatt to get that done?

[ArtForz]

One more consideration.

Can someone guarantee that there is not a single buffer overflow or some other vulnerability in bitcoin code present and future? And put a 21m BTC bond to make such guarantee worthwhile too? If not than we'd better have this off by default.

Otherwise, consider the risk of a 0 day exploit coming up and someone cleaning up balances of all nodes accepting incoming connections. This would be the end of bitcoin.

Without UPnP by default only supernodes would get robbed and they should know better than keep any decent money anywhere near node accepting connections. This still would be nasty but not fatal.

There is simply no argument against this risk assessment. Case closed.


P.S. vote whatever you want 'upnp on' decision will be vetoed either by Gavin or by Satoshi himsef. So do not rush selling all your BTC's just yet.

In a remote buffer overflow scenario all nodes participating in the normal p2p network are pretty much fucked, no matter if they accept incoming connections or not.

Consider the following scenario:
Attacker exploits bug and disables all public nodes allowing incoming connections.
Nodes *not* allowing incoming connections see their outgoing connections count dropping and try to connect to new peers.
Only nodes left accepting incoming connections are under control of the attacker and exploit same bug in nodes connecting to them.
Whoops.

[Mike Hearn]

I suspect most people running Linux at home are already either not using wifi NATs or have set themselves up in a DMZ.

UPnP is definitely a good thing, but it'll have the most impact for OS X and Windows users.

As to security, UPnP only has any effect on residential connections. It's already widely used by very popular software like Skype. Blanket arguments that it's a bad thing or should be off by default don't make a whole lot of sense to me. The people who need it most are the same people who won't know what it is and thus won't switch it on.

[HostFat]

It's ok to set it OFF by default, but I think that it is a good idea to show it with a wizard at the first start of the gui. ( example: emule )

[ShadowOfHarbringer]

Learn from FreeBSD and other decent OS. Stuff is off by default. Stuff opening ports to world wild web is definitely off by default.

Erm, no. Services may be disabled by default, certainly, but once you start (for example) Apache, it listens to port 80 by default. You don't have to jump through extra hoops to configure a port. Likewise, distros won't auto-launch bitcoind by default, but when the user does so, they should reasonably expect it to listen.

An unfounded possible vulnerability is no excuse to make things harder for the user than they have to be. There could just as well be a vulnerability in the transaction code, or anywhere else that is going to be exposed to all nodes regardless. If you don't trust the bitcoin wallet you're using to be secure, you shouldn't be using it period.

It is primary function of Apache to listen on port 80 and it is still not using UPnP. It is not primary function of bitcoin to listen on port 8333 while breaking out holes in badly configured routers/firewalls. Your argument is flawed. Try again.

Vladimir is 100% right.

Everything that is not needed for an application's primary function to function, should be turned off by default.

Also, UPnP is overall one big security hole. If somebody enables it, he should know what he is doing. By enabling UPnP by default, you are making computer-illiterate people create security holes.

[m0Ray]

I think that bitcoin must use a random port and encrypt its traffic. If it will be so, I see no evil in UPnP.

[ShadowOfHarbringer]

I think that bitcoin must use a random port and encrypt its traffic. If it will be so, I see no evil in UPnP.

I already suggested that here:
http://bitcointalk.org/index.php?topic=2909.0

However that is not as useful as i initially thought.

[m0Ray]

Once more I describe the problem I mean important.

The transaction originator isn't anonymous when originating node is sniffed. The sniffer can certainly detect if the transaction is originated by the sniffed node or it is just retranslated.
The truly anonymous bitcoin node must mix its original transactions in time with retranslated ones, randomize them, send dummy packets along with them etc...
Statistical and pattern analysis is widely used by secret services and other advanced criminals. Don't forget it.

So every bitcoin connection must use asymmetric cryptography and conform a so-called normal distribution. Or else everyone will be statistically detected and...

[Gavin Andresen]

So every bitcoin connection must use asymmetric cryptography and conform a so-called normal distribution. Or else everyone will be statistically detected and...

Preventing that type of statistical network analysis attack is what Tor and i2p are for.  If you require that level of anonymity, run bitcoin via a proxy to communicate over those networks.

[jgarzik]

Latest gnutella release adds support for UPNP and NAT-PMP... 

[Matt Corallo]

Bump as the pull is finally proper.  Comments?

[sebastian]

Voted "Off by default".

Reason: Since UPnP is something which can open incoming holes in a firewall, I think it should be off by default, and IF some user, which knows the consequences of enabling it, can enable it.

The reason is that Bitcoin in a such case will be very responsible for that computer's main security, if it has access to disable the firewall in a router (which UPnP is). For example, lets say there comes a exploit that allows someone to send a specifically crafted packet to bitcoin client on port 8333, and cause the bitcoin client to push out a UPnP packet opening arbiritary ports on the router. Dont give bitcoin too much abilities by default.

Also have safeguards in place that makes sure bitcoin CANNOT send out UPnP packets if its disabled in the interface. In other words, check in many places that UPnP is enabled before allowing a UPnP through, in many places, so even if a hacker manage to bypass a UPnP check via a exploit, there will be numerous other checks that needs to be bypassed too.

Read more here about the security consequences of UPnP:
http://www.grc.com/sn/sn-003.htm

And more here about how good security devices NAT:es are:
http://www.grc.com/nat/nat.htm

[Luke-Jr]

More FUD. UPnP is not a security problem. NAT is not a security mechanism. If someone can exploit Bitcoin to send arbitrary packets, UPnP support is not going to make it much easier. UPnP is a hack to fix a hack (NAT). Neither should have ever existed, but UPnP brings things back to how they are supposed to be normally.

[sebastian]

Luke-Jr: So you are saying that computers "are supposed" to be exposed to the internet with all these worms and such auto-infecting any computer it stumbles upon by attacking random IP adresses?

In the past, the security of NAT was really not necessary, but in the today era, NAT is a essential security that provides inbound protection. Without a NAT or some sort of firewall before a computer, the computer would pretty much get totally owned in about 15 minuters of connection of to the internet, even if you are not touching the computer.

Even router packaging advertises the natural NAT firewall function by a picture of a large padlock with the word "firewall" under it.

I think a UPnP function could be there, but make sure its OFF by default. Or even better, dont have any UPnP function at all, and the end user has simply to do port forwarding manually, its not rocket science to go to http://192.168.0.1 (or whats applicable for their router) and do port forwarding of 8333 to their computer's IP adress. Then we keep code amount and possible exploit vectors at a minimum.

I wish that the stupid idea "UPnP" never got invented at all.


Yes! I know that NAT was not intended* to be a firewall from the beginning, its just a positive "bi effect" from NAT:ing multiple computers together since the NAT does not know where to send unsolicited traffic. Its not a "bug" that you call it in other threads. Call it a positive effect.

If you dont want that effect, you can always put a PC in the DMZ zone of the router. But then, if you do that, prepare for that PC to be owned by every active worm out there on the internet circulating. And then that worm will spread to all other PCs in your network since its only a switch on the LAN side of the NAT.


* At the time where NATs where invented, firewalls wasn't really necessary, the virus/worm population on the internet was relatively low. So thats why the NATs where not intended to act as firewalls. It just come as a useful feature later when virus/worm population on internet got a little too high.

[Luke-Jr]

Luke-Jr: So you are saying that computers "are supposed" to be exposed to the internet with all these worms and such auto-infecting any computer it stumbles upon by attacking random IP adresses?

Yes, computers are supposed to be connected to the internet. And people are supposed to keep their systems secure. Possibly run a firewall, if they're a target or for extra piece of mind.

In the past, the security of NAT was really not necessary, but in the today era, NAT is a essential security that provides inbound protection. Without a NAT or some sort of firewall before a computer, the computer would pretty much get totally owned in about 15 minuters of connection of to the internet, even if you are not touching the computer.

NAT is not security at all. In theory, NATs *should* pass all inbound connections-- most just don't know how. A firewall is something completely different.

If the user has a firewall, UPnP should not override it. UPnP is to fix the flaw that NATs don't know where to forward connections, nothing else.

[sebastian]

Im not saying NATs are supposed to be firewalls/security devices.
I say that the "firewall feature" in a NAT is just a bonus, that have come extremely useful.

How many dedicated hardware firewalls are sold at today's consumer hardware stores? Its zero, sometimes a store *might* sell one brand of hardware firewall. Thats because NATs provide enough protection, so hardware firewalls sells extremely bad at a consumer store.

And firewalls are really necessary. Try connecting a PC to the internet, without NAT, without firewall, without any protection ever. You will see that the PC gets "owned" in the matter of minutes if not under just one hour, even if you dont touch the PC. All those worms out of the internet are scanning and attacking random IPs without any specific "targeting".

A NAT just drops these attacks so they will never reach the PC. You have to deliberately surf into a infected site or download/accept a infected file to get infected.


I just dont understand, why use UPnP at all? Whats the problem of the end user surfing to their router administration page and opening up 8333 for their bitcoin client? Its a simple and straightforward process of opening a incoming port in a router.

[Luke-Jr]

I just dont understand, why use UPnP at all? Whats the problem of the end user surfing to their router administration page and opening up 8333 for their bitcoin client? Its a simple and straightforward process of opening a incoming port in a router.

Because they shouldn't have to, and for most people it isn't simple.

If Windows is vulnerable without a firewall, then it should simply be banned from the internet. Or ISPs can charge Windows users an extra fee for firewalling service.

[jgarzik]

As long as UPnP is off by default, it's just an easy way for the user to proactively drill a hole.  The bitcoin network will benefit from UPnP users, and other P2P technologies such as bittorrent clients already use UPnP.

[Matt Corallo]

Although I disagree, the latest version now has UPnP off by default.  Any other comments/concerns people have?

[Mike Hearn]

I still think it should be on by default for Windows/Mac. UNIX can keep it off as it's not likely to make sense there. But otherwise this is great stuff ... hope it gets in soon.

[Steve]

I'm not in favor of the makefile switches, #ifdefs and such...I'd much prefer to build a single flavor of the executable that has support for UPNP...whether it's on or not by default is a separate question.  Keep it simple for end users by having a single executable that can support UPNP if desired rather than having different executables (one which has support compiled in and one which doesn't).  If this was done for even a few features, it would quickly get out of hand.

[Luke-Jr]

Official binaries can easily be a single feature-set without breaking the ability to compile without it.