[PULL] UPnP

[Matt Corallo]

I wrote a patch for UPnP via miniupnpc.  Currently it is just for UNIX, but shouldn't be too hard to get running on OSX.  Some people have mentioned that Windows has its own native library for UPnP which we should use.  Currently UPnP is on off by default and can be easily turned on with -upnp but that is up for debate (actually poll).  See the pull request here: https://github.com/bitcoin/bitcoin/pull/133.

UPDATE: The patch now works for OSX and Windows and includes a WXUI switch for enabling/disabling UPnP at runtime.  Note that the windows version still uses miniupnpc (not the native windows libraries, does anyone feel very strongly about this?).  
As I couldn't get miniupnpc to compile on Windows, the makefile is designed to use the binary version published on the website (which includes the library against which bitcoin is linked, upnpc-exe-win32-20110215.zip).  To get the relevant headers, however you need to download the original source archive (miniupnpc-1.5.20110215.tar.gz) and copy *.h to C:\upnpc-exe-win32-20110215\miniupnpc.  Note that the UNIX/OSX versions expect version 1.5 (slightly different UPNP_AddPortMapping definition).  
Also, the translations of the copyright notice in the about dialog need changed before this should be pulled.  Currently only dutch has been translated (thanks joepie91).

UPDATE 2: Added translations by community members for French, Spanish and German (plus existing Dutch) and added Russian, Portuguese and Italian translations from Google Translate.  Anyone had time to review the code and have suggestions or think it is ready?

UPDATE 3: Italian translation updated thanks to Joozero.  Anyone have comments on the code?

[1714857826]

1714857826

[theymos]

It should not be enabled by default. Opening 8333 significantly increases network usage without any benefit to the node.

[jgarzik]

It should not be enabled by default. Opening 8333 significantly increases network usage without any benefit to the node.

Well, it benefits the network, which benefits the node.

But I agree:  it should be off by default.

[Matt Corallo]

It should not be enabled by default. Opening 8333 significantly increases network usage without any benefit to the node.

I completely disagree.  The more nodes which are connectible the harder any kind of Sybil attack becomes which just benefits the network.  Any user who has a legitimate reason why they don't want incoming connections will already either have UPnP off on their router or be able to disable it in the client.

[theymos]

I completely disagree.  The more nodes which are connectible the harder any kind of Sybil attack becomes which just benefits the network.  Any user who has a legitimate reason why they don't want incoming connections will already either have UPnP off on their router or be able to disable it in the client.

Think of all those users in Canada and Australia who will have their limited bandwidth siphoned away without any warning...

After Bitcoin runs in lightweight client mode by default, it would make sense to ask the user about triggering UPnP if they enable "supernode" mode.

[Luke-Jr]

Learn from FreeBSD and other decent OS. Stuff is off by default. Stuff opening ports to world wild web is definitely off by default.

Erm, no. Services may be disabled by default, certainly, but once you start (for example) Apache, it listens to port 80 by default. You don't have to jump through extra hoops to configure a port. Likewise, distros won't auto-launch bitcoind by default, but when the user does so, they should reasonably expect it to listen.

An unfounded possible vulnerability is no excuse to make things harder for the user than they have to be. There could just as well be a vulnerability in the transaction code, or anywhere else that is going to be exposed to all nodes regardless. If you don't trust the bitcoin wallet you're using to be secure, you shouldn't be using it period.

[mndrix]

It seems reasonable to me to start with UPnP disabled by default.  As long as enabling it in the client is easy enough to do, the network will benefit because some nodes will "opt-in" that wouldn't have before.  We can change the default later, after we gain more confidence about remote vulnerabilities.

[Gavin Andresen]

It seems reasonable to me to start with UPnP disabled by default.  As long as enabling it in the client is easy enough to do, the network will benefit because some nodes will "opt-in" that wouldn't have before.  We can change the default later, after we gain more confidence about remote vulnerabilities.

Who knows enough about wxWidgets to add a checkbox to the Settings UI for "Enable UpNP" (grayed out #ifndef UPNP...)?  Wanna coordinate with BlueMatt to get that done?

[ArtForz]

One more consideration.

Can someone guarantee that there is not a single buffer overflow or some other vulnerability in bitcoin code present and future? And put a 21m BTC bond to make such guarantee worthwhile too? If not than we'd better have this off by default.

Otherwise, consider the risk of a 0 day exploit coming up and someone cleaning up balances of all nodes accepting incoming connections. This would be the end of bitcoin.

Without UPnP by default only supernodes would get robbed and they should know better than keep any decent money anywhere near node accepting connections. This still would be nasty but not fatal.

There is simply no argument against this risk assessment. Case closed.


P.S. vote whatever you want 'upnp on' decision will be vetoed either by Gavin or by Satoshi himsef. So do not rush selling all your BTC's just yet.

In a remote buffer overflow scenario all nodes participating in the normal p2p network are pretty much fucked, no matter if they accept incoming connections or not.

Consider the following scenario:
Attacker exploits bug and disables all public nodes allowing incoming connections.
Nodes *not* allowing incoming connections see their outgoing connections count dropping and try to connect to new peers.
Only nodes left accepting incoming connections are under control of the attacker and exploit same bug in nodes connecting to them.
Whoops.

[Mike Hearn]

I suspect most people running Linux at home are already either not using wifi NATs or have set themselves up in a DMZ.

UPnP is definitely a good thing, but it'll have the most impact for OS X and Windows users.

As to security, UPnP only has any effect on residential connections. It's already widely used by very popular software like Skype. Blanket arguments that it's a bad thing or should be off by default don't make a whole lot of sense to me. The people who need it most are the same people who won't know what it is and thus won't switch it on.

[HostFat]

It's ok to set it OFF by default, but I think that it is a good idea to show it with a wizard at the first start of the gui. ( example: emule )

[ShadowOfHarbringer]

Learn from FreeBSD and other decent OS. Stuff is off by default. Stuff opening ports to world wild web is definitely off by default.

Erm, no. Services may be disabled by default, certainly, but once you start (for example) Apache, it listens to port 80 by default. You don't have to jump through extra hoops to configure a port. Likewise, distros won't auto-launch bitcoind by default, but when the user does so, they should reasonably expect it to listen.

An unfounded possible vulnerability is no excuse to make things harder for the user than they have to be. There could just as well be a vulnerability in the transaction code, or anywhere else that is going to be exposed to all nodes regardless. If you don't trust the bitcoin wallet you're using to be secure, you shouldn't be using it period.

It is primary function of Apache to listen on port 80 and it is still not using UPnP. It is not primary function of bitcoin to listen on port 8333 while breaking out holes in badly configured routers/firewalls. Your argument is flawed. Try again.

Vladimir is 100% right.

Everything that is not needed for an application's primary function to function, should be turned off by default.

Also, UPnP is overall one big security hole. If somebody enables it, he should know what he is doing. By enabling UPnP by default, you are making computer-illiterate people create security holes.

[m0Ray]

I think that bitcoin must use a random port and encrypt its traffic. If it will be so, I see no evil in UPnP.

[ShadowOfHarbringer]

I think that bitcoin must use a random port and encrypt its traffic. If it will be so, I see no evil in UPnP.

I already suggested that here:
http://bitcointalk.org/index.php?topic=2909.0

However that is not as useful as i initially thought.

[m0Ray]

Once more I describe the problem I mean important.

The transaction originator isn't anonymous when originating node is sniffed. The sniffer can certainly detect if the transaction is originated by the sniffed node or it is just retranslated.
The truly anonymous bitcoin node must mix its original transactions in time with retranslated ones, randomize them, send dummy packets along with them etc...
Statistical and pattern analysis is widely used by secret services and other advanced criminals. Don't forget it.

So every bitcoin connection must use asymmetric cryptography and conform a so-called normal distribution. Or else everyone will be statistically detected and...

[Gavin Andresen]

So every bitcoin connection must use asymmetric cryptography and conform a so-called normal distribution. Or else everyone will be statistically detected and...

Preventing that type of statistical network analysis attack is what Tor and i2p are for.  If you require that level of anonymity, run bitcoin via a proxy to communicate over those networks.

[jgarzik]

Latest gnutella release adds support for UPNP and NAT-PMP... 

[Matt Corallo]

Bump as the pull is finally proper.  Comments?

[sebastian]

Voted "Off by default".

Reason: Since UPnP is something which can open incoming holes in a firewall, I think it should be off by default, and IF some user, which knows the consequences of enabling it, can enable it.

The reason is that Bitcoin in a such case will be very responsible for that computer's main security, if it has access to disable the firewall in a router (which UPnP is). For example, lets say there comes a exploit that allows someone to send a specifically crafted packet to bitcoin client on port 8333, and cause the bitcoin client to push out a UPnP packet opening arbiritary ports on the router. Dont give bitcoin too much abilities by default.

Also have safeguards in place that makes sure bitcoin CANNOT send out UPnP packets if its disabled in the interface. In other words, check in many places that UPnP is enabled before allowing a UPnP through, in many places, so even if a hacker manage to bypass a UPnP check via a exploit, there will be numerous other checks that needs to be bypassed too.

Read more here about the security consequences of UPnP:
http://www.grc.com/sn/sn-003.htm

And more here about how good security devices NAT:es are:
http://www.grc.com/nat/nat.htm

[Luke-Jr]

More FUD. UPnP is not a security problem. NAT is not a security mechanism. If someone can exploit Bitcoin to send arbitrary packets, UPnP support is not going to make it much easier. UPnP is a hack to fix a hack (NAT). Neither should have ever existed, but UPnP brings things back to how they are supposed to be normally.