The UPnP Forum have this week released a Device Class Profile for setting up networks for inter-network operation and remote access. This is mainly to permit:
a) UPnP devices to work across multiple logical networks and
b) UPnP methods to be used for inter-network configuration
What is involved
The standard encompasses public-network-discovery mechanisms like STUN for determining the type of upstream NAT device in the Internet network and dynamic DNS for establishing the IP address for the main network’s fully-qualified Internet name. Some of these standards are implemented through VoIP setups to permit discovery of the VoIP network.
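The STUN step mentioned above is simple enough to show in code. The following is an added example, not code from the UPnP Forum profile or from any product: it builds an RFC 5389 Binding Request, parses a constructed Binding Success Response carrying an XOR-MAPPED-ADDRESS attribute, and compares the reflexive address with the socket's local address to decide whether an upstream NAT is in the path. The function names, the sample transaction ID and the 203.0.113.7 address (an RFC 5737 documentation range) are assumptions made for the example; the check that the reply's transaction ID matches our own request is the part a defender cares about, because a reply that fails it must not change the client's idea of its public address.

```python
import os
import socket
import struct

# RFC 5389 constants
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER = struct.Struct("!HHI12s")  # type, length, magic cookie, 96-bit transaction ID


def build_binding_request(txid: bytes = b"") -> bytes:
    """Client side: 20-byte Binding Request with a random transaction ID."""
    txid = txid or os.urandom(12)
    return HEADER.pack(BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def build_binding_success(txid: bytes, public_ip: str, public_port: int) -> bytes:
    """Server side (used here only to construct a sample reply): echoes the
    request's transaction ID and carries the reflexive address XOR-obfuscated
    with the magic cookie, as RFC 5389 specifies."""
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    # attribute: type, length, reserved byte, family (0x01 = IPv4), X-Port, X-Address
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return HEADER.pack(BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def parse_binding_success(msg: bytes, expected_txid: bytes) -> tuple:
    """Client side: validate the reply and recover (public_ip, public_port).
    Raises ValueError on anything that is not an answer to *our* request."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated STUN header")
    msg_type, length, cookie, txid = HEADER.unpack(msg[:HEADER.size])
    if cookie != MAGIC_COOKIE:
        raise ValueError("magic cookie mismatch")
    if txid != expected_txid:
        # an unsolicited or spoofed reply must not change our view of our own address
        raise ValueError("transaction ID does not match our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding success response: 0x%04x" % msg_type)
    body = msg[HEADER.size:HEADER.size + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) == 8:
            if value[1] != 0x01:
                raise ValueError("only IPv4 handled in this example")
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def is_behind_nat(local_ip: str, reflexive_ip: str) -> bool:
    """If the address the STUN server saw differs from the socket's local
    address, an upstream NAT is rewriting our packets."""
    return local_ip != reflexive_ip


if __name__ == "__main__":
    # Constructed sample exchange; nothing is sent on the network.
    txid = os.urandom(12)
    request = build_binding_request(txid)
    reply = build_binding_success(txid, "203.0.113.7", 54321)  # constructed reply
    ip, port = parse_binding_success(reply, txid)
    print("request bytes:", request.hex())
    print("reflexive address:", ip, port, "behind NAT:", is_behind_nat("192.168.1.20", ip))
```

Classic NAT-type classification (full cone, restricted, symmetric) needs several such exchanges against two server addresses; this block shows only the single reflexive-address lookup that every variant starts from.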
It also involves the establishment of secure VPN or DirectAccess (IPv6 over IPv4) tunnels between networks for this purpose. This doesn’t depend on a particular tunnelling method like PPTP, IPSec or SSL, but is more about establishing the tunnels between the networks.
There is also the establishment of UPnP “device relays” at each end of the tunnel so that UPnP entities (devices or services) in one network can be seen by similar entities in another network.
The standard also includes methods to permit replicated setup and teardown of devices and services between both networks. This would happen when the link is established or torn down or as UPnP devices come on line and go off line while the link is alive.
The access or client network can be a simple single-subnet private network such as a home network, small-business network or public-access network. Larger corporate networks can qualify if the firewall at the network’s edge doesn’t specifically exclude UPnP Remote Access.
The master network which the remote device is visiting must be a simple single-subnet private network such as a home network or small-business network. The remote access server can be part of the network-Internet “edge” device like the typical “VPN endpoint” router sold to small businesses, or can be a separate piece of hardware or software existing on that same network. In the latter case, the server would have to work properly with a UPnP-compliant router (which most routers sold through the retail channel are) and obtain the network’s outside IP address and set up port-forward rules through that same device.
The value of UPnP Remote Access with corporate networks needs to be assessed, both in the context of network security for high-value data as well as interaction with established VPN setups. This can also include issues like the “other” network gaining access to UPnP devices on the local network or particular devices or device classes being visible across the tunnel.
What needs to happen
This standard needs to permit the user to establish a simple yet secure credential-delivery method for the VPNs that extend these small networks. This may involve implementing methods similar to either the use of a PIN when pairing Bluetooth devices, “push-button” WPS-style configuration or, for “deploy then establish” setups, an email-based system similar to what is used to confirm user intent when people sign up for Internet forums and social networks; or other similar practices.
The latter situation would appeal to setups where, at one end of the link, there isn’t likely to be a regular client computer in place, such as CCTV and telemetry applications or remote servers.
Compliant systems may also need to support two or more different methods to cater for whether the logical networks are in the same building or afar; or for whether the user prefers to deploy the equipment then configure it remotely or configure all the equipment at one location before deploying it.
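The email-based “deploy then establish” method sketched above hinges on the confirmation token itself: it has to be bound to one device, expire, and be usable exactly once, otherwise a forwarded or replayed message enrols a device its owner never intended. The block below is an added example of such a token, written for this page and not taken from the UPnP profile or any vendor’s implementation. The token layout (HMAC-SHA256 over a device ID, expiry and nonce), the key, the device names and the timestamps are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, device_id: str, ttl_seconds: int, now: int = None) -> str:
    """Server side: mint a one-time enrolment token to send out of band (e.g. by email).
    The payload is device ID | expiry | random nonce, authenticated with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    payload = f"{device_id}|{now + ttl_seconds}|{secrets.token_hex(8)}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def redeem_token(key: bytes, token: str, device_id: str, used_nonces: set, now: int = None) -> bool:
    """Server side: accept the token only if it is authentic, unexpired, bound to
    the device that presents it, and has never been redeemed before."""
    now = int(time.time()) if now is None else now
    try:
        p64, m64 = token.split(".", 1)
        payload, mac = _unb64(p64), _unb64(m64)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False
    try:
        dev, exp_text, nonce = payload.decode().split("|")
        expiry = int(exp_text)
    except ValueError:
        return False
    if dev != device_id:       # token forwarded to a different device
        return False
    if now > expiry:           # stale email, link no longer valid
        return False
    if nonce in used_nonces:   # replay of an already-redeemed token
        return False
    used_nonces.add(nonce)
    return True


if __name__ == "__main__":
    # Constructed demo: a CCTV unit at a remote site confirming its enrolment.
    key = secrets.token_bytes(32)
    redeemed = set()
    tok = issue_token(key, "cctv-site-b", ttl_seconds=900)
    print("first redemption:", redeem_token(key, tok, "cctv-site-b", redeemed))
    print("replay:", redeem_token(key, tok, "cctv-site-b", redeemed))
```

The `used_nonces` set stands in for whatever persistent store the server keeps; it only needs to retain nonces until their expiry has passed, since `redeem_token` rejects expired tokens on its own.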
Why would this technology end up being useful
One main reason for this development would be to extend the UPnP technologies to VoIP setups. This would then allow homes and small businesses to benefit from corporate-class telephony setups like tie-lines, common phone books, logical extensions and the like, as well as easy-to-implement VoIP telephony.
Another application would be to enable access to existing UPnP devices in other locations. The common reason would be to benefit from multimedia content held at home from a hotel room or to synchronise such content between NAS boxes installed at home and a vacation property. Other applications that come to mind would include remote management of UPnP devices that are part of building control, safety and security such as central heating or alarm systems.
Parts of this standard may be implemented by router and remote-access software vendors as a way of establishing a “box-box” or “box-PC” VPN setup between two small networks like a home network and a small-office network. This could allow the small-business operator to benefit from the VPN setup that big businesses often benefit from, thus allowing for increased yet secure network flexibility.