by WirelessGigabit 1044 days ago
> It also tries to open a UPnP port forward on your router, but fails on mine because the key names are jumbled:

This should fail on any router as you should have UPnP disabled.

I mean UPnP is a horrible spec but it’s a stop gap for restoring the fundamental capability of internet-connected devices in residential settings. All p2p apps (Tailscale for instance) need to act as a server temporarily and allow incoming traffic. Without the capability you’re a second class citizen, so to say. It’s infantilizing the user.

Now, you can of course open the ports yourself, but this is inaccessible to the vast majority of users due to undiscoverable, inconsistent and complicated UX. Most people don’t know what a port is.

Tailscale uses STUN. No need for me to map ports. https://tailscale.com/kb/1082/firewall-ports/
Yeah they use several techniques but it includes UPnP if available.

> $ tailscale netcheck

> […] * PortMapping: UPnP

Let me tell you about family members that have a Mac because "they don't want the hassle of a Windows laptop". They also don't want the hassle of not having UPnP; that setting is going to be turned on whether you know better or not.
> Let me tell you about family members that have a mac because "they don't want the hassle of a windows laptop".

They are not wrong. E.g., it amazes me how much pain and suffering Microsoft expects users to endure just to use a printer. It is not lost on my stepmother that her Windows machine has endless problems setting up and printing to her Brother laser printer, but her iPhone just sees it without having to be told.

If Microsoft embraced CUPS and Apple wrote Vulkan drivers, society would probably look like that "The world if" meme: https://knowyourmeme.com/memes/the-world-if
Printer companies sabotage printers. If you go through the standard Windows route (Devices > Add > Printer) you'll get most printers working quickly and reliably. In fact, if you plug in a USB cable, the printer will most likely Just Work (TM) after a few seconds of driver fetching.

They want you to use their shitty apps and shitty software, though. HP is the worst at this (they cover up the USB port, and will only allow you a limited number of prints before you need to activate the printer through an app).

Windows has plenty of printer problems (like its print spooler that needs a serious security overhaul which would break loads of printers) but the worst of it only seems to show up if you follow the manual and install the crapware, including apps, that printer manufacturers want to shovel onto your devices.

Disabling UPnP makes your system more secure, but unless you also disable all NAT ALGs in your router, you're still exposed to its dangers.

I don't think most routers have a setting for that, so if infected devices are part of your security model, it would be wise to assume NAT is entirely non-functional because of [NAT slipstream attacks](https://samy.pl/slipstream/). An infected device can modify the router's NAT table to effectively act like UPnP, except they don't provide a user interface for you to audit.

If you're NAT free (i.e. only use IPv6) disabling UPnP can be a decent security measure if you're willing to manually do all of your firewall exclusions, but honestly host firewalls are the only reliable protection method for most people these days.

Do you deny the need for UPnP entirely? This is a confusing statement.
What do you actually need it for? I’ve had it disabled for ages, have no port forwards defined and have never had any issues.
I have many devices at home and I can't be administering all the port forwards by hand, it would be a lot of work.
+1. I also have had it disabled for ages. What features am I missing out on? When I look at the UPnP docs it talks about uses for which I have other mechanisms.
VoIP and video calls have lower quality and higher latency without UPnP, since this often forces WebRTC to tunnel through a TURN server. Networks that have neither IPv6 nor UPnP are just broken.
Or you could use STUN and just send packets to a peer. Or use v6. Or anything from RFC 6544. The reason UPnP is popular is that so many home router vendors implemented it. If you have a real router, you have more options. As I pointed out, I have a real router and talk to people who have real routers that support things other than a 2008 version of UPnP.

Which is to say, you do not REQUIRE UPnP for WebRTC. But yes, if you have a crap router given to you by your ISP (looking at you, SBC and Comcast), then UPnP may be your best bet. My point is you don't NEED UPnP if you have a real router.

I should be saying... thx for bringing me up to speed on this. UPnP is obviously not something I spend a lot of time on.