Analysis: Put out the welcome mat for UPnP

Back in May, I began looking into Universal Plug and Play, a specification that allows home network devices to self-discover, self-configure and communicate easily with one another. While the specification shows great promise on paper, the politics behind its adoption are puzzling.

On the one hand, the UPnP spec is relatively old, completed in 1999. The UPnP Forum enjoys support from more than 460 computer and consumer electronics companies, including titans Intel Corp., Microsoft Corp., Sony Corp. and Koninklijke Philips Electronics NV, which serve on its steering committee.

Yet, not many hardware vendor members have written the spec into their products. Even odder, at the recent Connections 2002 home networking conference in Dallas, Salim AbiEzzi, UPnP architect and Microsoft lead program manager, Windows Networking, gave a UPnP presentation that focused mainly on UPnP Version 2.0.

Now Version 2.0 is at least two or three years away, and isn't backwards compatible with Version 1.0. Microsoft is building Version 2.0 to work with its .Net services, which are not only far off but also have a fuzzy role in the home. The audience was clearly confused: Why care about Version 1.0, when Microsoft is pushing Version 2.0 so hard? Will it abandon support for 1.0, people wondered?

Since then, I've found some answers. The UPnP specification comprises several definitions, specific code written for each type of device to communicate with the others. Though the base spec has been finished since 1999, several definitions are now in various stages of development for Internet gateways (a definition that encompasses broadband modems and gateways and routers), printers, scanners and audio-visual gear. The first to be completed, Internet Gateways, allows UPnP-compliant applications like Microsoft's Messenger, NetMeeting, and many of its games to work through NAT routers and firewalls (a feature called NAT traversal).

D-Link Corp. stands out as the only small office/home office (SOHO) network vendor to support the Internet Gateway definition in a broad range of routers, broadband modems and gateways. Linksys provides UPnP in a few broadband routers and switches, while NetGear Inc., SMC Networks Inc. and others promise support but are dragging their feet. Why? D-Link manufactures its own products, and OEMs its products to other vendors. Some others rely on other Taiwan original device manufacturers who aren't educated about or don't want to invest in UPnP or deal with Microsoft. And those vendors who already have NAT traversal built into their products see no value.

Also important, two security flaws discovered in Microsoft's implementation of UPnP's Internet Gateway definition last fall gave the entire spec a black eye. Even though they've both been patched (so to speak), many are still nervous about using UPnP to control traffic passing through a firewall.

"The first UPnP implementations don't have proper safeguards for network security," says Tim Higgins, who runs a site dedicated to SOHO networking.

"I don't like that UPnP will open ports in a user's firewall without either asking permission or telling the user that ports have been opened," he says. "A lot of the implementation is up to the application, which must be made UPnP-aware, and is responsible for both opening the ports and closing them when it's done. If an application crashes before it can close the ports, the UPnP device, such as a router, will leave the ports open until the application closes them again, or someone reboots the router."

D-Link and Linksys Group Inc. are aware of the problem and say their UPnP routers are shipped UPnP-enabled, but the ports are closed unless you put a UPnP-enabled device on the LAN side of the network. "The router will automatically open the correct ports on the LAN side for the device to work," a Linksys spokesperson explains. "This doesn't cause a security risk because the router does not open or has no open ports on the WAN side unless you open them yourself."
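The failure mode Higgins describes, a port mapping that outlives the application that created it, can be checked from the gateway's own mapping table. The following is an added example, not part of the original article or any vendor's code: it parses constructed GetGenericPortMappingEntry responses (field names come from the Internet Gateway definition's WANIPConnection service; the addresses, ports, descriptions and the `live_hosts` set are made up) and flags entries that have no lease or whose internal client is no longer on the LAN.

```python
import xml.etree.ElementTree as ET

# Constructed sample: bodies of two GetGenericPortMappingEntry responses,
# shaped as a UPnP Internet Gateway returns them (all values are made up).
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
    '<NewProtocol>{proto}</NewProtocol><NewInternalPort>{ext}</NewInternalPort>'
    '<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
    '<NewLeaseDuration>{lease}</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)
SAMPLE_RESPONSES = [
    TEMPLATE.format(ext=6891, proto="TCP", client="192.168.0.20", desc="msgr", lease=0),
    TEMPLATE.format(ext=5060, proto="UDP", client="192.168.0.31", desc="voip", lease=3600),
]

def parse_mapping(soap_xml):
    """Return the New* fields of one port-mapping response as a dict."""
    root = ET.fromstring(soap_xml)
    # The New* arguments are un-namespaced; the SOAP wrapper elements are not.
    return {el.tag: (el.text or "") for el in root.iter() if el.tag.startswith("New")}

def audit(responses, live_hosts):
    """Flag mappings that can outlive the application that created them."""
    findings = []
    for xml_body in responses:
        m = parse_mapping(xml_body)
        reasons = []
        # A lease of 0 never expires: the mapping stays until it is
        # explicitly deleted or the router is rebooted.
        if m["NewEnabled"] == "1" and int(m["NewLeaseDuration"]) == 0:
            reasons.append("no lease: stays open until deleted or router reboot")
        # live_hosts is an assumed input, e.g. taken from the DHCP lease table.
        if m["NewInternalClient"] not in live_hosts:
            reasons.append("internal client not on LAN")
        if reasons:
            findings.append((int(m["NewExternalPort"]), m["NewProtocol"], reasons))
    return findings

if __name__ == "__main__":
    for port, proto, reasons in audit(SAMPLE_RESPONSES, live_hosts={"192.168.0.20"}):
        print(port, proto, "; ".join(reasons))
```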

Even with the bad publicity, In-Stat/MDR analyst Mike Wolf points out, "There's not all that much interest [in UPnP] right now. Consumers aren't asking for it, as they don't have any idea what it is."

However, that's certain to change quickly as UPnP audiovisual equipment, printers and scanners become available in the coming months.

The printer spec will do away with printer device drivers once and for all. Attach the printer to the PC and it works. As compelling, UPnP will enable devices to print that never could before, like set-top boxes and PDAs. You can print documents from your handheld, or print program guides off your TV. Pretty sweet.

The audiovisual spec will allow stereos with a built-in Ethernet port to play MP3 files from a networked PC. Today, Philips offers a shelf stereo system with an Ethernet port that lets you play Internet radio only (Model SW-I 1000). But in August, it will offer a UPnP-upgradable model (via Web download; MC-I 200) that will let you integrate the stereo into the home network, so you can play and send music from your PC.

According to a June report from Jupiter Media Metrix Inc. ("Jupiter Research Home Networking"), music will emerge as the surprise killer application for home networks. The report found that one-third of broadband users want to listen to their PC music files on a home stereo. And the only way to do this today is with UPnP.

Last, since Connections 2002, Microsoft has ceased evangelizing Version 2.0, and vaguely acknowledged that it may have contributed to the lackluster adoption of Version 1.0. At a recent UPnP steering committee meeting, Microsoft stated that UPnP Version 1.0 is the standard for the foreseeable future and will be supported in current and future versions of Windows. (Translated, I think this means Microsoft will build Version 1.0 into "Longhorn" - the next Windows version - not Version 2.0.) It added that vendors need to make their own decision between delivering a Version 1.0 product today or waiting what could be years to bring a Version 2.0 product to market.

Why the turnaround? According to Andrew Liu, UPnP Forum co-chairman of the marketing committee and business development manager at Intel, one reason could be that Microsoft "was getting whacked with its own standard." Initially, the company wasn't active in the AV group, and didn't add UPnP support for its Media Player. So the UPnP Forum helped MusicMatch add UPnP to its competing media player. As a result, Liu says, "Microsoft has announced support for Media Player and is playing catch up."