"box wants to make a Skype call with somebody,"
You can run skype without UPnP - so not going to be an issue. Worse case the call is just relayed if how skype punches hole does not work..
Because grandma's router these days most likely has UPnP disabled anyway, what grandma is going to figure out how to enable UPnP?
Here is article about udp hole punching - to be honest skype can be a pain to shutdown because of how it works.
And again - worse case calls are just done via relay.http://resources.inf...-hole-punching/ How Skype does it
Skype uses the UDP hole punching technique to allow communication between users who are behind NAT. However, Skype does not use a separate server to act as a third party host. Rather it uses its users computers to act as a third party host. Any client which has a publicly reachable IP can become the third party host. Hence this may increase the load on Skype’s users as they are responsible for initiating the connection between the users who are behind NAT. Sometimes UDP hole punching may not be possible due to various reasons like port randomization by the NAT. In the cases where UDP hole punching is not possible, the third party host (i.e., a Skype user’s system having a globally reachable IP address) is used to relay the whole communication between the users who are behind NAT.
edit: This protocol has been a plague from its get go.. No security, you don't auth you don't even have be identified -- unless vendor has put in its own controls on it anything can create a hole in your router. This allows for all kinds of nasty stuff to happen, you could have a web exploit that user goes to website - browser gets exploited and send upnp traffic to its router which then could open up ports, and they don't have to be to that box they could just be used to create your own onion router to bounce traffic for.
Nothing really saying that the traffic you forward has to be to an inside address, could be to another public IP.
There is a good paper on UPnP that was published on sane back in 2006 -- yes that was years after this garbage was allowed to infect the internet.. http://www.sane.nl/s...l-papers/R6.pdf
Now I agree there needs to be something simple for the common user to be able to let their software open up unsolicited traffic.. How about just simple PSK that is setup on the router, and then you can put that into the application that needs to open up traffic - the skype example. That is better than what is in play now.. You sure an the hell should not need to up traffic to anything other than requesting IP.
Just amazing that we are still dicking with this nonsense..