New ZeroConf Spec

Hervé Fache Herve at lucidia.net
Tue Jul 18 19:02:23 BST 2006


On 7/18/06, Ian Jackson <ian at davenant.greenend.org.uk> wrote:
> Loïc Minier writes ("Re: New ZeroConf Spec"):
> > On Mon, Jul 17, 2006, Ian Jackson wrote:
> > >  * avahi would be an additional piece of software exposed directly and
> > >    permanently to hostile network traffic initiated outside the [host]
> >
> >  I think the DHCP client was already mentioned.  Other software is
> >  permanently connected to Internet hosts, for example for network time
> >  updates, or to check for security updates.
>
> The ntp client and the software updater do not sit and listen
> constantly for incoming data from the network.  They only look for it
> when they are engaged in a query.  This makes them a much smaller
> target.  Of course, security problems in these do need to be worried
> about and fixed, but these programs are not as exposed as the kernel
> precisely because they aren't listening all of the time.
>
> Of course you can install an ntpd which _will_ listen all of the time,
> but it's not the default.
>
> >  One problem that has been mentioned multiple times in this discussion
> >  is "avahi exposed on the Internet" versus "avahi visible from my local
> >  network".
>
> It is not really possible for the system to tell reliably whether its
> ethernet interface is exposed to the Internet or is only on `a local
> network' (whatever that might mean, but presumably something with less
> hostile traffic).

In some cases, it is: 10.0.0.0/24 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16

> If it were possible to tell and the intent is to treat `friendly local
> network' differently from `direct connection to global Internet via eg
> DSL' or `unsecured ad-hoc wifi' or whatever, then this should be
> explained in the spec, obviously: the spec should say how the
> different things will be distinguished and how they will be treated.
>
> Sebastian Dröge writes ("Re: New ZeroConf Spec"):
> > avahi only listens on interfaces that have the MULTICAST flag set by
> > default which is from what I know almost never (unless manually set) the
> > case for internet interfaces.
>
> For avahi to work on any interface, it must listen on that interface.
> The technical details of how this is enabled, which include setting
> any relevant flags including enabling multicast, are not really very
> relevant, are they ?
>
> The proposal in the new ZeroConf spec is to provide an easy way for
> the user to enable avahi including setting the appropriate interface
> flags etc., and all of the security ramifications of all of the
> relevant system changes should be considered.
>
> Ian.
>
> --
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>


-- 
In a world without walls and fences, who needs Windows and Gates?

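As an added example (not avahi's code and not part of the ZeroConf spec or of anyone's message above), the following Python puts the two heuristics raised in this thread side by side: the MULTICAST interface flag that Sebastian mentions and the address-range test that Hervé proposes, using the RFC 1918 private blocks as defined in that RFC (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) plus the RFC 3927 link-local block 169.254.0.0/16. The `ip -o link show` and `ip -o -4 addr show` text it parses is constructed for illustration; the interface names and addresses are invented (the public ones come from the RFC 5737 documentation ranges). The dual-addressed `eth1` case is there to show Ian's point that the answer is only a hint: an interface carrying both a private and a globally routable address, or a private address behind a router that forwards ports, cannot be told apart from a friendly LAN by address alone.

```python
"""Per-interface decision for an mDNS responder such as avahi, combining
the two heuristics from the thread: the MULTICAST interface flag and
whether the interface's IPv4 addresses fall in private (RFC 1918) or
link-local (RFC 3927) ranges.

Added example, not avahi's or the ZeroConf spec's own logic. The
`ip -o link show` / `ip -o -4 addr show` text below is constructed.
"""
import ipaddress
import re

# RFC 1918 private blocks plus RFC 3927 IPv4 link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ..."
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>")
# "2: eth0    inet 192.168.1.5/24 brd ..." (ppp lines read "inet A peer B/32")
ADDR_RE = re.compile(r"^\d+:\s+(?P<name>\S+)\s+inet\s+(?P<addr>\d+(?:\.\d+){3})")

# Constructed sample output: loopback, a LAN NIC, a DSL PPP link without
# MULTICAST, and a NIC carrying both a private and a public address.
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: ppp0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 3\\    link/ppp
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: ppp0    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp0\\       valid_lft forever preferred_lft forever
4: eth1    inet 10.1.2.3/24 brd 10.1.2.255 scope global eth1\\       valid_lft forever preferred_lft forever
4: eth1    inet 198.51.100.20/28 brd 198.51.100.31 scope global eth1\\       valid_lft forever preferred_lft forever
"""


def parse_links(text):
    """Map interface name -> set of flags, from `ip -o link show` output."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m.group("name")] = set(m.group("flags").split(","))
    return links


def parse_addrs(text):
    """Map interface name -> list of IPv4 address strings, from `ip -o -4 addr show`."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group("name"), []).append(m.group("addr"))
    return addrs


def is_local(addr):
    """True if addr (str or IPv4Address) is RFC 1918 private or RFC 3927 link-local."""
    a = ipaddress.ip_address(str(addr))
    return any(a in net for net in LOCAL_NETS)


def decide(link_text, addr_text):
    """Return {iface: (verdict, reason)} with verdict "allow" or "deny".

    Loopback is skipped: no other host can reach it, so there is nothing to
    decide. The verdict is a hint only: a private address behind NAT still
    receives whatever the router forwards, and a public address may well be
    on a LAN. Any doubt (no address, mixed addresses) resolves to "deny".
    """
    links, addrs = parse_links(link_text), parse_addrs(addr_text)
    verdicts = {}
    for name, flags in links.items():
        if "LOOPBACK" in flags:
            continue
        if "MULTICAST" not in flags:
            verdicts[name] = ("deny", "interface lacks MULTICAST flag")
            continue
        ifaddrs = addrs.get(name, [])
        if not ifaddrs:
            verdicts[name] = ("deny", "no IPv4 address configured")
            continue
        public = [a for a in ifaddrs if not is_local(a)]
        if public and len(public) < len(ifaddrs):
            verdicts[name] = ("deny", "mixed private and public addresses: "
                              + ", ".join(ifaddrs))
        elif public:
            verdicts[name] = ("deny", "globally routable address: " + ", ".join(public))
        else:
            verdicts[name] = ("allow", "private/link-local addresses only: "
                              + ", ".join(ifaddrs))
    return verdicts


if __name__ == "__main__":
    for iface, (verdict, reason) in sorted(decide(SAMPLE_LINKS, SAMPLE_ADDRS).items()):
        print(f"{iface:6} {verdict:5} {reason}")
```

On a live system the two strings would be the output of `ip -o link show` and `ip -o -4 addr show`; the parsing only looks at the start of each line, so the trailing `\ link/...` and `valid_lft` fields are ignored. The point of the `eth1` sample is that both heuristics pass individually and the decision still has to fall back to "deny", which is the gap Ian's objection describes.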
