New ZeroConf Spec

Dan Kegel dank at kegel.com
Thu Jul 20 22:59:36 BST 2006


On 7/20/06, Florian Zeitz <Florian.Zeitz at gmx.de> wrote:
> > I don't use Avahi, so perhaps I've been misled. But according to what I
> > understand from descriptions on this mailing list, it will keep an open
> > listen on a known UDP port, accepting any packet fed to it, all of which
> > are capable of altering its knowledge of the Domain Name System. If all
> > of this is correct, then I don't know why we're arguing about whether it
> > has security issues or not: it is _trivial_ to demonstrate how DNS
> > poisoning can lead to serious problems for the unwary (and even the
> > wary) user.
> >
> Actually that is not the way I understood zeroconf, or at least not as
> the main point behind it. AFAIK its main purpose is to advertise
> services to other users on the network.

And to *receive* those advertisements, in a highly indiscriminate manner.
ANYBODY can advertise a service, even a rogue node.
And there is *no* security built into Avahi that can protect users from
accidentally using a rogue service offered by a compromised node on the local
network.
- Dan



More information about the ubuntu-devel mailing list