New ZeroConf Spec

Dan Kegel dank at
Sat Jul 22 15:24:23 BST 2006

On 7/22/06, Hervé Fache <Herve at> wrote:
> Exactly my point: Avahi over SSL with some keys-based security layer
> would make me feel a lot more comfortable.
> But it is possible/easy enough on on peer-to-peer type of network
> service? Every machine would need to be given the public keys of all
> the other trusted machines on the network, in a secure way (USB
> key/floppy) AIUI.

How about having a "network password" which was known to all
authorized machines, and is used to validate all incoming avahi packets.
Sure, it's bad security, but maybe it's better than no security.
We'd have to make it easy to retrieve if the user forgot it,
which makes the security even worse.  For instance, we could
save it in a noisy image of the sort used by CAPTCHA filters,
and show that image on request.    It's total crap, but better than nothing.

And how about the suggestion in
that IPSec would help? describes how to turn IPsec
on between two OpenBSD machines, and it doesn't sound too bad.
Could we set up Avahi to ignore any incoming packets that were not
protected by IPSec, but let every other service use plain old non-IPSec packets?
That might be easier than cobbling up an authentication method just for
- Dan

More information about the ubuntu-devel mailing list