New ZeroConf Spec
dank at kegel.com
Sun Jul 23 00:46:50 BST 2006
On 7/22/06, Patrick McFarland <diablod3 at gmail.com> wrote:
> > > > http://www.securityfocus.com/infocus/1859 describes how to turn IPsec
> > > > on between two OpenBSD machines, and it doesn't sound too bad.
> > > > Could we set up Avahi to ignore any incoming packets that were not
> > > > protected by IPSec, but let every other service use plain old non-IPSec
> > > > packets? That might be easier than cobbling up an authentication
> > > > method just for Zeroconf.
> > >
> > > Probably not without a firewall to do that filtering for you... and
> > > setting up IPSec.
> > Yes. And I'm saying that's the kind of thing we'd have
> > to do (automatically, behind the scenes) to make it
> > safe to deploy Avahi.
> Wait, Ubuntu can automatically do IPsec? How?
Can't now, but I can imagine doing a limited automatic setup
just for Avahi. It would prompt for a "network password" at installation
time, and then secure only Avahi packets with IPSec. It would be
really dumb, but might suffice to keep the neighbor kid from spoofing
a printer (or worse) on you.