New ZeroConf Spec
Patrick McFarland
diablod3 at gmail.com
Sun Jul 23 03:16:30 BST 2006
On Saturday 22 July 2006 19:46, Dan Kegel wrote:
> On 7/22/06, Patrick McFarland <diablod3 at gmail.com> wrote:
> > > > > http://www.securityfocus.com/infocus/1859 describes how to turn
> > > > > IPsec on between two OpenBSD machines, and it doesn't sound too
> > > > > bad. Could we set up Avahi to ignore any incoming packets that were
> > > > > not protected by IPSec, but let every other service use plain old
> > > > > non-IPSec packets? That might be easier than cobbling up an
> > > > > authentication method just for Zeroconf.
> > > >
> > > > Probably not without a firewall to do that filtering for you... and
> > > > setting up IPSec.
> > >
> > > Yes. And I'm saying that's the kind of thing we'd have
> > > to do (automatically, behind the scenes) to make it
> > > safe to deploy Avahi.
> >
> > Wait, Ubuntu can automatically do IPsec? How?
>
> Can't now, but I can imagine doing a limited automatic setup
> just for Avahi. It would prompt for a "network password" at installation
> time, and then secure only Avahi packets with IPSec. It would be
> really dumb, but might suffice to keep the neighbor kid from spoofing
> a printer (or worse) on you.
That printer example doesn't work for devices that are internet appliances...
such as printers that provide SMB printer services and plug directly into the
network (i.e., not requiring a host computer). They, obviously, don't do IPsec.
> - Dan
--
Patrick McFarland || www.AdTerrasPerAspera.com
"Computer games don't affect kids; I mean if Pac-Man affected us as kids,
we'd all be running around in darkened rooms, munching magic pills and
listening to repetitive electronic music." -- Kristian Wilson, Nintendo,
Inc, 1989