レナート   Wunschkonzert, Ponyhof und Abenteuerspielplatz   ﻟﻴﻨﺎﺭﺕ

Wed, 26 Jul 2006

ZeroConf in Ubuntu

(Disclaimer: I am not an Ubuntu user myself. But I happen to be the lead developer of Avahi.)

It came to my attention that Ubuntu is discussing whether to enable Zeroconf/Avahi in default installations. I would like to point out a few things:

The "No Open Ports" policy: This policy (or at least the way many people interpret it) seems to be thought out by someone who doesn't have much experience with TCP/IP networking. While it might make sense to enforce this for application-level protocols like HTTP or FTP, it doesn't make sense to apply it to transport-level protocols such as DHCP, DNS or in this case mDNS (the underlying protocol of Zeroconf/Avahi/Bonjour):

All three protocols, DNS, DHCP and mDNS, require a little bit of trust in the local LAN. They (usually) don't come with any sort of authentication and they all are very easy to forge. The impact of forged mDNS packets is clearly less dangerous than forged DHCP or DNS packets. Why? Because mDNS doesn't allow you to change the IP address or routing setup (which forged DHCP allows) and because it cannot be used to spoof host names outside the .local domain (which forged DNS allows).

Enforcing the "No Open ports" policy everywhere in Ubuntu would require that both DNS and DHCP are disabled by default. However, as everybody probably agrees, this would be ridiculous because a standard Ubuntu installation couldn't even be used for the most basic things like web browsing.

Oh, and BTW: DNS lookups are usually done by an NSS plugin which is loaded by the libc into every process which uses gethostbyname() (the function for doing host name resolutions). So, in effect every single process that uses this function has an open port for a short time. And the DNS client code runs with user privileges, so an exploit really hurts. dhclient (the DHCP client) runs as root during the entire runtime, so an exploit of it hurts even more. Avahi in contrast runs as its own user and chroot()s.
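The claim that forged mDNS is less dangerous than forged DNS rests on two properties: Avahi only accepts mDNS datagrams that arrive from the local link, and an mDNS answer can only ever claim a name under .local. The script below is an added example, not Avahi code and not part of the original post; it applies exactly those two filters to mDNS responses. The `build_response` helper, the 192.168.1.0/24 subnet and the names and addresses are constructed for the example. The name decoder follows DNS compression pointers, so it parses real responses as well as the constructed ones.

```python
"""Filters a cautious mDNS client applies before trusting a response.

Added example, not Avahi code.  Two checks from the discussion:
  1. the datagram must come from the local subnet (mDNS is link-local);
  2. every answer must be for a name under .local, so a forged mDNS reply
     cannot impersonate a name outside that domain.
"""
import ipaddress
import struct

MDNS_GROUP = "224.0.0.251"   # mDNS IPv4 multicast group (checked at socket level, not here)
MDNS_PORT = 5353


def read_name(packet, offset):
    """Decode a DNS wire-format name at offset; follows compression pointers.

    Returns (name, offset_after_name).
    """
    labels = []
    end = None                      # set when the first pointer is followed
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, 14-bit offset
            pointer = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_answers(packet):
    """Return (flags, [(name, rtype, rdata), ...]) from the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", packet, 0)
    offset = 12
    for _ in range(qdcount):            # skip questions: QNAME, QTYPE, QCLASS
        _, offset = read_name(packet, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        answers.append((name, rtype, bytes(packet[offset:offset + rdlen])))
        offset += rdlen
    return flags, answers


def accept_mdns_response(packet, src_ip, local_cidr):
    """Apply both filters. Returns (accepted, reason, answers)."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(local_cidr):
        return False, "source not on local subnet", []
    flags, answers = parse_answers(packet)
    if not flags & 0x8000:               # QR bit clear: a query, not a response
        return False, "not a response", []
    bad = [name for name, _, _ in answers if not name.lower().endswith(".local")]
    if bad:
        return False, "answer for name outside .local: " + ", ".join(bad), []
    return True, "ok", answers


def build_response(name, ip):
    """Construct a minimal one-answer mDNS A-record response (sample data)."""
    header = struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0)   # QR=1, AA=1, one answer
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    # class 0x8001 = IN with the mDNS cache-flush bit, TTL 120, 4-byte rdata
    rr = struct.pack("!HHIH", 1, 0x8001, 120, 4) + ipaddress.ip_address(ip).packed
    return header + qname + rr


if __name__ == "__main__":
    net = "192.168.1.0/24"   # constructed local subnet
    print(accept_mdns_response(build_response("printer.local", "192.168.1.20"), "192.168.1.20", net))
    print(accept_mdns_response(build_response("www.example.com", "192.168.1.77"), "192.168.1.77", net))
    print(accept_mdns_response(build_response("printer.local", "192.168.1.20"), "203.0.113.5", net))
```

The second call shows the point of the post: a host on the local LAN can forge an A record for `www.example.com`, but an mDNS client that enforces the `.local` rule throws it away, so the forgery never leaves the `.local` namespace. The multicast destination (224.0.0.251, port 5353) is something the receiving socket enforces, not the parser.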

It is not my intention to force anyone to use my software. However, enforcing the "No Open Ports" policy unconditionally is not a good idea. Currently Ubuntu makes exceptions for DHCP/DNS and so it should for mDNS.

I do agree that publishing all kinds of local services with Avahi in a default install is indeed problematic. However, if the "No Open Ports" policy is enforced on all other application-level software, there shouldn't be any application that would want to register a service with Avahi.

Starting Avahi "on-demand" is not an option either, because it offers useful services even when no local application is accessing it. Most notably this is host name resolution for the local host name. (Hey, yeah, Zeroconf is more than just stealing music.)

Remember: Zeroconf is about Zero Configuration. Requiring the user to toggle some obscure configuration option before he can use Zeroconf would make it a paradox. Zeroconf was designed to make things "just work". If it isn't enabled by default it is impossible to reach that goal.

Oh, and I enabled commenting in my blog, if anyone wants to flame me on this...

posted at: 20:59 | path: /projects | permanent link to this entry | 37 comments


Posted by Ken VanDine at Wed Jul 26 22:38:39 2006
I agree with you completely and great work on avahi!  We ship Foresight Linux with avahi enabled by default and have received lots of positive feedback.

Posted by Chris Eagan at Wed Jul 26 23:11:23 2006
As an ubuntu user, I didn't even realize that I was missing out on using Zeroconf and Avahi. Seeing as ubuntu is supposed to be designed with zero configuration in mind, I feel this feature should just be there by default. No discussion required. BTW: How do I go about manually enabling these on my Dapper installation? It is still pretty easy even if not on by default, correct?

Posted by beza1e1 at Wed Jul 26 23:30:55 2006
sudo aptitude install avahi-daemon avahi-dnsconfd

That should do it for you, Chris.

I fully agree btw. Zeroconf is one of the coolest things in networking and Ubuntu doesn't ship it? I'm an Ubuntu user, but I can enable it myself.

Posted by matt at Wed Jul 26 23:34:00 2006
I too have been following this discussion for a bit. I have been keeping tabs on avahi for quite some time now, since I think it's an exciting technology. I think it's bad enough that rhythmbox in ubuntu (dapper) doesn't depend on avahi-daemon. This is really quite bad from a user standpoint, I mean, rhythmbox advertises DAAP sharing, and there's a preference pane to enable/disable it. The thing is it does nothing without avahi-daemon installed....and there's no info anywhere telling "regular" users to install it. This is just one example.

I would love to see avahi on by default with edgy (6.10) and would love to see it well integrated (ie: Gaim support, Nautilus support etc). It's really odd to see how this has progressed, considering Vino (the built in gnome vnc server for display :0) will, once the daemon is present, advertise its presence.

Regardless of how Ubuntu proceeds, keep up the excellent work. Avahi/mDNS is an idea whose time has come, and hopefully it gets embraced widely.

Posted by Dan Kegel at Wed Jul 26 23:51:58 2006
You wrote:
> The "No Open Ports" policy... (or at least the way many people interpret it) seems to be thought out by someone who doesn't have much experience with TCP/IP networking

Be careful who you call ignorant. Sure, DNS listens to the network. But mDNS (and the whole philosophy behind it) listens to and trusts the network more eagerly than DNS does. The window of vulnerability is quite a bit wider with mDNS.

> It is not my intention to force anyone to use
> [Avahi]. ...
> Starting Avahi "on-demand" is not an option ...

You're contradicting yourself there. It sounds like you want to force everyone to install Avahi and listen to mDNS packets, right?

Posted by Lennart at Thu Jul 27 00:10:17 2006
Dan:

First of all I didn't call anyone ignorant.

Second: DNS clients accept responses from every host on the Internet, regardless of the address of the DNS server the client sent the request to. This is by design. In contrast, mDNS traffic is not routable and Avahi doesn't accept mDNS data originating from hosts outside the local subnet. This makes it much harder to make it accept forged mDNS traffic from the Internet.

If you can forge DNS traffic you can redirect all websites on the Internet to your own sites. With mDNS you cannot do this. All you can forge is .local.

Both DNS and mDNS are insecure by design if they aren't used with any sort of authentication. The comparison which one is more dangerous is a waste of time. Just be fair:  mDNS should be treated much the same as traditional DNS when it comes to security policies.

Third: You are of course free to disable Avahi if you don't like it (and apparently you really don't). It's not exactly "forcing" if the user is free to disable and uninstall Avahi. I didn't say that Ubuntu should make Avahi such an integral part of the distribution that it cannot be removed/disabled anymore!

Posted by Dennis at Thu Jul 27 00:10:48 2006
dhclient doesn't run as root in Ubuntu :)

Posted by Lennart at Thu Jul 27 00:13:58 2006
Dennis: It doesn't? It does so on Debian (which is what I am using). I am sorry if I was unjust to Ubuntu.

Posted by Pete at Thu Jul 27 00:27:24 2006
From the discussion I have seen, it sounds like Avahi is not going to be included in the name of security.

I think what is going to happen is all the "EasyUbuntu" style tools are going to be adding a checkbox for this. "Make networking good". From there it will eventually get rolled into Ubuntu proper.

I don't have hopes for seeing this sort of usability in 6.10, but I can't believe people would allow it to be ignored past two releases. Hopefully someone with the right authority will get this figured out for Edgy.

Posted by Kurt Pfeifle at Thu Jul 27 00:57:45 2006
Thanks, Lennart!

Very well written pleading!

Avahi is not the only victim. Ubuntu's "no ports open!"-policy has also badly hurt CUPS, and considerably reduced out-of-the-box usability and comfort for users.

CUPS servers use UDP broadcasts to announce available and shared printers to their potential CUPS clients on the same LAN. CUPS clients use a setting of "Browsing On" in their cupsd.conf to make them notice these broadcast UDP announcements. Note that this setting on its own does not make a cupsd announce its own local printers (that would require additionally specifying "BrowseAddress"), and does not turn it into a CUPS server!

CUPS.org ships default config settings of "Browsing On" and BrowseAddress commented out. This makes perfect CUPS clients, which work out of the box, and enabling them to print with "zero configuration" (no printer installation required, no client installation necessary either) should they discover a CUPS server near them.

(Some GUI apps however stupidly and wrongly rely on a valid "client.conf" to tell them which CUPS server to use, and will still not see the printers. But an "lpstat -p" would show a list of available printers regardless. KDEPrint and kprinter will work out of the box as well. The "client.conf" file is meant for spoolerless printing, or for people who understand what they do; it is not meant by the CUPS developers to be the means for all clients to use.)

The justification of "no open ports!" was used to disable zero configuration printing for Ubuntu CUPS clients, and likewise, I'd say that reasoning was thought out by someone who didn't have much experience with CUPS networking at the time it was originally imposed.

And if this policy is kept up for much longer (now that the responsible people know better how CUPS really works), then they'll do it because they value a real life ease of use for their users less than they value some theoretical level of security. (Yes, it is a weighing+balancing between these two goals. Currently, the practical result is more like "you can't use your system for printing, but at least it is super-secure". Not something that will make world domination more easy...)

Cheers,
Kurt 
[ now expecting to be accused of calling other people "ignorant"... ]

Posted by Solarion at Thu Jul 27 02:16:42 2006
The only thing I can think of for excluding is the Windows UPNP vulnerability, which seems to be a similar system to ZeroConf.

Posted by Richard Godbee at Thu Jul 27 03:37:19 2006
The only real similarity between Zeroconf and UPnP is the use of the same IPv4 link-local addressing scheme in the absence of some other source of network configuration (DHCP server, manual settings, etc.).

See also:
http://www.zeroconf.org/ZeroconfAndUPnP.html

Posted by Thiago Macieira at Thu Jul 27 08:35:31 2006
> DNS clients accept responses from every host
> on the Internet, regardless of the address of
> the DNS server the client sent the request to.
> This is by design

This is not accurate. The DNS implementation in libresolv will connect(2) to the IP address of the destination server. This means it will accept only the reply coming from that IP address.

Whether that can be forged or not, it's another story. Though a simple "iptables" rule at your border firewall should do it.

mDNS, by contrast, simply cannot connect(2) to an IP address. It's been designed for a totally different purpose.
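Thiago's point about connect(2) is easy to see on a loopback interface. The script below is an added example, not libresolv or Avahi code: a connect()ed UDP client and a plain one both query the same server socket, and a third socket (the "stranger") injects a datagram at each client's port. The kernel delivers the injected datagram only to the unconnected client. Everything runs on 127.0.0.1 with OS-assigned ports, and the "query"/"answer"/"forged" payloads are constructed stand-ins, not DNS messages.

```python
"""Why a connect()ed UDP socket only sees datagrams from its peer.

Added example (not libresolv).  Two clients query one server; a stranger
socket then sends a datagram to each client.  The connected client's kernel
socket discards the stranger's datagram because its source address:port does
not match the peer given to connect(); the plain client receives both.
"""
import socket


def _recv(sock):
    """Receive one datagram, or None when the socket's timeout expires."""
    try:
        return sock.recv(64)
    except socket.timeout:
        return None


def udp_reply_filtering(timeout=0.3):
    """Return {"connected": [...], "plain": [...]}: the datagrams each client saw."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    stranger = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    connected = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    plain = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sockets = (server, stranger, connected, plain)
    for s in sockets:
        s.bind(("127.0.0.1", 0))     # loopback only, port chosen by the OS
        s.settimeout(timeout)
    server_addr = server.getsockname()

    # libresolv-style client: bind the socket to one peer, then send
    connected.connect(server_addr)
    connected.send(b"query")
    # naive client: no peer association, any source may deliver to it
    plain.sendto(b"query", server_addr)

    # the server answers both queries; the stranger injects into both clients first
    for _ in range(2):
        _query, client_addr = server.recvfrom(64)
        stranger.sendto(b"forged", client_addr)
        server.sendto(b"answer", client_addr)

    result = {}
    for label, sock in (("connected", connected), ("plain", plain)):
        seen = []
        while True:
            data = _recv(sock)
            if data is None:
                break
            seen.append(data)
        result[label] = seen
    for s in sockets:
        s.close()
    return result


if __name__ == "__main__":
    print(udp_reply_filtering())   # connected client sees only b"answer"
```

connect() checks the source address and port of each incoming datagram, nothing more: it rejects datagrams from a different host or port, not a datagram whose source address has been spoofed to look like the server's. It narrows the window Dan described rather than closing it, which is the "another story" Thiago leaves open.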

Posted by Murray Cumming at Thu Jul 27 09:18:32 2006
I have no idea about the technical pros and cons, but I really hope that Ubuntu find a way to use Avahi. It can make such a difference to the user experience. I lose a little more hope every time I have to type in a host name, IP address, or port number.

Posted by Loïc Minier at Thu Jul 27 10:19:11 2006
Just for the record, Rhythmbox in Debian "Recommends" avahi, which means it should get installed if you install Rhythmbox.  However, the maintainer of the task installing the GNOME desktop decided to only pull Rhythmbox, and not avahi-daemon.

So neither Ubuntu nor Debian has avahi in default installs.  You might get avahi automatically in Debian if you use a good enough package manager (aptitude for example), and install Rhythmbox separately.

Posted by Lennart at Thu Jul 27 12:46:08 2006
Thiago: you're right, libresolv does use connect(). Sorry for the confusion.

Posted by Andrew at Thu Jul 27 14:12:30 2006
The thing with the current "No open ports" policy is that a box with a default install, plugged in to a network but otherwise unused, has an extremely low profile for someone to attack.  Yes, when DNS lookups occur, traffic from foreign hosts is accepted.  Similarly, making an HTTP request to a foreign host requires processing bytes from them, and who knows what evil payload someone might have inserted into them -- but these things only happen when necessary (i.e. someone explicitly opens a bookmark in a web browser, or whatever).

I think the principle isn't so much about the technical details of what an "open port" is, as having the least possible things accessible for someone to attack.  If I were arguing to have Avahi enabled in the default install, I wouldn't do it by nitpicking about DNS and DHCP, but by arguing as convincingly as I could that Avahi represented a minimal risk, and then arguing that the benefits far outweigh the risk.

Meanwhile, I expect Ubuntu will keep doing its best to be secure by default.

Posted by Lennart at Thu Jul 27 14:32:15 2006
Andrew:

Quoting you: "but these things only happen when necessary"

Of course. The question is, what is considered "necessary"? Isn't Zeroconf as "necessary" as DHCP-based IP address configuration?

Posted by Eyal Oren at Thu Jul 27 15:31:12 2006
Lennart, did you mention your points on the ubuntu-devel list (I couldn't find it there)? That might be useful, since chances are that they don't read this blog.

Posted by Lennart at Thu Jul 27 15:44:53 2006
Eyal: I didn't, but someone apparently did:

https://lists.ubuntu.com/archives/ubuntu-devel/2006-July/019506.html

Posted by Nonnano at Thu Jul 27 17:16:01 2006
Valid points, nice post. Ubuntu (and other distro builders) have still a lot to learn about the importance of things being automatic AND what true security means (consistency, sound principles etc)

Posted by Franklin Angulo at Thu Jul 27 18:46:18 2006
I have problems printing with CUPS.
How do I fix this. Easy way.

thanks

Posted by Lennart at Thu Jul 27 18:53:53 2006
Franklin: Go and ask the CUPS developers! This is not CUPS support forum.

Posted by benito at Thu Jul 27 23:04:21 2006
I think the Ubuntu "No open ports!" policy is quite good and acceptable. Look at win**s: It does think for you, and configures many things automatically. But look at security: spyware, virus, etc...

Sometimes it's better to just type in a host/port and not make things happen automatically. The only problem I see with this is that it would need documentation which is not always there.

If Avahi is capable of preventing any access to our home network (e.g. not listening on the internet), then it would be great to include it. If not, it is not wise IMHO to include it just because of some more comfort.

You decide.

Posted by Cefiar at Fri Jul 28 04:04:59 2006
I think part of the "No Open Ports" Policy is really just to make sure that nothing that is enabled by default could allow something in. This is to stop something that "could" be added without being checked.

As you've mentioned with DHCP and DNS, there are exceptions to this, and that means they've been looked into and qualified as exceptions. I'd be sure it's just a matter of it being qualified so that it's not considered a risk. And even if you are the author and have looked into the effects yourself, you are looking at your own code, so you don't really have an independent viewpoint on this. For their own satisfaction, they need to have trust in the code. That really only comes from review and testing. That said, if you help them review the code, and show them you're willing to help, that will help engender the necessary trust.

That said, from a recent Windows install I watched, it ASKS you if you are directly connected to the internet, or you are on a private network, and sets things up accordingly. I'm starting to think that such a network config wizard (at startup, or configuration of a new connection) is becoming a necessity for Ubuntu (and other distributions). If you've got a live IP address, then stuff like Zero Config wouldn't be enabled (it'd still be installed, just not running on that interface), and if you are on a private network, then it could be enabled.

Posted by Martin Pitt at Mon Jul 31 19:22:55 2006
Let's get there, but not with a too fast pace:

https://lists.ubuntu.com/archives/ubuntu-devel/2006-July/019680.html

Posted by Matt Zimmerman at Thu Sep 21 20:10:48 2006
I addressed several of your points in the email thread on ubuntu-devel, and wasn't aware of this blog entry until now.  In the future, it would be better to participate in the discussion than to comment on it from afar, so that your points can be addressed directly.

Cheers...

Posted by Lennart at Sun Oct 1 20:41:45 2006
Matt: I am not an Ubuntu guy. I am not a member of their mailing lists. Hence it's not that easily possible to post there for me. In the respective mailing list thread my blog story was linked more than once, hence I see no problem with doing it the way I did. Please understand that I wasn't interested in taking part in a back-and-forth discussion on the Ubuntu ML. I am not an Ubuntu user, I don't know much about Ubuntu, so why should anyone listen to me when I discuss on the MLs as a "foreigner"?

I laid out my few points in this blog story, so that everyone could read it, regardless if he was an Ubuntu user or not. The points are relevant for non-Ubuntu people the same way as for Ubuntu people.

Posted by samantha at Thu Jan 11 10:12:55 2007
Just installed Edgy 6.10. Turned on ZeroConf in KDE. So how come I can't see printers in the printer config using it? How exactly can I see my Rendezvous printer using this setup. It sure isn't automatic or just turning on a single config. So what is all the fuss and how do I make this work?

Posted by Lennart at Fri Feb 2 21:08:36 2007
samantha: Right now upstream CUPS doesn't support Zeroconf/Bonjour/Avahi out of the box. Hence, please configure your printer the traditional way. See http://linuxprinting.org for more information.

Posted by Nina at Wed Apr 15 08:17:45 2009
I have a Macbook pro(leopard), and I've been hacked in the past. My knowledge of computers is outdated. Overall, is this 224.0.0.251 ok to see using little snitch taking into account my situation?
What other recommendations can anyone offer to secure my network/laptop? I had someone recently set up the network so no other computer could use it. Is this sufficient?
Thanks for your input.
Nina

Posted by spirals at Fri Apr 24 22:53:29 2009
So I just do not want something running that would connect to anything I do not OK so how in simple language do i turn this thing off throwing burst of messages about dropped packets when I bring my linux machine up stand alone (no Internet direct link) for security. 224.0.0.251 I do not want. ???

Posted by Renee at Sat May 16 08:56:36 2009
In summary, how can one protect themselves from their data being accessed when mdns shows the 224.0.0.251 using a mac book pro with leopard? Is there a software to resolve this issue? If so, any feedback would be appreciated.
Happy Computing,
Renee

Posted by irish at Sun Sep 6 13:34:57 2009
I disagree zeroconf usage !!! That's all

Posted by Mitur Binesderti at Tue Sep 7 02:02:41 2010
It's kind of ironic that your software "requir[es] the user to toggle some obscure configuration option" before it will work with Apple's version or anyone else that uses the .local domain.


It should be obvious but in case it isn't: the opinions reflected here are my own. They are not the views of my employer, or Ronald McDonald, or anyone else.

Please note that I take the liberty to delete any comments posted here that I deem inappropriate, off-topic, or insulting. And I exercise this liberty quite aggressively. So yes, if you comment here, I might censor you. If you don't want to be censored you are welcome to comment on your own blog instead.


Lennart Poettering <mzoybt (at) 0pointer (dot) net>
Syndicated on Planet GNOME, Planet Fedora, planet.freedesktop.org, Planet Debian Upstream. feed RSS 0.91, RSS 2.0