レナート   PID EINS!   ﻟﻴﻨﺎﺭﺕ

Wed, 26 Jul 2006

ZeroConf in Ubuntu

(Disclaimer: I am not an Ubuntu user myself. But I happen to be the lead developer of Avahi.)

It came to my attention that Ubuntu is discussing whether to enable Zeroconf/Avahi in default installations. I would like to point out a few things:

The "No Open Ports" policy: This policy (or at least the way many people interprete it) seems to be thought out by someone who doesn't have much experience with TCP/IP networking. While it might make sense to enforce this for application-level protocols like HTTP or FTP it doesn't make sense to apply it to transport-level protocols such as DHCP, DNS or in this case mDNS (the underlying protocol of Zeroconf/Avahi/Bonjour):

All three protocols, DNS, DHCP and mDNS, require a little bit of trust in the local LAN. They (usually) don't come with any sort of authentication and they all are very easy to forge. The impact of forged mDNS packets is clearly less dangerous than forged DHCP or DNS packets. Why? Because mDNS doesn't allow you to change the IP address or routing setup (which forged DHCP allows) and because it cannot be used to spoof host names outside the .local domain (which forged DNS allows).

Enforcing the "No Open ports" policy everywhere in Ubuntu would require that both DNS and DHCP are disabled by default. However, as everybody probably agrees, this would be ridiculous because a standard Ubuntu installation couldn't even be used for the most basic things like web browsing.

Oh, and BTW: DNS lookups are usually done by an NSS plugin which is loaded by the libc into every process which uses gethostbyname() (the function for doing host name resolutions). So, in effect every single process that uses this function has an open port for a short time. And the DNS client code runs with user priviliges, so an exploit really hurts. dhclient (the DHCP client) runs as root during the entire runtime, so an exploit of it hurts even more. Avahi in contrast runs as its own user and chroot()s.

It is not my intention to force anyone to use my software. However, enforcing the "No Open Ports" policy unconditionally is not a good idea. Currently Ubuntu makes exceptions for DHCP/DNS and so it should for mDNS.

I do agree that publishing all kinds of local services with Avahi in a default install is indeed problematic. However, if the "No Open Ports" policy is enforced on all other application-level software, there shouldn't be any application that would want to register a service with Avahi.

Starting Avahi "on-demand" is not an option either, because it offers useful services even when no local application is accessing is. Most notably this is host name resolution for the local host name. (Hey, yeah, Zeroconf is more than just stealing music.)

Remember: Zeroconf is about Zero Configuration. Requiring the user to toggle some obscure configuration option before he can use Zeroconf would make it a paradox. Zeroconf was designed to make things "just work". If it isn't enabled by default it is impossible to reach that goal.

Oh, and I enabled commmenting in my blog, if anyone wants to flame me on this...

posted at: 20:59 | path: /projects | permanent link to this entry | comments


It should be obvious but in case it isn't: the opinions reflected here are my own. They are not the views of my employer, or Ronald McDonald, or anyone else.

Please note that I take the liberty to delete any comments posted here that I deem inappropriate, off-topic, or insulting. And I excercise this liberty quite agressively. So yes, if you comment here, I might censor you. If you don't want to be censored you are welcome to comment on your own blog instead.


Lennart Poettering <mzoybt (at) 0pointer (dot) net>
Syndicated on Planet GNOME, Planet Fedora, planet.freedesktop.org, Planet Debian Upstream. feed RSS 0.91, RSS 2.0
Archives: 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013

Valid XHTML 1.0 Strict!   Valid CSS!