river-dev mailing list archives

From Peter Firmstone <j...@zeus.net.au>
Subject Re: roadmap
Date Wed, 03 Feb 2010 03:07:34 GMT
This is why upnp ICD will remain a Home Gateway implementation in the 
near future:  Cisco doesn't support upnp.

Information from http://www.sbbi.net/site/upnp/index.html

Security problems

Some security problems have been found with some UPNP™ implementations ( 
guess who :o) ). Most of the security flaws are implementation 
independent and do not concern UPNPLib. However a DDOS attack can be 
achieved due to a protocol flaw. UPNPLib has been developed to not 
allow ( or at least limit ) such kinds of attacks. You can read more 
about it here <http://www.goland.org/Tech/upnp_security_flaws.htm>. The 
official MS bug report is here 
<http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx> and 
the security bulletin 
<http://www.eeye.com/html/Research/Advisories/AD20011220.html> from the 
company that discovered the issue.

UPNPLib is not concerned with these flaws; the future will tell if other 
UPNPLib security issues will be found.

Devices security

Another problem with UPNP™ is that there is no protocol built-in ACL to 
define who can access and send orders to UPNP™ devices.

UPNP™ forum came up with a solution 
<http://www.upnp.org/standardizeddcps/security.asp> to fix this issue 
but unfortunately we did not find devices compliant with this spec to 
integrate this ACL and security layer in the library. We hope we will be 
able to do it anytime soon with some other tools.

This means that this library will not work with devices implementing and 
using such security services.

Peter Firmstone wrote:
> Good call Gregg, an Apache v1.1 library for Upnp already exists, this 
> will be a good start: http://www.sbbi.net/site/upnp/index.html
> How's this for a Preferred order for publicly visible services:
>   1. Public Address
>   2. Upnp NAT - All the home routers
>   3. STUN TCP - The majority of Enterprise NAT / Firewalls
>   4. TURN TCP - Whatever is left over.
> Where / how should this integrate with secure JERI and the utility 
> services (DnsSdRegistrar, JeriUpnp, JeriRendezvous, JeriRelay), 
> Abstracted from any Service utilising it?
> Should it be an SPI?
> Cheers,
> Peter.
