From: Audun T. <tor...@co...> - 2000-11-13 22:25:07

I've been looking at this and was thinking a firewall would be the right
approach for a home network too. However, what if you want to control any
of your devices from a remote location (I can think of lots of devices I'd
like to check in on when I'm outside the house)? I guess the multicast data
could be encrypted too, but that would quickly complicate things... are
there any plans to do this for UPnP 2.0?

/audun

> It is true that UPnP 1.0 does not offer any kind of native security
> features (this is being worked on in UPnP 2.0), but in the meantime,
> the default security for your home network (namely, a firewall of
> some sort) should be more than sufficient to protect your UPnP
> network. So, a valid answer to questions (2) and (3) below could be
> "a firewall".
>
> Is any home user out there *not* going to run a firewall? If they
> don't have one, then all of their machines are at risk, not just the
> UPnP devices.
>
> -Preston
>
> > UPnP v1.0 does not offer any kind of security.
> > Answers to your specific questions are below.
> >
> > > (1) discovery: how do you limit the broadcast of
> > > your exposed UPnP services
> > > to a target set of users?
> >
> > The UPnP v1.0 specification mandates that the
> > Time-To-Live (TTL) for the broadcast should be set to
> > 4, although Windows Millennium uses a TTL of 1. The
> > multicast address is administratively scoped, but I
> > don't think that will get used much. The UPnP SDK for
> > Linux uses a TTL value of 4 as the specification
> > states but offers no additional functionality.
> >
> > > (2) how do you prevent a hacker from using an
> > > exposed UPnP service without
> > > permission?
> >
> > Unfortunately, you cannot, at least with the base 1.0
> > protocols. If a control point can discover a device,
> > it can access it. Devices are free to implement
> > services that would perform authentication, but this
> > is not specified nor is anything like this
> > implemented in the UPnP SDK for Linux.
> >
> > > (3) how do you prevent a hacker from intercepting
> > > and munging a UPnP service
> > > transaction?
> >
> > Again, you cannot. The core UPnP 1.0 protocols do not
> > offer any way to validate that a request came from a
> > particular control point that is authorized to perform
> > the action.
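
Added example, not part of the original thread or of the UPnP SDK for Linux: Python showing the two scoping controls the messages above rely on, namely the multicast TTL from answer (1) and a check of captured SSDP announcements for senders outside the home subnet, which would mean discovery traffic is crossing the boundary the firewall is expected to enforce. The function names, addresses, USN values and the capture itself are constructed for illustration.

```python
import ipaddress
import socket
import struct


def make_announce_socket(ttl=4):
    """UDP socket whose multicast datagrams leave with the given TTL.

    4 is the value the thread attributes to the UPnP 1.0 spec; 1 (the
    Windows Millennium value) keeps announcements on the local link.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, struct.pack("B", ttl))
    return s


def parse_ssdp(datagram):
    """Return (start_line, headers) with header names upper-cased."""
    lines = datagram.decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def off_link_announcements(capture, local_net):
    """List (source, USN) for ssdp:alive NOTIFYs sent from outside local_net."""
    net = ipaddress.ip_network(local_net)
    found = []
    for src, datagram in capture:
        start, headers = parse_ssdp(datagram)
        if not start.startswith("NOTIFY ") or headers.get("NTS") != "ssdp:alive":
            continue
        if ipaddress.ip_address(src) not in net:
            found.append((src, headers.get("USN", "")))
    return found


def _notify(usn):  # constructed sample announcement, not captured traffic
    return ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            "NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
            f"USN: {usn}\r\n\r\n").encode("ascii")


CONSTRUCTED_CAPTURE = [  # (source address, datagram) pairs, all made up
    ("192.168.1.20", _notify("uuid:constructed-0001::upnp:rootdevice")),
    ("10.7.3.9", _notify("uuid:constructed-0002::upnp:rootdevice")),
    ("192.168.1.5", b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"),
]
```

Calling `off_link_announcements(CONSTRUCTED_CAPTURE, "192.168.1.0/24")` reports only the announcement from 10.7.3.9; the M-SEARCH is ignored because it is a query, not a device announcement.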