Re: GUPnP and Zones

From: Ludovic Ferrandis <ludovic ferrandis linux intel com>
To: Mark Ryan <mark d ryan linux intel com>
Cc: gupnp-list gnome org
Subject: Re: GUPnP and Zones
Date: Tue, 23 Apr 2013 17:38:32 +0200

Hi Mark,

On 22/04/2013 13:53, Mark Ryan wrote:

Hi All,

I've been thinking about security a bit lately, from the point of view
of the client and not the server.

Obviously, we don't want to run a DMS or a DMR on any Wifi Network we
connect to.  However, it occurs to me that we don't want to run the
control points on public networks either as doing so might introduce an
attack vector, i.e., someone could create a fake server that forces the
clients to  download and parse dodgy XML files. They could also send
dubious notify messages to the port opened up by the control point to
receive notifications.  I could be being over paranoid here, but it
seems to me that it's not safe to run any UPnP client on a public
network.  It's also a waste of resources to do so.

Now Rygel already partially addresses this issue.  It allows the user to
restrict its services to a list of network address or SSIDs.  As far as
I know, none of the clients, e.g., gupnp-av, dLeyna, allow users to
restrict their use in this way.    In addition, by default, Rygel's
trusted network list is blank which means that its services are
available on all connected network interfaces, unless the user
specifically changes this behaviour.

A solution to this problem discussed in the past was to take advantage
of zone support in the various context managers.  However, at the time
this support was only being discussed and had not been actually
implemented.  The good news now is that it seems that Network Manager,
in conjunction with firewalld, now support the concept of zones. (
http://lwn.net/Articles/484506/ ).

The question is, how can we take advantage of zone support in
GUPnP/Rygel/dLeyna.

One suggestion discussed on IRC was to do all the interface filtering in
GUPnP rather than in Rygel or the control points.  By default, GUPnP
would only expose contexts that belong to a whitelist of trusted zones,
e.g., "'trusted', 'home', 'work', and 'internal'", assuming zones are
supported by the underlying network manager.  However, this behaviour
could be overridden by clients by calling a new GUPnP API.  GUPnP
clients could restrict the network interfaces used by specifying a
combination of zones, ip address or SSIDs.  To quote from IRC

phako> so you can say eth0, zone "Home" and SSID MyCompanysWifi

Perhaps the default list of zones/interfaces could be overridden by a
compile time option to give distributions control over the default
behaviour.  Also, I think these strings, e.g., "trusted", might come
from firewalld and if you were using a different firewall you might want
to specify a different set of default zones.

So what do people think about this?  Does this seem like a sensible plan?

Regards,

Mark

_______________________________________________
gupnp-list mailing list
gupnp-list gnome org
https://mail.gnome.org/mailman/listinfo/gupnp-list

About Network Zone, I didn't read doc for now, but I hope we can workwith 'Network Zone predefined type' and not only with the Zone name.It will be a nightmare to manage with localization. But I think this isour least problem.

The main goal of Network Zone, it to manage the firewall rulesdifferently, depending of the 'Zone' selected.In case we are working with a network manager that support Network Zone,we don't have anything to do. I explain.


Everything could be done just by changing the firewall rules. Ex:

First case: 'Trusted' networks. All ports open, incoming & outgoing.Rygel could publish and dLeyna can discover and use DMS/DMR.

Second case: 'Public' networks. SSDP port closed (among others) and allincoming ports blocked. dLeyna won't be able to discover any DMS/DMR andRygel will not be seen outside the firewall.

Third case: 'Home' network. All outgoing port open, all incoming (exceptSSDP) port blocked. dLeyna could discover DMS/DMR, and will be able toestablish communication with DMS/DMR.

Fourth case: 'Work' network. All ports < 10000 open incoming & outgoing.SSDP will works, but if Rygel is using dynamic port attribution and runwith a port > 10000, we will be able to see it, but not to communicatewith it.

IMHO, Network Zone is a nice to have information, but we don't haveanything to do. We should let the firewall do it's job.At least, we need to work with the Network Manager team so they canmanage UPnP/DLNA rules in the firewall for the various predefined Zone.

The only case we should manage Network Zone, is for optimization, toprevent the DMS for ex to broadcast SSDP packet that will be blocked bythe firewall.But I'm not sure it worth the effort. We are going to add code andpotentially bugs, for a minimal gain.

This is off topic I think, but for system that don't have Network Zone,a new component could simulate it, in the simplest way, by associating aZone to a new interface. But that means a new daemon, UX, Storage... Notsure it worth the effort either.

There is also another way to provide some protection/privacy, it's byusing the Network Type information, eg, Ethernet, Wifi, 2/3/4G, etc...Maybe you don't want to run a DMC on a 2G network, but why not on a 4Gnetwork (if you have a unlimited data plan, you have sufficient bandwidth)

You want your DMS to run only on Ethernet network type.
...
This information could easily be made public.


Ludo

--
Ludovic Ferrandis
Open Source Technology Center
Intel Corporation

Follow-Ups:
- Re: GUPnP and Zones
  - From: Mark Ryan

References:
- GUPnP and Zones
  - From: Mark Ryan

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]