/usr/share/doc/openslp-doc/html/ProgrammersGuide/Security.html is in openslp-doc 1.2.1-11.

This file is owned by root:root, with mode 0o644.

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="GENERATOR" content="Mozilla/4.76C-CCK-MCD Caldera Systems OpenLinux [en] (X11; U; Linux 2.4.2 i686) [Netscape]">
   <title>OpenSLP Programmers Guide - Security</title>
</head>
<body text="#000000" bgcolor="#FFFFFF" link="#0000EF" vlink="#51188E" alink="#FF0000">

<h1>
Writing Secure SLP&nbsp;Enabled Applications
<hr WIDTH="100%"></h1>

<h3>
Introduction</h3>
Major changes were made to the OpenSLP 0.8.x codebase to add SLPv2 message
authentication support for OpenSLP 0.9.0.&nbsp; Until this time,
there were no plans to ever implement SLPv2 security due to the ideas expressed
in an internal Caldera document entitled "OpenSLP and SLPv2 Authentication".&nbsp;
The document (<a href="openslp_security_whitepaper.html">full text
available</a>) mostly references and draws conclusions from discussion
on the srvloc@srvloc.org mailing list.&nbsp; The following are the
concluding paragraphs of the document.
<br>&nbsp;
<blockquote><i>For those that are not willing to endure the tedium of reading
the entire mailing list discussion,&nbsp; the conclusion was eventually
made (at least by the author) that though SLP authentication may be&nbsp;
appropriate in some specialized SLP deployments, it is probably not beneficial
in normal network computer environments.&nbsp;&nbsp;&nbsp; This conclusion
is based on the following premises:</i></blockquote>

<ul>
<ul>
<li>
<i>Implementation of SLP authentication in the absence of public key infrastructure
standards would require enough manual configuration to invalidate all claims
SLP has to increased usability.</i></li>

<li>
<i>Common helper protocols DNS, DHCP, IP, even ARP are currently insecure
for usability reasons.&nbsp;&nbsp; SLP fits into this category of protocols
where lack of security may be considered a feature when it allows for maximal
usability.</i></li>

<li>
<i>Given the lack of security in the above mentioned (and other) protocols,
self-established authentication of end to end communication is required
anyway for secure communication of network software entities.</i></li>

<li>
<i>In the presence of appropriate end to end security mechanisms,&nbsp;
SLP related security attacks are limited to the realm of "denial of service"
or "disruptions" -- even when no authentication is implemented in SLP.&nbsp;&nbsp;
In other words there is not a risk of compromise of confidential information
that can be attributed to SLP as long as appropriate end to end security
is established.</i></li>
</ul>
<i></i>
<p><br><i>So, for the OpenSLP project, there are not any plans to implement
SLPv2 security.&nbsp;&nbsp; (This may change in the future depending on
the success of ongoing PKI standardization efforts.)&nbsp;&nbsp; There
are, however, many things that could be done to reduce opportunities for
"denial of service attacks" or other malicious SLP related disruptions.&nbsp;&nbsp;
These will be addressed in future versions of OpenSLP.&nbsp;&nbsp;&nbsp;
Also, in order to inform developers about the importance of writing secure
applications, plans have been made to include an SLP&nbsp;Security HOWTO
as part of the OpenSLP&nbsp;Documentation.</i></ul>
The existence of SLPv2 authentication in OpenSLP <b>does not</b> eliminate
the need to provide secure end-to-end communication for service specific
protocols (read the <a href="openslp_security_whitepaper.html">full
text</a> of the paper if you don't know what I'm talking about here).&nbsp;
OpenSLP&nbsp;security does not do any good at all if the authentication,
integrity, and/or privacy of service specific communication is weak.
<br>&nbsp;
<h3>
Who should read this document?</h3>
If you are a developer who writes SLP enabled software, you should read
this document.&nbsp; If you are a system or network administrator who
is concerned with how to set up and maintain secure SLP&nbsp;installations,
you should read the <a href="../UsersGuide/Security.html">Security section
of the OpenSLP&nbsp;Users guide.</a>
<br>&nbsp;
<br>&nbsp;
<p>*** PLEASE&nbsp;BE&nbsp;PATIENT&nbsp;UNTIL&nbsp;I&nbsp;GET&nbsp;SOME&nbsp;TIME&nbsp;TO&nbsp;WRITE&nbsp;THE&nbsp;REST&nbsp;OF&nbsp;THIS&nbsp;DOCUMENT
***
</body>
</html>