Automatic discovery of managed devices supporting the Redfish Scalable Platform Management API may be accomplished using the Simple Service Discovery Protocol (SSDP). This protocol allows for network efficient discovery without resorting to ping-sweeps, router table searches, or restrictive DNS naming schemes. Use of SSDP is optional, and if implemented, shall allow the user to disable the protocol through the 'Manager Network Service' resource.
My question is: given the security concerns around SSDP, are there other supported discovery mechanisms for Redfish? Is using another common service discovery protocol permissible under the spec?
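As an added example (not code from the Redfish specification or the DMTF), a small Python client-side helper: it builds the M-SEARCH described in the spec, parses a constructed reply, accepts only answers that carry the Redfish ST and an AL pointing back at the responding host, and gives the PATCH body for turning SSDP off. The sender-address check, the NetworkProtocol resource name and the `SSDP`/`ProtocolEnabled` property names are assumptions; the sample reply and its UUID are constructed.

```python
from typing import Optional
from urllib.parse import urlparse

# Search target (ST) for Redfish, from the specification's SSDP discovery section.
REDFISH_ST = "urn:dmtf-org:service:redfish-rest:1"

def build_msearch(mx: int = 2) -> bytes:
    """Build the M-SEARCH a Redfish client multicasts to locate managers."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: 239.255.255.250:1900",
        'MAN: "ssdp:discover"',
        f"ST: {REDFISH_ST}",
        f"MX: {mx}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_ssdp_response(raw: bytes, sender_ip: str) -> Optional[dict]:
    """Return service-root details from a unicast SSDP reply, or None when it is
    not a usable Redfish answer (bad status, wrong ST, missing AL). Assumption,
    not spec text: the AL host must equal the responding address."""
    head = raw.decode("ascii", errors="replace").partition("\r\n\r\n")[0]
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    if headers.get("ST") != REDFISH_ST or "AL" not in headers:
        return None
    if urlparse(headers["AL"]).hostname != sender_ip:  # discard spoofed/redirected AL
        return None
    return {"service_root": headers["AL"], "usn": headers.get("USN", ""), "address": sender_ip}

def ssdp_disable_patch() -> dict:
    """PATCH body for a manager's NetworkProtocol resource that turns SSDP off
    (object and property names assumed from the ManagerNetworkProtocol schema)."""
    return {"SSDP": {"ProtocolEnabled": False}}

# Constructed sample reply (address and UUID are made up for this example).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"ST: urn:dmtf-org:service:redfish-rest:1\r\n"
    b"USN: uuid:00000000-0000-4000-8000-000000000001::urn:dmtf-org:service:redfish-rest:1\r\n"
    b"AL: http://192.0.2.10/redfish/v1\r\n"
    b"\r\n"
)
```

A reply whose AL names a host other than the one that sent it is dropped, which is the client-side counterpart to the switch-level filtering mentioned below for reflected SSDP traffic.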
Would it be possible to please cite the security concerns around SSDP? Most of the issues we've reviewed before have been UPnP specific, and have nothing to do with SSDP. The only security concern we've seen specific to SSDP is using it for DDoS attacks, but those tend to be mitigated by settings on switches to not propagate responses to the victim.
Thanks for your response. That's correct, I should have been more specific in my question that my concerns were around DoS/DDoS attacks; I did not find any other vulnerabilities either. Since the committee has evaluated and decided on SSDP, I'm sure you must have evaluated it well.
I'm fairly new to this, so I wasn't aware of solutions to avoid such attacks by configuring the switches correctly (I do understand that preventing a DoS/DDoS without hampering support for valid users is more complex, and that's not the premise of my question).
I would, however, like to know if there are other SDPs that might be supported, e.g. DNS-SD/Zeroconf.
At the moment there are not any other discovery protocols that we've agreed upon. However, if there's a desire for something other than SSDP, we can discuss it internally to see if it's something we can incorporate.
The Zeroconf addressing is an earlier step to the service discovery process. We discussed this today and as we've already got "AddressOrigin" in the IPv4 and IPv6 Address objects, it would be simple to add "AutoConfig" (or similar) as another possible value for AddressOrigin.
Then we'd need to add a property or two to EthernetInterface to show support and allow configuration of the Auto-configuration (Zeroconf) functionality.