Post by cprabhudesai on Jul 29, 2019 15:15:03 GMT
Reading about Service Discovery in Section 8.4 (Redfish 1.6.1) and Section 12.4 (Redfish 1.7.0), it seems that they are identical and mention the following: My question is, given the security concerns around SSDP, I was wondering if there are other supported discovery mechanisms for Redfish, and whether using other common Service Discovery Protocols is permissible by the spec.
Best, Chinmay
Post by mraineri on Jul 30, 2019 18:23:17 GMT
Would it be possible to please cite the security concerns around SSDP? Most of the issues we've reviewed before have been UPnP specific, and have nothing to do with SSDP. The only security concern we've seen specific to SSDP is its use for DDoS attacks, but those tend to be mitigated by settings on switches to not propagate responses to the victim.
Post by cprabhudesai on Aug 2, 2019 16:27:48 GMT
mraineri, Thanks for your response. That's correct, I should have been more specific in my question that my concerns were around DoS/DDoS attacks; I did not find any other vulnerabilities either. Since the committee has evaluated and decided on SSDP, I'm sure you must have evaluated it well. I'm fairly new to this, so I wasn't aware of solutions to avoid such attacks by configuring the switches correctly (I do understand that preventing a DoS/DDoS without hampering support for valid users is more complex, and that's not the premise of my question). I would, however, like to know if there are other SDPs that might be supported, e.g. DNS-SD/zeroconf.
Best, Chinmay
Post by mraineri on Aug 5, 2019 12:15:29 GMT
At the moment there are not any other discovery protocols that we've agreed upon. However, if there's a desire for something other than SSDP, we can discuss it internally to see if it's something we can incorporate.
Post by francine on Sept 11, 2020 15:30:45 GMT
Post by jautor on Sept 15, 2020 20:54:05 GMT
Hi Francine,
The Zeroconf addressing is an earlier step to the service discovery process. We discussed this today and as we've already got "AddressOrigin" in the IPv4 and IPv6 Address objects, it would be simple to add "AutoConfig" (or similar) as another possible value for AddressOrigin.
Then we'd need to add a property or two to EthernetInterface to show support and allow configuration of the Auto-configuration (Zeroconf) functionality.
Would that provide an answer to your use case?
Jeff
Post by ratagupt on Oct 29, 2020 14:05:31 GMT
@mike jautor: OpenBMC also supports DNS-SD/zeroconf (Avahi) for service discovery. There should be a way to enable/disable the mdns-sd service in Redfish.
Post by josephreynolds1 on Oct 29, 2020 15:17:11 GMT
Post by mraineri on Oct 29, 2020 15:17:48 GMT
Since those are non-standard discovery methods, they would require the usage of OEM properties to enable/disable that.