<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- #BeginTemplate "../../../openslp.dwt" -->
<!--
Pristine 1.0
Design copyright Matt Dibb 2006
www.mdibb.net
Please feel free to use and modify this template for use on your site. I dont mind
if you use it for your personal site or a commercial site, but I do insist that it is
not sold or given away in some "50,000 Templates!" package or something like that.
-->
<head profile="http://www.w3.org/2005/10/profile">
<meta http-equiv="Content-Language" content="en-gb" />
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" />
<link rel="stylesheet" type="text/css" href="../../../site.css" />
<link rel="stylesheet" type="text/css" href="../../../print.css" media="print" />
<link rel="alternate" type="application/rss+xml" title="OpenSLP…Recent Activity" href="http://www.sourceforge.net/export/rss2_keepsake.php?group_id=1730" />
<link rel="alternate" type="application/rss+xml" title="OpenSLP…News" href="http://www.sourceforge.net/export/rss2_projnews.php?group_id=1730" />
<link rel="alternate" type="application/rss+xml" title="OpenSLP…File Releases" href="http://www.sourceforge.net/api/file/index/project-id/1730/mtime/desc/limit/20/rss" />
<link rel="alternate" type="application/rss+xml" title="OpenSLP…Reviews" href="http://www.sourceforge.net/projects/openslp/reviews_feed.rss" />
<link rel="shortcut icon" href="../../../images/openslp_favicon_256color_48px.ico" />
<!-- #BeginEditable "Page%20Style%20and%20Scripts" -->
<!-- #EndEditable -->
<!-- #BeginEditable "Page%20Title" -->
<title>OpenSLP Programmers Guide - Security</title>
<!-- #EndEditable -->
</head>
<body>
<div id="content">
<div id="header">
<a href="http://openslp.org/">
<img src="../../../images/openslp_logo_web_color_150px.jpg" alt="" /></a>
</div>
<div id="body">
<!-- #BeginEditable "Left%20Navigation%20-%20Context%20Specific" -->
<!-- #EndEditable -->
<div id="links">
<p><a href="../../../index.html">About</a><br/>
what is openslp</p>
<p><a href="../../../download.html">Download</a><br/>
how to get openslp</p>
<p><a href="../../../contribute.html">Contribute</a><br/>
how to help out</p>
<p><a href="../../../documentation.html">Documentation</a><br/>
how to find out more</p>
<p><a href="../../../credits.html">Credits</a><br/>
who to blame</p>
<p><a href="http://sourceforge.net/projects/openslp"><img src="http://sflogo.sourceforge.net/sflogo.php?group_id=1730&type=2" alt="Get OpenSLP at SourceForge.net. Fast, secure and Free Open Source software downloads"/></a></p>
</div>
<div id="main">
<!-- #BeginEditable "Page%20Content" -->
<h2>Writing Secure SLP Enabled Applications<br />
<span id="breadcrumbs"><a href="index.html">OpenSLP Programmer's Guide</a> » Misc. Information » <a href="Security.html">Writing Secure SLP Enabled Applications</a></span></h2>
<h3>Introduction</h3>
<p>Major changes were made to the OpenSLP 0.8.x codebase to add
SLPv2 message authentication support for OpenSLP 0.9.0.
Until this time, there were no plans to ever implement SLPv2
security due to the ideas expressed in a internal Caldera
document entitled "OpenSLP and SLPv2 Authentication". The
document (<a href="../../security/openslp_security_whitepaper.html">full
text available</a>) mostly references and draws conclusions
from discussion from the srvloc@srvloc.org mailing list.
The following is the concluding paragraphs of the document.</p>
<blockquote><i>For those that are not willing to endure the tedium of reading
the entire mailing list discussion, the conclusion was eventually made (at
least by the author) that though SLP authentication may be appropriate in
some specialized SLP deployments, it is probably not beneficial in normal
network computer environments. This conclusion is based on the following
premises:</i></blockquote>
<ul>
<li><i>Implementation of SLP authentication in the absence of public key
infrastructure standards would require enough manual configuration to invalidate
all claims SLP has to increased usability.</i></li>
<li><i>Common helper protocols DNS, DHCP, IP, even ARP are currently insecure for
usability reasons. SLP fits into this category of protocols where lack of
security may be considered a feature when it allows for maximal usability.</i></li>
<li><i>Given the lack of security in the above mentioned (and other) protocols
self-established authentication of end to end communication is required anyway
for secure communication of network software entities.</i></li>
<li><i>In the presence of appropriate end to end security mechanisms, SLP related
security attacks are limited to the realm of "denial of service" or
"disruptions" -- even when no authentication is implemented in SLP. In other
words there is not a risk of compromise of confidential information that can be
attributed to SLP as long as appropriate end to end security is established.</i></li>
</ul>
<p><i>So, for the OpenSLP project, there are not any plans to implement
SLPv2 security. (This may change in the future depending on the
success of ongoing PKI standardization efforts.) There are, however,
many things that could be done to reduce opportunities for "denial of service
attacks" or other malicious SLP related disruptions. These will be
addressed in future versions of OpenSLP. Also, in order to
inform developers about the importance of writing secure applications, plans
have been made to include an SLP Security HOWTO as part of the
OpenSLP Documentation.</i></p>
<p>The existence of SLPv2 authentication in OpenSLP <b>does not </b>
eliminate the need to provide secure end-to-end
communication for service specific protocols (read the
<a href="../../security/openslp_security_whitepaper.html">
full text</a> of the paper if you don't know what I'm
talking about here). OpenSLP security does not do any good
at all if the authentication, integrity, and/or privacy of
service specific communication weak.</p>
<h3>Who should read this document?</h3>
<p>If you are a developer that writes SLP enabled software, you
should read this document. If you are a system or network
administrator that is concerned with how to setup and
maintain secure SLP installations, you should read
<a href="../UsersGuide/Security.html">the Security section of the OpenSLP Users guide</a>.</p>
<p>*** PLEASE BE PATIENT UNTIL I GET SOME TIME TO WRITE THE REST OF THIS DOCUMENT ***</p>
<p id="breadcrumbs0">Prepared by: <a href="http://www.calderasystems.com">Caldera Systems Inc</a><br />
Maintained by: <a href="http://www.openslp.org/">openslp.org</a></p>
<!-- #EndEditable -->
</div>
</div>
<div id="footer">
Copyright © 2011 <a href="http://www.openslp.org/">openslp.org</a>. All Rights Reserved.<br/>
Design by <a href="http://www.mdibb.net" title="Website of Matt Dibb">Matt Dibb</a>
2006. <a href="http://jigsaw.w3.org/css-validator/check/referer" title="Validate CSS">CSS</a>
<a href="http://validator.w3.org/check/referer" title="Validate XHTML">XHTML</a>
<br/>Courtesy of <a href="http://www.openwebdesign.org">Open Web Design</a>
& <a href="http://seo-services.us">seo</a>
</div>
</div>
</body>
<!-- #EndTemplate -->
</html>
distrib
>
Mageia
>
7
>
armv7hl
>
media
>
core-release
>
by-pkgid
>
7f3cf0ce551979d4886ecd4fa3b092cf
>
files
>
47
