<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Mozilla/4.76C-CCK-MCD Caldera Systems OpenLinux [en] (X11; U; Linux 2.4.2 i686) [Netscape]">
<title>OpenSLP Programmers Guide - Security</title>
</head>
<body text="#000000" bgcolor="#FFFFFF" link="#0000EF" vlink="#51188E" alink="#FF0000">
<h1>Writing Secure SLP Enabled Applications<hr WIDTH="100%"></h1>
<h3>Introduction</h3>
Major changes were made to the OpenSLP 0.8.x codebase to add SLPv2 message authentication support for OpenSLP 0.9.0. Until this time, there were no plans to ever implement SLPv2 security due to the ideas expressed in an internal Caldera document entitled "OpenSLP and SLPv2 Authentication". The document (<a href="openslp_security_whitepaper.html">full text available</a>) mostly references and draws conclusions from discussion from the srvloc@srvloc.org mailing list. The following are the concluding paragraphs of the document.<br>
<blockquote><i>For those that are not willing to endure the tedium of reading the entire mailing list discussion, the conclusion was eventually made (at least by the author) that though SLP authentication may be appropriate in some specialized SLP deployments, it is probably not beneficial in normal network computer environments. This conclusion is based on the following premises:</i></blockquote>
<ul><ul>
<li><i>Implementation of SLP authentication in the absence of public key infrastructure standards would require enough manual configuration to invalidate all claims SLP has to increased usability.</i></li>
<li><i>Common helper protocols DNS, DHCP, IP, even ARP are currently insecure for usability reasons. SLP fits into this category of protocols where lack of security may be considered a feature when it allows for maximal usability.</i></li>
<li><i>Given the lack of security in the above mentioned (and other) protocols self-established authentication of end to end communication is required anyway for secure communication of network software entities.</i></li>
<li><i>In the presence of appropriate end to end security mechanisms, SLP related security attacks are limited to the realm of "denial of service" or "disruptions" -- even when no authentication is implemented in SLP. In other words there is not a risk of compromise of confidential information that can be attributed to SLP as long as appropriate end to end security is established.</i></li>
</ul>
<i></i><p><br><i>So, for the OpenSLP project, there are not any plans to implement SLPv2 security. (This may change in the future depending on the success of ongoing PKI standardization efforts.) There are, however, many things that could be done to reduce opportunities for "denial of service attacks" or other malicious SLP related disruptions. These will be addressed in future versions of OpenSLP. Also, in order to inform developers about the importance of writing secure applications, plans have been made to include an SLP Security HOWTO as part of the OpenSLP Documentation.</i>
</ul>
The existence of SLPv2 authentication in OpenSLP <b>does not</b> eliminate the need to provide secure end-to-end communication for service specific protocols (read the <a href="openslp_security_whitepaper.html">full text</a> of the paper if you don't know what I'm talking about here). OpenSLP security does not do any good at all if the authentication, integrity, and/or privacy of service specific communication is weak.<br>
<h3>Who should read this document?</h3>
If you are a developer that writes SLP enabled software, you should read this document. If you are a system or network administrator that is concerned with how to set up and maintain secure SLP installations, you should read the <a href="../UsersGuide/Security.html">Security section of the OpenSLP Users guide.</a><br>
<br>
<p>*** PLEASE BE PATIENT UNTIL I GET SOME TIME TO WRITE THE REST OF THIS DOCUMENT ***
</body>
</html>