[mythtv] Proposed change to Network Communications

Derek Atkins warlord at MIT.EDU
Fri Mar 10 15:40:03 UTC 2017


OUCH!   NO...

Some of us actually have public IP addresses on our network!!

-derek

Peter Bennett <pgbennett at comcast.net> writes:

> On 03/08/2017 11:46 AM, Gary Buhrmaster wrote:
>
>     Do not get me wrong, I think IPv6 is the now, and
>     IPv4 is legacy/dead.  But the myth protocol has been
>     regularly stated by the MythTV elders as not being
>     public Internet ready, and only with stateful protection
>     (or someone who knows how to configure firewall rules)
>     should one consider running the device on the public
>     Internet.  Changing the defaults to run IPv6 publicly
>     will require stepping up the other parts of the protocol
>     (one mitigation short of authentication might be to set
>     the TTL for the myth protocol to something like 3,
>     (just like DTCP-IP), which is more or less "in the
>     residence" for 98% of the users).
>     
> Thinking about this some more, I came up with an addition to the previous
> proposal.
>
> Keep the "Listen on all ip addresses" checkbox that I proposed.
>
> Whether or not "Listen on all ip addresses" is checked, check the sender of
> all incoming connections. If the sender is a public IP address, simply ignore
> the connection.
>
> Provide a checkbox labeled "NOT RECOMMENDED - Allow connections from the
> Internet". Default this to unchecked. When this is unchecked, only provide
> private ip addresses from the below list in the drop down boxes for IP
> address. When it is checked, provide all ip addresses in the drop down and
> bypass the sender ip address check.
>
> The following IP addresses are the private ip addresses that would be allowed.
> Everything else would be rejected.
>
> 192.168.0.0 - 192.168.255.255
> 172.16.0.0 - 172.31.255.255
> 10.0.0.0 - 10.255.255.255
> 127.0.0.1 (local loop-back)
> 169.254.0.0 - 169.254.255.255 (link-local)
> ::1 (local loop-back)
> fe80::/10 (link-local)
> fc00::/7 (unique local)
>
> For UDP - just ignore messages from ip addresses not on the list. As far as I
> can see, UDP is only used for one purpose in MythTV. In the frontend it is
> used for Airplay, where audio data is received and played. If you are playing
> some sound, somebody on the internet could send you some audio data if they
> spoof the sending address. The backend does not bind UDP so nothing could be
> sent to it via UDP.
>
> Peter
>
> _______________________________________________
> mythtv-dev mailing list
> mythtv-dev at mythtv.org
> http://lists.mythtv.org/mailman/listinfo/mythtv-dev
> http://wiki.mythtv.org/Mailing_List_etiquette
> MythTV Forums: https://forum.mythtv.org

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
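Peter's proposed sender check, written out here as an added illustration in Python (not MythTV code, which is C++/Qt): the function names `sender_allowed` and `normalise` and the sample peers are constructed for this example. It encodes the allowed ranges exactly as listed in the post, handles two cases a real listener hits (IPv4 peers reported as IPv4-mapped IPv6 on a dual-stack socket, and zone ids on link-local senders), and the last sample peer shows Derek's objection: a LAN host that holds a public address is rejected under the default policy.

```python
import ipaddress

# The ranges Peter's proposal would allow by default, taken from the post.
# Kept as data so the policy is one table rather than scattered conditionals.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),      # local loop-back, as listed
    ipaddress.ip_network("169.254.0.0/16"),    # link-local
    ipaddress.ip_network("::1/128"),           # local loop-back
    ipaddress.ip_network("fe80::/10"),         # link-local
    ipaddress.ip_network("fc00::/7"),          # unique local
]


def normalise(addr):
    """Parse a peer address; unwrap IPv4-mapped IPv6 and strip zone ids.

    A listener bound to all addresses on a dual-stack host reports IPv4
    peers as ::ffff:a.b.c.d, which would otherwise match none of the IPv4
    entries and be dropped.  Zone ids (fe80::1%eth0) are removed so that
    link-local senders still match fe80::/10.
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def sender_allowed(addr, allow_internet=False):
    """Return True if a connection or datagram from `addr` should be accepted.

    allow_internet mirrors the proposed "NOT RECOMMENDED - Allow connections
    from the Internet" checkbox: when set, the sender check is bypassed.
    """
    if allow_internet:
        return True
    try:
        ip = normalise(addr)
    except ValueError:
        return False  # unparsable peer address: drop rather than guess
    return any(ip in net for net in ALLOWED_NETWORKS)


if __name__ == "__main__":
    # Constructed sample peers: a LAN host, an IPv4 LAN host as seen by a
    # dual-stack socket, a link-local IPv6 neighbour, and a LAN host that
    # holds a public address (203.0.113.0/24 is a documentation range).
    for peer in ("192.168.1.20", "::ffff:10.0.0.5", "fe80::1%eth0", "203.0.113.7"):
        print(peer, "accepted" if sender_allowed(peer) else "rejected")
```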