[mythtv] Proposed change to Network Communications

Peter Bennett pgbennett at comcast.net
Thu Mar 9 21:35:58 UTC 2017



On 03/08/2017 11:46 AM, Gary Buhrmaster wrote:
> Do not get me wrong, I think IPv6 is the now, and
> IPv4 is legacy/dead.  But the myth protocol has been
> regularly stated by the MythTV elders as not being
> public Internet ready, and only with stateful protection
> (or someone who knows how to configure firewall rules)
> should one consider running the device on the public
> Internet.  Changing the defaults to run IPv6 publicly
> will require stepping up the other parts of the protocol
> (one mitigation short of authentication might be to set
> the TTL for the myth protocol to something like 3,
> (just like DTCP-IP), which is more or less "in the
> residence" for 98% of the users).
Thinking about this some more, I came up with an addition to the 
previous proposal.

Keep the "Listen on all ip addresses" checkbox that I proposed.

Whether or not "Listen on all ip addresses" is checked, check the sender 
of all incoming connections. If the sender is a public IP address, 
simply ignore the connection.

Provide a checkbox labeled "NOT RECOMMENDED - Allow connections from the 
Internet". Default this to unchecked. When this is unchecked, only 
provide private IP addresses from the below list in the drop down boxes 
for IP address. When it is checked, provide all IP addresses in the drop 
down and bypass the sender IP address check.

The following IP addresses are the private IP addresses that would be 
allowed. Everything else would be rejected.

192.168.0.0 - 192.168.255.255
172.16.0.0 - 172.31.255.255
10.0.0.0 - 10.255.255.255
127.0.0.1 (local loop-back)
169.254.0.0 - 169.254.255.255 (link-local)
::1 (local loop-back)
fe80::/10 (link-local)
fc00::/7 (unique local)

For UDP - just ignore messages from IP addresses not on the list. As far 
as I can see, UDP is only used for one purpose in MythTV. In the 
frontend it is used for AirPlay, where audio data is received and 
played. If you are playing some sound, somebody on the Internet could 
send you some audio data if they spoof the sending address. The backend 
does not bind UDP so nothing could be sent to it via UDP.

Peter
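The sender check proposed above, written out as an added example (this is not MythTV code and not part of Peter's message; the function and variable names are my own). It encodes the address list exactly as given in the mail, so 127.0.0.1 is kept as a single address even though the whole 127.0.0.0/8 block is loopback. The one point a practitioner will want that the list does not mention: a socket bound to the IPv6 wildcard with IPV6_V6ONLY off hands you IPv4 peers as IPv4-mapped IPv6 addresses (::ffff:192.168.1.20), which fall inside none of the IPv6 ranges listed, so the check must unwrap them first or it will reject every IPv4 client on a dual-stack listener.

```python
import ipaddress

# The private/local ranges from the proposal, as written there.
# 127.0.0.1 is listed as a single address, so it is kept as a /32.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fc00::/7"),
]


def normalize_peer(addr: str):
    """Parse a peer address string and unwrap IPv4-mapped IPv6.

    A listener bound to the IPv6 wildcard (with IPV6_V6ONLY off) sees IPv4
    clients as ::ffff:a.b.c.d. That form matches none of the IPv6 ranges in
    ALLOWED_NETWORKS, so the embedded IPv4 address is extracted and checked
    against the IPv4 ranges instead. Raises ValueError on unparseable input.
    """
    # Drop a zone index such as fe80::1%eth0 before parsing.
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def sender_allowed(addr: str, allow_internet: bool = False) -> bool:
    """Return True if a connection (or UDP datagram) from addr is accepted.

    allow_internet models the proposed "NOT RECOMMENDED - Allow connections
    from the Internet" checkbox: when set, the sender check is bypassed.
    """
    if allow_internet:
        return True
    try:
        ip = normalize_peer(addr)
    except ValueError:
        # Unparseable peer address: fail closed.
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def bindable_addresses(candidates, allow_internet: bool = False):
    """Filter local addresses for the IP-address drop-down.

    Only private/local addresses are offered unless the Internet checkbox
    is set, mirroring the proposal's drop-down behaviour.
    """
    return [a for a in candidates if sender_allowed(a, allow_internet)]


if __name__ == "__main__":
    # Constructed sample peers: LAN, Internet, dual-stack mapped, scoped.
    for peer in ["192.168.1.20", "203.0.113.9", "::ffff:10.0.0.5",
                 "::ffff:203.0.113.9", "fe80::1%eth0", "2001:db8::1"]:
        print(f"{peer:24} allowed={sender_allowed(peer)}")
```

Note that accepting a private source address is not authentication: anything on the LAN (or anything that can spoof a UDP source, as the mail points out) still passes, which is why the mail keeps the Internet option marked as not recommended rather than treating the check as a substitute for one.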




