Nicolas Williams writes:
> On Thu, Aug 30, 2007 at 08:09:44PM +0200, Casper.Dik at Sun.COM wrote:
> >
> > >Norm Jacobs writes:
> > >> John Plocher wrote:
> > >> > Darren J Moffat wrote:
> > >> > Q: is there anything I could do to you or find out about you at this
> > >> > point, before any print jobs are sent?
> > >> NO
> > >
> > >Not quite true. You'll have an open UDP port to receive those SNMP
> > >replies. If a Bad Guy on the network can forge packets that cause
> > >your daemon to malfunction, then he can potentially get access to
> > >whatever privileges your daemon has.
> > >
> > >It's _at least_ the classic open-port problem.
> >
> > And it's detected in port scans which generally upsets customers.
>
> What if the software uses only "connected" UDP sockets? Will UDP
> datagrams sent to that port by nodes which are not the remote side of a
> connected UDP socket elicit an ICMP?
How are you going to use a "connected" UDP socket when the point of this
project is to _discover_ nodes on the network, and thus the daemon doesn't
already know what addresses those nodes have and cannot formulate a viable
connect() call?

This is a broadcast-query-listen-for-answers sort of mechanism, not a
direct query.

--
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
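The exchange above turns on what a "connected" UDP socket actually buys you. The following is an added illustration, not code from the thread or from the Solaris printing project: it binds a listener on loopback, has a known "peer" and a "stranger" send datagrams to it, and shows that the unconnected socket delivers both (which is what a broadcast-discovery listener needs, and also why the port is exposed to anyone who can reach it), whereas after connect() the kernel delivers only the peer's datagrams and silently drops the stranger's. The sockets, ports and payloads are constructed for the demo; the filtering behaviour assumed is the standard BSD/Linux UDP 4-tuple match.

```python
import socket

LOOPBACK = "127.0.0.1"  # all traffic stays on the local host


def _udp_socket(timeout=0.5):
    """Create a UDP socket bound to an ephemeral loopback port (constructed for the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOPBACK, 0))
    s.settimeout(timeout)
    return s


def _drain(sock, peer_addr):
    """Read every queued datagram until the receive timeout fires.

    Returns a sorted list of labels ("peer" or "stranger") for the source of
    each datagram that the kernel actually delivered to this socket.
    """
    seen = []
    while True:
        try:
            _data, src = sock.recvfrom(1024)
        except socket.timeout:
            return sorted(seen)
        seen.append("peer" if src == peer_addr else "stranger")


def compare_udp_filtering():
    """Compare what an unconnected and a connected UDP listener receive.

    Returns {"unconnected": [...], "connected": [...]} listing the senders
    whose datagrams were delivered in each phase.
    """
    listener = _udp_socket()
    peer = _udp_socket()       # the node the listener later connect()s to
    stranger = _udp_socket()   # any other host on the network
    try:
        listener_addr = listener.getsockname()
        peer_addr = peer.getsockname()
        results = {}

        # Phase 1: unconnected listener. Discovery ("broadcast a query, listen
        # for answers from addresses we do not yet know") needs exactly this,
        # and it means any sender can reach the daemon's receive path.
        peer.sendto(b"discovery-reply", listener_addr)
        stranger.sendto(b"forged-or-unwanted", listener_addr)
        results["unconnected"] = _drain(listener, peer_addr)

        # Phase 2: connect() fixes the remote 4-tuple. Datagrams from anyone
        # else no longer match this socket; with no other socket bound to the
        # port they are dropped (and on most stacks answered with ICMP port
        # unreachable to the sender, which a port scan still notices).
        listener.connect(peer_addr)
        peer.sendto(b"discovery-reply", listener_addr)
        stranger.sendto(b"forged-or-unwanted", listener_addr)
        results["connected"] = _drain(listener, peer_addr)
        return results
    finally:
        for s in (listener, peer, stranger):
            s.close()


if __name__ == "__main__":
    print(compare_udp_filtering())
```

The demo makes Carlson's objection concrete: the connected socket only helps once the peer's address is already known, so it cannot be the socket that collects discovery replies, and the listener that can collect them is by construction reachable from every host on the segment.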
