Hello Lance. UPnP is mostly used for local discovery. However, it is not limited to local discovery, as recent vulnerabilities have shown [1]. It permits you to go as far out as IGMP allows you to go. In networks supporting IP-TV, IGMP is allowed in all routers from the home firewall all the way to the video servers.
So, if UPnP is to be used, it's important to define security measures to avoid undesired exposal of devices: For instance, only respond to UPnP requests from the local network, and ignore other types of requests. Sincerely, Peter Waher [1] http://leaksource.wordpress.com/2013/02/01/upnp-vulnerability-exposes-50-million-network-enabled-devices-to-be-hacked-controlled-remotely/ -----Original Message----- From: Lance Stout [mailto:[email protected]] Sent: den 20 maj 2013 13:51 To: XMPP Standards Subject: Re: [Standards] Using .well-known/ to supplement XEP-0156 On May 19, 2013, at 7:09 PM, Yusuke DOI <[email protected]> wrote: > > (2013-05-19 03:13), Peter Waher wrote: >> What about the UPnP method? Using SSDP? Creating some well defined >> UPnP Device interface for XMPP Servers & XMPP Clients, perhaps >> exposing the features of each device at the same time? Saves time as >> you don't have to do service discovery on each device. > > UPnP is not for browsers and I think this is not what Lance needs. Right, a .well-known/ document would be the easier/faster win since that uses technology readily available in browsers without the need for any plugins, and it follows the recent standards trends (POSH, Webfinger, BrowserID/Persona, etc). So I want to push to get that sorted out and standardized first. That said, I do like the idea of using UPnP, so Peter if you have ideas on what that would look like, please share. I'm not familiar enough with how it works yet. Is it only intended for local network discovery? -- Lance
