Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proxy SSDP #56

Open
mike-joseph opened this issue Jul 25, 2021 · 1 comment
Open

Proxy SSDP #56

mike-joseph opened this issue Jul 25, 2021 · 1 comment

Comments

@mike-joseph
Copy link

Thanks for a great and straightforward solution to this problem space!

One issue I have, however, is how the responses for SSDP/DIAL are handled. A client on VLAN A (192.168.1.0/24) might multicast an SSDP/DIAL search, with its normal unicast source IP (192.168.1.100:34534 -> 239.255.255.250:1900). The relay retransmits this search as-is and an interested IOT device on VLAN B (192.168.2.0/24) responds from its unicast IP to the original unicast source IP (192.168.2.154:59423 -> 192.168.1.100:34534). The problem is that a stateful firewall handling traffic between the VLANs has not "seen" the original request (because it is not application-aware for SSDP/DIAL) and therefore the response is disallowed unless all traffic is permitted from the IOT VLAN to the client VLAN, but that is not really desirable.

I think this problem could be resolved by changing the relay's behavior with respect to SSDP/DIAL to allow a "proxy" mode in which the relay enqueues the SSDP request and transmits a new request on the forwarding VLANs using its own IP as the source. The relay could forward unicast responses back to the original client's unicast IP. Since SSDP/DIAL responses include the Location field inside the protocol message, the source IP of the reply shouldn't matter to the client. When the client attempts to connect to the IOT device at the Location address, the firewall can see this as an authorized user->IOT connection and track it appropriately.

Thoughts?

@vvd170501
Copy link
Contributor

Hi @mike-joseph!

You may try using the --ssdpUnicastAddr option (with an address belonging to VLAN B).
With this option enabled, the relay treats SSDP packets almost as you described, except that the source IP of a SSDP response is not modified. This may or may not be an issue, depending on your firewall configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants