Apple seeks standard to appease angry university net managers

ATLANTA -- Under fire from its customers in the higher education market, Apple has proposed creating a new industry standard that would fix problems with its Bonjour zero configuration networking technology, which is causing scalability and security problems on campus networks.


Apple described how such a standard could be used at an Internet Engineering Task Force (IETF) meeting held in Atlanta this week. Apple and other vendors including Xirrus, Check Point and IBM support the idea of creating an IETF working group to improve network services like Apple's Bonjour and Linux Avahi, which use an existing IETF protocol called Multicast DNS (MDNS). The new working group would be called MDNS Extensions or MDNSext.

Bonjour is Apple's marketing name for zero configuration networking, which allows a MacBook user to easily log into a local network and find an available printer. Behind the scenes, Bonjour provides automatic address assignment, looks up the host name and delivers available network services.

Bonjour uses MDNS, which transports DNS queries in a zero configuration way but only across local networks, not campus or enterprise networks. When it is deployed on large networks - particularly wired and wireless networks run by universities - Bonjour creates a flood of MDNS traffic, causing headaches for network managers.

"We targeted Bonjour at home networks, but over the last 10 years Multicast DNS - what Apple calls Bonjour - has become very popular," said Stuart Cheshire, an Apple networking engineer who created Bonjour and wrote the MDNS specifications. "Every network printer uses Bonjour. TiVo, home video recorders and cameras use it. iPads and iPhones use it, and we are starting to get a lot of demand from customers that they won't be able to print from iPads to a printer in the next building."

Cheshire admitted that Apple is responding to demands from university network managers that the company fix Bonjour and related technologies such as AirPrint for printing over Wi-Fi networks and AirPlay for streaming audio and video so they will work better over enterprise networks.

In August, the Educause Higher Ed Wireless Networking Admin Group published an open petition to Apple seeking improved support for Bonjour, AirPlay and AirPrint on large, campus networks. The petition has 750 signatures.

The petition notes that Apple represents half of all devices on university networks. It cites increasing demand among campus users for Apple TVs that use AirPlay for presentations and personal use. It also cites increasing user demand for AirPrint from devices such as iPads.

"Limitations of Apple's Apple TV, Airplay and Bonjour technologies make it very difficult to support these scenarios on our standards-based enterprise networks," the petition said.

The higher ed community has asked Apple to fix several aspects of these technologies including: making Apple TVs accessible from Apple client devices across multiple IPv4 and IPv6 subnets; improving Bonjour so that it will work in a scalable way in large enterprise wireless and wired networks; adding support for wireless encryption and authentication methods to Apple TV; and the use of enterprise Authentication, Authorization and Accounting services for Apple devices including Apple TV.

In general, university network managers want Bonjour, AirPlay and AirPrint to be scalable to thousands of devices, to work with wired and wireless networks from different vendors, to not negatively impact network traffic, to be easily manageable on an enterprise scale and to be provided at a reasonable cost.

In response to some of these concerns, Cheshire proposed to the IETF that MDNS be changed to allow for small multicast domains to be created on a large network, without losing the zero configuration and service discovery features.

Cheshire pointed out that several vendors - Xirrus, Aruba, Cisco, Aerohive and Ruckus - are selling Bonjour proxy devices to help enterprise customers by relaying multicast traffic across large networks, but that these devices are making the multicast flooding problem worse.

"The software that already exists in Apple Bonjour and Linux Avahi has some wide-area capabilities. We have some tools to build with, but we have not put it together right," Cheshire said. "The question is whether there is interest in the IETF to step in and do it better."

Representatives of Xirrus, Cisco and Check Point said they were interested in seeing this work go forward at the IETF.

"We would much rather put our development efforts into a standard protocol," said Aaron Smith, Director of Software, Applications and Services at Xirrus. "We are really heavy into the education market; nearly half of our engagements are in K-12 or higher ed. We're very interested in this kind of approach, especially if Multicast DNS would work better on Wi-Fi."

"I fully support this work," said Check Point Fellow Bob Hinden. "It's a real problem today. It's going to be worse with multiple subnets in the home."

Kerry Lynn from the IEEE outlined the requirements for a new standard that would fix MDNS.

"We need to build something that's scalable, usable and deployable," Lynn said. "It needs to enable DNS-based service discovery across lots of links. It needs to work with both local and global use. And it needs to be scalable in terms of network traffic."

Thomas Narten, who works on Internet Technology and Strategy at IBM, led the discussion about creating an MDNSext working group. Narten said he expects the IETF to make progress on creating a standard fix to the Bonjour problem between now and when the IETF meets again in Orlando in March.

"There's a recognition of the problem and a willingness to work on it," Narten said. "We have to figure out how best to get to a solution. The universities are hurting; they're seeing this problem for real."

Stories by Carolyn Duffy Marsan
