IT groups petition Apple to "fix" Bonjour protocol
It's time for Apple to make its Bonjour and AirPlay technologies enterprise friendly. That's the contention of a group of college and university IT managers who are finalizing a petition that urges Apple to adapt both for enterprise networks.
The proposed changes, they say, would make it easier for IT to provision, manage and secure Bonjour-enabled networking of Apple products. But the changes would also make Apple's networking more usable for iPad and iPhone owners. On campus, or at the office, they want the same kind of ease of access and use they have at home. They want to connect easily over enterprise networks with resources such as printers running Apple's AirPrint protocol, or use Apple's AirPlay wireless multimedia streaming, and to marry iOS devices with flat-panel displays or high-def speakers via Apple TV, or with projectors. And today, they often can't do that because of how enterprise networks are designed.
Not everyone agrees about what should be changed. And some network professionals argue that the petition, in effect, asks Apple to scrap Bonjour and craft an entirely new and more complex discovery mechanism, which few seem to think is likely.
The petition drive began earlier this month, at the WLAN listserv group at Educause, a non-profit group that focuses on higher education IT. A draft of the final text, completed over the past weekend, is available on a Facebook group. But dissatisfaction with Bonjour and AirPlay has been simmering for a long time.
Apple had not yet responded to a request for comment as this story was posted.
Bonjour, originally called Rendezvous when introduced in the early 2000s, is Apple's latest implementation of "zero configuration networking," or Zeroconf, which is a group of open protocols to automatically and quickly set up an IP network without having to set up services such as Dynamic Host Configuration Protocol (DHCP) or DNS. More background is online, at a page maintained by Stuart Cheshire, Zeroconf's pioneer, who was later hired by Apple.
Zeroconf and its Bonjour iteration are intended to let computers attach to a network, find each other and communicate usefully "without needing a man in a white lab coat to set it all up for you," as Cheshire says. He identifies four main requirements for Zeroconf, and the services used to meet these requirements in implementations like Bonjour:
+ Allocate addresses without a DHCP server, using IPv4 Link-Local Addressing.
+ Translate between names and IP addresses without a DNS server, using Multicast DNS.
+ Find services, like printers, without a directory server, using DNS Service Discovery.
+ Allocate IP Multicast addresses without a MADCAP (Multicast Address Dynamic Client Allocation Protocol) server, a future project.
And it needs to do all this without causing harm when the computers are part of larger, configured networks.
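The second and third requirements above are what a Bonjour client actually puts on the wire when it looks for an AirPlay receiver. The Python below is an added example, not code from the article or from Apple's implementation: it builds the DNS-SD browse query a client multicasts, a constructed responder answer (the instance name "Living Room" and host "appletv.local" are made up), and a parser for the answer section. The multicast group and port in the constants are also why the mechanism stops at the subnet boundary: the packets are link-local multicast, which routers do not forward.

```python
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353  # link-local multicast: routers do not forward it across subnets
TYPE_PTR, TYPE_SRV, CLASS_IN = 12, 33, 1

def encode_name(name):
    """Dotted name -> length-prefixed DNS labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(service="_airplay._tcp.local"):
    """DNS-SD browse: one PTR question for the service type (id 0, standard-query flags)."""
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)

def build_response(service, instance, host, port, ttl=4500):
    """Constructed responder answer: PTR naming the instance, SRV giving its host and port."""
    inst, srv_rdata = f"{instance}.{service}", struct.pack("!3H", 0, 0, port) + encode_name(host)
    ptr_rdata = encode_name(inst)
    return (struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)           # flags: response + authoritative, 2 answers
            + encode_name(service) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(ptr_rdata)) + ptr_rdata
            + encode_name(inst) + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, ttl, len(srv_rdata)) + srv_rdata)

def decode_name(data, off):
    """Read a name at off, following 0xC0 compression pointers; return (name, offset past the name)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # two-byte pointer into an earlier part of the message
            end = end or off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end or off)
        labels.append(data[off:off + length].decode()); off += length

def parse_answers(data):
    """Answer section as [(owner, rtype, rdata)]; PTR rdata -> name, SRV rdata -> (port, target)."""
    _, _, qd, an, _, _ = struct.unpack("!6H", data[:12])
    off, answers = 12, []
    for _ in range(qd):                            # skip the question section
        off = decode_name(data, off)[1] + 4
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10]); off += 10
        if rtype == TYPE_PTR:
            rdata = decode_name(data, off)[0]
        elif rtype == TYPE_SRV:
            rdata = (struct.unpack("!H", data[off + 4:off + 6])[0], decode_name(data, off + 6)[0])
        else:
            rdata = data[off:off + rdlen]
        answers.append((name, rtype, rdata)); off += rdlen
    return answers
```

Every device that wants to be found answers this kind of query (and re-announces its own records), which is the per-VLAN traffic volume the network managers quoted later in the article are describing.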
Bonjour is what gives Apple products their plug-and-play networking capabilities - they just network when they're connected to the same LAN. AirPlay builds on this, by letting iOS devices and Macs stream multimedia files, or selected Web-based content, via an Apple TV box to AirPlay-enabled speakers or flat-panel displays, all with just a few finger taps or mouse clicks. It's very compelling in the small Wi-Fi networks typically found at home, for example. But it's not so compelling on larger, more complex networks, at least as they are designed today.
The explosion of iOS devices on campuses, and in businesses, along with Apple TV and AirPlay, is generating a huge demand by users. They want the same kind of simple connectivity they get at home, but in their classrooms, conference rooms, and dormitories.
"[T]oday's users also want to drag the likes of Apple TV and other AirPlay/Bonjour-enabled toys into the classroom and conference room," writes Lee Badman, wireless technical lead at Syracuse University, an Educause member. He's also a blogger for Network Computing, where he recently posted an overview of the Bonjour issues driving the petition. "Indeed, Apple promotes it: 'AirPlay Mirroring is made for an audience. Because with a click, what's on your Mac is also on your HDTV. It's easy to set up with Apple TV. Show web pages and videos to friends on the couch, share lessons with a classroom, or present to a conference room.' The problem is, these Apple devices are far from being good network citizens."
"With growing user demands, higher education network managers are attempting to unify their voices and ask for Apple to step up to the plate," Badman writes. "Kludgy workarounds and dedicated networks for a handful of devices are not sustainable solutions."
Among the key problems, according to the petitioners:
+ Apple's AirPlay wireless content streaming doesn't work when Apple clients and Apple TVs are on different IP subnets, which is a feature of most enterprise networks.
+ Bonjour technologies "do not work in a scalable, sustainable fashion between different IP subnets," and workarounds such as Wide-Area Bonjour (DNS-SD) and Dynamic DNS have scaling and security problems.
+ Many education institutions routinely disable IP multicast, an essential part of Bonjour.
+ Apple TV doesn't support WPA2-Enterprise authentication and encryption, and its single-password security is hackable.
For some of these problems, there are workarounds, but they entail redesigning networks, creating dedicated networks for Bonjour/AirPlay connections, and the like. Some commercial products are appearing from WLAN vendors to address Bonjour shortcomings. Aerohive announced in March its Bonjour Gateway, which makes advertised services available throughout an entire layer-3 network. Aruba's AirGroup feature, also announced in March and due to be released later this year, lets the WLAN controller listen for Bonjour's multicast DNS messages, identify the users and their access privileges, and direct the request to a nearby Apple AirPrint printer, for example.
Yet not everyone agrees with the petitioners' assessment of Bonjour. The protocol is very well designed for what it is in fact designed to do, says Benjamin Levy, principal with Solutions Consulting, a Los Angeles technology services firm that specializes in enterprise Apple deployments. The problems identified by the petitioners "identify the specific strengths of, and reasons for, Bonjour as weaknesses," he says. "It wasn't designed to cross subnets, and its method of discovery uses multicast and multicast DNS, so, umm, huh? Remember that Bonjour is really ZeroConf and Zeroconf is open. It's not just Apple devices."
"Bonjour was intended as a lightweight resource discovery mechanism for a local area network without needing to set up a directory service," agrees William Green, director of networking and telecommunications at the University of Texas at Austin. And that's the point, he adds. "Enterprises consist of many local area networks - we have over 3,500 - so those discovery mechanisms do not work well, or at all, depending on routing," he says.
Levy notes that Apple TV's lack of WPA2-Enterprise support isn't related to Bonjour and AirPlay and can be fixed by Apple updating the device's firmware. "In that event, what they're really making is a feature request, and Apple pays attention to those," Levy says. "I think Apple would pay very real attention to feature requests that move more Apple TVs into boardrooms and classrooms as viable replacements for projectors and so on."
UT's Green again agrees. But the lack of WPA2-Enterprise support is one more missing piece in Apple's whole enterprise networking puzzle. "The lack of support is a problem for enterprises that track people individually via WPA2-Enterprise," Green says. "Some schools go as far as to drop them on different networks and provide them different services based on their login ID. We do not do that at my institution, but we do account for their actions and quarantine that way."
Education IT groups clearly are tired of having to constantly and awkwardly work around Bonjour.
Abilene Christian University, which began widespread deployment of iPhones and iPod touch devices starting in late 2007, set up separate SSIDs and VLANs for Bonjour services, says Arthur Brant, ACU's director of networking service. The setup was originally just for faculty, and professors had to manually connect each Bonjour device to the correct SSID, via a captive portal provided by the WLAN controller. Apple TV adds to the complexity.
"We did have to manually set up the Apple TVs within the captive portal registry so that they could connect - and stay connected - to this dedicated SSID," Brant says. "This was an acceptable process when we had half a dozen Apple TVs, but not something that scales to hundreds of Apple TVs. This solution was, again, 'functional,' but the faculty/staff limitation proved to be the next hurdle we had to cross."
Then students wanted to use Apple's AirPlay mirroring to show their iPhone 4S or iPad screen on a flat-panel display through Apple TV. ACU had to set up yet another dedicated SSID, which authenticates users against ACU's network access control (NAC).
Universities and colleges are also finding that hundreds or thousands of Bonjour-enabled devices are constantly using the multicast protocol to find each other. The result is an astonishing amount of discovery traffic. Aruba Networks says that some of its higher education WLAN customers have found that Bonjour can at times account for 90% of the WLAN traffic. Matthew Gast, Aerohive Networks director of product management, counted 400 Bonjour services available when visiting one customer.
"Now, having 400-plus services on a single VLAN isn't a problem," he wrote in a blog post. "After all, that network was running fine. It's having 400 services on the first VLAN, another 400-odd services on the second VLAN, and so on. If you blindly share everything, you will give an appropriate meaning to the word 'flood' as your network drowns in multicast."
The University of Washington had to disable multicast in a few areas due to excessive multicast/broadcast traffic, says David Morton, UW's director of mobile communications. "This breaks Bonjour so we try to limit the areas where we have to implement these measures."
Breaking Bonjour is a problem. "From a user's perspective, it is difficult to understand why it works at home, but not on our network," Morton says. "We've had several discussions with Apple about this issue and would love to see them offer a solution."
"Even if you could get multicast to work on a large scale, would you really want to be presented with a list of 500 Apple TVs, presuming the software could even handle that, or 1,000 printers?" asks William Green, at the University of Texas, which disabled multicast. "And would you want just anyone to be able to connect to all those Apple TVs? Suppose someone projected something inappropriate: How would you find out who did it to educate them on proper use of the resource?"
The alternatives are awkward, he says: cabling iPads directly to classroom Apple TV boxes, and with multiple groups, cabling through a complex and expensive switching system; or setting up separate Wi-Fi access points that aren't part of the campus WLAN. "This creates support problems and authentication difficulties, usually limiting it to instructor-use only," Green says.
These IT managers are not optimistic that Apple will decide to make their jobs easier.
"Whether or not Apple will make such a change, I honestly don't know," says ACU's Brant. "In your typical home or consumer network scenario, Bonjour works great. ... I personally believe that the target segment for the Apple TV is the consumer space, and so I really don't see Apple changing course with their Bonjour service, because it meets the needs of the consumer market."
John Cox covers wireless networking and mobile computing for Network World.