New ONVIF Profile Q Aims To Change Discovery and Default Passwords

Author: John Honovich, Published on Jan 13, 2015

ONVIF is gearing up to release a new profile, called Q.

They market it as providing "quick configuration and installation, providing innate discoverability and reliable device monitoring and event management capabilities."

However,

  • How is Profile Q different than the current Profile S?
  • What are the big changes / additions in Profile Q?
  • How will requirements in discovery and default passwords impact manufacturers and systems?

Inside, we answer these questions based on a discussion with the engineers contributing to this upcoming Profile.

***** ** ******* ** ** ******* * *** *******, ****** Q.

**** ****** ** ***********"***** ************* *** ************, ********* ****** *************** *** ******** ****** monitoring *** ***** ********** ************."

*******,

  • *** ** ******* * ********* **** *** ******* ******* *?
  • **** *** *** *** ******* / ********* ** ******* *?
  • *** **** ************ ** ********* *** ******* ********* ****** ************* and *******?

******, ** ****** ***** ********* ***** ** * ********** **** the ********* ************ ** **** ******** *******.

[***************]

Profile * ** ******* * *** *

******* * ** *** *** *********** ** ******* * (*********) and * (*********). *** ***** ************* **** ******* * *** we ***** ****** **** ***** ****** **** ******** * ** also ******* *.

* ** ******** ******* ** *** *********, ************ *** **********. It **** *** ******* *********, ****** *************, ****** *********, ***, i/o, ***. *** ** **** ******* ** ******* *. ** that ***, ******* * ** ****** ******* ** ** ** enhancement ** ******* *.

*** ***** *** **** ** **** *** ****** ****, ********** * ******* ********* *.* ************* ** ********* ****. ** **** ******* *** *** ******** *****.

Requires ********

*****, ** ****** ************* ****** **** * **** ******* ** ways ** ** **********, **** ********* ********* ********* *** **** some **** *** * ***** ** *******. ******* ** ****, it *** ** ********* ** ********* **** ********* ******* ***, at *****, ******** *** *** ** ********* / **** *** each ************ **** ***** ***** ********** ** ******* *******.

******* * **** *** ******* ********** ******* ** ******* **********, aka**** ************* **********, ***** ** **** ***** *** ********* * ***.*.*.* ******* if * ******* ******* *** *** ** ******** ** * DHCP ******.

** **** ************* ***** ******* *, *** *** ******* *** the **** ********* ********, ** ****** ******** *** ******** *** probability ** ******* *** ** ******* / ******* ** * local *******. *******, ** ************* ********* *** * ********* ********, it ***** ******* **** ** ****** ** ** ****** **** Profile *.

Requires ** ******* ********

**** ** ******* ***** **** ****-***** ******* ** *********, *.*., admin/admin ** *****/****, ***. (*** ***** ****** ******* ******** *********).

******* * ******** *********** ****. **** ******* *, * ****** will *** **** *** ******* ******** *** **** *** ***** connects, ** * ******* *****, *** *** **** ******** ** setup * ********. *** ***** ******** **** ****, **** ** how **** ** ** (***: ** ****** ********* - ****, *****, *******).

***** **** ************* ***** **** * ******* ********, **** ***** require **** ** ****** ***** *********** ******** ********.

***** ** **** ****** ***** ****** *********, ***** ***** **** this **** ******** ******** ***** ** ** ********* **** ******** in *** ******* ******** *** ******* **** ******.

Other ******* * ******* ************

*** ***** *** **** *** ******** ********* *******. ***** *** a *** ***** ************ / ******** ***** ******:

  • **** ***** ********** ************ **** ** ********* *****, **** ** last ***** *** **** ****** *** **** **** ***************.
  • ********** *********** ** **** *************** ***** *** ****** ************ ******.
  • **** *** ******** *** **** ***, ******* * **** ******* restricts **** **** ****** *** **** ******* ** ****** ******** / ********.

Impact ** ***** ******* *

*** *** *** ******** ** ******* * ***** ******* * notable **** ****** ** ***** ** *******. *******, **** **** require ************* ****** **** ******* * ***, ** ***** **, changing **** ** ***** ***** **********.

** ****** ******* * ** ** ******** ****** *** *** of **** *** ** **** * *** ***** *** ******** to ******.

 

Comments (15)

With Profile Q, a device will not have any default password and when one first connects, in a default state, you are then required to setup a password.

Good. I've long been an advocate of this.

Hi John,

Just a question and a few notes:

question: "Eliminates requirement of time synchronization which has caused connectivity issues." - are you talking about requirement to device to have NTP ON, or requirement to use HTTP-Digest (that is not so fragile to time syncronisation), or something else?

note1: from ONVIF press-release they say about 6 month validation period, and keeping in mind (a) their tick-tack scheme of releases winter/summer and (b) their practice of having something implemented by key players before releasing drafts, there is a high probability that there will be devices with official Profile Q conformance at the end of this summer.

note2: ONVIF-style Discovery is also an obligatory part of Profile S, but Profile Q requires it to be turned ON by default and after so-called "hard factory reset". In conunction with DHCP/ZeroConf, ONVIF client can reliably discover all new devices and there is no need for manual IP assignment

note3: the easiest position have manufactures that have no own VMS - they do not need any significant changes (as all features of Profile Q should be already in-place). Issues that you are highlighting are more not about devices itself, but about infrastructure/ecosystem.

I have a question, is ONVIF manufacturer driven? Is Axis, for example, driving the standard? I like what I see but it does seem to be what Axis is doing already on their own product. it would be nice when you arrive at a site where there are several different manufacturers product represented to just have one unified program for configuration, firmware updates, logging of data, etc. if only this profile went a bit further.

is ONVIF manufacturer driven?

the short answer is yes.

long answer: It is driven by a small group of active members (about 20 companies - if you look into most of onvif specs, you will find the same names), and direction appoved by all full and contributing members (about 50 companies). Details can be found on their site, in rules of membership and in organizational structure.

Regarding ZeroConf and the "169.xxx.xxx.xxx" addressing point. They are not the same thing. The "169.xxx.xxx.xxx" is called "Link-Local" and is the self-assigned address you get when no DHCP server is availablea and you don't have a static addess.

ZeroConf is a way to announce and/or discover what address you DO have, whether it's DHCP, Static, or Link-Local, using multicast DNS (mDNS). However, before ZeroConf, Link-Local addresses were, in my opinion, not useful, because what good was having a device get an address on the local network if you couldn't find out what it was.

does it require hostname to resolve ip address? - seems yes.

how common for cameras to be shipped with different hostnames? - seems no.

and onvif cliens are using ws-discovery to navigate local network devices, and it know nothing about ip address origin.

so from onvif perspective - zeroconf is just linklocal, moreover their specs sometimes refer it as linklocal instead of zeroconf.

i am even not sure that devices that are claiming zeroconf functionality have mdns inside.

Zeroconf is, at its core, network service advertisement and discovery using multicast-DNS.

Link-local addressing predates Zeroconf discovery by almost a decade. Windows has supported it since Windows 98. I would say that most people's first exposure to it was when their Windows machines couldn't connect to the network, they checked their settings and saw an address beinging with 169.xxx. I know I did, I did not know what the 169 meant until years later. Link-local is often thought to be part of Zeroconf, because they're often used together. That, and link-local addresses are useless unless there is some discovery method in use, so I think that's why they are often confused.

A few years back, I implemented Zeroconf on Mercury's access control boards. I would be very interested in how other devices implemented it. That said without mDNS, a device should not be claiming Zeroconf support.

practically the same for me. Never heard about it until now, while seen 169... quite frequently.

but let me repeat - onvif is using ws-discovery which is MS way of doing the same thing using multicast but with xml flavour. And it is not using hostname but is using service uid, which is unique (typically MAC-based). Which toheter are doing profile q magic - working just from the shelf.

i have an ssh access for a few cameras from different vendors - so tomorrow i will check them for mdns support.

I'm surprised that there's no mention in the article about Profile Q's support for Transport Layer Security with secure communication via certificate/key authentication between device/client.

Any reason for this omission? I was under the impression that secure comms was a big part of Profile Q.

imho because tls is optional for this profile. Practically, profile q is focusing on device first 5 minutes after first out-of-the-shelf power up. So if device support tls, profile q dictate howto exchange/create keys.

if you need tls - please wait for profile a, that is focusing on really secure communications.

ONVIF Response:

Profile Q requires the manufacturer to enable TLS if the device supports it. It is known as a CONDITIONAL requirement. We expect all future profiles will also be able to also leverage Profile Q conformant to allow the quick install elements and the advanced security elements that are available there.

Ah, that would make sense. Thanks for the info.

Official ONVIF Response:

Q: Does it require hostname to resolve ip address?

A: This is DNS. Covered in section 7.2.1. So, yes.

Q: How common for cameras to be shipped with different hostnames? - seems no.

A: Regardless of how a camera is shipped, hostname -> IP address is dependent on an installer setting up DNS records.

Many manufacturs ship cameras with the hostname set to model-serial (e.g. MODEL-SERIAL).

Q: ONVIF clients are using ws-discovery to navigate local network devices, and it know nothing about ip address origin. How does Profile Q help?

ONVIF clients broadcast a WS-Discovery PROBE request over multicast. Cameras respond with their scopes.

When a WS-Discovery device joins the network (boot, CAT5 connection, etc.), it broadcasts a WS-Discovery HELLO over multicast. Clients can listen for these packets, and immediately send a PROBE to the specific device to determine if it’s of interest.

Q: So from an ONVIF perspective - zeroconf is just linklocal, moreover their specs sometimes refer it as linklocal instead of zeroconf. Whats the difference?

A: ZeroConfiguration and IPv4 LinkLocal are used interchangeably, although technically IPv4 LinkLocal is just a subset of ZeroConfiguration. The ProfileQ spec intends for ZeroConfiguration to be defined as IPv4 LinkLocal (from Section 9: “… IPv4 Link Local Address (defined as ZeroConfiguration capability) …”).

Q: Do devices that are claiming zeroconf functionality have mdns inside?

ZeroConfiguration includes the concept of multicast DNS. IPv4 LinkLocal does not. Profile Q intends the latter.

Let us know if you have any more questions!

Thank you A for official clarification. I was not hoping that my rhetoric excersise about mdns redundancy will have a such direct reaction.

btw, as you are representing manufacturer and you are undisclosed: may you put the light on the real pain level of upgrading existent product to profile Q? was it hard/easy for you? or maybe you are not aiming this profile at all?

ONVIF Response:

Manufacturers who have a good ONVIF Profile S, G or C implementation already may find Profile Q a very incremental addition to their product's capabilities. In other words they may very well be supporting the majority of functions specified already.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Large US University End-User Video Surveillance Interview on Mar 18, 2019
Schools have become targets in modern days of active shooters and terrorist fears. The need for video and access security is high. Universities...
ONVIF Favorability Results 2019 on Mar 15, 2019
In the past decade, ONVIF has grown from a reaction to the outside Cisco-lead PSIA challenge, to being the de facto video surveillance standard...
City Physical Security Manager Interview on Mar 14, 2019
This physical security pro is the Physical Security Manager for the City of Calgary. He is a criminologist by training with an ASIS CPP credential....
Arcules Favorability Results 2019 on Mar 08, 2019
Arcules has amazing advantages. Tens of millions of funding from Canon. Unlimited access to Milestone's source code (see our test results). But...
Church Technology Director Security Interview on Mar 07, 2019
With 40+ years of experience in IT from a wide array of verticals, including US and foreign military, and large corporate and industrial settings,...
Cable Firestopping Installation Guide on Mar 06, 2019
Installing cables through firewalls is a critical installation issue. Failing to properly seal a penetration can cause smoke and fire to spread,...
Prysm PSIM Profile on Mar 05, 2019
A decade ago, PSIM promised significant potential but has always suffered from significant problems. Now, a number of PSIMs have either gone out of...
Verified Response Discontinued in Silicon Valley San Jose on Feb 28, 2019
Almost all security alarms are false. This has driven some municipalities to require verified response before dispatching police. However, now San...
Police Department Surveillance Manager Interview on Feb 28, 2019
Former Memphis PD Surveillance Manager, Lt. Joseph Patty retired months ago, but kept busy during his decades on the force, working to build up...
Salient CompleteView 20/20 VMS Tested on Feb 27, 2019
In IPVM's last test of Salient 3 years ago, we found various problems and deficiencies. Now, Salient says their new CompleteView 20/20 "unified...

Most Recent Industry Reports

Retired Mercury President Returns As Open Options President on Mar 18, 2019
Open Options experienced major changes in 2018, including being acquired by ACRE and losing its President and General Manager, John Berman who...
Large US University End-User Video Surveillance Interview on Mar 18, 2019
Schools have become targets in modern days of active shooters and terrorist fears. The need for video and access security is high. Universities...
Hikvision Favorability Results 2019 on Mar 18, 2019
Hikvision favorability results declined significantly in IPVM's 2019 study of 200+ integrators. While in 2017 Hikvision's favorability was...
ONVIF Favorability Results 2019 on Mar 15, 2019
In the past decade, ONVIF has grown from a reaction to the outside Cisco-lead PSIA challenge, to being the de facto video surveillance standard...
Hanwha Aerospace / Techwin Korean Tax Evasion Raid on Mar 15, 2019
A Hanwha group subsidiary was raided as part of a tax evasion probe. While a Korean news media report listed the raided entity as 'Hanwha...
Installation Course - Last Chance on Mar 14, 2019
This is the last chance to register for the March Installation course. This is a unique installation course in a market where little practical...
City Physical Security Manager Interview on Mar 14, 2019
This physical security pro is the Physical Security Manager for the City of Calgary. He is a criminologist by training with an ASIS CPP credential....
US Drafting Separate Rule for NDAA Dahua/Hikvision 'Blacklist' on Mar 14, 2019
The most debated provision of the NDAA ban of Dahua, Hikvision, Huawei, et al. is the so-called 'blacklist' provision which would ban any company...
OpenALPR Acquired By Mysterious Novume on Mar 13, 2019
Startup OpenALPR has been acquired by Novume, a company virtually unknown in the industry. While there are many LPR providers (see our directory),...
Milestone Machine Learning Camera Auto-Setting Examined on Mar 13, 2019
Milestone wants to improve image quality using Machine Learning to solve the problem of "a camera doesn't know what it is being used for",...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact