New ONVIF Profile Q Aims To Change Discovery and Default Passwords

By: John Honovich, Published on Jan 13, 2015

ONVIF is gearing up to release a new profile, called Q.

They market it as providing "quick configuration and installation, providing innate discoverability and reliable device monitoring and event management capabilities."

However,

  • How is Profile Q different than the current Profile S?
  • What are the big changes / additions in Profile Q?
  • How will requirements in discovery and default passwords impact manufacturers and systems?

Inside, we answer these questions based on a discussion with the engineers contributing to this upcoming Profile.

***** ** ******* ** to ******* * *** profile, ****** *.

**** ****** ** ***********"***** ************* *** ************, providing ****** *************** *** reliable ****** ********** *** event ********** ************."

*******,

  • *** ** ******* * different **** *** ******* Profile *?
  • **** *** *** *** changes / ********* ** Profile *?
  • *** **** ************ ** discovery *** ******* ********* impact ************* *** *******?

******, ** ****** ***** questions ***** ** * discussion **** *** ********* contributing ** **** ******** Profile.

[***************]

Profile * ** ******* * *** *

******* * ** *** and *********** ** ******* S (*********) *** * (recording). *** ***** ************* just ******* * *** we ***** ****** **** every ****** **** ******** Q ** **** ******* S.

* ** ******** ******* on *** *********, ************ and **********. ** **** not ******* *********, ****** configuration, ****** *********, ***, i/o, ***. *** ** that ******* ** ******* S. ** **** ***, Profile * ** ****** thought ** ** ** enhancement ** ******* *.

*** ***** *** **** to **** *** ****** spec, ********** * ******* ********* 1.0 ************* ** ********* here. ** **** ******* the *** ******** *****.

Requires ********

*****, ** ****** ************* choose **** * **** variety ** **** ** be **********, **** ********* discovery ********* *** **** some **** *** * fixed ** *******. ******* of ****, ** *** be ********* ** ********* find ********* ******* ***, at *****, ******** *** VMS ** ********* / know *** **** ************ goes ***** ***** ********** or ******* *******.

******* * **** *** require ********** ******* ** support **********, ******* ************* **********, ***** ** **** known *** ********* * 169.x.x.x ******* ** * dynamic ******* *** *** be ******** ** * DHCP ******.

** **** ************* ***** Profile *, *** *** thereby *** *** **** discovery ********, ** ****** simplify *** ******** *** probability ** ******* *** IP ******* / ******* on * ***** *******. However, ** ************* ********* use * ********* ********, it ***** ******* **** to ****** ** ** comply **** ******* *.

Requires ** ******* ********

**** ** ******* ***** have ****-***** ******* ** passwords, *.*., *****/***** ** admin/1234, ***. (*** ***** ****** ******* ******** directory).

******* * ******** *********** this. **** ******* *, a ****** **** *** have *** ******* ******** and **** *** ***** connects, ** * ******* state, *** *** **** required ** ***** * password. *** ***** ******** with ****, **** ** how **** ** ** (see: ** ****** ********* - Axis, *****, *******).

***** **** ************* ***** have * ******* ********, this ***** ******* **** to ****** ***** *********** password ********.

***** ** **** ****** never ****** *********, ***** hopes **** **** **** decrease ******** ***** ** an ********* **** ******** in *** ******* ******** and ******* **** ******.

Other ******* * ******* ************

*** ***** *** **** the ******** ********* *******. There *** * *** other ************ / ******** worth ******:

  • **** ***** ********** ************ such ** ********* *****, time ** **** ***** and **** ****** *** last **** ***************.
  • ********** *********** ** **** synchronization ***** *** ****** connectivity ******.
  • **** *** ******** *** been ***, ******* * more ******* ********* **** user ****** *** **** changes ** ****** ******** / ********.

Impact ** ***** ******* *

*** *** *** ******** of ******* * ***** address * ******* **** points ** ***** ** cameras. *******, **** **** require ************* ****** **** Profile * ***, ** doing **, ******** **** of ***** ***** **********.

** ****** ******* * to ** ******** ****** the *** ** **** and ** **** * few ***** *** ******** to ******.

 

Comments (15)

With Profile Q, a device will not have any default password and when one first connects, in a default state, you are then required to setup a password.

Good. I've long been an advocate of this.

Hi John,

Just a question and a few notes:

question: "Eliminates requirement of time synchronization which has caused connectivity issues." - are you talking about requirement to device to have NTP ON, or requirement to use HTTP-Digest (that is not so fragile to time syncronisation), or something else?

note1: from ONVIF press-release they say about 6 month validation period, and keeping in mind (a) their tick-tack scheme of releases winter/summer and (b) their practice of having something implemented by key players before releasing drafts, there is a high probability that there will be devices with official Profile Q conformance at the end of this summer.

note2: ONVIF-style Discovery is also an obligatory part of Profile S, but Profile Q requires it to be turned ON by default and after so-called "hard factory reset". In conunction with DHCP/ZeroConf, ONVIF client can reliably discover all new devices and there is no need for manual IP assignment

note3: the easiest position have manufactures that have no own VMS - they do not need any significant changes (as all features of Profile Q should be already in-place). Issues that you are highlighting are more not about devices itself, but about infrastructure/ecosystem.

I have a question, is ONVIF manufacturer driven? Is Axis, for example, driving the standard? I like what I see but it does seem to be what Axis is doing already on their own product. it would be nice when you arrive at a site where there are several different manufacturers product represented to just have one unified program for configuration, firmware updates, logging of data, etc. if only this profile went a bit further.

is ONVIF manufacturer driven?

the short answer is yes.

long answer: It is driven by a small group of active members (about 20 companies - if you look into most of onvif specs, you will find the same names), and direction appoved by all full and contributing members (about 50 companies). Details can be found on their site, in rules of membership and in organizational structure.

Regarding ZeroConf and the "169.xxx.xxx.xxx" addressing point. They are not the same thing. The "169.xxx.xxx.xxx" is called "Link-Local" and is the self-assigned address you get when no DHCP server is availablea and you don't have a static addess.

ZeroConf is a way to announce and/or discover what address you DO have, whether it's DHCP, Static, or Link-Local, using multicast DNS (mDNS). However, before ZeroConf, Link-Local addresses were, in my opinion, not useful, because what good was having a device get an address on the local network if you couldn't find out what it was.

does it require hostname to resolve ip address? - seems yes.

how common for cameras to be shipped with different hostnames? - seems no.

and onvif cliens are using ws-discovery to navigate local network devices, and it know nothing about ip address origin.

so from onvif perspective - zeroconf is just linklocal, moreover their specs sometimes refer it as linklocal instead of zeroconf.

i am even not sure that devices that are claiming zeroconf functionality have mdns inside.

Zeroconf is, at its core, network service advertisement and discovery using multicast-DNS.

Link-local addressing predates Zeroconf discovery by almost a decade. Windows has supported it since Windows 98. I would say that most people's first exposure to it was when their Windows machines couldn't connect to the network, they checked their settings and saw an address beinging with 169.xxx. I know I did, I did not know what the 169 meant until years later. Link-local is often thought to be part of Zeroconf, because they're often used together. That, and link-local addresses are useless unless there is some discovery method in use, so I think that's why they are often confused.

A few years back, I implemented Zeroconf on Mercury's access control boards. I would be very interested in how other devices implemented it. That said without mDNS, a device should not be claiming Zeroconf support.

practically the same for me. Never heard about it until now, while seen 169... quite frequently.

but let me repeat - onvif is using ws-discovery which is MS way of doing the same thing using multicast but with xml flavour. And it is not using hostname but is using service uid, which is unique (typically MAC-based). Which toheter are doing profile q magic - working just from the shelf.

i have an ssh access for a few cameras from different vendors - so tomorrow i will check them for mdns support.

I'm surprised that there's no mention in the article about Profile Q's support for Transport Layer Security with secure communication via certificate/key authentication between device/client.

Any reason for this omission? I was under the impression that secure comms was a big part of Profile Q.

imho because tls is optional for this profile. Practically, profile q is focusing on device first 5 minutes after first out-of-the-shelf power up. So if device support tls, profile q dictate howto exchange/create keys.

if you need tls - please wait for profile a, that is focusing on really secure communications.

ONVIF Response:

Profile Q requires the manufacturer to enable TLS if the device supports it. It is known as a CONDITIONAL requirement. We expect all future profiles will also be able to also leverage Profile Q conformant to allow the quick install elements and the advanced security elements that are available there.

Ah, that would make sense. Thanks for the info.

Official ONVIF Response:

Q: Does it require hostname to resolve ip address?

A: This is DNS. Covered in section 7.2.1. So, yes.

Q: How common for cameras to be shipped with different hostnames? - seems no.

A: Regardless of how a camera is shipped, hostname -> IP address is dependent on an installer setting up DNS records.

Many manufacturs ship cameras with the hostname set to model-serial (e.g. MODEL-SERIAL).

Q: ONVIF clients are using ws-discovery to navigate local network devices, and it know nothing about ip address origin. How does Profile Q help?

ONVIF clients broadcast a WS-Discovery PROBE request over multicast. Cameras respond with their scopes.

When a WS-Discovery device joins the network (boot, CAT5 connection, etc.), it broadcasts a WS-Discovery HELLO over multicast. Clients can listen for these packets, and immediately send a PROBE to the specific device to determine if it’s of interest.

Q: So from an ONVIF perspective - zeroconf is just linklocal, moreover their specs sometimes refer it as linklocal instead of zeroconf. Whats the difference?

A: ZeroConfiguration and IPv4 LinkLocal are used interchangeably, although technically IPv4 LinkLocal is just a subset of ZeroConfiguration. The ProfileQ spec intends for ZeroConfiguration to be defined as IPv4 LinkLocal (from Section 9: “… IPv4 Link Local Address (defined as ZeroConfiguration capability) …”).

Q: Do devices that are claiming zeroconf functionality have mdns inside?

ZeroConfiguration includes the concept of multicast DNS. IPv4 LinkLocal does not. Profile Q intends the latter.

Let us know if you have any more questions!

Thank you A for official clarification. I was not hoping that my rhetoric excersise about mdns redundancy will have a such direct reaction.

btw, as you are representing manufacturer and you are undisclosed: may you put the light on the real pain level of upgrading existent product to profile Q? was it hard/easy for you? or maybe you are not aiming this profile at all?

ONVIF Response:

Manufacturers who have a good ONVIF Profile S, G or C implementation already may find Profile Q a very incremental addition to their product's capabilities. In other words they may very well be supporting the majority of functions specified already.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

China PRC Government New National Video Surveillance Standards on May 14, 2019
The People's Republic of China (PRC) government has released a new set of overarching standards for authorities to follow when they install video...
Access Control Request to Exit (RTE) Tutorial on May 13, 2019
For access controlled doors, especially those with maglocks, 'Request to Exit', or 'RTE' devices are required to override electrified locks to...
Mining Company Security Manager Interview on May 10, 2019
First Quantum Minerals Limited (FQML) is a global enterprise with offices on 4 continents and operations in 7 countries with exploratory operations...
ADT's Top Dealer "The Defenders" Sued 20+ Times on May 07, 2019
ADT's largest authorized dealer, The Defenders, has been sued more than 20 times since 2012, IPVM has verified through analyzing legal...
Ranking Manufacturer Favorability 2019 on May 06, 2019
24 manufacturer's favorability was ranked based on 170+ integrators feedback. Voting plus in-depth comments revealed insights on which brands were...
Verkada Cloud VMS/Cameras Tested on May 02, 2019
Verkada is arguably the most ambitious video surveillance startup in many years. The company is developing their own cameras, their own VMS, their...
Camera Configuration Manager Shootout - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision on May 01, 2019
Which camera manufacturer has the best management tool? We tested 6 manufacturers - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision to find...
Verkada Gets Half Billion Dollar Valuation on Apr 26, 2019
Last week, when we profiled Verkada (The Fastest Growing Video Surveillance Sales Organization Ever - Verkada), we predicted they would raise $40...
Verkada Salesman: IPVM "Stuck In A The Stone Age" on Apr 25, 2019
Verkada is 'tackling dinosaurs' and battling those, like IPVM, who are 'stuck in a the stone age'. Verkada's recent sales recruiting promotion...
Amazon Marketing Pro Installs of Amazon Security Systems on Apr 25, 2019
Is Amazon a threat to conventional providers like ADT, Vivint and Brinks Home Security? Many say no. Now, Amazon is advertising free in-home...

Most Recent Industry Reports

Facial Recognition Systems Fail Simple Liveness Detection Test on May 17, 2019
Facial recognition is being widely promoted as a solution to physical access control but we were able to simply spoof 3 systems because they had no...
Inside Look Into Scam Market Research on May 17, 2019
Scam market research has exploded over the last few years becoming the most commonly cited 'statistics' for most industries, despite there clearly...
Maglock Selection Guide on May 16, 2019
One of the most misunderstood yet valuable pieces of electrified hardware is the maglock. Few locks are stronger, but myths and confusion surround...
Panasonic 32MP Multi Imager Camera Tested (WV-X8570N) on May 16, 2019
Panasonic has released their first multi imager models including the 32MP (4x4K) WV-X8570N, claiming "Extreme image quality for evidence capturing...
Trump Signs 'Huawei Ban' - Executive Order Targeting Foreign Adversary Technology on May 16, 2019
US President Donald Trump has signed an executive order targeting technology provided by 'foreign adversaries', in what is widely being called a...
Bank Security Manager Interview on May 15, 2019
Bank security contends with many significant threats - from fraudsters to robbers and more. In this interview, IPVM spoke with bank security...
Milestone XProtect 2019 R1 Tested on May 15, 2019
For the past few years, Milestone has released quarterly software updates XProtect VMS platform. What is new and how much impact do the updates...
San Francisco Face Recognition Ban And Surveillance Regulation Details Examined on May 14, 2019
San Francisco passed the legislation 8-1 today. While the face recognition 'ban' has already received significant attention over the past few...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
Hikvision VP On Muslim Oppression on May 14, 2019
Hikvision has won tens of millions of dollars, at least, in direct contracts with the Chinese government that oppresses Muslims, including a forced...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact