New ONVIF Profile Q Aims To Change Discovery and Default Passwords

Author: John Honovich, Published on Jan 13, 2015

ONVIF is gearing up to release a new profile, called Q.

They market it as providing "quick configuration and installation, providing innate discoverability and reliable device monitoring and event management capabilities."

However,

  • How is Profile Q different than the current Profile S?
  • What are the big changes / additions in Profile Q?
  • How will requirements in discovery and default passwords impact manufacturers and systems?

Inside, we answer these questions based on a discussion with the engineers contributing to this upcoming Profile.

***** ** ******* ** ** ******* * *** *******, ****** Q.

**** ****** ** ***********"***** ************* *** ************, ********* ****** *************** *** ******** ****** monitoring *** ***** ********** ************."

*******,

  • *** ** ******* * ********* **** *** ******* ******* *?
  • **** *** *** *** ******* / ********* ** ******* *?
  • *** **** ************ ** ********* *** ******* ********* ****** ************* and *******?

******, ** ****** ***** ********* ***** ** * ********** **** the ********* ************ ** **** ******** *******.

[***************]

Profile * ** ******* * *** *

******* * ** *** *** *********** ** ******* * (*********) and * (*********). *** ***** ************* **** ******* * *** we ***** ****** **** ***** ****** **** ******** * ** also ******* *.

* ** ******** ******* ** *** *********, ************ *** **********. It **** *** ******* *********, ****** *************, ****** *********, ***, i/o, ***. *** ** **** ******* ** ******* *. ** that ***, ******* * ** ****** ******* ** ** ** enhancement ** ******* *.

*** ***** *** **** ** **** *** ****** ****, ********** * ******* ********* *.* ************* ** ********* ****. ** **** ******* *** *** ******** *****.

Requires ********

*****, ** ****** ************* ****** **** * **** ******* ** ways ** ** **********, **** ********* ********* ********* *** **** some **** *** * ***** ** *******. ******* ** ****, it *** ** ********* ** ********* **** ********* ******* ***, at *****, ******** *** *** ** ********* / **** *** each ************ **** ***** ***** ********** ** ******* *******.

******* * **** *** ******* ********** ******* ** ******* **********, aka**** ************* **********, ***** ** **** ***** *** ********* * ***.*.*.* ******* if * ******* ******* *** *** ** ******** ** * DHCP ******.

** **** ************* ***** ******* *, *** *** ******* *** the **** ********* ********, ** ****** ******** *** ******** *** probability ** ******* *** ** ******* / ******* ** * local *******. *******, ** ************* ********* *** * ********* ********, it ***** ******* **** ** ****** ** ** ****** **** Profile *.

Requires ** ******* ********

**** ** ******* ***** **** ****-***** ******* ** *********, *.*., admin/admin ** *****/****, ***. (*** ***** ****** ******* ******** *********).

******* * ******** *********** ****. **** ******* *, * ****** will *** **** *** ******* ******** *** **** *** ***** connects, ** * ******* *****, *** *** **** ******** ** setup * ********. *** ***** ******** **** ****, **** ** how **** ** ** (***: ** ****** ********* - ****, *****, *******).

***** **** ************* ***** **** * ******* ********, **** ***** require **** ** ****** ***** *********** ******** ********.

***** ** **** ****** ***** ****** *********, ***** ***** **** this **** ******** ******** ***** ** ** ********* **** ******** in *** ******* ******** *** ******* **** ******.

Other ******* * ******* ************

*** ***** *** **** *** ******** ********* *******. ***** *** a *** ***** ************ / ******** ***** ******:

  • **** ***** ********** ************ **** ** ********* *****, **** ** last ***** *** **** ****** *** **** **** ***************.
  • ********** *********** ** **** *************** ***** *** ****** ************ ******.
  • **** *** ******** *** **** ***, ******* * **** ******* restricts **** **** ****** *** **** ******* ** ****** ******** / ********.

Impact ** ***** ******* *

*** *** *** ******** ** ******* * ***** ******* * notable **** ****** ** ***** ** *******. *******, **** **** require ************* ****** **** ******* * ***, ** ***** **, changing **** ** ***** ***** **********.

** ****** ******* * ** ** ******** ****** *** *** of **** *** ** **** * *** ***** *** ******** to ******.

 

Comments (15)

With Profile Q, a device will not have any default password and when one first connects, in a default state, you are then required to setup a password.

Good. I've long been an advocate of this.

Hi John,

Just a question and a few notes:

question: "Eliminates requirement of time synchronization which has caused connectivity issues." - are you talking about requirement to device to have NTP ON, or requirement to use HTTP-Digest (that is not so fragile to time syncronisation), or something else?

note1: from ONVIF press-release they say about 6 month validation period, and keeping in mind (a) their tick-tack scheme of releases winter/summer and (b) their practice of having something implemented by key players before releasing drafts, there is a high probability that there will be devices with official Profile Q conformance at the end of this summer.

note2: ONVIF-style Discovery is also an obligatory part of Profile S, but Profile Q requires it to be turned ON by default and after so-called "hard factory reset". In conunction with DHCP/ZeroConf, ONVIF client can reliably discover all new devices and there is no need for manual IP assignment

note3: the easiest position have manufactures that have no own VMS - they do not need any significant changes (as all features of Profile Q should be already in-place). Issues that you are highlighting are more not about devices itself, but about infrastructure/ecosystem.

I have a question, is ONVIF manufacturer driven? Is Axis, for example, driving the standard? I like what I see but it does seem to be what Axis is doing already on their own product. it would be nice when you arrive at a site where there are several different manufacturers product represented to just have one unified program for configuration, firmware updates, logging of data, etc. if only this profile went a bit further.

is ONVIF manufacturer driven?

the short answer is yes.

long answer: It is driven by a small group of active members (about 20 companies - if you look into most of onvif specs, you will find the same names), and direction appoved by all full and contributing members (about 50 companies). Details can be found on their site, in rules of membership and in organizational structure.

Regarding ZeroConf and the "169.xxx.xxx.xxx" addressing point. They are not the same thing. The "169.xxx.xxx.xxx" is called "Link-Local" and is the self-assigned address you get when no DHCP server is availablea and you don't have a static addess.

ZeroConf is a way to announce and/or discover what address you DO have, whether it's DHCP, Static, or Link-Local, using multicast DNS (mDNS). However, before ZeroConf, Link-Local addresses were, in my opinion, not useful, because what good was having a device get an address on the local network if you couldn't find out what it was.

does it require hostname to resolve ip address? - seems yes.

how common for cameras to be shipped with different hostnames? - seems no.

and onvif cliens are using ws-discovery to navigate local network devices, and it know nothing about ip address origin.

so from onvif perspective - zeroconf is just linklocal, moreover their specs sometimes refer it as linklocal instead of zeroconf.

i am even not sure that devices that are claiming zeroconf functionality have mdns inside.

Zeroconf is, at its core, network service advertisement and discovery using multicast-DNS.

Link-local addressing predates Zeroconf discovery by almost a decade. Windows has supported it since Windows 98. I would say that most people's first exposure to it was when their Windows machines couldn't connect to the network, they checked their settings and saw an address beinging with 169.xxx. I know I did, I did not know what the 169 meant until years later. Link-local is often thought to be part of Zeroconf, because they're often used together. That, and link-local addresses are useless unless there is some discovery method in use, so I think that's why they are often confused.

A few years back, I implemented Zeroconf on Mercury's access control boards. I would be very interested in how other devices implemented it. That said without mDNS, a device should not be claiming Zeroconf support.

practically the same for me. Never heard about it until now, while seen 169... quite frequently.

but let me repeat - onvif is using ws-discovery which is MS way of doing the same thing using multicast but with xml flavour. And it is not using hostname but is using service uid, which is unique (typically MAC-based). Which toheter are doing profile q magic - working just from the shelf.

i have an ssh access for a few cameras from different vendors - so tomorrow i will check them for mdns support.

I'm surprised that there's no mention in the article about Profile Q's support for Transport Layer Security with secure communication via certificate/key authentication between device/client.

Any reason for this omission? I was under the impression that secure comms was a big part of Profile Q.

imho because tls is optional for this profile. Practically, profile q is focusing on device first 5 minutes after first out-of-the-shelf power up. So if device support tls, profile q dictate howto exchange/create keys.

if you need tls - please wait for profile a, that is focusing on really secure communications.

ONVIF Response:

Profile Q requires the manufacturer to enable TLS if the device supports it. It is known as a CONDITIONAL requirement. We expect all future profiles will also be able to also leverage Profile Q conformant to allow the quick install elements and the advanced security elements that are available there.

Ah, that would make sense. Thanks for the info.

Official ONVIF Response:

Q: Does it require hostname to resolve ip address?

A: This is DNS. Covered in section 7.2.1. So, yes.

Q: How common for cameras to be shipped with different hostnames? - seems no.

A: Regardless of how a camera is shipped, hostname -> IP address is dependent on an installer setting up DNS records.

Many manufacturs ship cameras with the hostname set to model-serial (e.g. MODEL-SERIAL).

Q: ONVIF clients are using ws-discovery to navigate local network devices, and it know nothing about ip address origin. How does Profile Q help?

ONVIF clients broadcast a WS-Discovery PROBE request over multicast. Cameras respond with their scopes.

When a WS-Discovery device joins the network (boot, CAT5 connection, etc.), it broadcasts a WS-Discovery HELLO over multicast. Clients can listen for these packets, and immediately send a PROBE to the specific device to determine if it’s of interest.

Q: So from an ONVIF perspective - zeroconf is just linklocal, moreover their specs sometimes refer it as linklocal instead of zeroconf. Whats the difference?

A: ZeroConfiguration and IPv4 LinkLocal are used interchangeably, although technically IPv4 LinkLocal is just a subset of ZeroConfiguration. The ProfileQ spec intends for ZeroConfiguration to be defined as IPv4 LinkLocal (from Section 9: “… IPv4 Link Local Address (defined as ZeroConfiguration capability) …”).

Q: Do devices that are claiming zeroconf functionality have mdns inside?

ZeroConfiguration includes the concept of multicast DNS. IPv4 LinkLocal does not. Profile Q intends the latter.

Let us know if you have any more questions!

Thank you A for official clarification. I was not hoping that my rhetoric excersise about mdns redundancy will have a such direct reaction.

btw, as you are representing manufacturer and you are undisclosed: may you put the light on the real pain level of upgrading existent product to profile Q? was it hard/easy for you? or maybe you are not aiming this profile at all?

ONVIF Response:

Manufacturers who have a good ONVIF Profile S, G or C implementation already may find Profile Q a very incremental addition to their product's capabilities. In other words they may very well be supporting the majority of functions specified already.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Central Stations Face Off Against NFPA On Fire Monitoring on Sep 18, 2018
Central stations are facing off against the NFPA over what they call anti-competitive language in NFPA 72, the standard that covers fire alarms....
European Mega Security Firm Verisure Pushing Security Fog on Sep 17, 2018
The European mega security firm Verisure (Securitas Direct), with a reported 2 million customers, is pushing security fog, as shown in this BBC...
October 2018 Camera Course on Sep 13, 2018
Today is the last day to save $50 on the October 2018 Camera Course, register now. This is the only independent surveillance camera course,...
Stanley Security Acquires 3xLogic, Kushner Becomes Product President on Sep 10, 2018
Stanley Security acquired 3xLogic a few months ago. However, the company has still not officially publicly announced it, leading many to wonder...
IP Camera Cable Termination Guide on Sep 06, 2018
Terminating cables properly is critical to network performance, but it can be a tricky task with multiple steps. Fortunately, this task is easy to...
Dell Launches IoT for Surveillance on Sep 05, 2018
Historically, Dell has been a PC and server provider (e.g., "Dude, you're getting a Dell") and widely used for surveillance storage. However, in...
JCI / Napco Integration Battle on Aug 30, 2018
JCI and Napco are firing salvos at each other over integration issues which both sides blame on the other. The bigger problem is that central...
Directory Of 110+ Video Management Software (VMS) Suppliers on Aug 30, 2018
This directory provides a list of Video Management Software providers to help you see and research what options are available. Listing...
Inputs/Outputs For Video Surveillance Guide on Aug 24, 2018
While many cameras have Input/Output (I/O) ports, few are actually used and most designers do not even consider them. However, a good understanding...
Synology Surveillance Station VMS Tested on Aug 22, 2018
With so many low-cost NVRs and enterprise VMSes, is there any place in the market for NAS-based VMSes? Recently, IPVM bought a Synology NAS for...

Most Recent Industry Reports

BluePoint Aims To Bring Life-Safety Mind-Set To Police Pull Stations on Sep 20, 2018
Fire alarm pull stations are commonplace but police ones are not. A self-funded startup, BluePoint Alert Solutions is aiming to make police pull...
SIA Plays Dumb On OEMs And Hikua Ban on Sep 20, 2018
OEMs widely pretend to be 'manufacturers', deceiving their customers and putting them at risk for cybersecurity attacks and, soon, violation of US...
Axis Vs. Hikvision IR PTZ Shootout on Sep 20, 2018
Hikvision has their high-end dual-sensor DarkfighterX. Axis has their high-end concealed IR Q6125-LE. Which is better? We bought both and tested...
Avigilon Announces AI-Powered H5 Camera Development on Sep 19, 2018
Avigilon will be showcasing "next-generation AI" at next week's ASIS GSX. In an atypical move, the company is not actually releasing these...
Favorite Request-to-Exit (RTE) Manufacturers 2018 on Sep 19, 2018
Request To Exit devices like motion sensors and lock releasing push-buttons are a part of almost every access install, but who makes the equipment...
25% China Tariffs Finalized For 2019, 10% Start Now, Includes Select Video Surveillance on Sep 18, 2018
A surprise move: In July, when the most recent tariff round was first announced, the tariffs were only scheduled for 10%. However, now, the US...
Central Stations Face Off Against NFPA On Fire Monitoring on Sep 18, 2018
Central stations are facing off against the NFPA over what they call anti-competitive language in NFPA 72, the standard that covers fire alarms....
Hikvision USA Starts Layoffs on Sep 18, 2018
Hikvision USA has started layoffs, just weeks after the US government ban was passed into law. Inside this note, we examine: The important...
Chinese Government Praises Hikvision For Following Xi Jinping on Sep 17, 2018
The Chinese government council responsible for managing China's state-owned companies praised Hikvision’s obedience to China’s authoritarian leader...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact