Can anyone hijack the Caching service?

Haven't tried this, but try blocking address to <https://lcdn-registration.apple.com/lcdn/register> (either the URL, or the server) from all but your authorized caching server at your firewall; basically, blacklist that URL for most users.

There is no 'registering as the local caching server'.

In order to make a client computer read from your caching server instead of Apple's server you change a setting inside that computer to point to your server. So you need physical contact with the client computer. Other people can set up their own caching servers if they want but client computers will never discover them.

So you need not be worried about this.

sorry simon, that's not how i read it.

if they are on the same network, with the same external IP, then any caching server will register with apple and become one of a pool of local caching servers. there is no client configuration required. the client is informed of the local cache IP addresses by apple.

i'm interested in the security aspect of it all. does the client run md5 checksums on the updates downloaded from the cache? what is the mechanism?

Sorry, I was confusing it with Software Update Server.

However, I have a solution to your question. Set up ListenRanges and ListenRangesOnly as detailed in these ocuments:

http://support.apple.com/kb/HT5590#ListenRangesExplanation

https://help.apple.com/advancedserveradmin/mac/3.0/#apd5E1AD52E-012B-4A41-8F21-8 E9EDA56583A

If you do that, then your caching server will respond only to clients in the IP ranges you specify and will ignore requests from any other computers.

you've still missed the point. that config applies to the server. the question is about the clients, using a caching server that is not under your control. all your answer does is stop the server serving clients you do not control, a vastly different scenario.

we need more info from apple to be able to answer the rogue cachine server question.