On Sun, Jun 28, 2015 at 1:01 AM, Jonathan Bennett <[email protected]>
wrote:
>> Yes, this would be an excellent addition. There is precedent on the
>> fwknopd side of things to acquire SPA data via non-pcap means, and the
>> safest right now - for those that consider linking against libpcap to be a
>> security risk - is the UDP listener mode. I think reading from a log is
>> another strategy that is right in line with this since fwknopd would not
>> need to sniff the wire or listen on a socket. At the same time, it
>> preserves the crypto model of SPA itself. The "single" part of SPA would
>> not be preserved, but this is already the case with both the TCP and HTTP
>> sending modes in the client.
>>
>> For implementation, on the server side, for Apache log reading mode we
>> should skip linking against libpcap at compile time just as for the UDP
>> listener mode.
>>
>
> Would we want this only available in a build that doesn't support pcap? I
> can understand that it would be difficult to watch both a log and pcap at
> the same time, but it would be useful for a single binary to support both
> modes, depending on a flag in the config.
>
Ok, agreed that it would be nice to support reading from the Apache log in
the default build of fwknop depending on a config flag. Some users may want
to enable this mode, but also not link against libpcap at the same time.
So, what we could do is add a new argument --without-libpcap to disable
linking against libpcap to the autoconf script. This way, those users who
are willing to recompile can have a non-libpcap version of fwknopd, but
everyone else can have the ability to read from the Apache log if they want
it by default. Actually this same stance should be extended to the UDP
server mode too. This should satisfy both camps and provide the greatest
usability at the same time.
>
>
>> For the client, I think we should probably leverage SSL/TLS via wget
>> (when it supports it) just as for the IP resolution stuff instead of
>> linking against an SSL library.
>>
> Wget is quite ubiquitous, and since we already use it, would be perfect.
>
Agreed.
>
>
>> At least, this would be for the C client, but other clients could use
>> different strategies. What would be the right way to do this in your
>> Android client?
>>
> Android has a built-in http/https connection function. It should take a
> few lines of code there to add https support.
>
Excellent.
>
>> Would you like to open an issue on github on the fwknop repository for
>> this feature? It would be nice to get this maybe even into 2.6.7.
>>
> I've opened issue #160 to track this.
>
Cool. I'll try to get this into 2.6.7.
--Mike
>
> Thanks,
> Jonathan
>
>
>
>> Thanks,
>>
>> --Mike
>>
>
--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
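A sketch of what the log-reading mode discussed in this thread could look like on the server side, added here as an illustration and not fwknop's own code: it pulls candidate SPA payloads out of Apache combined log lines and re-establishes the "single" property with a replay cache, since neither the log nor an HTTP request stops the same payload being seen twice. The log layout, the payload-in-request-path convention, the length bounds and the sample lines are all assumptions.

```python
import base64
import hashlib
import re
# Assumed Apache "combined" layout; SPA payload assumed to arrive as the request path ("GET /<base64>").
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
SPA_CHARS = re.compile(r'^[A-Za-z0-9+/]+=*$')
MIN_LEN, MAX_LEN = 80, 1500  # constructed sanity bounds on payload length
class ReplayCache:
    # Digests of accepted payloads: a log can be re-read and a request re-sent, so "single" is enforced here.
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.seen = {}  # sha256 hex digest -> first-seen timestamp
    def check_and_add(self, payload, now):
        self.seen = {d: t for d, t in self.seen.items() if now - t < self.ttl}
        digest = hashlib.sha256(payload.encode()).hexdigest()
        if digest in self.seen:
            return False
        self.seen[digest] = now
        return True
def extract_spa_candidate(line):
    """Return (client_ip, payload) if the line looks like an SPA-over-HTTP request, else None."""
    m = LOG_RE.match(line)
    if not m or m.group('method') != 'GET':
        return None
    path = m.group('path').lstrip('/')
    if not (MIN_LEN <= len(path) <= MAX_LEN) or not SPA_CHARS.match(path):
        return None
    try:
        base64.b64decode(path, validate=True)  # accept well-formed base64 only
    except ValueError:
        return None
    return m.group('client'), path
def process_log(lines, cache, now):
    """Tag each candidate 'accept' or 'replay'; decryption and HMAC checks would follow."""
    results = []
    for client, payload in filter(None, map(extract_spa_candidate, lines)):
        verdict = 'accept' if cache.check_and_add(payload, now) else 'replay'
        results.append((verdict, client, payload))
    return results
# Constructed sample log lines: the third repeats the first, i.e. a replayed request.
SAMPLE_PAYLOAD = base64.b64encode(b'constructed-not-a-real-spa-packet-' * 3).decode()
SAMPLE_LINES = [
    f'203.0.113.7 - - [28/Jun/2015:01:01:00 +0000] "GET /{SAMPLE_PAYLOAD} HTTP/1.0" 404 209 "-" "constructed/1.0"',
    '203.0.113.9 - - [28/Jun/2015:01:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "constructed/1.0"',
    f'203.0.113.7 - - [28/Jun/2015:01:01:05 +0000] "GET /{SAMPLE_PAYLOAD} HTTP/1.0" 404 209 "-" "constructed/1.0"',
]
```

Running `process_log(SAMPLE_LINES, ReplayCache(), now)` tags the first request `accept` and the repeated one `replay`; the ordinary `index.html` line is ignored.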
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss