On Sun, Jun 28, 2015 at 8:32 AM, Michael Rash <[email protected]>
wrote:
>
>
> On Sun, Jun 28, 2015 at 1:01 AM, Jonathan Bennett <[email protected]>
> wrote:
>
>> Yes, this would be an excellent addition. There is precedent on the
>>> fwknopd side of things to acquire SPA data via non-pcap means, and the
>>> safest right now - for those that consider linking against libpcap to be a
>>> security risk - is the UDP listener mode. I think reading from a log is
>>> another strategy that is right in line with this since fwknopd would not
>>> need to sniff the wire or listen on a socket. At the same time, it
>>> preserves the crypto model of SPA itself. The "single" part of SPA would
>>> not be preserved, but this is already the case with both the TCP and HTTP
>>> sending modes in the client.
>>>
>>> For implementation, on the server side, for Apache log reading mode we
>>> should skip linking against libpcap at compile time just as for the UDP
>>> listener mode.
>>>
>>
>> Would we want this only available in a build that doesn't support pcap? I
>> can understand that it would be difficult to watch both a log and pcap at
>> the same time, but it would be useful for a single binary to support both
>> modes, depending on a flag in the config.
>>
>
> Ok, agreed that it would be nice to support reading from the Apache log in
> the default build of fwknop depending on a config flag. Some users may want
> to enable this mode, but also not link against libpcap at the same time.
> So, what we could do is add a new argument --without-libpcap to disable
> linking against libpcap to the autoconf script. This way, those users who
> are willing to recompile can have a non-libpcap version of fwknopd, but
> everyone else can have the ability to read from the Apache log if they want
> it by default. Actually this same stance should be extended to the UDP
> server mode too. This should satisfy both camps and provide the greatest
> usability at the same time.
>
One quick note - I went back to check, and the UDP server mode is actually
available via configuration already. That is, even if fwknopd links against
libpcap, the UDP server can be configured to acquire SPA packet data
instead of sniffing the wire. This is the default stance. When fwknop is
compiled with the --enable-udp-server switch to the autoconf script, only
then is libpcap disabled.
Thanks,
--Mike
>
>
>>
>>
>>> For the client, I think we should probably leverage SSL/TLS via wget
>>> (when it supports it) just as for the IP resolution stuff instead of
>>> linking against an SSL library.
>>>
>> Wget is quite ubiquitous, and since we already use it, would be perfect.
>>
>
> Agreed.
>
>
>>
>>
>>> At least, this would be for the C client, but other clients could use
>>> different strategies. What would be the right way to do this in your
>>> Android client?
>>>
>> Android has a built-in http/https connection function. It should take a
>> few lines of code there to add https support.
>>
>
> Excellent.
>
>
>>
>>> Would you like to open an issue on github on the fwknop repository for
>>> this feature? It would be nice to get this maybe even into 2.6.7.
>>>
>> I've opened issue #160 to track this.
>>
>
> Cool. I'll try to get this into 2.6.7.
>
> --Mike
>
>
>
>>
>> Thanks,
>> Jonathan
>>
>>
>>
>>> Thanks,
>>>
>>> --Mike
>>>
>>
>
>
> --
> Michael Rash | Founder
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
>
--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
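An added example of the Apache-log reading mode discussed in this thread, written for this page and not taken from fwknop or from either poster. It assumes (hypothetically) that the client sends the SPA packet as the request path of an HTTP GET with a User-Agent starting "Fwknop/", that the base64 data is made URL-safe by swapping '+'/'/' for '-'/'_' with the '=' padding stripped, and that the server logs in Apache's "combined" format. The log lines, the UA prefix, the length floor and the 96-byte stand-in packet are all constructed for the example. It shows the point Mike raises about the "single" in SPA not being preserved: a log keeps every request, so the reader has to carry its own replay cache and drop a second copy of the same packet.

```python
"""Read candidate SPA packets out of Apache combined-format access log lines.

Added example, not fwknop project code. Assumptions (hypothetical):
  - the client sends SPA data as the path of "GET /<spa-data> HTTP/1.0"
    with a User-Agent beginning "Fwknop/"
  - base64 '+' and '/' travel as '-' and '_', and '=' padding is stripped
"""
import base64
import binascii
import hashlib
import re

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

UA_PREFIX = "Fwknop/"   # assumed client User-Agent prefix
MIN_SPA_LEN = 80        # assumed floor: paths shorter than this cannot hold a packet


class SpaLogReader:
    """Turns access log lines into SPA packets, suppressing replays."""

    def __init__(self):
        # digests of packets already accepted; a daemon would persist this across restarts
        self.replay_cache = set()

    @staticmethod
    def parse_line(line):
        m = COMBINED_RE.match(line.rstrip("\n"))
        return m.groupdict() if m else None

    @staticmethod
    def decode_spa(path):
        """Undo the URL-safe transport encoding; return raw bytes or None."""
        data = path.lstrip("/")
        if len(data) < MIN_SPA_LEN or "/" in data or "?" in data:
            return None
        std = data.replace("-", "+").replace("_", "/")
        std += "=" * (-len(std) % 4)   # restore the stripped padding
        try:
            return base64.b64decode(std, validate=True)
        except (binascii.Error, ValueError):
            return None

    def process(self, lines):
        """Return [(src_ip, spa_bytes)] for new, well-formed SPA requests."""
        accepted = []
        for line in lines:
            rec = self.parse_line(line)
            if rec is None or rec["method"] != "GET":
                continue
            if not rec["agent"].startswith(UA_PREFIX):
                continue
            raw = self.decode_spa(rec["path"])
            if raw is None:
                continue
            # The log keeps history; the reader must refuse a second copy of a packet.
            digest = hashlib.sha256(rec["path"].encode()).hexdigest()
            if digest in self.replay_cache:
                continue
            self.replay_cache.add(digest)
            accepted.append((rec["host"], raw))
        return accepted


# Constructed stand-in for an encrypted SPA packet (96 arbitrary bytes).
_FAKE_PACKET = bytes(range(96))
SAMPLE_SPA = (base64.b64encode(_FAKE_PACKET).decode()
              .replace("+", "-").replace("/", "_").rstrip("="))

# Constructed log lines, not from any real server: a valid request, a replay
# of it, an ordinary browser hit, a malformed Fwknop request, and garbage.
SAMPLE_LOG = [
    f'203.0.113.7 - - [28/Jun/2015:08:32:11 -0400] "GET /{SAMPLE_SPA} HTTP/1.0" 404 209 "-" "Fwknop/2.6.6"',
    f'203.0.113.7 - - [28/Jun/2015:08:32:15 -0400] "GET /{SAMPLE_SPA} HTTP/1.0" 404 209 "-" "Fwknop/2.6.6"',
    '198.51.100.2 - - [28/Jun/2015:08:33:01 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Jun/2015:08:33:30 -0400] "GET /not!base64 HTTP/1.0" 404 209 "-" "Fwknop/2.6.6"',
    'garbage line that is not in combined format',
]


def demo():
    """Run the sample log through a fresh reader; only the first request survives."""
    return SpaLogReader().process(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, pkt in demo():
        print(f"{ip}: {len(pkt)} bytes of SPA data")
```

A real reader would tail the log from a saved offset rather than re-reading it, and would hand the decoded bytes to the same decrypt-and-verify path the pcap and UDP modes use; the replay cache is what stands in for the "single" in SPA once the transport no longer guarantees it.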
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss