Re: Fwd: Indianz.com NEWS BRIEFS: APRIL 1, 2001
On Wed, Apr 04, 2001 at 09:15:56AM +0700, Rahmat M. Samik-Ibrahim wrote: > * RFC 3093 on Firewall Enhancement Protocol > http://www.faqs.org/rfcs/rfc3093.html > > Internet Transparency via the end-to-end architecture of the Internet > has allowed vast innovation of new technologies and services [1]. > However, recent developments in Firewall technology have altered this > model and have been shown to inhibit innovation. We propose the > Firewall Enhancement Protocol (FEP) to allow innovation, without > violating the security model of a Firewall. With no cooperation from > a firewall operator, the FEP allows ANY application to traverse a > Firewall. Our methodology is to layer any application layer > Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets > over the HyperText Transfer Protocol (HTTP) protocol, since HTTP > packets are typically able to transit Firewalls. I was disappointed in this RFC, since it doesn't actually work; typically the user who is trapped on the inside of the firewall only can initial HTTP connections, and so you have to play some polling games (and ideally encapsulate multiple packets as part of the HTTP GET response for efficiency's sake) in order to process packets from the outside of the firewall making it back into inside-firewall user. Of course, in order to be practical you'd also want to add some encryption plus some varying steganography so that you can evade firewall vendors trying to detect and prevent such http tunnelling requests. I had talked about this with a few folks a year or two ago as a possible April 1st RFC, but we had wanted to back it up with real, live running code which demonstrated something which could actually work. ah, well, so many interesting projects, so little time - Ted
Re: Fwd: Indianz.com NEWS BRIEFS: APRIL 1, 2001
> Not having seen an RFC come over the transom yesterday or today, > here is an alternative. > http://216.218.205.86/april1.asp Are you sure? 1 April Special * RFC 3091 on Pi Digit Generation Protocol * RFC 3092 on Etymology of "Foo" * RFC 3093 on Firewall Enhancement Protocol --- * RFC 3091 on Pi Digit Generation Protocol http://www.faqs.org/rfcs/rfc3091.html This protocol is intended to provide the Pi digit generation service (PIgen), and be used between clients and servers on host computers. Typically the clients are on workstation hosts lacking local Pi support, and the servers are more capable machines with greater Pi calculation capabilities. The essential tradeoff is the use of network resources and time instead of local computational cycles. * RFC 3092 on Etymology of "Foo" http://www.faqs.org/rfcs/rfc3092.html Approximately 212 RFCs so far, starting with RFC 269, contain the terms `foo', `bar', or `foobar' as metasyntactic variables without any proper explanation or definition. This document rectifies that deficiency. * RFC 3093 on Firewall Enhancement Protocol http://www.faqs.org/rfcs/rfc3093.html Internet Transparency via the end-to-end architecture of the Internet has allowed vast innovation of new technologies and services [1]. However, recent developments in Firewall technology have altered this model and have been shown to inhibit innovation. We propose the Firewall Enhancement Protocol (FEP) to allow innovation, without violating the security model of a Firewall. With no cooperation from a firewall operator, the FEP allows ANY application to traverse a Firewall. Our methodology is to layer any application layer Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets over the HyperText Transfer Protocol (HTTP) protocol, since HTTP packets are typically able to transit Firewalls. This scheme does not violate the actual security usefulness of a Firewall, since Firewalls are designed to thwart attacks from the outside and to ignore threats from within. The use of FEP is compatible with the current Firewall security model because it requires cooperation from a host inside the Firewall. FEP allows the best of both worlds: the security of a firewall, and transparent tunneling thought the firewall. regards, -- Rahmat M. Samik-Ibrahim - VLSM-TJT - http://rms46.vlsm.org --- The Kappa likes getting cucumber --- Budum... Budum...
Fwd: Indianz.com NEWS BRIEFS: APRIL 1, 2001
Not having seen an RFC come over the transom yesterday or today, here is an alternative. http://216.218.205.86/april1.asp Enjoy, Eric
