ietf
[Top] [All Lists]

Re: Fwd: Indianz.com NEWS BRIEFS: APRIL 1, 2001

2001-04-04 11:20:05
On Wed, Apr 04, 2001 at 09:15:56AM +0700, Rahmat M. Samik-Ibrahim wrote:
* RFC 3093 on Firewall Enhancement Protocol
  http://www.faqs.org/rfcs/rfc3093.html

  Internet Transparency via the end-to-end architecture of the Internet
  has allowed vast innovation of new technologies and services [1].
  However, recent developments in Firewall technology have altered this 
  model and have been shown to inhibit innovation.  We propose the
  Firewall Enhancement Protocol (FEP) to allow innovation, without
  violating the security model of a Firewall.  With no cooperation from
  a firewall operator, the FEP allows ANY application to traverse a
  Firewall.  Our methodology is to layer any application layer
  Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets
  over the HyperText Transfer Protocol (HTTP) protocol, since HTTP
  packets are typically able to transit Firewalls.  

I was disappointed in this RFC, since it doesn't actually work;
typically the user who is trapped on the inside of the firewall only
can initial HTTP connections, and so you have to play some polling
games (and ideally encapsulate multiple packets as part of the HTTP
GET response for efficiency's sake) in order to process packets from
the outside of the firewall making it back into inside-firewall user.

Of course, in order to be practical you'd also want to add some
encryption plus some varying steganography so that you can evade
firewall vendors trying to detect and prevent such http tunnelling
requests.

I had talked about this with a few folks a year or two ago as a
possible April 1st RFC, but we had wanted to back it up with real,
live running code which demonstrated something which could actually
work.....  ah, well, so many interesting projects, so little time....

                                                - Ted



<Prev in Thread] Current Thread [Next in Thread>