
Re: SOAP/XML Protocol and filtering, etc.

2001-05-07 07:30:02
On Sun, 06 May 2001 22:34:17 PDT, Mark Nottingham said:
> My original question was whether this behaviour was useful; although

I don't think it is.

> firewalls can (and some undoubtedly will) break open the XML to try
> and figure out what's inside, SOAPAction gives those who merely wish
> to have some reasonable control over what SOAP messages pass into and
> out of their network.

No, it doesn't provide reasonable control.  Since the whole *point* of
a firewall is to stop malicious packets, and since a packet can simply
label itself as "non-malicious", it leaks too much.

We *already* have too many networks out there run by people who think
that because they've installed a firewall, they're secure.  I'm going
to have to protest tooth-and-nail any proposal that will give even a
HINT to "the unwashed masses" that they can say "We installed a firewall
that implements SOAP, we don't have to worry about bad SOAP packets".

I have *NO* objections to implementing SOAPAction so that software can
use it as a "hint" for possible fast-pathing or special handling of some
sort (for instance, to flag it as SOAP-compliant so a SOAP handler can
be loaded, or to flag it as "priority" for expedited handling, or for
purposes similar to 'content-type:').  If somebody comes across a good
way to use SOAPAction: headers to make the Akamai node across the hall
from me do even more cool caching things, I'll encourage that ;)

I only object to the implication that it's reasonable to use it for
yes/no decisions in a firewall or other security context.
-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
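The point made above, that a message can "label itself as non-malicious", as an added worked example (not code from the original post or from either poster): a minimal SOAP 1.1 filter written two ways, once keyed on the SOAPAction header alone and once on the operation actually named inside the SOAP Body. The service namespace `urn:example:Inventory`, the operations `GetStock`/`DeleteSku`, the allow-list policy and both HTTP requests are constructed here for illustration and are not from any real service.

```python
"""
SOAPAction header vs. SOAP Body: why a firewall rule keyed on the header
is not a security control.  Added example, not code from the original
mailing-list post.  Assumes SOAP 1.1 framing (SOAPAction HTTP header,
SOAP-ENV:Envelope/Body); service names and requests are constructed.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Hypothetical policy: only the read-only operation may cross the firewall.
ALLOWED_ACTIONS = {"urn:example:Inventory#GetStock"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def header_filter(raw: bytes) -> bool:
    """The approach the post objects to: decide on SOAPAction alone.
    The value is entirely sender-controlled, so it is only a claim."""
    headers, _ = parse_request(raw)
    action = headers.get("soapaction", "").strip('"')
    return action in ALLOWED_ACTIONS


def body_operation(body: bytes) -> str:
    """'Break open the XML': return the operation actually invoked, i.e.
    the namespace and local name of the first child of the SOAP Body, in
    the same 'ns#Local' form the hypothetical policy uses.
    Caveat: this parses attacker-controlled XML.  ElementTree does not
    fetch external entities, but a production filter should still use a
    hardened parser and bound input size."""
    root = ET.fromstring(body)
    body_el = root.find(f"{{{SOAP_ENV}}}Body")
    if body_el is None or len(body_el) == 0:
        return ""
    ns, _, local = body_el[0].tag[1:].partition("}")   # tag is "{ns}Local"
    return f"{ns}#{local}"


def body_filter(raw: bytes) -> bool:
    """Decide on what the message does, not on what it says it does."""
    _, body = parse_request(raw)
    try:
        return body_operation(body) in ALLOWED_ACTIONS
    except ET.ParseError:
        return False    # unparseable XML is not "known good": fail closed


def soap_request(action: str, body_xml: str) -> bytes:
    """Build a constructed SOAP 1.1 POST carrying the given SOAPAction."""
    envelope = (
        '<?xml version="1.0"?>'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}">'
        f'<SOAP-ENV:Body>{body_xml}</SOAP-ENV:Body></SOAP-ENV:Envelope>'
    ).encode()
    return (
        b"POST /inventory HTTP/1.1\r\nHost: inventory.example\r\n"
        b"Content-Type: text/xml; charset=utf-8\r\n"
        + f'SOAPAction: "{action}"\r\n'.encode()
        + f"Content-Length: {len(envelope)}\r\n\r\n".encode()
        + envelope
    )


# Constructed sample traffic.
HONEST = soap_request(
    "urn:example:Inventory#GetStock",
    '<m:GetStock xmlns:m="urn:example:Inventory"><m:sku>A-100</m:sku></m:GetStock>')

# Labels itself as the permitted read, but the Body invokes the write the
# policy was meant to block.
MISLABELLED = soap_request(
    "urn:example:Inventory#GetStock",
    '<m:DeleteSku xmlns:m="urn:example:Inventory"><m:sku>A-100</m:sku></m:DeleteSku>')


def compare(raw: bytes) -> tuple:
    """(header-only verdict, body verdict) for one request."""
    return header_filter(raw), body_filter(raw)


if __name__ == "__main__":
    for name, msg in (("honest", HONEST), ("mislabelled", MISLABELLED)):
        print(name, compare(msg))
```

Run stand-alone, the honest request passes both filters while the mislabelled one passes the header-only filter and is stopped only by the filter that inspects the Body. The header filter is still a fine fast-path hint (a request that does not even claim an allowed action can be dropped without parsing), but as the only yes/no gate it is exactly the self-labelling problem the post describes.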


