[fi-rg] [Fvga-wg] New document on a protocol specification for dynamic opening of firewall ports

Ralph Niederberger r.niederberger at fz-juelich.de
Wed Jan 28 10:05:50 CST 2009


Dear Gian Luca,

thanks for your input.
And for the last time I include fi-rg at ogf.org in the recipients list.
(So think about subscribing to fvga-wg at ogf.org)

ad 1.)
I thought of this also. Therefore I added the 0001 and 0002 PathCntl
messages, where both sides could ask for a reply that the corresponding
partner is available. We could add something like "every xxx seconds a
NOOP has to be sent and a reply has to acknowledge this."
(See "Control Session commands and replies" on page 11 and also "keep
alive testing" on page 18/19)

ad 2.)
Should be no problem to add. This would also allow checking if both have
the same view.
The problem which remains is that the firewall may have a third view.
It could have denied requests which client and server have agreed on.
Or it could have crashed and lost all information. So checking between
both end points is only half the truth.

We have to see if HMAC really assures that no one in the middle can change
packets. If this were possible, then any message could be appended with
an encrypted checksum. Since both sides exchange a shared key within the
authentication part, this could be used to really check if something has
been changed on the path.
But maybe a Hashed Message Authentication Code (HMAC) is enough.
We have to ask PSC, who developed the SSH NONE Cipher.
I hope to have someone from PSC at the WG meeting in Catania. We are
just checking this.

best regards

Ralph

Gian Luca Volpato wrote:
> Hello Everybody,
>
> first of all I would like to thank Ralph for having produced this 
> first draft of the document.
> In my opinion the general concept of FiTP is a very good starting 
> point for the development of a dynamic firewall configuration system.
> I just have two global remarks:
>
> 1)
> If I understand correctly there is no timeout for the validity of a 
> granted access rule. A rule is valid until the auth_PI explicitly 
> removes it or until the FiTP control connection is ended (and 
> consequently all rules are removed).
> What happens if the auth_PI crashes? Is there an automatic recovery 
> procedure that removes all granted access rules in the firewall?
>
> 2)
> Would it be useful to add a FiTP command that allows the user_PI to 
> request the list of all the currently granted access rules?
> This list would contain all the rules that the auth_PI has granted to 
> the user_PI.
> I am not sure such a command is useful, but it could be used to check 
> and maintain synchronization between auth_PI and user_PI.
>
>
> Kind regards
> /Gian Luca
>
>
>
> On Jan 23, 2009, at 15:45, Ralph Niederberger wrote:
>
>> Dear all,
>>
>> our mailing list has been very quiet for a long time, so I would like
>> to start a discussion on a document I created in the last weeks.
>> Of course this one is only a first draft and needs a lot of work to
>> be finished. But I thought it would be better to describe the whole
>> concept of the protocol to be defined than just talking about some
>> fragmentary ideas. Of course the whole document can be modified,
>> but better to have something to discuss on than having no initial
>> idea.
>>
>> I would propose that we will have discussions on this document in our
>> FVGA-WG session in Catania in March, but would prefer to
>> get some feedback already before.
>>
>> I will present the idea behind this document at our session and have
>> already asked Chris Rapier from Pittsburgh Supercomputing Center to give a
>> talk about "HPN SSH with NONE Cipher". He has not yet decided to
>> come, but I hope he will do so.
>>
>> If he cannot make it I will try to summarize the ideas behind it.
>>
>> Waiting for your comments and best regards
>>
>> Ralph
>

-- 

***************************************************
 Ralph Niederberger
 Juelich Supercomputing Centre
 Institute for Advanced Simulation

 Phone:  +49 2461 61-4772
 Fax:    +49 2461 61-6656
 E-Mail: r.niederberger at fz-juelich.de
 WWW:    http://www.fz-juelich.de/jsc/

 JSC is the coordinator of the
 John von Neumann Institute for Computing
 and member of the
 Gauss Centre for Supercomputing
***************************************************

 Forschungszentrum Jülich GmbH
 52425 Jülich

 Registered office: Jülich
 Registered in the commercial register of the Düren District Court, No. HR B 3498
 Chairwoman of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
 Board of Directors: Prof. Dr. Achim Bachem (Chairman),
 Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr. Harald Bolt,
 Dr. Sebastian M. Schmidt

***************************************************
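The point raised in Ralph's reply above, that a Hashed Message Authentication Code keyed with the shared key from the authentication phase lets the receiver detect any change to a control message on the path, as an added Python example that is neither from the FiTP draft nor from anyone on the list. The wire layout, the command codes for the 0001/0002 PathCntl messages and the demo key are assumptions; the sequence-number check goes one step beyond the mail and shows that HMAC alone does not stop a replayed, unmodified frame.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in the draft the shared key would come from the
# authentication phase, which is not modelled here (assumption).
SHARED_KEY = b"constructed-demo-key-not-from-the-draft"

# Assumed wire layout (not the draft's): 2-byte command, 4-byte sequence
# number, payload, then a 32-byte HMAC-SHA256 over everything before it.
HDR = struct.Struct("!HI")
MAC_LEN = 32
PATHCNTL_REQ, PATHCNTL_REPLY = 0x0001, 0x0002   # names from the mail, codes assumed


def protect(command: int, seq: int, payload: bytes = b"", key: bytes = SHARED_KEY) -> bytes:
    """Build a control message and append its HMAC tag."""
    msg = HDR.pack(command, seq) + payload
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def verify(frame: bytes, expected_seq: int, key: bytes = SHARED_KEY):
    """Return (status, command, seq); status is 'ok', 'truncated', 'bad-mac' or 'bad-seq'.
    The MAC is checked before anything else is parsed, so a modified, truncated
    or forged frame is rejected before the receiver acts on it."""
    if len(frame) < HDR.size + MAC_LEN:
        return "truncated", None, None
    msg, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, msg, hashlib.sha256).digest()):
        return "bad-mac", None, None
    command, seq = HDR.unpack_from(msg)
    if seq != expected_seq:            # replayed or out-of-order frame
        return "bad-seq", command, seq
    return "ok", command, seq


def demo() -> dict:
    """Exercise the cases the mail worries about: intact, altered on the path, replayed."""
    frame = protect(PATHCNTL_REQ, 7, b"keepalive")
    altered = bytearray(frame)
    altered[HDR.size] ^= 0x01          # flip one payload bit, MAC left unchanged
    return {
        "intact": verify(frame, 7)[0],
        "altered": verify(bytes(altered), 7)[0],
        "replayed": verify(frame, 8)[0],   # receiver has already moved on to seq 8
        "truncated": verify(frame[:10], 7)[0],
    }


if __name__ == "__main__":
    print(demo())
```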

