On Wed, Apr 04, 2001 at 09:15:56AM +0700, Rahmat M. Samik-Ibrahim wrote:
> * RFC 3093 on Firewall Enhancement Protocol
> http://www.faqs.org/rfcs/rfc3093.html
>
> Internet Transparency via the end-to-end architecture of the Internet
> has allowed vast innovation of new technologies and services [1].
> However, recent developments in Firewall technology have altered this
> model and have been shown to inhibit innovation. We propose the
> Firewall Enhancement Protocol (FEP) to allow innovation, without
> violating the security model of a Firewall. With no cooperation from
> a firewall operator, the FEP allows ANY application to traverse a
> Firewall. Our methodology is to layer any application layer
> Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets
> over the HyperText Transfer Protocol (HTTP) protocol, since HTTP
> packets are typically able to transit Firewalls.

I was disappointed in this RFC, since it doesn't actually work; typically the user who is trapped on the inside of the firewall can only initiate HTTP connections, and so you have to play some polling games (and ideally encapsulate multiple packets as part of the HTTP GET response for efficiency's sake) in order to process packets from the outside of the firewall making it back to the inside-firewall user.

Of course, in order to be practical you'd also want to add some encryption plus some varying steganography so that you can evade firewall vendors trying to detect and prevent such HTTP tunnelling requests.

I had talked about this with a few folks a year or two ago as a possible April 1st RFC, but we had wanted to back it up with real, live running code which demonstrated something which could actually work..... ah, well, so many interesting projects, so little time....

- Ted
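The "polling games" Ted describes are also what gives a tunnel like this away on the firewall side: an inside client that can only open outbound HTTP has to fetch the same resource at a steady cadence to pick up inbound data. The script below is an added example (not code from the thread, RFC 3093, or any firewall vendor) showing how a defender could look for that cadence in proxy logs. The log format, hosts, addresses and thresholds are all constructed for the illustration; real proxy logs differ in layout and the `min_requests`/`max_cv` cut-offs are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic).
# Fields: timestamp client method host path status bytes_in_response
# Client 10.0.0.5 fetches the same path roughly every 10 s (a polling
# pattern); client 10.0.0.7 browses assorted pages at irregular intervals.
SAMPLE_LOG = """\
2001-04-04T09:00:00 10.0.0.5 GET www.example.org /poll?id=7 200 4096
2001-04-04T09:00:10 10.0.0.5 GET www.example.org /poll?id=7 200 4096
2001-04-04T09:00:20 10.0.0.5 GET www.example.org /poll?id=7 200 4096
2001-04-04T09:00:31 10.0.0.5 GET www.example.org /poll?id=7 200 8192
2001-04-04T09:00:40 10.0.0.5 GET www.example.org /poll?id=7 200 4096
2001-04-04T09:00:50 10.0.0.5 GET www.example.org /poll?id=7 200 4096
2001-04-04T09:01:00 10.0.0.5 GET www.example.org /poll?id=7 200 4096
2001-04-04T09:01:10 10.0.0.5 GET www.example.org /poll?id=7 200 4096
2001-04-04T09:00:05 10.0.0.7 GET www.example.net / 200 15320
2001-04-04T09:00:08 10.0.0.7 GET www.example.net /style.css 200 2210
2001-04-04T09:00:50 10.0.0.7 GET www.example.net /news 200 40110
2001-04-04T09:00:55 10.0.0.7 GET www.example.net /img/logo.png 200 5120
2001-04-04T09:02:05 10.0.0.7 GET www.example.net /about 200 9800
2001-04-04T09:02:06 10.0.0.7 GET www.example.net /img/team.jpg 200 60200
2001-04-04T09:05:05 10.0.0.7 GET www.example.net /contact 200 7700
"""


def parse_log(text):
    """Parse the constructed log format above into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, nbytes = line.split()
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host,
            "path": path,
            "status": int(status),
            "bytes": int(nbytes),
        })
    return entries


def find_polling_clients(entries, min_requests=6, max_cv=0.2):
    """Flag (client, host) pairs whose request timing looks like a poll loop.

    For each pair with at least `min_requests` requests, compute the
    inter-request intervals and their coefficient of variation
    (stdev / mean). Human browsing is bursty (high CV); a tunnel that
    polls for inbound data on a timer is regular (low CV). Returns a
    dict keyed by (client, host) with summary statistics for each hit.
    """
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["client"], e["host"])].append(e)

    flagged = {}
    for pair, reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda e: e["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds()
                     for a, b in zip(reqs, reqs[1:])]
        avg = mean(intervals)
        if avg <= 0:  # all requests in the same second: not a poll cadence
            continue
        cv = pstdev(intervals) / avg
        if cv > max_cv:
            continue
        flagged[pair] = {
            "requests": len(reqs),
            "mean_interval_s": avg,
            "interval_cv": cv,
            # a tunnel tends to hit one endpoint; browsing touches many
            "distinct_paths": len({e["path"] for e in reqs}),
            # GET responses carrying the inbound packets show as steady sizes
            "mean_response_bytes": mean(e["bytes"] for e in reqs),
        }
    return flagged


if __name__ == "__main__":
    for (client, host), stats in find_polling_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {stats}")
```

On the constructed sample only the 10.0.0.5 / www.example.org pair is reported (eight requests, mean interval 10 s, a single path). Legitimate software also polls on timers (mail clients, auto-updaters, chat), so a hit like this is a lead to triage against a host allow-list and the response sizes, not a verdict on its own.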
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.