Table of Contents

1.  Helpful Reading
2.  The Problem
3.  One Solution: Application Proxy
4.  BEEP Environment
5.  TUNNEL Profile
6.  Connections
7.  Start an Operation
8.  Pass Data
9.  Example
10.  Example
11.  Configuration Options

1. Helpful Reading

TUNNEL Profile

BEEP I-Ds:

• draft-ietf-beep-framework-11 (RFC 3080)
• draft-ietf-beep-tcpmapping-06 (RFC 3081)

2. The Problem

Security clashes with convenience.

Firewalls block all access, but

We want to be able to authorize some access.

How do we distinguish?

3. One Solution: Application Proxy

Runs on firewall machine.

Accepts connections,

   authorizes request,

      establishes requested connection,

         forwards data across firewall.

Makes a stile, not a hole.

4. BEEP Environment

Encryption, Authentication, Applications are orthogonal.

Proxy application reuses standard mechanisms.

(Hence, proxy spec only discusses proxying.)

5. TUNNEL Profile

Defines three basic operations:

• Connect to next machine,
• Start an operation there,
• Pass data transparently.

6. Connections

Two ways to address next hop.

• Source routing:
• IP + Port
• FQDN + Port
• FQDN + SRV
• Hop-by-Hop Routing:
• Profile URI
• Endpoint URI

7. Start an Operation

Originator may or may not require BEEP on final connection.

Empty <tunnel/> element says to require TUNNEL at endpoint.

No empty <tunnel/> element says no BEEP required.

Nested non-empty <tunnel> says more hops to go.

8. Pass Data

Intermediate proxies pass data transparently

  starting immediately after <ok/> element.

Allows TLS to be end-to-end.

9. Example

10. Example

11. Configuration Options

Require Authentication:

• TLS Certificate
• SASL Password

Disallow some routes or routing modes

    (Hide FQDN/IP from sniffers)

Require end-to-end TLS

    (Hide data from proxies)