TUNNEL Profile
BEEP I-Ds:
Security clashes with convenience.
Firewalls block all access, but we want to be able to authorize some access.
How do we distinguish?
Runs on firewall machine.
Accepts connections,
authorizes request,
establishes requested connection,
forwards data across firewall.
Makes a stile, not a hole.
Encryption, Authentication, Applications are orthogonal.
Proxy application reuses standard mechanisms.
(Hence, proxy spec only discusses proxying.)
Defines three basic operations:
Two ways to address next hop.
Originator may or may not require BEEP on final connection.
Empty <tunnel/> element says to require TUNNEL at endpoint.
No empty <tunnel/> element says no BEEP required.
Nested non-empty <tunnel> says more hops to go.
Intermediate proxies pass data transparently
starting immediately after <ok/> element.
Allows TLS to be end-to-end.
<tunnel fqdn="proxy2.example.com" port="12345">
  <tunnel endpoint="idxp:AcctDeptMgr"/>
</tunnel>
i             p1            p2            mgr
 ---xport--->
   <greet>
 --TUNNEL-->
               ---xport--->
                 <greet>
               --TUNNEL-->
                             ---xport--->
                               <greet>
                             --TUNNEL-->
                             <----ok-----
               <----ok-----
 <----ok-----
 <-------------- greeting -------------->
Require authentication.
Disallow some routes or routing modes (hide FQDN/IP from sniffers).
Require end-to-end TLS (hide data from proxies).
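As an added example, not code from these slides or from any BEEP/TUNNEL implementation, the following Python does the two things a proxy has to do with a request: it walks a nested <tunnel> element using the three rules from the earlier slide (empty <tunnel/> means TUNNEL is required at the endpoint; no empty element means no BEEP required; a nested non-empty element means more hops), and it applies a proxy-side policy of the kind listed just above (require authentication, refuse certain routing modes). The function names parse_tunnel, next_hop, authorize and TunnelPolicy are mine; the attributes fqdn, port and endpoint come from the slides' example, while ip4, ip6, srv, service and profile are assumed from the TUNNEL specification and do not appear here; the `authenticated` flag is a simplified stand-in for the proxy's real SASL state, and the sample request is constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Attributes a <tunnel> hop may carry. fqdn, port and endpoint appear on the
# slides; ip4, ip6, srv, service and profile are assumed from the TUNNEL spec.
ROUTING_ATTRS = frozenset(
    {"fqdn", "ip4", "ip6", "port", "srv", "service", "endpoint", "profile"})

# Constructed sample request: the slides' example with its markup completed.
SAMPLE_REQUEST = (
    '<tunnel fqdn="proxy2.example.com" port="12345">'
    '<tunnel endpoint="idxp:AcctDeptMgr"/>'
    '</tunnel>')


def parse_tunnel(xml_text):
    """Walk nested <tunnel> elements from outermost to innermost.

    Returns (hops, beep_at_endpoint):
      hops             -- one attribute dict per non-empty element, in hop order
      beep_at_endpoint -- True only if the chain ends in an empty <tunnel/>,
                          i.e. TUNNEL (and so BEEP) is required at the endpoint
    """
    hops = []
    node = ET.fromstring(xml_text)
    while True:
        if node.tag != "tunnel":
            raise ValueError("unexpected element <%s>" % node.tag)
        children = list(node)
        if len(children) > 1:
            raise ValueError("<tunnel> may nest at most one <tunnel>")
        unknown = set(node.attrib) - ROUTING_ATTRS
        if unknown:
            raise ValueError("unknown attribute(s): %s" % sorted(unknown))
        if not node.attrib:
            if children:
                raise ValueError("non-empty <tunnel> needs routing attributes")
            # Empty <tunnel/>: the endpoint must accept TUNNEL and speak BEEP.
            return hops, True
        hops.append(dict(node.attrib))
        if not children:
            # Innermost element is addressed but not empty: plain connection,
            # no BEEP required at the far end.
            return hops, False
        node = children[0]


def next_hop(xml_text):
    """One proxy's view: the outermost hop is its own job; the nested element
    (if any) is what it forwards unchanged to that hop once connected."""
    root = ET.fromstring(xml_text)
    if root.tag != "tunnel":
        raise ValueError("unexpected element <%s>" % root.tag)
    children = list(root)
    inner = ET.tostring(children[0], encoding="unicode") if children else None
    return dict(root.attrib), inner


@dataclass(frozen=True)
class TunnelPolicy:
    """Proxy-side policy of the kind listed on the slide (simplified)."""
    require_authenticated: bool = True
    # Routing attributes this proxy refuses to act on anywhere in the chain,
    # e.g. forbid literal hosts so that only abstract endpoint names are routed.
    forbidden_attrs: frozenset = frozenset({"fqdn", "ip4", "ip6"})


def authorize(xml_text, policy, authenticated):
    """Decide whether this proxy accepts the TUNNEL request.

    `authenticated` stands in for the proxy's real SASL state. Returns
    (accepted, reason); a rejection maps naturally onto a BEEP <error>.
    """
    if policy.require_authenticated and not authenticated:
        return False, "authentication required before TUNNEL"
    try:
        hops, _ = parse_tunnel(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return False, "malformed request: %s" % exc
    for i, hop in enumerate(hops):
        bad = set(hop) & policy.forbidden_attrs
        if bad:
            return False, "hop %d uses forbidden routing attribute(s) %s" % (
                i, ", ".join(sorted(bad)))
    return True, "accepted"


if __name__ == "__main__":
    print(parse_tunnel(SAMPLE_REQUEST))
    print(next_hop(SAMPLE_REQUEST))
    print(authorize(SAMPLE_REQUEST, TunnelPolicy(), authenticated=True))
```

With the default policy the slides' own example is refused at the first proxy because its outer hop names a literal FQDN; relaxing `forbidden_attrs` to the empty set accepts it. The parse step rejects a non-empty element without routing attributes and more than one nested element before any policy question is asked, so a malformed request never reaches the connection-establishing code.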