Re: User and Ports: For a firewall solution

Alan Cox (alan@lxorguk.ukuu.org.uk)
Mon, 20 Apr 1998 16:28:33 +0100 (BST)


> If I understood your question well, this is also possible for any normal
> host based firewall. You can give any IP to your laptop and enjoy that
> hosts privileges. Also, I have designed to include authentication and
> hence the mention of local auth module in my posting.

Nod, but you then appear to be keying that to port numbers which is insecure
so you are saying 'change the kernel to do XYZ' when doing XYZ doesn't help.

> > and verification at the boundary points too. In that case the boundary
> > points can generate IP-AH frames with MD5 signatures based on authentication
> > data provided.
>
> Can you please elaborate this point. This will be really very useful.
> I will appreciate it.

If the machine your mobile agent connects to was extended to support one
of the authentication protocols for IP frames. IP-AH is an IP extension
that ends frames with

[IP-HEADER][IP-AH header][MD5 data][Packet]

so you can have the mobile host talk to the FA which then sends packets
that are signed and include user auth info. In fact you could probably
skip MD5 and hide the data in other ways providing you strip it at the
firewall itself. IP-AH has an RFC. (IP authentication header)

Alan
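The frame layout Alan sketches above, worked through as an added example that is not part of the original thread: a foreign agent (FA) emits frames as [IP header][AH header][MD5 authentication data][inner packet carrying the user auth info], and the firewall recomputes the keyed MD5 over the fields that do not change in transit and drops anything that fails. The pre-shared key, addresses, SPI and the inner packet contents are constructed for the example; the keyed-MD5 construction (key || data || key) is a simplification in the spirit of RFC 1828 and the 12-byte AH header follows the RFC 1826 field order, but neither is claimed to be byte-exact with any real implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
ICV_LEN = 16         # MD5 digest length
IP_HDR_LEN = 20
AH_HDR_LEN = 12      # next header, payload length, reserved, SPI, sequence

# Constructed pre-shared key between the foreign agent and the firewall (assumption).
FA_KEY = b"example-pre-shared-key"


def keyed_md5(key: bytes, data: bytes) -> bytes:
    """Keyed MD5 in the style of RFC 1828 (key || data || key), simplified."""
    return hashlib.md5(key + data + key).digest()


def _ip_header(src: str, dst: str, total_len: int) -> bytes:
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags/frag,
    # TTL, protocol, header checksum (left zero here), source, destination.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                       AH_PROTO, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def _ah_header(next_header: int, spi: int, seq: int) -> bytes:
    # Payload length is expressed in 32-bit words minus 2, as in the RFC.
    payload_len = (AH_HDR_LEN + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)


def _authenticated_bytes(ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    # Only fields that stay constant in transit are covered: source, destination,
    # protocol, the AH header itself (ICV treated as zero) and the inner packet.
    src, dst, proto = ip_hdr[12:16], ip_hdr[16:20], ip_hdr[9:10]
    return src + dst + proto + ah_hdr + bytes(ICV_LEN) + payload


def build_ah_frame(key: bytes, src: str, dst: str, spi: int, seq: int,
                   next_header: int, payload: bytes) -> bytes:
    """Foreign-agent side: wrap the inner packet in IP + AH + MD5 data."""
    total_len = IP_HDR_LEN + AH_HDR_LEN + ICV_LEN + len(payload)
    ip_hdr = _ip_header(src, dst, total_len)
    ah_hdr = _ah_header(next_header, spi, seq)
    icv = keyed_md5(key, _authenticated_bytes(ip_hdr, ah_hdr, payload))
    return ip_hdr + ah_hdr + icv + payload


def verify_ah_frame(key: bytes, frame: bytes):
    """Firewall side: return (True, inner packet) if the ICV checks, else (False, None)."""
    if len(frame) < IP_HDR_LEN + AH_HDR_LEN + ICV_LEN:
        return False, None
    ip_hdr = frame[:IP_HDR_LEN]
    if ip_hdr[9] != AH_PROTO:            # plain, unsigned packets are rejected outright
        return False, None
    ah_start = IP_HDR_LEN
    icv_start = ah_start + AH_HDR_LEN
    payload_start = icv_start + ICV_LEN
    ah_hdr = frame[ah_start:icv_start]
    icv = frame[icv_start:payload_start]
    payload = frame[payload_start:]
    expected = keyed_md5(key, _authenticated_bytes(ip_hdr, ah_hdr, payload))
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        return False, None
    return True, payload


def demo():
    """Build one signed frame and show that tampering or a wrong key is caught."""
    inner = b"user=alice;ttl=300;payload=...(constructed inner packet)"
    frame = build_ah_frame(FA_KEY, "10.0.0.2", "192.0.2.1", spi=0x1234, seq=1,
                           next_header=6, payload=inner)
    ok, got = verify_ah_frame(FA_KEY, frame)
    # Flip one byte of the inner packet: the firewall must refuse it.
    tampered = bytearray(frame)
    tampered[-1] ^= 0x01
    ok_tampered, _ = verify_ah_frame(FA_KEY, bytes(tampered))
    # Rewrite the source address (the laptop claiming another host's IP).
    spoofed = frame[:12] + ipaddress.IPv4Address("10.0.0.99").packed + frame[16:]
    ok_spoofed, _ = verify_ah_frame(FA_KEY, spoofed)
    ok_wrong_key, _ = verify_ah_frame(b"some-other-key", frame)
    return ok and got == inner, ok_tampered, ok_spoofed, ok_wrong_key


if __name__ == "__main__":
    print(demo())
```

The point the thread makes is visible in `verify_ah_frame`: a sender can put any source address or port number on a frame, but without the shared key it cannot produce the authentication data, so the firewall's decision rests on the key rather than on header fields. Two things a real deployment adds beyond this sketch: the sequence number must be tracked to reject replays, and MD5-based authenticators are long obsolete, so current AH profiles use HMAC with a SHA-2 family hash.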
