Firewall Wizards mailing list archives

Re: Transparent vs. Non-transparent AGs/SPFs/whatever


From: Woody Weaver <woody () wiltelnsi com>
Date: Thu, 24 Sep 1998 13:32:45 -0700

At 03:21 PM 9/22/98 -0700, Ryan Russell wrote:
[...]
So here's my question:

If I want transparency, am I essentially stuck trying to
determine protocol strictly by port number?  If I want to permit
people out to arbitrary port numbers, am I stuck with the
equivalent of a circuit-level proxy?

                        Ryan

Are we speaking theoretically?  

You pose a question
If I've got a transparent proxy, or some SPF, how is it supposed to
know that when I connect to port 2300, I want the telnet protocol
instead of HTTP, FTP, or something else?

You can use the "oh, it's you, Bob" approach: poll the users, find out that
Bob occasionally talks to some.host:2300 using telnet, and then add the
state to your AG that connections that are identified as coming from Bob to
some.host on port 2300 should use the telnet proxy to connect.

The reason that transparent proxies can "get away" with using a telnetd
proxy to intervene in conversations on port 23 is (1) that they have been
given information that a telnet session is about to take place, and (2)
they have been given authority to monitor that telnet session and ensure
that the only information passed complies with the expected protocols of
telnet.

But the guts of your question are based in 
There are obviously some clues in the data stream as to what the
protocol is, but trying to figure it out on the fly won't scale very well.

It is necessary and sufficient that the AG acquire the information on the
nature of the traffic the user is trying to invoke, and acquire the
authority to monitor and moderate that traffic.  If you have a complete
list of protocols that users are permitted, and can unambiguously assign
them based upon information available to the AG, and have application
proxies for each of those protocols, then yes you can do what you want.

Note that "information available to the AG" can include table based
information (i.e. the note that Bob uses telnet to connect to FW1 on 259 at
partner.firewall.com) or it can include transaction state (i.e. after the
handshake the remote side sent us a "login:" prompt) or it can include
anything else you can think of, including a non-transparent butler on the
client workstation that signals the AG what the user is trying to do.
Comparing this against the effort of non-transparent proxies is left as an
exercise for the reader.  :)

--woody
--
Robert Wooddell Weaver               email:  woody () wiltelnsi com
Network Engineer                     voice:  510.358.3972
Williams Communication Data Group    pager:  510.702.4334
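As an added illustration, not part of Woody's post or any shipping product, here is the dispatch rule the post describes: consult table-based state first, fall back to transaction state (the first bytes each side sends), and refuse the connection when the assignment is ambiguous or the gateway has no application proxy for the result. The users, hosts, ports and greeting strings are constructed for the example.

```python
import re
from typing import Optional, Set

# Constructed policy table: (user, host, port) -> protocol whose application
# proxy must handle the connection. This is the "oh, it's you, Bob" state.
POLICY_TABLE = {
    ("bob", "some.host", 2300): "telnet",
    ("bob", "partner.firewall.com", 259): "fw1",
    ("alice", "mail.example", 25): "smtp",
}

# Application proxies this gateway actually has. A protocol it cannot
# moderate is refused rather than passed through unexamined.
AVAILABLE_PROXIES = {"telnet", "smtp", "http", "fw1"}

# Transaction-state heuristics on the opening bytes of each side.
SERVER_GREETINGS = [
    (re.compile(rb"login:"), "telnet"),
    (re.compile(rb"^220[ -]"), "smtp"),              # FTP also greets with 220
    (re.compile(rb"^220[ -].*FTP", re.I), "ftp"),
]
CLIENT_OPENERS = [
    (re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"), "http"),
    (re.compile(rb"^\xff[\xfb-\xfe]"), "telnet"),    # IAC WILL/WONT/DO/DONT
]


def classify_by_state(client_bytes: bytes, server_bytes: bytes) -> Set[str]:
    """Return every protocol the observed bytes are consistent with."""
    hits = {p for rx, p in CLIENT_OPENERS if rx.match(client_bytes)}
    hits |= {p for rx, p in SERVER_GREETINGS if rx.search(server_bytes)}
    return hits


def choose_proxy(user: str, host: str, port: int,
                 client_bytes: bytes = b"", server_bytes: bytes = b"") -> Optional[str]:
    """Pick the application proxy for one connection, or None to refuse.

    Table state wins when present. Otherwise transaction state is used, but
    only when it yields exactly one candidate; a guess is never made.
    """
    proto = POLICY_TABLE.get((user, host, port))
    if proto is None:
        candidates = classify_by_state(client_bytes, server_bytes)
        if len(candidates) != 1:
            return None            # unknown or ambiguous assignment
        proto = candidates.pop()
    return proto if proto in AVAILABLE_PROXIES else None
```

The "220" case shows why unambiguous assignment matters: an SMTP-looking greeting that also names FTP matches two protocols and is refused instead of being handed to the wrong proxy.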


