shapj@us.ibm.com wrote:
>
> >Hang on - no networking API has a notion of hosts _or_ interfaces. They
> >have a notion of IP numbers, surely?
>
> Yes, but the IP number is 1-1 with some particular interface.
I'm afraid not. A single interface can have multiple IPs.
> From the *inside*, there is only one host. When you enumerate all of the
> IP addresses of a given machine, you get all of them without regard to host
> name.
>
> The host name returned by 'getLocalHost()' is referred to as the
> "canonical" host name. There is only one per machine.
Although this is technically correct, in a sense[1], I refer you to, for example, the sendmail documentation to see that in real life it is not as simple as this.
[1] I say in a sense because to some extent it is up to the system administrator to decide which hostname is "canonical", and that decision may actually depend on the application to which the information is being imparted.
> > If port numbers are being remapped as well, how can the Vat and
> > VLS cooperate to figure out a port number by which others can contact the
> > Vat's listen port?
>
> They cannot. In general, under these conditions, the port number used by
> an outside connection must be different from the port number used by an
> internal connection. In practice, remapping of port numbers is rare, and
> is used for protocols like FTP that build a back connection.
>
> >It seems to me that if A is currently talking to B and wants to be able
> >to talk to B again in the future, then it is up to B to tell A how to do
> >that... (e.g. "use domain name X" or "connect to port Y on IP Z")
>
> In the face of proxies and firewalls, this is simply not in general
> possible. Preventing this is, to some degree, the whole *point* of a
> firewall.
Not at all. A firewall's primary function is not to prevent the _discovery_ of methods by which one can connect (that would be the deprecated "security by obscurity") - it is to prevent the connections themselves. If the connection is allowed, the method by which one discovers it depends on the firewall, local host configuration, DNS/DHCP policy, etc. What I was trying to say, not very clearly, was that it isn't possible, in general, to figure this out from the usual "known facts", so the destination has to provide some hints (probably derived from some configuration the sysadmin did).
> It's also why a rash of products are now figuring out how to tunnel through
> HTTP. Prediction: pretty soon http will be disabled by all sensible
> firewalls.
I really doubt this is likely. However, sensible firewall admins _also_ dictate how HTTP can be used. Using it to tunnel is abuse from where I'm sitting.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi