[E-Lang] VLS for everyone

Bill Frantz frantz@pwpconsult.com
Sat, 24 Mar 2001 11:25:49 -0800


At 1:49 AM -0800 3/23/01, Tyler Close wrote:
>What exactly are the issues with firewalls that are related to the VLS
>service? I really can't think of any. The VLS server is sitting on an
>outside box with a permanent IP address. The VLS server is not behind
>a firewall. The client may be behind a firewall, but it is connecting
>out to the VLS server. It's easy enough for this outbound connection
>to be just an HTTP GET operation.

The major issues with firewalls are concerned with what address and port do
you report to the outside world for a vat behind a firewall which is
registering.  Consider the common (thanks to DSL) case of a Network Address
Translating (NAT) firewall.  A vat using that firewall will probably have
an IP address like 192.168.0.3.  When it goes through the firewall, the
address will be translated to some IP address assigned by the ISP (call it
12.33.44.55).  The originating port number may also be translated as well
(to avoid duplicates on other machines inside the firewall).

So, when the vat goes to register, it sends a message saying that it is at
192.168.0.3:3469, since it listens on the E protocol standard port.  The
first VLS simply registered the vat as being at 192.168.0.3:3469.  With
that address, no network routers would route the packets since that range
is reserved for private network use.  (Thanks to Sidney Markowitz, who first
experienced this "feature" and first explained what was happening.)

A small improvement comes if the VLS uses the sending IP address rather
than the one specified in the message for registration.  That at least gets
back to the gateway at the last level of network address translation,
although we still don't know what port to connect to.

I understand that a SOCKS (sp?) firewall supports a protocol for getting a
port to support connections from the outside.  A protocol like that is
needed for FTP, where the FTP server builds connections to the client to
actually transfer the files.

Tyler suggests a protocol that runs on HTTP.  An initial design for such a
protocol can be found at:
<http://www.erights.org/elib/distrib/vattp/DataCommThruFirewalls.html>.
Please comment.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz       | Microsoft Outlook, the     | Periwinkle -- Consulting
(408)356-8506     | hacker's path to your      | 16345 Englewood Ave.
frantz@netcom.com | hard disk.                 | Los Gatos, CA 95032, USA
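The registration problem Bill describes (a vat behind a NAT firewall reporting 192.168.0.3:3469, and the "small improvement" of recording the sending address instead) as an added example; this is illustrative code written for this post, not the VLS implementation, and the `Registration` record, the function names and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

E_STANDARD_PORT = 3469  # the E protocol port quoted in the message


@dataclass
class Registration:
    vat_id: str
    claimed_addr: str               # what the vat said about itself
    reachable_ip: str               # address the VLS will hand out to callers
    reachable_port: Optional[int]   # None when NAT hides the real listening port
    behind_nat: bool


def parse_addr(addr: str):
    """Split 'host:port' into (ip_address, int port)."""
    host, _, port = addr.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def is_routable(ip) -> bool:
    """True only for an address that routers outside the firewall will carry."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified)


def naive_register(vat_id: str, claimed_addr: str) -> Registration:
    """The first VLS: trust the address in the message, even if unroutable."""
    ip, port = parse_addr(claimed_addr)
    return Registration(vat_id, claimed_addr, str(ip), port, not is_routable(ip))


def register(vat_id: str, claimed_addr: str, observed_ip: str) -> Registration:
    """Improved VLS: record the sending (post-NAT) address, not the claimed one."""
    claimed_ip, claimed_port = parse_addr(claimed_addr)
    observed = ipaddress.ip_address(observed_ip)
    if claimed_ip == observed and is_routable(claimed_ip):
        # No translation in the path: the claimed listening port is usable.
        return Registration(vat_id, claimed_addr, str(observed), claimed_port, False)
    # Claimed address was translated (or is private): the observed address
    # reaches the last NAT gateway, but the port to connect to is still unknown.
    return Registration(vat_id, claimed_addr, str(observed), None, True)


if __name__ == "__main__":
    # Constructed sample: vat on a home LAN, seen by the VLS as 12.33.44.55.
    print(naive_register("vatA", "192.168.0.3:3469"))
    print(register("vatA", "192.168.0.3:3469", "12.33.44.55"))
```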