IPP Mail Archive: RE: IPP> TES: Mandatory IPP notification a

RE: IPP> TES: Mandatory IPP notification agreement

From: McDonald, Ira (imcdonald@sharplabs.com)
Date: Thu Jun 22 2000 - 11:33:25 EDT

  • Next message: don@lexmark.com: "Re: IPP> TES: Mandatory IPP notification agreement"

    Hi Carl,

    You made an excellent point at the end of your note below.

    A sophisticated application layer gateway (ALG) is necessary
    for any INDP targets accessible over the Internet but 'obscure'
    because of NAT (network address translation), Windows connection
    sharing, etc.

    And the problem of configuring the ALG to handle the *particular*
    choice of security measures (one-time-passwords and so on) mandated
    in each different customer environment is intractable in my
    opinion.

    I like INDP, but I consider it only plausibly an intranet solution.
    The IESG and the IAB are certainly alive to the loss of opacity
    in the public Internet and won't miss the security implications
    for INDP. Has anyone read the I-D on an SNMP ALG for NAT boxes?
    This stuff is often more bother than it's worth...

    Cheers,
    - Ira McDonald, consulting architect at Xerox and Sharp
      High North Inc

    -----Original Message-----
    From: kugler@us.ibm.com [mailto:kugler@us.ibm.com]
    Sent: Wednesday, June 21, 2000 3:09 PM
    To: ipp@pwg.org
    Subject: Re: IPP> TES: Mandatory IPP notification agreement

    [Added subject line and this P.S.:]

    henrik.holst@i... wrote:
    >
    > Well it was my understanding that we didn't agree on a mandatory method.
    > And the INDP method
    > won't go through a firewall, so if you are searching for a mandatory
    method
    > I would say MAILTO.

    I agree, INDP won't go through firewalls.

    ---------------------- Forwarded by Carl Kugler/Boulder/IBM on 06/21/2000
    04:07 PM ---------------------------

    From: Carl Kugler on 06/21/2000 03:39 PM

    To: ipp@pwg.org
    cc:
    From: Carl Kugler/Boulder/IBM@IBMUS
    Subject:

    "Zehler, Peter" <Peter.Zehler@u...> wrote:
    ...
    > My preference is that INDP be mandated. I feel that programmatic
    > notification is critical to the development of robust IPP applications.
    One
    > of those applications would be QUALDOCS. In the definition of IPP, and
    its
    > associated notification mechanism, I am concerned primarily with client
    > /server communications. End user notification, while useful, is not my
    > primary objective. It is true that infrastructure will have to be
    > configured to allow this traffic to pass. The same is true of outbound
    IPP
    > requests. I imagine that most of our printers will also implement mailto.
    I
    > have no objections to allowing both, but I think only one should be
    > mandated.
    >
    ...

    Actually, in many cases the infrastructure does not have to be configured
    to allow outbound IPP requests. I've always been able to connect to IPP
    Printers on the Internet with an IPP client here inside the IBM firewall.
    (In fact, I remember connecting my client to your Printer a few years ago!)
    We run a SOCKS Internet gateway here, and I can make a TCP connection to
    any host:port on the Internet.

    "McDonald, Ira" <imcdonald@s...> wrote:
    ...
    > Lastly, Peter you jumped from port filtering by firewalls
    > to MIME type filtering - but the latter requires that the
    > firewall have an Application Layer Gateway (ALG) to figure
    > out the protocol and THEN to find the MIME type inside the
    > protocol envelope.
    >
    > Personally, I agree with Henrik about selecting email as
    > the IPP mandatory notification method.
    >

    Most firewalls allow insiders to make outbound connections (perhaps
    indirectly), but prevent outsiders from making inbound connections. Very
    few corporate firewall administrators would be willing to simply open a
    port and allow anybody to make inbound connections to arbitrary addresses
    inside the firewall. Here at IBM, making an inbound connection requires
    full-blown authentication, encryption, one-time passwords, etc. (by
    strictly enforced corporate policy). We use Aventail for this. Also, in
    many cases, machines inside a firewall are simply not addressable from
    outside, due to network address translation (NAT), IP Masquerading, Windows
    connection sharing, etc. You'd need a really sophisticated
    application-level gateway to deal with these issues.

         -Carl



    This archive was generated by hypermail 2b29 : Thu Jun 22 2000 - 11:41:39 EDT