Geoff Mulligan writes:
>sjg@quick.com.au said:
>> One thing to note - SPF and crypto do not mix.
>What! Certainly SPF and crypto do mix. Take a look at Sunscreen. It is a
>stateful packet screen AND supports strong crypto through the use of SKIP.
Link level crypto, sure. Not everyone likes that though.
I was referring to folk trying to use SSLftp, where the connection is
authenticated and encrypted at the application level. Because a SPF
cannot look inside the payload in such a case, the dynamic opening of
ports will fail.
>Maybe you meant to say that NAT and crypto do not mix, but again depending on
Funny, you're the 2nd person to suggest that. But no, I mean exactly
what I said. Think about it - why would NAT be a problem? Because the
SPF cannot look inside the payload (for the port command to translate
the address and open a window for the return data connection to the
listed port). Turn off NAT, and what changes - the SPF cannot look
inside the payload to see the port command - to open a window for the
return data connection. The result is the same with or without NAT,
the SPF does not allow the in-bound connection.
--sjg
--
Simon J. Gerraty <sjg@quick.com.au>
#include <disclaimer> /* imagine something _very_ witty here */
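The point Simon makes above (a stateful packet filter opens the inbound FTP data connection only because its FTP helper reads the PORT command out of the cleartext control channel, and NAT is beside the point) can be shown with a toy filter. The following is an added example written for this thread, not code from Sunscreen or any real firewall; the addresses, port numbers and the "TLS record" bytes are constructed, and the optional NAT behaviour is a simplification that only rewrites the address the server will dial.

```python
# Toy stateful packet filter with an FTP helper, written as an added example
# for this thread (not code from Sunscreen or any real product). Addresses,
# ports and the "TLS record" bytes below are all constructed.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Active-mode FTP: the client tells the server where to connect back with
# "PORT h1,h2,h3,h4,p1,p2" on the control channel (port 21).
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")


def port_command(ip: str, port: int) -> bytes:
    """Encode an FTP PORT command line for the given client address/port."""
    h = ip.split(".")
    return f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256}\r\n".encode()


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFilter:
    """Allows outbound connections, tracks them, and admits an unsolicited
    inbound connection only through a pinhole its FTP helper opened."""

    def __init__(self, inside_prefix: str = "10.0.0.", public_ip: Optional[str] = None):
        self.inside_prefix = inside_prefix
        self.public_ip = public_ip  # set -> inside hosts are NATed behind this address
        self.sessions: Set[Flow] = set()
        # (server_ip, address the server will dial, port) -> inside host it reaches
        self.pinholes: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def outbound(self, flow: Flow, payload: bytes = b"") -> bool:
        """Inside host sends outward: allowed and recorded; FTP control
        traffic (port 21) is handed to the helper for inspection."""
        if not flow.src_ip.startswith(self.inside_prefix):
            return False
        self.sessions.add(flow)
        if flow.dst_port == 21:
            self._ftp_helper(flow, payload)
        return True

    def _ftp_helper(self, flow: Flow, payload: bytes) -> None:
        """Find PORT commands in the cleartext control channel and open a
        one-shot pinhole for the server's data connection back to the client.
        Ciphertext never yields a parsable PORT line, so nothing is opened."""
        for line in payload.split(b"\n"):
            m = PORT_RE.match(line)
            if not m:
                continue
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            client_ip, client_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
            # Sanity check: only honour PORT for the connecting client itself.
            if client_ip != flow.src_ip or client_port < 1024:
                continue
            # With NAT the helper would also rewrite the PORT argument to the
            # public address; the pinhole is keyed on whatever the server dials.
            dial_ip = self.public_ip or client_ip
            self.pinholes[(flow.dst_ip, dial_ip, client_port)] = (client_ip, client_port)

    def inbound(self, flow: Flow) -> bool:
        """Outside host opens a connection to us: allowed only via a pinhole."""
        target = self.pinholes.pop((flow.src_ip, flow.dst_ip, flow.dst_port), None)
        if target is None:
            return False
        inside_ip, inside_port = target
        self.sessions.add(Flow(flow.src_ip, flow.src_port, inside_ip, inside_port))
        return True


SERVER, CLIENT, DATA_PORT = "203.0.113.7", "10.0.0.5", 1025  # constructed


def cleartext_ftp(public_ip: Optional[str] = None) -> bool:
    """Plain FTP: the helper sees PORT, so the data connection gets in."""
    fw = StatefulFilter(public_ip=public_ip)
    ctl = Flow(CLIENT, 40000, SERVER, 21)
    fw.outbound(ctl, b"USER anonymous\r\n")
    fw.outbound(ctl, port_command(CLIENT, DATA_PORT))
    return fw.inbound(Flow(SERVER, 20, public_ip or CLIENT, DATA_PORT))


def ssl_ftp(public_ip: Optional[str] = None) -> bool:
    """FTP over SSL/TLS: the same PORT command rides inside an encrypted
    application-data record, so the helper sees only ciphertext."""
    fw = StatefulFilter(public_ip=public_ip)
    ctl = Flow(CLIENT, 40000, SERVER, 21)
    # Constructed stand-in for a TLS record (0x17 = application data).
    tls_record = bytes.fromhex("1703030018" "5d9e4c0ab71f83e6a2d4c9f0b3e71a5c8d2e6f9a1b3c4d5e")
    fw.outbound(ctl, tls_record)
    return fw.inbound(Flow(SERVER, 20, public_ip or CLIENT, DATA_PORT))


if __name__ == "__main__":
    for nat in (None, "198.51.100.1"):
        print(f"NAT={nat!s:13} cleartext -> {cleartext_ftp(nat)}  SSL/TLS -> {ssl_ftp(nat)}")
```

Run it and the cleartext case admits the data connection with or without NAT, while the encrypted case is refused both times: the only thing NAT changes is the address the helper writes into the pinhole, and the helper never gets that far when the control channel is opaque to it. The same applies to any other protocol whose helper depends on reading the payload.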