At 01:06 PM 6/9/97 EDT, Ryan Russell/SYBASE wrote:
>Yes, I don't believe the SPFs will fragment, keep
>separate window sizes, etc. Unless the layer 2 networks
>on each side are significantly different.

An SPF cannot keep separate window sizes. By definition, there is only
one TCP session in an SPF where there are two sessions in a PROXY. Thus,
in an SPF, the end nodes are responsible for handling window sizes, not the
SPF. An SPF is at the lowest level still a router (maybe a bridge). On the
other hand, a proxy can do this as each session will have separate windowing
and everything else.

For example, I have seen where an HTTP proxy would receive 3 each 500 (or
so) byte packets in and turn around and forward on a 1500 (or so) byte
packet. An SPF cannot do this as only end
nodes can de-fragment. Also, this did not appear to be so much a
defragmentation issue as it was a process of "store-review-forward" which
created the de-fragmentation benefit.

>
>No, I don't think that there is anything an SPF
>can block (in the data stream) that a proxy
>can't. But, I will claim that the opposite is true, too.
>

From my understanding when looking at some of the different technologies,
was that many SPFs are based more on HEX pattern matching using offsets in
the packet. Whereas, a proxy actually processes the data as data versus
HEX bytes. If this is true (please let me know one way or the other), then
I would think it would be very difficult to write a good set of SPF filters
to do higher layer decisions (i.e. URL logging, checking.....). A true
proxy on the other hand could be written to do this and provide a much
easier user interface for writing the rulesets. For example, to determine
which URLs cannot be visited, could be simply listed in a file versus.
On the other hand, maybe something like FW-1's Inspect language may help
this by providing a "front end" to this programming.

Greg
============================================================================
Gregory Otto                     e-mail gdo @ newf . com
New Frontier Consulting WWW http://www.newf.com
Houston, Texas Voice (713) 718-1358
============================================================================
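
An added example, not part of the original message: a Python sketch of the two models described above, a per-packet byte match at a fixed offset versus a proxy that buffers the stream (store-review-forward), parses the request and checks the host against a listed set. The request bytes, host names, pattern offset and function names are all constructed for illustration, and the packet filter is modelled only as the message describes it, with no stream reassembly.

```python
from urllib.parse import urlsplit

# Constructed blocklist, as if read from a file with one host per line.
BLOCKLIST_FILE = "blocked.example\nads.example\n"
BLOCKED_HOSTS = {h.strip().lower() for h in BLOCKLIST_FILE.splitlines() if h.strip()}

# Constructed proxy-style HTTP/1.0 request (absolute URL in the request line).
REQUEST = (b"GET http://blocked.example/index.html HTTP/1.0\r\n"
           b"User-Agent: demo\r\n\r\n")

# Per-packet rule: the pattern is expected right after "GET " (offset 4)
# in the TCP payload. Offset and pattern are assumptions for this sketch.
PATTERN, OFFSET = b"http://blocked.example", 4


def packet_filter_blocks(segments):
    """Per-packet check: each payload is inspected alone, no reassembly."""
    return any(seg[OFFSET:OFFSET + len(PATTERN)] == PATTERN for seg in segments)


def proxy_blocks(segments):
    """Store-review-forward: buffer the stream, parse the request, then decide."""
    buf = b""
    for seg in segments:
        buf += seg
        if b"\r\n\r\n" in buf:           # full request header received
            break
    else:
        return True                       # incomplete request: fail closed
    request_line = buf.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return True                       # malformed request line: fail closed
    host = (urlsplit(parts[1]).hostname or "").lower()
    return host in BLOCKED_HOSTS


def segment(data, size):
    """Cut a byte string into consecutive payloads of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    for label, segs in (("one segment", [REQUEST]),
                        ("16-byte segments", segment(REQUEST, 16))):
        print(label, "| packet filter:", packet_filter_blocks(segs),
              "| proxy:", proxy_blocks(segs))
```

The same request is caught by both checks when it arrives in one payload, but only the buffering proxy still enforces the rule when the request line spans several payloads.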