Great Circle Associates Firewalls
(December 1996)

Subject: Re: tunneling over HTTP
From: Michael Dillon <michael @ memra . com>
Organization: Memra Software Inc. - Internet consulting
Date: Thu, 12 Dec 1996 18:18:03 -0800 (PST)
To: firewalls @ GreatCircle . COM
In-reply-to: <199612111708 . RAA04027 @ dublin . iona . ie>

On Wed, 11 Dec 1996, Justin Mason wrote:

> The protocol standardization process is just reaching the stage where
> firewalls are becoming an issue, and tunnelling the IIOP protocol
> through a more popular protocol (such as HTTP) to get through firewalls
> on the client-side is a popular solution; in fact, it may even become a
> standard!

This would be bad since it would mean that IIOP would be completely
blocked by many firewalls with no opportunity to unblock it. That's
because many firewalls filter traffic going through port 80 to make sure
it is only valid HTML. This means that Javascript and/or Java apps may be
stripped out of the stream.

You would be better off communicating with IANA at
http://www.iana.org/iana to get a specific TCP port number set aside for
IIOP to pass through. It is easy for a firewall admin to open up such a
port if they want to allow IIOP and if there are security issues raised by
IIOP then people can create proxy filters to examine the IIOP data stream
for illegal activities.

> This is already how the Java JDK 1.1 Remote Method Invocation (RMI) system
> suggests doing RMI through firewalls (see end for URL).

That's because Java is so limited and so tied to the web. CORBA on the
other hand is a general purpose object invocation system and should not be
hamstrung in this way.

> Our solution, instead, involves using SOCKS to traverse a client-side
> firewall, and using an IIOP application proxy to talk to CORBA
> servers.

This is somewhat more reasonable but not everyone uses SOCKS. If you are
going to create an IIOP proxy it would be best to have this run on the
firewall like the various TIS firewalls toolkit proxies do. For an example
of a commercial protocol doing this look at raproxy from
http://www.realaudio.com. It takes very little effort to get an official
port number assigned to you and if your software can be invoked on any
port number and talk different port numbers out either side of the proxy
then it will be almost infinitely flexible.

> Could you mail on some comments? A perspective from the firewalls lobby
> could stop the HTTP tunnelling proposal getting into the CORBA
> standards documentation.

You really should talk to the Realaudio folks. Their initial attempt was a
rather silly UDP based method that was difficult to use through firewalls.
They listened to the firewall critics, i.e. the corporate market, and
fixed things. As a result they have now become a standard whereas
competing systems like Truespeech, who won't release any info to assist
operating through a firewall, are languishing.

Basically, if the IIOP folks don't do the job properly they will end up
having to redo their work because the corporate market is just too big to
throw away like this.

Michael Dillon                   -               Internet & ISP Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael @ memra . com
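The proxy filter Michael describes above, an IIOP application proxy on the firewall that examines the data stream before relaying it, is at its core a validator for the GIOP header that every IIOP message carries. The following is an added example, not code from the original post or from any product named in it: a Python GIOP header parser and a policy check a proxy could apply per message, with a constructed message builder for testing; the allowed message types and the 1 MiB body limit are assumptions chosen for the example.

```python
import struct

# GIOP header byte 7: message type (from the CORBA GIOP specification).
GIOP_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
              4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}
# Policy assumed for this example (not from the original post): no fragmented
# or error messages through the proxy, and no single message body over 1 MiB.
ALLOWED_TYPES = {"Request", "Reply", "CancelRequest", "LocateRequest",
                 "LocateReply", "CloseConnection"}
MAX_BODY = 1 << 20

def parse_giop_header(data):
    """Decode the 12-byte GIOP header; raise ValueError on anything malformed."""
    if len(data) < 12:
        raise ValueError("short header")
    magic, major, minor, flags, mtype = struct.unpack(">4sBBBB", data[:8])
    if magic != b"GIOP":
        raise ValueError("not a GIOP message")
    if major != 1 or minor > 2:
        raise ValueError("unsupported GIOP version %d.%d" % (major, minor))
    if mtype not in GIOP_TYPES:
        raise ValueError("unknown message type %d" % mtype)
    # Bit 0 of the flags byte selects the byte order of the size field
    # (in GIOP 1.0 the whole byte is the byte_order boolean).
    little = bool(flags & 0x01)
    size = struct.unpack("<I" if little else ">I", data[8:12])[0]
    return {"version": (major, minor), "type": GIOP_TYPES[mtype],
            "little_endian": little, "size": size}

def filter_message(data):
    """Return (verdict, reason): 'pass', 'drop', or 'wait' for more bytes."""
    try:
        hdr = parse_giop_header(data)
    except ValueError as err:
        return "drop", str(err)
    if hdr["type"] not in ALLOWED_TYPES:
        return "drop", "%s not permitted by policy" % hdr["type"]
    if hdr["size"] > MAX_BODY:
        return "drop", "body of %d bytes exceeds limit" % hdr["size"]
    if len(data) - 12 < hdr["size"]:
        return "wait", "need %d more bytes" % (hdr["size"] - (len(data) - 12))
    return "pass", "GIOP %d.%d %s, %d-byte body" % (*hdr["version"], hdr["type"], hdr["size"])

def giop_message(mtype, body, little_endian=False, minor=2):
    """Build a constructed GIOP 1.x message for exercising the filter."""
    flags = 0x01 if little_endian else 0x00
    size = struct.pack("<I" if little_endian else ">I", len(body))
    return b"GIOP" + bytes([1, minor, flags, mtype]) + size + body
```

A relay would call filter_message on the buffered bytes from each side, forward the message on "pass", buffer more on "wait", and close the connection on "drop".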
