Geoff Mulligan writes:
> sjg @
> > Link level crypto, sure. Not everyone likes that though. I was
> > referring to folk trying to use SSLftp, where the connection is
> > authenticated and encrypted at the application level. Because an SPF
> > cannot look inside the payload in such a case, the dynamic opening of
> > ports will fail.
> And how is an SPF different from a proxy in this case, unless you are saying
> the proxy is participating in the encryption.
An application proxy would pretty much have to; if it were just relaying
encrypted traffic without decrypting and understanding it, it would
arguably be more appropriate to call it a generic proxy.
Generic proxies (like SOCKS) could also handle this case, but without
having to participate in the encryption, since there's a way for the proxy
to know about things like FTP data connections that need to be accepted
and the client to know what addresses to use.
Marc VanHeyningen marcvh @
Internet Security Architect
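As an added illustration of the point made in this thread (not code from any of the participants), the following shows what a stateful packet filter has to extract from the FTP control channel to open data ports dynamically, and why it finds nothing once that channel is protected at the application layer. The traffic samples are constructed; the ciphertext stand-in is just opaque bytes.

```python
import re

# Constructed sample FTP control-channel segments (not from the original thread).
CLEARTEXT_CONTROL = [
    b"USER alice\r\n",
    b"PORT 192,168,1,10,7,210\r\n",                       # active mode: client listens on 7*256+210
    b"227 Entering Passive Mode (10,0,0,5,195,80)\r\n",   # passive mode: server listens on 195*256+80
]

# Constructed stand-in for the same channel under SSL: opaque bytes the filter cannot interpret.
ENCRYPTED_CONTROL = [bytes([(i * 73 + 17) & 0xFF for i in range(40)])]

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\r\n$")


def ftp_data_endpoint(segment: bytes):
    """Return the (host, port) an SPF would have to open for this control
    segment, or None when the segment announces no data connection."""
    for rx in (PORT_RE, PASV_RE):
        m = rx.match(segment)
        if m:
            a, b, c, d, p1, p2 = (int(x) for x in m.groups())
            return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    return None


def dynamic_openings(segments):
    """All data-channel endpoints the filter learns from a control channel.
    For an encrypted channel this is empty, so the data connection is blocked."""
    return [ep for ep in map(ftp_data_endpoint, segments) if ep]


if __name__ == "__main__":
    print("cleartext:", dynamic_openings(CLEARTEXT_CONTROL))   # two endpoints found
    print("encrypted:", dynamic_openings(ENCRYPTED_CONTROL))   # nothing to open
```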