Re: [certi-dev] RE: CERTI security features / was: HLA Plugin for XPlane
From: Eric Noulard
Subject: Re: [certi-dev] RE: CERTI security features / was: HLA Plugin for XPlane
Date: Mon, 18 Aug 2008 15:32:54 +0200

2008/8/18 Gotthard, Petr <address@hidden>:
> Hi Martin, Hi everybody,
> thank you for your offer. The people behind firewalls/gateways often get
> their public IP dynamically assigned, so the simple workaround wouldn't
> work. I'm afraid the changes in CERTI are inevitable. Here goes my
> (prioritized) summary:
>
> 0) connection tunneling
> allow people to use HTTP/SOCKS proxy for accessing the RTIG

Petr did already submit a patch to CERTI:
https://savannah.nongnu.org/patch/?6561
Interested people should add themselves to this tracker.
In the short term we may try to use the SSH tunnel facility
with the current RTIG.
http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Tunneling_Explained.html

> 1) access control
> encrypted authentication very early in the session initiation
> prevent people from accessing the RTIG
> preferably integrable with LDAP and/or other authentication services

Access control is a good thing. I would consider it to be outside
CERTI scope, and using secured (i.e. encrypted) LDAP access and/or
other public key infrastructure would be good.

>
> 2) connection security
> prevent people from eavesdropping the RTIA--RTIG communication
> prevent people from disturbing the RTIA--RTIG communication
>
> 3) RTIA--RTIG protocol version check
> prevent people with incompatible RTIA version from connecting to RTIG
>
> The 0) is an absolute requirement. The 1) may be necessary for running
> RTIG in public Internet.
> Some of 2) is described in several ONERA papers on this issue:
> http://www.cert.fr/francais/deri/siron/cv/articles.html and implemented
> in CERTI (using GSSAPI). I don't know what's the status of this
> implementation.

Pierre will certainly answer this.
The fact is we haven't used the GSSAPI work recently, so at best it
has been "untested" for a while :=(.

Erk