> From: John Martin <jmartin@netapp.com>
> ...
> But one very common mis-conception I have noticed is about the point at
> which redirection occurs. In my experience, the redirection takes place
> only at either source or destination, or more specifically, at a point
> which is under the same administrative control as the end-user or (e.g.)
> the web server itself.
You're mistaken, as America Online's SMTP redirection proxies demonstrate.
As I pointed out in the main IETF list, AOL is openly redirecting all SMTP
traffic from their dialups and nominally IP-addressed to the Internet at
large to boxes operated by AOL. Currently those boxes seem to do no
more than add SMTP Received: headers, but realsoonnow are supposed to
add an X-Apparently-From: header and to filter the entire message if
the box considers it spam.
For at least a year, I think HTTP redirection proxies have been operated by
some ISP's, justified by the familiar efficiency reasoning.
In both cases the ISP must be viewed as a third party, and in
security terms, a man in the middle.
> A lot of the recent discussion on the IETF list seemed to assume that this
> happened "somewhere in the middle". I'm not saying this is not possible,
> just that it is not happening today (to my knowledge).
In the main IETF list I quoted some of AOL's words on the subject and
pointed to others. Again, this differs from what many ISP's (e.g.
UUNet) have done, configuring their routers to block all TCP packets
from their customers to distant port 25's.
> In the future, I
> think that it will get more, not less difficult to do this too - e.g. when
> traffic is already tagged / labelled it will be more difficult to intercept
> in the middle of its path.
I don't see how tagging or labeling might prevent such games by third
parties, unless you mean something based on encryption, and even then a
secret shared only by the endpoints and used for something like a message
authentication code (MAC) is required. Otherwise a man in the middle can
replace or modify tags, labels, and MAC's just as it does IP addresses.
IP addresses can be viewed as tags or labels.
> In the meantime, there are many other ways to redirect clients to the
> closest proxy. One common way is to simply use the DNS to give a response
> dependent on the client's source IP address (for either the proxy or the
> destination web server); many corporates do this today already - Akamai
> have built a whole business out of it.
Yes, and no one I know really objects to those techniques...well, sometimes
I grumble about it when one of Akamai's servers hiccups as seems to be
happening a lot this week. And some of those techniques make it between
hard and impossible to save useful bookmarks.
Vernon Schryver vjs@rhyolite.com
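An added example, not part of this message: a Python sketch of the point above that a tag or label is only protected against a man in the middle when it is covered by a MAC keyed with a secret held by the endpoints alone. The secret, label and message body are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not from the thread).
SECRET = b"endpoint-only-secret"  # shared by the two endpoints only, never by the ISP
LABEL = "origin=customer-dialup"  # a tag or label carried alongside the message
BODY = b"MAIL FROM:<alice@example.test>\nRCPT TO:<bob@example.test>\n"

def unkeyed_tag(label: str, body: bytes) -> str:
    """Integrity 'tag' anyone on the path can recompute: no secret involved."""
    return hashlib.sha256(label.encode() + b"\n" + body).hexdigest()

def keyed_tag(secret: bytes, label: str, body: bytes) -> str:
    """MAC over label and body; only holders of the secret can produce a valid one."""
    return hmac.new(secret, label.encode() + b"\n" + body, hashlib.sha256).hexdigest()

def send(kind: str, label: str, body: bytes) -> dict:
    """Origin endpoint attaches either an unkeyed tag or a MAC."""
    tag = unkeyed_tag(label, body) if kind == "unkeyed" else keyed_tag(SECRET, label, body)
    return {"kind": kind, "label": label, "body": body, "tag": tag}

def middlebox_rewrite(msg: dict, new_label: str) -> dict:
    """Third party on the path replaces the label (the man in the middle).
    It can recompute an unkeyed tag, but it has no secret for the keyed one,
    so the stale MAC is left in place."""
    forged = dict(msg, label=new_label)
    if msg["kind"] == "unkeyed":
        forged["tag"] = unkeyed_tag(new_label, msg["body"])
    return forged

def receiver_accepts(msg: dict) -> bool:
    """Destination endpoint recomputes the tag and compares in constant time."""
    if msg["kind"] == "unkeyed":
        expected = unkeyed_tag(msg["label"], msg["body"])
    else:
        expected = keyed_tag(SECRET, msg["label"], msg["body"])
    return hmac.compare_digest(expected, msg["tag"])

def demo() -> dict:
    """For each scheme, does the receiver accept the original and the relabelled copy?"""
    results = {}
    for kind in ("unkeyed", "keyed"):
        original = send(kind, LABEL, BODY)
        relabelled = middlebox_rewrite(original, "origin=trusted-relay")
        results[kind] = (receiver_accepts(original), receiver_accepts(relabelled))
    return results

if __name__ == "__main__":
    print(demo())  # {'unkeyed': (True, True), 'keyed': (True, False)}
```

The unkeyed scheme accepts the relabelled message because the middlebox simply recomputed the hash, which is exactly why an IP address or any other unauthenticated label gives the receiver no evidence of tampering.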
This archive was generated by hypermail 2b29 : Thu Nov 18 2004 - 11:21:28 MST