W3C home > Mailing lists > Public > www-http-ng-comments@w3.org > July to September 1998

SMUX comments

From: Matthew Squire <Matthew_Squire@BayNetworks.COM>
Date: Fri, 24 Jul 1998 14:46:55 -0400
Message-Id: <3.0.32.19980724144654.0073d6c4@bl-mail1.corpeast.baynetworks.com>
To: www-http-ng-comments@w3.org

Jim, Henrik - 

I wanted to throw in a quick comment on SMUX.  The possibility of an SMUX
protocol (or something similar) has me worried.  Specifically, the goal:
  "* allow mulitple protocols to be multiplexed over same TCP connection"

Its a beautiful goal in an ideal world, but a great many of us spend our
electonic lives behind firewalls.  The possibility of combining multiple
protocols over a single TCP port is perpendicular to the basic premise of
firewall security.  In order to do per protocol policy enforcement, I would
have to scan the TCP SMUX stream, jumping from one smux header to the next
while checking the protocol (killing the TCP connection on violation, or
worse, trying to adjust the TCP windows).  If I have more than one firewall
into my site, than I can't do it at all because I might not see the whole
stream.   The only realistic option that I have, as both a builder of
routers and as a site administrator, is to not allow the SMUX protocol
across a firewall.  If SMUX isn't allowed across firewalls, then it won't
reach businesses, and if it can't reach into businesses, what's the point?

Unless we either restrict the protocols to http/http-ng, or come up with an
easy way to apply per protocol filtering, then I can't see how this idea
will float.  Unfortunately, the latter requirement seems to degenerate into
something along the lines of sharing congestion info across TCP control
blocks (rfc 2xxx).  

Of course, this is just one opinion...

- Matt
Received on Friday, 24 July 1998 14:40:22 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 13:07:28 EDT