- From: Jim Gettys <jg@pa.dec.com>
- Date: Fri, 24 Jul 1998 14:10:00 -0700
- To: Matthew_Squire@baynetworks.com (Matthew Squire)
- Cc: www-http-ng-comments@w3.org

Thanks for the comments....

Just so you know, I used to be responsible for Digital's second largest Internet gateway/firewall (CRL), which is also where we did our Web proxying work (Win Treese did that work, but I kibitzed). I'm very aware of the issues involved, as a result (it was my neck if something bad happened to Digital if Win and I did something wrong).

The presumption is an application level relay process is involved at the firewall.

The point behind naming the protocols on each MUX session is exactly to enable application level filtering; since, for most situations that MUX is intended to be used, the protocol is identified as well as TCP/UDP ports, or by an abstract name, it is possible to build an application relay process for MUX that uses the protocol names to enforce policies exactly as they would be enforced for native protocols.

See the Atoms and Protocol ID section of the specification; each session, at the time it is opened, has the protocol name associated with it.

So, for example, if you are using HTTP, you would normally identify the session as HTTP (i.e. port 80); the relay can then apply the boundary policy just as it would for un-multiplexed HTTP.

Hope this helps; I could add a section to a future draft clarifying firewall proxies.

- Jim

--
Jim Gettys
Digital Industry Standards and Consortia
Compaq Computer Corporation
Visiting Scientist, World Wide Web Consortium, M.I.T.
http://www.w3.org/People/Gettys/
jg@w3.org, jg@pa.dec.com

Received on Friday, 24 July 1998 17:09:40 UTC