TCP/IP Over HTTP
Nick Towers sends news of a nifty new RFC that has just come out - RFC 3093, the Firewall Enhancement Protocol, promises to reduce the hassle of setting up a firewall by tunneling any TCP/IP application over HTTP.
Oh sure, I agree (Score:1)
In fact, there's still time. Open the door when I knock, there's a good chap.
My dream worthless TCP/IP carrier (Score:2)
I bet it could be done with a module to the Linux kernel.
Seriously. You have a box with no network card or other connectivity except a floppy drive. You fire up Netscape and try to access Slashdot.org.
It writes the TCP syn packet to the floppy and beeps. You take the disk and put it into a box with real connectivity. It then reads the packet off the disk and sends the request. Slashdot responds and you have a TCP connection. It writes the confirmation to the disk and you take it back to the other box.
The unconnected box sees there's a connection and writes a packet containing the HTTP request. Then you take the disk over to the other box and it sends it and gets the response. Probably the whole page would come without any further disk swaps, except the images.
So you take the disk, which now has the Slashdot home page, to the unconnected box and it gets read in via the TCP floppy stack. Netscape then requests the images, so the SYN packets for those TCP connections all get written to the disk.
Repeat the previous couple of steps for all the images. Repeat the whole process every time you access a story or other doc!
Heck, you could even do telnet connections that way, if you run the disk back and forth between every few words you type. And you wouldn't see what you type until you bring the disk back with the response.
Question to kernel gurus: Am I correct in assuming that that would not be terribly difficult to implement? If I didn't have more important things to do, I'd almost be motivated to try it.
It's funny cause it's true. (Score:1)
This would be funny if it weren't basically true (Score:3)
All hail the Printer Working Group!
Re:RFC 31337 (Score:1)
Now, *that* was *really* boring...
Re:SOAP parody (Score:2)
enough with the april fools crap already (Score:1)
This isn't an April Fool's joke! (Score:2)
Very interesting how "well used/abused" (depending on your perspective) HTTP is, and how stupid many firewalling policies are.
SOAP parody (Score:4)
I think this RFC is actually a parody of SOAP, as chronicaled in Bruce Schneier's June 2000 Crypto-Gram [counterpane.com].
Re:enough with the april fools crap already (Score:1)
Re:A lot more, actually :) (Score:2)
RFC 748 - Telnet randomly-lose option [faqs.org].
*sigh*
A lot more, actually :) (Score:5)
Re:SOAP parody (Score:1)
If you're a hacker that wanted to continue sending secret information from within a firewall to outside the firewall, they could do exactly what the RFC described (they may save some time by simply sending it to some CGI script, but implementing full IP is certainly an option).
Firewalls, on outgoing connections, really provide no security at all, but make any kind of efficiency in a new IP-based protocol impossible
httptunnel (Score:1)
Benefits only firewall vendors (Score:1)
RFC3092 - everything2 (Score:2)
see RFC 1149 (There's nothing new in the world...) (Score:2)
Re:Daylight savings...(OT) (Score:1)
Guess what the "Daylight" means?
(actually, you could choose a lot more than those, but I don kno whi yod wa-whallaballa bing bang shleebin gurkin flam, flam, flam, flam,
gooooooooooooooooone...
Re:enough with the april fools crap already (Score:1)
Re:Benefits only firewall vendors (Score:2)
Excuse me? I restrict what traffic is allowed outbound and require authentication on port 80 since it restricts most applications that aren't proxy aware.
Here's the issue. If someone were to get something inside the firewall, I want to make goddamn sure it doesn't make its way back out. I'd rather deal with a situation where something has tried to get out but couldn't and then clean up the mess rather than wonder if something got out in the process.
That is all. Feel free to argue back
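The outbound-filtering stance above is only as good as the review of what the proxy actually let through, since a tunnel of the kind the RFC describes looks like ordinary port 80/443 traffic. This is an added example, not anything from the thread: a small detector run over constructed proxy access-log lines laid out in the Squid native format (an assumption; the field order and the three heuristics are mine, and the hosts and addresses are made up). It flags CONNECT requests to ports other than 443, CONNECT sessions that stay open for a very long time, and bursts of tiny POSTs from one client to one URL, which is what the "send it to some CGI script" variant would look like.

```python
import re
from collections import defaultdict

# Squid native access.log layout (assumed for this example):
# time elapsed_ms client code/status bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log: one normal browsing client (10.0.0.5), one client
# holding a CONNECT to an SSH port open for half an hour (10.0.0.9), and one
# client beaconing small POSTs to a single CGI (10.0.0.7).
SAMPLE_LOG = """\
1000000001.000     120 10.0.0.5 TCP_MISS/200 5123 GET http://www.slashdot.org/ - DIRECT/1.2.3.4 text/html
1000000002.000     300 10.0.0.5 TCP_TUNNEL/200 8812 CONNECT bank.example:443 - DIRECT/5.6.7.8 -
1000000003.000      90 10.0.0.5 TCP_MISS/200 2048 POST http://forms.example/submit - DIRECT/5.6.7.9 text/html
1000000004.000 1800000 10.0.0.9 TCP_TUNNEL/200 31 CONNECT relay.example:22 - DIRECT/9.9.9.9 -
1000000005.000      50 10.0.0.7 TCP_MISS/200 64 POST http://cgi.example/drop.cgi - DIRECT/8.8.8.8 text/plain
1000000006.000      48 10.0.0.7 TCP_MISS/200 70 POST http://cgi.example/drop.cgi - DIRECT/8.8.8.8 text/plain
1000000007.000      51 10.0.0.7 TCP_MISS/200 61 POST http://cgi.example/drop.cgi - DIRECT/8.8.8.8 text/plain
1000000008.000      49 10.0.0.7 TCP_MISS/200 66 POST http://cgi.example/drop.cgi - DIRECT/8.8.8.8 text/plain
1000000009.000      52 10.0.0.7 TCP_MISS/200 59 POST http://cgi.example/drop.cgi - DIRECT/8.8.8.8 text/plain
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def connect_target(url):
    """Split the 'host:port' target of a CONNECT request; port is None if absent."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return url, None
    return host, int(port)


def find_tunnel_candidates(log_text, allowed_connect_ports=(443,),
                           long_connect_ms=600_000,
                           beacon_threshold=5, beacon_max_bytes=256):
    """Return (client, rule, detail) triples for requests that look like tunnels."""
    findings = []
    posts = defaultdict(list)  # (client, url) -> response sizes of each POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT":
            host, port = connect_target(rec["url"])
            if port not in allowed_connect_ports:
                findings.append((rec["client"], "connect_port", f"CONNECT {host}:{port}"))
            if rec["elapsed"] >= long_connect_ms:
                findings.append((rec["client"], "long_connect",
                                 f"CONNECT {host}:{port} open {rec['elapsed'] // 1000}s"))
        elif rec["method"] == "POST":
            posts[(rec["client"], rec["url"])].append(rec["bytes"])
    # Many small POSTs to one URL from one client: a covert channel fed through a CGI.
    for (client, url), sizes in posts.items():
        if len(sizes) >= beacon_threshold and max(sizes) <= beacon_max_bytes:
            findings.append((client, "small_post_burst", f"{len(sizes)} POSTs to {url}"))
    return findings


if __name__ == "__main__":
    for client, rule, detail in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{client:10} {rule:17} {detail}")
```

The thresholds are starting points, not tuned values; on a real proxy log the long-CONNECT rule in particular needs a whitelist for things like webmail and chat clients that legitimately hold a 443 session for hours.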
Re:question (Score:1)
Give me Avian Carriers anyday... (Score:2)
Not to mention the follow-up RFC update with QoS [isi.edu]
jsockets (Score:1)
Wheeee (Score:2)
CONNECT some.other.server:theport
Anyway, I don't think it would take a lot of voodoo to get the kernel to handle this transparently.
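The CONNECT line above is the whole trick, and it is already standard HTTP/1.1 proxy behaviour rather than anything that needs a new RFC. As an added example (not code from the thread), here is a minimal CONNECT proxy, a stand-in for "some.other.server:theport" that just echoes, and a client that opens a TCP connection through the proxy; everything runs on loopback with ephemeral ports, so no real proxy or server is assumed. Once the proxy answers 200, the bytes the client writes go straight to the target, which is exactly why a proxy that allows CONNECT to arbitrary ports has no say in what protocol is spoken inside.

```python
import socket
import threading


def _pump(src, dst):
    # Copy bytes one way until EOF, then half-close the destination so the
    # peer sees end-of-stream without the other direction being cut off.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve_connect(conn):
    # One proxy worker: read the request head, accept only CONNECT, dial the
    # host:port named in the request line, reply 200 and splice both directions.
    with conn:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
        head, _, leftover = buf.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
        method, target, _version = request_line.split(" ", 2)
        if method != "CONNECT":
            conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
            return
        host, port = target.rsplit(":", 1)
        with socket.create_connection((host, int(port))) as upstream:
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            if leftover:              # bytes the client sent before our 200
                upstream.sendall(leftover)
            back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
            back.start()
            _pump(conn, upstream)
            back.join()


def _echo(conn):
    # Stand-in for "some.other.server:theport": send back whatever arrives.
    with conn:
        _pump(conn, conn)


def _start_listener(handler):
    # Bind an ephemeral loopback port and hand each accepted socket to handler.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:       # listener closed
                return
            threading.Thread(target=handler, args=(client,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def connect_via_proxy(proxy_addr, target_host, target_port):
    """Return a socket to target_host:target_port tunnelled through an HTTP proxy."""
    s = socket.create_connection(proxy_addr)
    s.sendall(f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
              f"Host: {target_host}:{target_port}\r\n\r\n".encode("ascii"))
    resp = b""
    while b"\r\n\r\n" not in resp:
        chunk = s.recv(4096)
        if not chunk:
            s.close()
            raise ConnectionError("proxy closed before answering CONNECT")
        resp += chunk
    status = resp.split(b"\r\n", 1)[0]
    if b" 200 " not in status:
        s.close()
        raise ConnectionError(status.decode("ascii", "replace"))
    return s   # from here on the proxy is a dumb pipe to the target


def tunnel_roundtrip(payload):
    """Start proxy + echo target, push payload through the tunnel, return what comes back."""
    proxy_srv, proxy_port = _start_listener(_serve_connect)
    echo_srv, echo_port = _start_listener(_echo)
    try:
        s = connect_via_proxy(("127.0.0.1", proxy_port), "127.0.0.1", echo_port)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            d = s.recv(4096)
            if not d:
                break
            out += d
        s.close()
        return out
    finally:
        proxy_srv.close()
        echo_srv.close()


if __name__ == "__main__":
    print(tunnel_roundtrip(b"SSH-2.0-anything\r\n"))
```

The defensive counterpart is the proxy-side policy the thread keeps circling: restrict CONNECT to port 443 (and ideally require authentication), because this proxy, like a permissive production one, will happily tunnel SSH, IRC or a VPN to any port the client names.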
TCP over HTTP eh? (Score:2)
Oh wait, that wasn't funny.
Re:enough with the april fools crap already (Score:3)
Re:My dream worthless TCP/IP carrier (Score:1)
Umm... (Score:3)
Re:Fun, Fun, Fun!!! (Score:1)
Parrot is obviously the language this should be implemented in!
Two more (Score:3)
Re:enough with the april fools crap already (Score:1)
Re:enough with the april fools crap already (Score:1)
wasn't there some rule about not making jokes past midday on 01-04?
Re:They must be serving via Win95 (Score:3)
I want Exceed on my Windows Terminal Server! (Score:1)
Re:This is brilliant (Score:1)
Of course you realize that, at this point, depending what media you're transmitting this over, you can't fit anything more than headers into a packet. And maybe not even that.
Don't forget last year's classic... (Score:4)
Re:yeah this is an april fools joke (Score:3)
You are so wrong. HTTP uses TCP. Therefore, TCP over HTTP would be fine, technically (if senseless).
As for your assertion that TCP could not be implemented on top of UDP anyway, think about this --- TCP is implemented on top of IP. IP is an _unreliable_ protocol as well. It's perfectly possible to implement a reliable protocol on top of UDP or any other unreliable protocol using the types of mechanisms TCP does.
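The point about building reliability on an unreliable carrier is easy to show concretely. This is an added example, not code from the thread: a simulated datagram link that drops and duplicates packets (the IP or UDP role), a fire-and-forget sender that loses data on it, and a stop-and-wait ARQ sender/receiver pair (sequence number, acknowledgement, retransmit on timeout, duplicate suppression) that delivers the message intact over the same link. The loss and duplication rates, the chunk size and the "one loop iteration equals one timeout" timing are all assumptions of the simulation; real TCP adds windows, congestion control and adaptive timers on top of the same idea.

```python
import random
from collections import deque


class LossyChannel:
    """Simulated unreliable datagram link: each datagram may be dropped or delivered twice."""

    def __init__(self, seed, loss=0.3, dup=0.1):
        self.rng = random.Random(seed)
        self.loss, self.dup = loss, dup
        self.queue = deque()
        self.sent = 0          # datagrams handed to the link, including the lost ones

    def send(self, datagram):
        self.sent += 1
        if self.rng.random() < self.loss:
            return             # silently dropped, as IP is allowed to do
        self.queue.append(datagram)
        if self.rng.random() < self.dup:
            self.queue.append(datagram)

    def recv(self):
        return self.queue.popleft() if self.queue else None


def naive_transfer(message, chunk=4, seed=1, loss=0.3, dup=0.1):
    """Fire-and-forget over the lossy link: drops are gone, duplicates are kept."""
    link = LossyChannel(seed, loss, dup)
    for off in range(0, len(message), chunk):
        link.send(message[off:off + chunk])
    out = bytearray()
    while (d := link.recv()) is not None:
        out += d
    return bytes(out)


def reliable_transfer(message, chunk=4, seed=1, loss=0.3, dup=0.1, max_rounds=100_000):
    """Stop-and-wait ARQ over two lossy links (data and ACK directions).

    One segment outstanding, a 1-bit sequence number, retransmission every
    round until the matching ACK arrives, duplicates re-ACKed but not
    re-delivered. Returns (delivered bytes, datagrams sent in total, rounds).
    """
    fwd = LossyChannel(seed, loss, dup)        # data direction
    back = LossyChannel(seed + 1, loss, dup)   # ACK direction
    segments = [message[i:i + chunk] for i in range(0, len(message), chunk)]
    send_seq, idx, expect_seq = 0, 0, 0
    delivered = bytearray()
    rounds = 0
    while idx < len(segments):
        rounds += 1                            # one round == one retransmission timeout
        if rounds > max_rounds:
            raise RuntimeError("link too lossy to make progress")
        fwd.send((send_seq, segments[idx]))    # (re)transmit the current segment
        while (pkt := fwd.recv()) is not None:     # receiver side
            seq, data = pkt
            if seq == expect_seq:              # the segment we were waiting for
                delivered += data
                expect_seq ^= 1
            back.send(seq)                     # ACK even duplicates; the sender may have missed the ACK
        while (ack := back.recv()) is not None:    # sender side
            if ack == send_seq:                # ACK for the outstanding segment: advance
                send_seq ^= 1
                idx += 1
    return bytes(delivered), fwd.sent + back.sent, rounds


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog."
    print("naive   :", naive_transfer(msg))
    data, sent, rounds = reliable_transfer(msg)
    print("reliable:", data, "datagrams:", sent, "rounds:", rounds)
```

The overhead column is the interesting one: with 30% loss in each direction the ARQ sender pushes several times as many datagrams as the message has segments, which is the same price the RFC's scheme pays for running TCP's retransmission logic a second time inside HTTP's own TCP.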
Subtle humor rocks. (Score:2)
(Although I was hoping for a goatse.cx story....)
Re:They must be serving via Win95 (Score:1)
Daylight savings...(OT) (Score:2)
Re:question (Score:1)
Wait a minute...let's look at those odds again:
1 out of 100 tests is inaccurate. No tests give a false negative. That means that, out of every 100 tests, 1 is a false positive.
1 out of every 100,000 tests is a true positive.
By a, 1,000 out of every 100,000 tests will be a false positive.
Therefore only 1 out of every 1,000 people who test positive will have the disease.
So, in other words, I'm going to get the same number of projects done as I was before--none of 'em!
Wanna see my resume [smcvt.edu]? I'm looking for a summer job.
Re:question (Score:1)
Grrr....remind me to apply a cluestick to FrontPage at the earliest convenience. The problem, quite simply, is that our "wonderful" personal web server is no longer accessible to post via any method other than FrontPage (so far as I can determine...it certainly isn't SMB-accessible anymore). So I'm limited to posting with FrontPage, which leaves me somewhat at its mercy for links...grrr....this is why I like Emacs much, much better for HTML tasks.
granted, I am a blooming idiot for not checking that first, but I threw the page up in .5 seconds while I was in a lab (no FP on my personal PC, thank God) and forgot that FrontPage likes to do things like that.
Why no HTML? It's not a layout language, and all the people I've talked to have preferred either Word or PDF format.
Re: fixed it, at new address (Score:1)
Okay, I now have my resume [kevinbroderick.com] up on my box, rather than the local "personal page" server. That should work (no FrontPage involved this time).
Re:enough with the april fools crap already (Score:1)
Re:They must be serving via Win95 (Score:1)
Re:A lot more, actually :) (Score:2)
SOAP is the real joke (Score:1)
Re:This is brilliant (Score:1)
My brain is dribbling out of my ears ...
Thankfully, desktop supercomputers like the one mentioned here [slashdot.org] exist to carry us into the brave new world of security by massively recursive recursion. :)
It doesn't have to be an april fools joke (Score:3)
I have seen firewalls that are overly strict, but they allow HTTP or HTTPS through them. If you have a host on the outside and a client on the inside, you can set up a PPP connection using stunnel between the two machines. Then you can do anything you like (including displaying a browser from the outside host back, running icq, etc.). The cool thing is, if you use stunnel you can encapsulate it over HTTPS. This gives you the ability to have a secure, non-monitored, encrypted connection to the outside host.
Go to www.stunnel.org [stunnel.org] and you'll actually find examples of tunneling PPP (and thus TCP/IP) over HTTPS.
Re:This is brilliant (Score:1)
Oh, and BTW:
IP has the function to fragment large packets.
Even better! (Score:1)
Re:A Better April Fools Joke (Score:1)
Re:Umm... (Score:2)
And yes, I know that HTTP runs over TCP/IP. SSH runs over TCP/IP and it does TCP/IP tunnelling. Damn handy as well. Removes a lot of the NAT problems with VNC, while encrypting your connection.
Re:question (Score:2)
Re:This is brilliant (Score:1)
Re:Oh sure, I agree (Score:2)
Of course, then I could see encrypting the http stream by encapsulating an ssh stream in it... Then I'd pick up my email via:
Of course, trying to do UDP under these circumstances would be a travesty.
Re:Not to be picky but.... (Score:2)
They originally called them Standard Time and Savings Time, but the abbreviations were too confusing.
Re:yeah this is an april fools joke (Score:1)
Re:Daylight savings...(OT) (Score:1)
April Fools (Score:1)
Other very "insightful" RFCs (Score:1)
And also, don't miss this very interesting RFC called the Etymology of foo [isi.edu], with more than useful information about the foobar!
At least, these are _technical_ April Fools jokes
Re:question (Score:2)
Re:Will the madness ever end? (Score:2)
nice resume (Score:1)
Re:Umm... (Score:2)
We wish to thank the many Firewall vendors who have supported our work to re-enable the innovation that made the Internet great, without giving up the cellophane fig leaf of security that a Firewall provides.
Hmm, I think maybe that is the point. That companies deploying firewalls should just give up on trying to protect against such things?
uh... (Score:1)
ok I feel stupid. (Score:1)
stateless though? (Score:1)
Set up the server then... (Score:1)
You can run PPP over GNU httptunnel [gnu.org]. The same thing, really, but no joke.
actualy... (Score:2)
He's wrong, but, so are you (although in a much more subtle manner). HTTP is supposed to be transport independent. You could do it over a raw teletype if you wanted to. But when you use HTTP on the web, you are making TCP connections
another use (Score:2)
Written by a real SOB (Score:1)
Protocol Descriptions ROCK! (Score:1)
TCP_UP - The 16-bit TCP Urgent Pointer, encoded as the hex representation of the value of the field. The hex string MUST be capitalized since it is urgent.
Heeehehehe... I can just imagine someone actually reading this and trying to implement it hehe.. oh the horror.
Maybe... (Score:1)
Re:yeah this is an april fools joke (Score:1)
Still, it would certainly be possible to tunnel TCP over UDP just as it is possible to use IP as the transport for TCP.
Someone at the German computer magazine c't even experimented with TCP-over-DNS. (The background is that a company provided a toll-free 0800 number for IP access but with firewalls so that you could only access support web servers ... and resolve arbitrary domain names. No, it wasn't an April issue.)
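The DNS variant works because the resolver, not the client, carries the query out through the firewall, so all the client needs is a way to put bytes into a query name and get them back out of the answer. This is an added example, not the c't experiment or any existing tool: it encodes a byte string into a sequence of DNS query names (base32, because hostnames are case-insensitive and limited to letters, digits and hyphens; one sequence-number label plus data labels of at most 63 characters, with the whole name kept under 253 characters), builds a proper RFC 1035 wire-format TXT query for each, parses the name back out of the packet and reassembles the payload. The zone name, the label layout and the 110-byte chunk size are assumptions; the return path (data smuggled back in the answer) is omitted.

```python
import base64
import struct

LABEL_MAX = 63            # RFC 1035 label limit
NAME_MAX = 253            # RFC 1035 presentation-format name limit
DATA_BYTES_PER_QUERY = 110   # -> 176 base32 chars -> three data labels (assumed chunk size)


def _b32(data):
    """Base32 without padding, lower-cased: a legal hostname alphabet."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text):
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(data, zone):
    """Split data into chunks and return one query name per chunk: q<seq>.<labels>.<zone>."""
    names = []
    for seq, off in enumerate(range(0, len(data), DATA_BYTES_PER_QUERY)):
        txt = _b32(data[off:off + DATA_BYTES_PER_QUERY])
        labels = [txt[i:i + LABEL_MAX] for i in range(0, len(txt), LABEL_MAX)]
        name = ".".join([f"q{seq:06x}"] + labels + [zone])
        if len(name) > NAME_MAX:
            raise ValueError("query name too long; shrink DATA_BYTES_PER_QUERY")
        names.append(name)
    return names


def decode_query(name, zone):
    """Inverse of one encode_queries() entry: return (seq, chunk)."""
    if not name.endswith("." + zone):
        raise ValueError("query is not for our zone")
    labels = name[:-len(zone) - 1].split(".")
    seq = int(labels[0][1:], 16)
    return seq, _unb32("".join(labels[1:]))


def build_query(name, txid=0x1234):
    """DNS wire-format query (RFC 1035 section 4.1) for the TXT record of name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 1)           # QTYPE TXT, QCLASS IN


def parse_query_name(packet):
    """Walk the QNAME labels of a wire-format query and return the dotted name."""
    pos = 12                       # skip the fixed header
    labels = []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def reassemble(names, zone):
    """Order the received query names by sequence number and join their chunks."""
    parts = sorted(decode_query(n, zone) for n in names)
    return b"".join(chunk for _, chunk in parts)


if __name__ == "__main__":
    zone = "tun.example"
    for name in encode_queries(b"GET / HTTP/1.0\r\n\r\n", zone):
        print(len(name), name)
```

The same numbers that make this work are what give it away on the wire: names pushing 200 characters, labels that are pure base32 noise, and a flood of unique queries for one zone that never repeat. A resolver log filtered on average query-name length per zone catches this long before anyone looks at the packets.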
Re: This is brilliant (Score:1)
yeah this is an april fools joke (Score:1)
It's an April Fools Joke. The RFC was written 1 April 2001. It is not written well, and it was obviously done in a hurry.
It mentions many times over that "we respect the right of people to use a firewall"; yet the RFC proposes circumventing a firewall completely at every level. It is a JOKE.
What's more is, and I'm sure somebody could argue this; but HTTP uses UDP connections. The entire TCP/IP Protocol suite requires TCP connections which are more complicated than simple UDP - using HTTP a true TCP connection is impossible.
The pranksters are probably network admins themselves, and thought it would be funny to write an RFC that claims employees on an internal network are actually smart enough to decide which of their programs are good - which is why they mention, "Best of all, no need to bother a network admin".
Just thought I'd mention it so I can start hating every idiot who posts on this one. [myhometechie.com]
Re:question (Score:2)
Hope you're not looking for a job in computers, but I wouldn't know because the link to your resume points to a file on your hard drive; probably behind an un-firewall enhanced firewalled system.
Or it could just be you don't have a webserver running on J:\.
I've got a new protocol for you... (Score:1)
Re:yeah this is an april fools joke (Score:1)
How 'bout ditching TCP/IP in favour of ATM?
Flame off
;-)
Re:enough with the april fools crap already (Score:1)
Recursive protocols (Score:2)
Wait ... Spam does that now with the ask off questions.
we are doomed
If this was true... (Score:1)
Not entirely April Fools. (Score:2)
http://www.nocrew.org/software/httptunnel.html [nocrew.org]
Re:My dream worthless TCP/IP carrier (Score:2)
Re:Daylight savings...(OT) (Score:3)
Re:enough with the april fools crap already (Score:1)
Yeah - worse still, it's 6:54am 02/04/01 here in Australia... Somebody tell'em it's bad luck to make April Fools jokes when it's no longer April Fools day...
wasn't there some rule about not making jokes past midday on 01-04?
Re:enough with the april fools crap already (Score:3)
1. The idea behind it is that the units, days, months, years, go in ascending order of magnitude. The US system, in all its wisdom, uses an apparently random order.
Ascending order seems backwards to me. When you name file versions by changing the date and you sort the files by name, then the files end up in some weird order. I name files using the descending order 01-04-01 (I guess today is a bad example).
The date format I use isn't mm-dd-yy because it's a random order. I use mm-dd-yy because that is what all of my coworkers, family, and clients use. I know that it bothers most people, but i _do_ live in the U.S. so I date things according to the way that the U.S. does it.
3. As far as your question goes, here's an answer: The US does it the way that they do because of what you said April, 02, 2001 -> 04-02-02. We didn't switch it back so that it would 'make more sense' in the same way that microsoft will never put the 'shut down' command anywhere but within the 'start' menu. People are just used to it.
By the way, mod me as a troll if you like, but Slashdot's April Fool's edition sucks this year.
Re:question (Score:2)
I know I'd spend my time figuring out how a test can be 99% accurate and NEVER give a false negative.
XML is a better wrapper (Score:2)
But no matter what the approach, the overhead would mean this is only useful when all options have been exhausted. (e.g., You have an application that goes straight TCP/IP and cant be changed AND the firewall administrator will not open another port for you.)
Re:question (Score:2)
or something, just ignore me.. i'm going to go stare at a shiny object now.
Not to be picky but.... (Score:2)
This is brilliant (Score:3)
Er... Well, y'know. You can't make an omelette without um... destroying a forest. Or something.
They must be serving via Win95 (Score:2)
Use SSL instead (Score:2)
There are quite a few commercial products that use this trick.
RFC 31337 (Score:2)
RFC 31337 [antioffline.com] you better recognize
Re:April Fools (Score:2)
They have something that does TCP/IP over e-mail, of all things. Getting into the network stack wouldn't be *that* difficult, unless you lacked root on the box. It seems less viable, though, when you take into consideration that in environments in which strict TCP access controls are implemented, administrator access can very rarely be had on the user's NT machine.
While it may just be an RFC, it still could be implemented. It struck me as kind of neat. What seems so outrageous about it?
Introducing AFLP... (Score:2)
Obviously a prank... (Score:2)
3.4 TCP Header Compression
Compressing TCP headers in the face of a protocol such as this one
that explodes the size of packets is silly, so we ignore it.
4.0 Security Considerations
Since this protocol deals with Firewalls there are no real security
considerations.
5.0 Acknowledgements
We wish to thank the many Firewall vendors who have supported our
work to re-enable the innovation that made the Internet great,
without giving up the cellophane fig leaf of security that a Firewall
provides.
You are correct (Score:2)