[Spread-users] changing topology, security, and firewalls

Ben Laurie ben at algroup.co.uk
Mon Apr 1 11:21:55 EST 2002


"Clark C . Evans" wrote:
> 
> Hello.  I have yet to try spread, but I have a question
> about topology changes.  When a new daemon is added to
> the system is there any way to notify the other daemons
> short of changing their configuration file and re-starting
> them?  For instance, can I send a SIGINT and this would
> tell the daemon to re-read its configuration file?
> 
> Secondly, I must say that I'm very interested in security
> approaches (esp ones with an open source license).   It
> seems that there are two concerns: (a) secure connections
> between segments, and (b) security within a segment.  From
> what I understand (a) would be a TCP layer connection, where
> (b) is UDP packets.  I suppose the simplest way to cover this
> sort of thing is to use OpenSSL at a layer just above spread.
> Does this make sense?

If you mean in the sense of using SSL to secure the links, then it works
for a) but not b) - SSL doesn't do UDP (let alone multicast).

OpenSSL is, of course, a general purpose crypto library, so it is
certainly possible to use it to do the security in other ways (as
Cristina has mentioned, Secure Spread does exactly that).

> Third, I was wondering if communication between segments
> could be implemented using asymmetric HTTP/HTTPS over port 80/443.
> This has the distinct advantage of allowing messages to jump
> over a firewall in small organizations where a system administrator
> is hard to come by (or non-existent).  Yes, it is not the best
> approach, but you'd be surprised how many small organizations
> have a dumb firewall that only allows TCP port 80/443 outgoing
> connections (no incoming connections of any type).

Clearly you can configure Spread to use whatever ports you like. There's
no need to use HTTP or HTTPS, since the firewall usually only concerns
itself with the port number, not the content of the packets.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
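
The point above that SSL covers (a) but not (b), as an added example that is not part of the original message and not how Spread or Secure Spread works: SSL protects an ordered stream, whereas multicast UDP needs every datagram to verify on its own despite loss and reordering. The wire layout, `seal`, `Receiver` and the window size are assumptions made for illustration; the code authenticates only (no encryption), and with one shared group key any member can forge packets for another.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                 # HMAC-SHA256 output size
HDR = struct.Struct("!IQ")   # assumed layout: sender id (4 bytes), sequence (8 bytes)

def seal(group_key: bytes, sender_id: int, seq: int, payload: bytes) -> bytes:
    """Build one self-contained datagram: header || payload || tag."""
    body = HDR.pack(sender_id, seq) + payload
    return body + hmac.new(group_key, body, hashlib.sha256).digest()

class Receiver:
    """Verifies each datagram independently; tolerates loss and reordering."""

    def __init__(self, group_key: bytes, window: int = 64):
        self.key = group_key
        self.window = window
        self.seen = {}  # sender_id -> (highest seq seen, recent seqs in window)

    def open(self, datagram: bytes):
        """Return (sender_id, seq, payload), or None if the datagram is rejected."""
        if len(datagram) < HDR.size + TAG_LEN:
            return None                      # truncated
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # tampered, or sealed with another key
        sender_id, seq = HDR.unpack_from(body)
        highest, recent = self.seen.get(sender_id, (-1, set()))
        if seq in recent or seq <= highest - self.window:
            return None                      # replayed, or older than the window
        highest = max(highest, seq)
        recent.add(seq)
        recent = {s for s in recent if s > highest - self.window}
        self.seen[sender_id] = (highest, recent)
        return sender_id, seq, body[HDR.size:]
```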




