[Spread-users] Tunnels

Jonathan Stanton jonathan at cnds.jhu.edu
Wed Jan 9 10:46:13 EST 2002


I am not quite sure I understand what you are looking for. I think spread
does part of what you want already, but it may not be a complete solution.

You want to run a Spread configuration with several segments located at
different sites network wise and have them send point-to-point messages to
connect the various sites? Spread does do this. If you configure several
segments Spread will NOT use broadcast/multicast to communicate, but will
use unicast UDP packets between the sites and multicast only within a site.
So if routing is available to reach the other sites, it should work, with
one caveat. The one caveat is that the traffic will not be secured, it will
be sent in the clear. So if you need the spread traffic to be private it
will not be sufficient.

We are working on an integrated Secure Spread product that will provide
traffic encryption and authentication in the daemon. Contact Yair Amir
<yairamir at spreadconcepts.com> if you are interested in this.

Probably the best solution for private ip addresses with security today is
to use IP in IP tunneling (maybe with IPSEC) between your routers on each
private segment. That will appear to spread as if the segments are directly 
connected (the traffic will have the right source addresses) and IPSEC or
equivalent provides the security. I thought the overhead of this was
reasonable, but maybe this is the solution you are referring to below as
being a lot of overhead.

Hope this helps,

Jonathan

On Tue, Jan 08, 2002 at 09:55:12AM -0800, Mark Anacker wrote:
> I've got spread segments happily running on a couple of private-IP, isolated
> subnets.  I'd like to link them together into a larger network via a
> TCP-over-SSH tunnel.  Spread as it stands now doesn't seem to handle
> inter-segment communications with anything other than broadcasts - UDP or
> Mcast.  
> 
> I can, of course, stick a client on each end to forward the local segment's
> messages to the other end, but that's going to be a bit ugly.  The messages
> going to the remote segment will appear to come from the tunneling client,
> rather than the true sender.  Or I could set up a VPN over the TCP
> connection and have Spread broadcast over that, but this adds a lot of
> protocol overhead that I'd just as soon avoid if I can.
> 
> Any chance of adding point-to-point tunneling to the spread daemon directly?
> -- 
> Mark Anacker
> Senior Software Architect
> Copyright 2002, LizardTech, Inc. All rights reserved.  Unauthorized
> disclosure prohibited.
> 
> 

-- 
-------------------------------------------------------
Jonathan R. Stanton         jonathan at cs.jhu.edu
Dept. of Computer Science   
Johns Hopkins University    
-------------------------------------------------------
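
An added example, not part of the original message and not Spread project code: it parses a multi-segment configuration in spread.conf syntax and lists the daemon address pairs that sit in different segments, i.e. the unicast UDP paths that the message above says travel in the clear and that a tunnel or IPsec policy between the sites would need to cover. The sample configuration, host names and addresses are constructed, and the parser assumes every host line carries an explicit IP address.

```python
import re
from itertools import combinations

# Constructed sample in spread.conf segment syntax; names/addresses are made up.
SAMPLE_CONF = """
# site A
Spread_Segment 10.1.1.255:4803 {
    a1 10.1.1.11
    a2 10.1.1.12
}
# site B
Spread_Segment 10.2.1.255:4803 {
    b1 10.2.1.21
}
"""

SEGMENT_RE = re.compile(r"Spread_Segment\s+(\S+?):(\d+)\s*\{([^}]*)\}")

def parse_segments(conf_text):
    """Return [(segment_addr, port, [(name, ip), ...]), ...]."""
    text = re.sub(r"#.*", "", conf_text)  # strip comments to end of line
    segments = []
    for addr, port, body in SEGMENT_RE.findall(text):
        hosts = [tuple(ln.split()[:2]) for ln in body.splitlines()
                 if len(ln.split()) >= 2]  # assumption: "name ip" per line
        segments.append((addr, int(port), hosts))
    return segments

def cleartext_links(segments):
    """Daemon pairs in different segments. Conservative assumption: any such
    pair may exchange unencrypted unicast UDP, so all of them are listed."""
    links = []
    for (_, port, hosts_a), (_, _, hosts_b) in combinations(segments, 2):
        for _, ip_a in hosts_a:
            for _, ip_b in hosts_b:
                links.append((ip_a, ip_b, port))
    return links

if __name__ == "__main__":
    segs = parse_segments(SAMPLE_CONF)
    if len(segs) < 2:
        print("single segment: no inter-site unicast paths")
    for src, dst, port in cleartext_links(segs):
        print(f"unprotected unicast UDP path {src} <-> {dst} (configured port {port})")
```

Each listed pair is a path to check against the tunnel or IPsec policy on the site routers; the exact set of UDP ports a daemon uses should be taken from the Spread documentation rather than from this sketch.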




