[Spread-users] Tunnels

Jonathan Stanton jonathan at cnds.jhu.edu
Wed Jan 9 11:10:18 EST 2002


On Wed, Jan 09, 2002 at 10:58:19AM -0500, Guido van Rossum wrote:
> > You want to run a Spread configuration with several segments located at
> > different sites network wise and have them send point-to-point messages to
> > connect the various sites? Spread does do this. If you configure several
> > segments Spread will NOT use broadcast/multicast to communicate, but will
> > use unicast UDP packets between the sites and multicast only within a site.
> > So if routing is available to reach the other sites, it should work,
> > [...]
> 
> But the Spread FAQ says that Spread doesn't work over firewalls,
> period.  If it only uses point-to-point for long haul networks,
> shouldn't it work if you punch the right holes in the firewalls, or
> when using secure tunneling software like VPNs?
> 
> --Guido van Rossum (home page: http://www.python.org/~guido/)
> 

It probably should not read that strongly in the FAQ. I'll check it. 

Spread communicates using UDP (both unicast and multicast) between the
daemons and TCP between clients and daemons. Spread is actually fairly well
behaved with regards to ports, so it definitely should work if the right
ports are opened up on the firewall. It requires several (I believe 2
currently) sequential ports to be opened to bidirectional UDP traffic on
the firewall.

If all you do is open the firewall Spread should work, but it is possible
for malicious packets that are sent to spread to cause misbehavior (it
should not crash or allow buffer overflows, or other bad behavior) but
since the daemon has no way of knowing that the packet is from the wrong
person (without message signing or equivalent) it will accept it and the
message can break the semantics and data guarantees normally provided.

That is why we claim Spread should only be run on "secured" networks. A VPN
should be a good solution to this problem.

Jonathan

-- 
-------------------------------------------------------
Jonathan R. Stanton         jonathan at cs.jhu.edu
Dept. of Computer Science   
Johns Hopkins University    
-------------------------------------------------------
