[Spread-users] Tunnels

Guido van Rossum guido at python.org
Wed Jan 9 11:31:46 EST 2002


> Spread communicates using UDP (both unicast and multicast) between the
> daemons and TCP between clients and daemons. Spread is actually fairly well
> behaved with regards to ports, so it definitely should work if the right
> ports are opened up on the firewall. It requires several (I believe 2
> currently) sequential ports to be opened to bidirectional UDP traffic on
> the firewall.
> 
> If all you do is open the firewall Spread should work, but it is possible
> for malicious packets that are sent to spread to cause misbehavior (it
> should not crash or allow buffer overflows, or other bad behavior) but
> since the daemon has no way of knowing that the packet is from the wrong
> person (without message signing or equivalent) it will accept it and the
> message can break the semantics and data guarantees normally provided.
> 
> That is why we claim Spread should only be run on "secured" networks. A VPN
> should be a good solution to this problem.
> 
> Jonathan

Thanks.  I understood from the previous message in this thread that
there's also the possibility that Spread uses TCP between daemons on
different subnets?  How does one configure that?  That seems safer
when using a VPN than UDP...

--Guido van Rossum (home page: http://www.python.org/~guido/)
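
The "message signing or equivalent" that the quoted reply mentions, as an added example that is not part of the original thread and is not Spread's own code or wire format: each datagram carries an HMAC-SHA256 tag under a per-peer key, so the receiver can drop packets from unknown senders, tampered packets and replays. The framing, the names seal and Receiver, and the sample key are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                   # HMAC-SHA256 output size in bytes
HDR = struct.Struct("!IQ")     # assumed header: sender id (u32), sequence number (u64)

def seal(key: bytes, sender: int, seq: int, payload: bytes) -> bytes:
    """Frame a datagram as header || payload || HMAC(key, header || payload)."""
    body = HDR.pack(sender, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Accepts a datagram only from a known peer, with a valid tag and a fresh sequence number."""

    def __init__(self, peer_keys):
        self.peer_keys = dict(peer_keys)              # sender id -> shared key
        self.last_seq = {pid: 0 for pid in peer_keys}

    def accept(self, datagram: bytes):
        """Return the payload, or None if the datagram must be dropped."""
        if len(datagram) < HDR.size + TAG_LEN:
            return None                               # too short to carry header and tag
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        sender, seq = HDR.unpack_from(body)
        key = self.peer_keys.get(sender)
        if key is None:
            return None                               # sender is not a configured peer
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                               # forged or modified in transit
        if seq <= self.last_seq[sender]:
            return None                               # replayed or stale datagram
        self.last_seq[sender] = seq
        return body[HDR.size:]

def demo():
    key = bytes(range(32))                            # constructed sample key, not a real secret
    rx = Receiver({1: key})
    good = seal(key, 1, 1, b"membership change")
    forged = seal(b"\x00" * 32, 1, 2, b"membership change")   # sender lacks the shared key
    tampered = bytearray(seal(key, 1, 3, b"ordered msg"))
    tampered[HDR.size] ^= 0x01                        # flip one payload bit after sealing
    return {
        "good": rx.accept(good),
        "replay": rx.accept(good),
        "forged": rx.accept(forged),
        "tampered": rx.accept(bytes(tampered)),
        "unknown_peer": rx.accept(seal(key, 9, 1, b"x")),
    }
```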




