>>>>> "Rick" == Rick Jones <[email protected]> writes:
Rick> What are the issues/benefits/downfalls one way or t'other
Rick> between the two schemes - over ssh and a specific connection -
Rick> when it comes to making certain that this thing forwarding
Rick> captured traffic isn't simply chasing its own tail forwarding
Rick> captures of its forwarding of captures of its forwarding of
Rick> captures...
The issue is threefold:
1) libpcap does not currently expose itself to the network
through sockets. Any new code (particularly "server" code)
would increase risk.
(Yes, tcpdump has lots of vulnerabilities to buffer overflows,
but pcap doesn't really have the same issue, since it never
looks in the packets it captures)
2) anything we do which is "native", will be wrong for some use, and
any security we write will be wrong, and need to be extended, and
then will become complicated and brittle...
3) therefore, it's better to reuse the existing tools, which already
come in a variety of flavours (ssh, ssl, kerberos, passport,
https, oauth, socks, raw, rlogin, ...) rather than inventing
something new.
The pushback is usually from the Microsoft platform, which, designed only really to
load Word, doesn't really provide any way to combine differing tools in new
ways. Ironically, Windows has some of the best integrated security
authorization in the form of Kerberos-enabled AD, but doesn't provide a
simple equivalent to "ssh remotehost command" that uses AD.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [email protected] http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
-
This is the tcpdump-workers list.
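The feedback loop raised in the quoted question, handled within the "ssh remotehost command" approach from the reply, as an added example (not code from libpcap, tcpdump or either poster): the capture filter excludes the one TCP connection that carries the capture back. It assumes the remote sshd sets SSH_CONNECTION and that tcpdump is installed there with capture privileges; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample values are constructed.

# self_exclude_filter "<SSH_CONNECTION value>"
# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
# Prints a pcap filter matching everything except that one TCP connection,
# so the capture never records the ssh session that is carrying it.
self_exclude_filter() {
    read -r c_ip c_port s_ip s_port extra <<EOF
$1
EOF
    # Exactly four fields, or refuse.
    [ -n "$s_port" ] && [ -z "$extra" ] || return 1
    # Drop an IPv6 zone id (e.g. %eth0); the pcap filter grammar rejects it.
    c_ip=${c_ip%%\%*}
    s_ip=${s_ip%%\%*}
    # The values are interpolated into a filter expression: allow only
    # address and port characters.
    case "$c_ip$s_ip" in *[!0-9A-Fa-f:.]*) return 1 ;; esac
    case "$c_port$s_port" in *[!0-9]*) return 1 ;; esac
    printf 'not (tcp and host %s and port %s and host %s and port %s)\n' \
        "$c_ip" "$c_port" "$s_ip" "$s_port"
}

# capture_filter "<SSH_CONNECTION value>" ["user filter"]
# Combines an optional user filter with the self-exclusion.
capture_filter() {
    excl=$(self_exclude_filter "$1") || return 1
    if [ -n "${2:-}" ]; then
        printf '(%s) and %s\n' "$2" "$excl"
    else
        printf '%s\n' "$excl"
    fi
}

# Entry point when the script is fed to a remote shell:
#   ssh remotehost sh -s run eth0 < this-script.sh > capture.pcap
# Fails closed: without a usable SSH_CONNECTION it captures nothing rather
# than capturing its own transport.
if [ "${1:-}" = run ]; then
    filter=$(capture_filter "${SSH_CONNECTION:-}" "${3:-}") || {
        echo "no usable SSH_CONNECTION; refusing to capture" >&2
        exit 1
    }
    exec tcpdump -U -i "$2" -w - "$filter"
fi
```

Matching the full address and port pair, rather than a blanket "not port 22", keeps other ssh sessions on the remote host visible in the capture.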