RE: Slashdot | Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release
by Reknamorken at 1:22 pm EST, Nov 19, 2002

Decius wrote:
] Reknamorken wrote:
]
] ] They will both receive/process packets going through. Just
] ] block the packets on the secondary in and out. It will
] ] maintain its own state. Roughly anyway.
] ]
] ] Failover by having the secondary just stop being blocked.
]
] That's a novel idea, but this tool doesn't help you do that.
]
] You either put the firewalls on broadcast MACs ala stonebeat
] or you have hubs. Firewalls see all traffic and perform all
] functions. Offline firewall can't write anything to the
] network.
]
] I think this is actually trickier than it sounds. The offline
] firewall is going to pick certain port numbers/sequence
] numbers for packets and the responding packets it sees on the
] network aren't going to correspond to that because the online
] firewall is making different choices for those things. So you
] have to coax the offline firewall to store its state
] information by spying on the online firewall and pulling these
] pieces of information out. I think it probably ends up being
] easier to just have the online firewall TELL the offline
] firewall what it needs to know. No screwing around with
] parsing packets. No possibility that the two get out of sync.
]
]
] This also doesn't work at all for stuff in encrypted tunnels
] nor for the actual key data for encrypted tunnels.
]
] BTW, this is the best conversation on memestreams to date.
] Props. :)

Hrm... Why would the firewall mess with the sequence numbers? I guess it depends on the firewall. A PIX would, but a Checkpoint wouldn't, would it? I mean, the Layer 3+ stuff is all handled by the endpoints, isn't it?

Although, now that you bring it up, the spying idea is really good. I bet you $$ this fixes the problems with state updates happening every 100ms (like Checkpoint). The secondary could stay completely up to date. It's not like the CPU is doing anything important while it's offline anyway. I guess there is a chance of synchronization problems, but it seems unlikely. Also, it doesn't seem like they can get too far out of sync.

This Dan Kaminsky fellow is quite bright. He's in SF. I was thinking about contacting him....
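The two positions in this exchange, the standby firewall learning state by sniffing versus the active firewall telling it what it chose, can be made concrete with a small model. The code below is an added illustration and is not from the post, from MemeStreams, or from Paketto Keiretsu. Everything in it is a hypothetical simplification: packets are plain records, the active firewall's sequence-number randomisation is modelled as one constant per-flow offset added to the client's ISN (real PIX-style implementations differ), the standby sniffs the client's packets on the inside segment and the server's replies on the outside segment, and the "explicit sync" path is a single dictionary of per-flow offsets. The point it shows is the one Decius raises: when the active box rewrites numbers, a standby that only watches the wire never sees a SYN-ACK that matches the SYN it recorded, so its table stalls, while a standby that is told the offset reaches ESTABLISHED.

```python
"""Standby firewall learning TCP state by sniffing vs. by explicit sync.

Hypothetical model written for this thread; not code from the post or from
Paketto Keiretsu.  Sequence randomisation is modelled as a constant per-flow
offset on the client's ISN, which is a simplification.
"""
import random
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # TCP sequence space wraps at 32 bits


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S", "SA" or "A"
    seq: int
    ack: int = 0


def key_of(p: Pkt, inbound: bool):
    # Canonical flow key is always client->server, so replies are reversed.
    return (p.dst, p.dport, p.src, p.sport) if inbound else (p.src, p.sport, p.dst, p.dport)


class OnlineFirewall:
    """Active firewall.  With randomize=True it adds a per-flow offset to the
    client's sequence numbers on the outside segment and removes that offset
    from the server's acknowledgements on the way back in."""

    def __init__(self, randomize: bool, seed: int = 1):
        self.randomize, self.rng, self.delta = randomize, random.Random(seed), {}

    def outbound(self, p: Pkt) -> Pkt:
        k = key_of(p, inbound=False)
        if p.flags == "S":  # choose the private offset when the flow starts
            self.delta[k] = self.rng.randrange(1, 2**31) if self.randomize else 0
        d = self.delta.get(k, 0)
        return Pkt(p.src, p.sport, p.dst, p.dport, p.flags, (p.seq + d) & MASK, p.ack)

    def inbound(self, p: Pkt) -> Pkt:
        d = self.delta.get(key_of(p, inbound=True), 0)
        return Pkt(p.src, p.sport, p.dst, p.dport, p.flags, p.seq, (p.ack - d) & MASK)

    def sync_records(self) -> dict:
        # Explicit state push: the active box TELLS the standby what it chose.
        return dict(self.delta)


class StandbyTracker:
    """Standby firewall building its own connection table from observed packets,
    optionally corrected by offsets received from the active firewall."""

    def __init__(self):
        self.table = {}        # flow key -> {"state", "client_isn", "server_isn"}
        self.known_delta = {}  # flow key -> offset learned via explicit sync

    def apply_sync(self, records: dict):
        self.known_delta.update(records)

    def observe(self, p: Pkt, inbound: bool):
        k = key_of(p, inbound)
        d = self.known_delta.get(k, 0)
        f = self.table.get(k)
        if not inbound and p.flags == "S":
            self.table[k] = {"state": "SYN_SENT", "client_isn": p.seq}
        elif inbound and p.flags == "SA" and f and f["state"] == "SYN_SENT":
            # The reply seen on the outside segment acknowledges the ISN as the
            # active box rewrote it; without the offset this check never passes.
            if p.ack == (f["client_isn"] + d + 1) & MASK:
                f["state"], f["server_isn"] = "SYN_RECV", p.seq
        elif not inbound and p.flags == "A" and f and f["state"] == "SYN_RECV":
            if p.ack == (f["server_isn"] + 1) & MASK:
                f["state"] = "ESTABLISHED"
        return self.table.get(k, {}).get("state")


def handshake_state(randomize: bool, explicit_sync: bool) -> str:
    """Run one three-way handshake through the active firewall while the
    standby sniffs, and return the standby's final state for that flow."""
    fw, standby = OnlineFirewall(randomize), StandbyTracker()
    c_isn, s_isn = 1000, 5000  # constructed sample ISNs
    syn = Pkt("10.0.0.5", 40000, "198.51.100.7", 80, "S", c_isn)
    standby.observe(syn, inbound=False)      # inside segment: as the client sent it
    syn_out = fw.outbound(syn)               # outside segment: possibly rewritten
    if explicit_sync:
        standby.apply_sync(fw.sync_records())
    synack = Pkt("198.51.100.7", 80, "10.0.0.5", 40000, "SA", s_isn, (syn_out.seq + 1) & MASK)
    standby.observe(synack, inbound=True)    # outside segment: acks the rewritten ISN
    synack_in = fw.inbound(synack)           # active box restores the client's numbering
    ack = Pkt("10.0.0.5", 40000, "198.51.100.7", 80, "A", c_isn + 1, (synack_in.seq + 1) & MASK)
    return standby.observe(ack, inbound=False)


if __name__ == "__main__":
    for rnd, sync in ((False, False), (True, False), (True, True)):
        print(f"randomize={rnd!s:5} explicit_sync={sync!s:5} -> {handshake_state(rnd, sync)}")
```

With no rewriting the sniffed table reaches ESTABLISHED on its own, which is the case Reknamorken has in mind; with rewriting and no sync it stays at SYN_SENT, and with rewriting plus the pushed offset it reaches ESTABLISHED again. The model ignores timing, retransmission and NAT, so it shows the mismatch only, not how far a real pair would drift.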
