[olsr-dev] IPC-Protocol / GUI
Ignacio García Pérez
(spam-protected)
Thu Nov 18 18:10:12 CET 2004
> >I would really like the IPC plugin to be able to serve several clients
> >concurrently. However, I realize this poses some problems, since
> the plugin
> >I was thinking about was a "read only" pluging, that is, all
> clients receive
> >information but don't change a thing. If the IPC interface
> allows changing
> >OLSRD configuration, for example, either we trust the clients or we only
> >allow the first client to issue "write" operations...
> >
> >
>
> You are right - we have a security problem.
> The IPC plugin could bind to a trusted (configured) interface instead of
> binding to all.
> May be we should add a password protection in combination with simple
> ACLs. Example: User x1 with password y1 has the right to read and write,
> user x2 with password y2 is only allowed to read and all other are not
> allowed to connect.
> But how to prevent password sniffing ? Thats where it is getting
> complicated ... ;-)
If you start following that path, you'll end implementing your own
authentication / encryption scheme, which I believe is not convenient. This
is what I would do:
1- Assume all IPC clients are trusted.
2- Implement a "only one client can write" mechanism merely as a mean to
avoid accidental interference between two clients.
3- If you want security, either:
3.1- Allow restriction of client IPs in the configuration file (yeah, not
very secure).
3.2- Or use iptables to do so (not very secure too).
3.3- Or use SSL.
Regarding the last point, SSL should definitely be a compilation option,
since it may not be available or convenient in certain platforms. We have
OpenSSL and dropbear, the second being a lightweight alternative.
Regards.
Nacho.
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.797 / Virus Database: 541 - Release Date: 11/15/2004
More information about the Olsr-dev
mailing list