certi-devel
Re: [certi-dev] RE: CERTI security features / was: HLA Plugin for XPlane


From: Eric Noulard
Subject: Re: [certi-dev] RE: CERTI security features / was: HLA Plugin for XPlane
Date: Mon, 18 Aug 2008 15:32:54 +0200

2008/8/18 Gotthard, Petr <address@hidden>:
> Hi Martin, Hi everybody,
> thank you for your offer. The people behind firewalls/gateways often get
> their public IP dynamically assigned, so the simple workaround wouldn't
> work. I'm afraid the changes in CERTI are inevitable. Here goes my
> (prioritized) summary:
>
> 0) connection tunneling
> allow people to use HTTP/SOCKS proxy for accessing the RTIG

Petr did already submit a patch to CERTI
https://savannah.nongnu.org/patch/?6561
Interested people should add themselves to this tracker.

In the short term we may try to use SSH tunnel facility
with current RTIG.
http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Tunneling_Explained.html

> 1) access control
> encrypted authentication very early in the session initiation
> prevent people from accessing the RTIG
> preferably integrable with LDAP and/or other authentication services

Access control is a good thing; I would consider it to be outside
CERTI scope and using secured (i.e. encrypted) LDAP access and/or
other public key infrastructure would be good.

>
> 2) connection security
> prevent people from eavesdropping the RTIA--RTIG communication
> prevent people from disturbing the RTIA--RTIG communication
>
> 3) RTIA--RTIG protocol version check
> prevent people with incompatible RTIA version from connecting to RTIG
>
> The 0) is an absolute requirement. The 1) may be necessary for running
> RTIG in public Internet.
> Some of 2) is described in several ONERA papers on this issue:
> http://www.cert.fr/francais/deri/siron/cv/articles.html and implemented
> in CERTI (using GSSAPI). I don't know what's the status of this
> implementation.

Pierre will certainly answer this.
The fact is we didn't use GSSAPI work recently so at best it
has been "untested" for a while :=(.


Erk