[hobbit] Requesting a common encrypted port number for hobbit client/server

Henrik Stoerner henrik at hswn.dk
Tue Aug 21 12:44:44 CEST 2007


On Tue, Aug 21, 2007 at 04:36:46AM -0500, T.J. Yang wrote:
> If hb encryption via stunnel is implemented then a port for plaintext
> redirection is needed.

No, you need to configure your clients to use the encrypted port.
Or do some firewall redirecting of the traffic to the encrypted service.

> What is the impact of mixing bb encrypted message and hb encrypted
> message protocols on the same port number? And I don't believe Quest publishes
> the bb message encryption protocol.

I have no idea how Quest implements encryption in the commercial BB
version. Most likely the Hobbit and BB encryption mechanisms will not
be compatible - I don't see this as a problem, Hobbit clients have never
been compatible with BB. The mechanism I see for Hobbit is like this:

   CLIENT                 SERVER
   --------------         ---------------------
   Connect to server
                          Accept connection
   Send "STARTTLS\n"
                          Send "OK\n"
   Perform TLS handshake  Perform TLS handshake
   (Validate server cert) (Validate client cert)
   Exchange data          Exchange data

Which is similar to how quite a few of the standard Internet protocols
implement a "TLS upgrade" of the communication.

The certificate validation is optional, but quite trivial to implement.
So this will also allow for fine-grained control over who can feed data
into Hobbit.

Regarding the request for a dedicated port number: The problem is that I
really do not believe IANA would be willing to assign a port number for
Hobbit - it would be against their stated policy of not assigning
different port numbers for the plain-text and encrypted versions of an
application-layer protocol. Since BB already has a port number
assignment, getting a new one for Hobbit doesn't seem likely.


Henrik
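The exchange sketched in the message above (plaintext "STARTTLS", "OK", TLS handshake with certificate validation on both sides, then data), written out as a working client/server pair. This is an added example, not Hobbit or Xymon code and not Henrik's implementation: it uses only the Go standard library, talks over loopback TCP, and generates throwaway self-signed certificates in memory for each side, each side trusting exactly the other's certificate. The names hobbit-server and hobbit-client-01 and the sample message "status demo.host.conn green" are constructed for the demo; the real Hobbit message format is not modelled. Run with trustClient false leaves the server's ClientCAs pool empty, which is the "fine-grained control over who can feed data" point: the handshake fails and the server never reads a byte of the message.

```go
package main
import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned: in-memory self-signed cert for one side (demo only) plus a pool holding just that cert.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// clientSide: plaintext "STARTTLS", expect "OK", TLS handshake (validates the server cert against cfg.RootCAs), one message.
func clientSide(conn net.Conn, cfg *tls.Config, msg string) (string, error) {
	fmt.Fprint(conn, "STARTTLS\n")
	line, err := bufio.NewReader(conn).ReadString('\n') // server sends nothing after "OK" until we start TLS
	if err != nil || line != "OK\n" {
		return "", fmt.Errorf("server refused TLS upgrade: %q (%v)", line, err)
	}
	tc := tls.Client(conn, cfg)
	if err := tc.Handshake(); err != nil { // fails here if the server certificate is not trusted
		return "", err
	}
	fmt.Fprint(tc, msg+"\n")
	reply, err := bufio.NewReader(tc).ReadString('\n')
	return strings.TrimSuffix(reply, "\n"), err
}

// serverSide: answer "OK", TLS handshake (RequireAndVerifyClientCert rejects clients not chaining to cfg.ClientCAs), read one message.
func serverSide(conn net.Conn, cfg *tls.Config) (string, error) {
	line, err := bufio.NewReader(conn).ReadString('\n') // client sends nothing more until it sees "OK"
	if err != nil || line != "STARTTLS\n" {
		return "", fmt.Errorf("client did not request TLS: %q (%v)", line, err)
	}
	fmt.Fprint(conn, "OK\n")
	ts := tls.Server(conn, cfg)
	if err := ts.Handshake(); err != nil { // untrusted client certificate ends the session here
		return "", err
	}
	msg, err := bufio.NewReader(ts).ReadString('\n')
	if err == nil {
		fmt.Fprintf(ts, "accepted from %s\n", ts.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}
	return strings.TrimSuffix(msg, "\n"), err
}

// Run pairs one client with one server over loopback TCP. With trustClient false the
// server's ClientCAs pool is empty, so the handshake fails and no data is accepted.
func Run(msg string, trustClient bool) (received, reply string, err error) {
	srvCert, srvPool := selfSigned("hobbit-server")       // constructed demo name
	cliCert, cliPool := selfSigned("hobbit-client-01")    // constructed demo name
	if !trustClient {
		cliPool = x509.NewCertPool() // server trusts no client certificate at all
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: cliPool, MinVersion: tls.VersionTLS12}
	clientCfg := &tls.Config{Certificates: []tls.Certificate{cliCert}, RootCAs: srvPool, ServerName: "hobbit-server", MinVersion: tls.VersionTLS12}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1) // received is read only after the server goroutine has sent on done
	go func() {
		s, err := ln.Accept()
		if err == nil {
			defer s.Close()
			received, err = serverSide(s, serverCfg)
		}
		done <- err
	}()
	c := must(net.Dial("tcp", ln.Addr().String()))
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	reply, err = clientSide(c, clientCfg, msg)
	if srvErr := <-done; srvErr != nil {
		return "", "", srvErr
	}
	return received, reply, err
}
```

Run("status demo.host.conn green", true) returns the message as the server received it and the reply "accepted from hobbit-client-01"; Run with trustClient false returns a handshake error from the server side. The two bufio readers on the plaintext socket are safe only because each side stays silent until it sees the other's line; a server that pipelined data after "OK" would strand bytes in the discarded buffer, which is the usual pitfall when wrapping an upgraded connection.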
More information about the Xymon mailing list