Legacy Issue Number: 2869
There may be some network topologies where the traversal
algorithm is not sufficient for a firewall to find a server. This is due to
an unstated assumption that all addresses within the outermost inbound
firewall are addressable from the outermost inbound firewall. Consider for
example the following topology:
Firewall A--------- -----*Firewall
Service Network (DMZ)
Assume that the addresses on the service network are
globally routable addresses, Network B uses RFC 1597 addresses and Network C
uses RFC 1597 addresses. This topology could be possible, say for a
government agency that has sub-agencies that share some resources (service
network) but maintain separately administrated networks. In this case the
outermost inbound firewall for a server on Network B or C is Firewall A.
However, when new target is invoked on Firewall A, it won't know from the
host address whether to open a connection to Firewall B or Firewall C.
There are several possible solutions to this problem:
1) Explicitly state the assumption described in the
2) Mandate that implementations allow for the
configuration of the next inbound firewalls
3) Mandate that servers on Network B or C in such
configurations use Firewall B or C as the outermost inbound firewall.
There may be other solutions to this problem. These were
the ones that immediately presented themselves.
Reported: CORBA 2.3.1 — Tue, 24 Aug 1999 04:00 GMT
Disposition: Deferred — CORBA 3.4
This proposal was generated automatically by request of the Task Force Chair Adam Mitz.
Updated: Mon, 30 Mar 2020 19:47 GMT
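
The ambiguity described in this issue, together with the configuration proposed in solution 2, as an added example that is not part of the original issue or of the CORBA specification. The firewall names, the address ranges and the function names are assumptions chosen for illustration; the page does not say which RFC 1597 ranges Networks B and C use.

```python
import ipaddress

# Constructed configuration for Firewall A: next inbound firewall -> networks behind it.
# Case 1: the sub-agencies coordinated their private ranges (assumed values).
DISJOINT = {
    "firewall-b": [ipaddress.ip_network("10.1.0.0/16")],
    "firewall-c": [ipaddress.ip_network("10.2.0.0/16")],
}
# Case 2: separately administered networks both picked the same private range.
OVERLAPPING = {
    "firewall-b": [ipaddress.ip_network("10.0.0.0/8")],
    "firewall-c": [ipaddress.ip_network("10.0.0.0/8")],
}


def resolve_next_firewall(host, table):
    """Return the single next inbound firewall for host, or raise LookupError.

    Failing closed matters: guessing would forward the request into the wrong
    sub-agency's network.
    """
    addr = ipaddress.ip_address(host)
    matches = sorted(fw for fw, nets in table.items()
                     if any(addr in net for net in nets))
    if not matches:
        raise LookupError(f"{host}: no next inbound firewall configured")
    if len(matches) > 1:
        raise LookupError(f"{host}: ambiguous, matches {matches}")
    return matches[0]


def overlapping_firewalls(table):
    """Configuration check: pairs of next firewalls whose ranges overlap."""
    items = sorted(table.items())
    return [(fa, fb)
            for i, (fa, nets_a) in enumerate(items)
            for fb, nets_b in items[i + 1:]
            if any(x.overlaps(y) for x in nets_a for y in nets_b)]


if __name__ == "__main__":
    print(resolve_next_firewall("10.1.4.7", DISJOINT))
    print(overlapping_firewalls(OVERLAPPING))
```

When the ranges overlap, the host address alone cannot select a next firewall even with explicit configuration, which is the case solution 3 addresses by having the server name Firewall B or C as its outermost inbound firewall.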