- Key: CORBA35-307
- Legacy Issue Number: 2869
- Status: open
- Source: Anonymous
- Summary:

Description:
There may be some network topologies where the traversal algorithm is not sufficient for a firewall to find a server. This is due to an unstated assumption that all addresses within the outermost inbound firewall are addressable from the outermost inbound firewall. Consider for example the following topology:

                                -----*Firewall B*-----Network B
    Internet -----Firewall A--------------*Firewall C*-----Network C
                      Service Network (DMZ)

Assume that the addresses on the service network are globally routable addresses, Network B uses RFC 1597 addresses and Network C uses RFC 1597 addresses. This topology could be possible, say for a government agency that has sub-agencies that share some resources (service network) but maintain separately administrated networks. In this case the outermost inbound firewall for a server on Network B or C is Firewall A. However, when new target is invoked on Firewall A, it won't know from the host address whether to open a connection to Firewall B or Firewall C.

Proposed Solution:
There are several possible solutions to this problem:
1) Explicitly state the assumption described in the description section
2) Mandate that implementations allow for the configuration of the next inbound firewalls
3) Mandate that servers on Network B or C in such configurations use Firewall B or C as the outermost inbound firewall.

There may be other solutions to this problem. These were the ones that immediately presented themselves.

- Reported: CORBA 2.3.1 — Tue, 24 Aug 1999 04:00 GMT
- Updated: Wed, 6 Dec 2023 23:05 GMT
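
An added sketch of proposed solution 2 for the topology in the description, not part of the original issue or of any CORBA specification text: Firewall A consults a configured table to pick the next inbound firewall, refuses a table in which the same private range sits behind two firewalls, and fails closed for an unconfigured private address. The firewall names, prefixes and function names are hypothetical, and the sketch assumes Networks B and C were given disjoint RFC 1597 ranges.

```python
import ipaddress

# RFC 1597 private ranges: not unique across separately administered networks.
RFC1597 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed configuration for Firewall A (hypothetical names and prefixes).
# Assumes Networks B and C were assigned disjoint private ranges.
NEXT_INBOUND = {"10.1.0.0/16": "firewall-b", "10.2.0.0/16": "firewall-c"}


class NoRoute(Exception):
    """Private host address with no configured next inbound firewall."""


def build_table(config):
    """Parse prefix -> firewall entries; reject overlaps naming different firewalls."""
    table = [(ipaddress.ip_network(p), fw) for p, fw in config.items()]
    for i, (net_a, fw_a) in enumerate(table):
        for net_b, fw_b in table[i + 1:]:
            if net_a.overlaps(net_b) and fw_a != fw_b:
                # Same addresses behind two firewalls: the host address alone
                # cannot select a path (the ambiguity the issue describes).
                raise ValueError(f"{net_a} and {net_b} overlap: {fw_a} vs {fw_b}")
    return table


def next_inbound_firewall(table, host):
    """Return the configured next firewall, or None if the host is directly addressable."""
    addr = ipaddress.ip_address(host)
    for net, fw in table:
        if addr in net:
            return fw
    if any(addr in net for net in RFC1597):
        # Fail closed rather than guess between Firewall B and Firewall C.
        raise NoRoute(f"{host} is private and no next inbound firewall is configured")
    return None  # e.g. a host on the globally routable service network


if __name__ == "__main__":
    table = build_table(NEXT_INBOUND)
    for host in ("10.1.4.7", "10.2.4.7", "192.0.2.10"):  # constructed addresses
        print(host, "->", next_inbound_firewall(table, host))
```

If the two sub-agencies use the same private range, `build_table` rejects the configuration; that case is the one proposed solution 3 addresses.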