[occi-wg] Comments on draft OGF protocol description requested

Ralph Niederberger r.niederberger at fz-juelich.de
Wed Apr 22 03:58:52 CDT 2009

Dear all,

my name is Ralph Niederberger. I am one of the chairs of the FVGA-WG at
OGF. We are currently investigating in designing a new protocol for
dynamic opening of ports within firewalls by authorized user applications.

Sorry for crossposting to all of the infrastructure-area mailing lists, 
but I would
like to get feedback from all of you concerning a draft protocol we are 
preparing within our group. And because our area-directors did not 
provide me with
information on an infrastructure-area mailing list, where I could send 
it once, I had to
send it to all RG/WGs

The draft description I have appended to this email.

It would be very helpful, if you could comment on this proposal, so that 
Firewall Virtualisation for Grid Applications - Work Group can work on
your comments at the next OGF meeting.

We know that there are many other developments, which already have tried to
solve this issue, but have not seen any solution, which is widely used 
provides a similar easy to use interface and broad range of usability.

Our intention is to get as much as possible feedback, so that we can 
decide as
soon as possible, if the direction we are going is the right one or if 
we have missed
anything  important.

Dependent on your feedback, we would like to go for this solution or 
change the
draft accordingly.

Then we would like to start the following steps in parallel:
a.) Getting in touch with IETF for standardization issues.
b.) Implementation of a first very limited prototype (showing that it 
works as suggested).

Step b could be separated into different parts:
b1.) prototype implementation for linux iptables
b2.) prototype in close cooperation with a Firewall developer (-> a 
first FiTP aware firewall).
     Anyone having contact to these guys would be fine.
b3.) Communication prototypes for out of band signalling, i.e. for 
firewalls which are FiTP
     unaware. So the auth server has to start a subroutine for firewall 
configuration (via CLI,
     special firewall managament software, https, ...)
     b3 could be done for several firewall systems, e.g. Cisco Pix, 
Checkpoint, ...
    Here we would need experts having access to those kinds of firewalls 
within test environments.

Next steps are very dependent on the outcome of steps a.) and b.) above.

I would like to thank you all in advance for your feedback.

best regards

Ralph Niederberger


 Ralph Niederberger
 Juelich Supercomputing Centre
 Institute for Advanced Simulation

 Phone:  +49 2461 61-4772
 Fax:    +49 2461 61-6656
 E-Mail: r.niederberger at fz-juelich.de
 WWW:    http://www.fz-juelich.de/jsc/

 JSC is the coordinator of the
 John von Neumann Institute for Computing
 and member of the
 Gauss Centre for Supercomputing

 Forschungszentrum Jülich GmbH
 52425 Jülich

 Sitz der Gesellschaft: Jülich
 Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
 Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
 Geschäftsführung: Prof. Dr. Achim Bachem (Vorsitzender),
 Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
 Dr. Sebastian M. Schmidt 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: GFD-R.xxx-V2.7.2.doc
Type: application/msword
Size: 304128 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/occi-wg/attachments/20090422/dce9d206/attachment.doc 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5143 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.ogf.org/pipermail/occi-wg/attachments/20090422/dce9d206/attachment.bin 

More information about the occi-wg mailing list