[standards-jig] Dialback options

Iain Shigeoka iainshigeoka at yahoo.com
Fri Feb 8 17:08:53 UTC 2002


On 2/7/02 10:00 PM, "Ashvil" <ashvil at i3connect.net> wrote:

> I have one question on dialback part of the protocol.
> 
> How can a server behind a socks firewall or NAT join the Jabber server
> network and use S2S?
> 
> Can we have another mechanism in the protocol for doing S2S without using
> dialback?

Sure, you can simply accept the connection without dialback authentication.
I think jabberd still accepts non-dialback s2s connections.

> I am looking for a solution that allows a company to run an internal jabber
> servers behind a NAT that connect to another main corporate jabber server
> outside the firewall that handles the external send/receive of
> messages/presence.
> 
> User A <--> sales.acme.com <--> acme.com <--> jabber.org <--> User B
> 
> Can the Jabber protocol and current server handle this configuration?
> If so, how?

You can either configure or tweak the source to cause the acme.com server to
accept s2s connections from sales.acme.com without doing dialback.  If
sales.acme.com is behind a NAT/firewall, but connects to acme.com in some
secure way then this should not be a major security problem.

For example, sales.acme.com might enter a RAS port on the acme.com server.
Another option is to use VPN software to create a secure virtual network
between the sales.acme.com and acme.com machines.  This will allow you to
securely do non-dialback s2s since only sales.acme.com can access acme.com
through this manner.  Many VPNs can bridge firewalls and NATs so this would
likely be the most secure method.

Finally, if you're a coder you can simply modify the s2s module on both
servers to use a different server authentication method.  Since this is a
known connection between two servers you control it would be easy to use PKI
cryptography to establish an authenticated connection.  Create a set of keys
for each server, and do a simple challenge-response using each server's
public and private keys.  The key point is that, just for this one s2s
connection, you don't need to be standard Jabber S2S because this is between
two well known servers so interoperability is not an issue.

Hope that helps.

-iain
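As an added example (not code from this thread or from jabberd), here is a minimal form of the challenge-response Iain sketches, in Go with Ed25519 keys; the type and function names and the out-of-band pinning of each peer's public key in `Peers` are assumptions. It goes a little beyond the post by binding each signature to the nonce, both server names and the direction, so a response captured on one link is useless on another or when reflected back at its signer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is one s2s peer: its own Ed25519 key pair plus the public keys of
// the peers it accepts, pinned out of band (an assumption of this example).
type Server struct {
	Name  string
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	Peers map[string]ed25519.PublicKey
}

func NewServer(name string) *Server {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Server{Name: name, priv: priv, Pub: pub, Peers: map[string]ed25519.PublicKey{}}
}

// Challenge is 32 fresh random bytes; the verifier uses each one only once.
func Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil { panic(err) }
	return n
}

// transcript binds a signature to the nonce, both names and the direction.
func transcript(nonce []byte, from, to string) []byte {
	return []byte(fmt.Sprintf("s2s-auth|%x|%s->%s", nonce, from, to))
}

// Respond proves possession of s's private key to peer.
func (s *Server) Respond(nonce []byte, peer string) []byte {
	return ed25519.Sign(s.priv, transcript(nonce, s.Name, peer))
}

// Verify checks a response from peer against its pinned key; unknown peers fail.
func (s *Server) Verify(nonce []byte, peer string, sig []byte) bool {
	pub, ok := s.Peers[peer]
	return ok && ed25519.Verify(pub, transcript(nonce, peer, s.Name), sig)
}

// Authenticate runs the challenge-response in both directions over one link.
func Authenticate(a, b *Server) bool {
	na, nb := Challenge(), Challenge()
	return a.Verify(na, b.Name, b.Respond(na, a.Name)) &&
		b.Verify(nb, a.Name, a.Respond(nb, b.Name))
}
```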

