[standards-jig] Dialback options

Iain Shigeoka iainshigeoka at yahoo.com
Sat Feb 9 00:09:27 UTC 2002

On 2/8/02 2:07 PM, "David Waite" <mass at akuma.org> wrote:

> Iain Shigeoka wrote:
>> On 2/7/02 10:00 PM, "Ashvil" <ashvil at i3connect.net> wrote:
>>> How can a server behind a socks firewall or NAT join the Jabber server
>>> network and use S2S?
>> Sure, you can simply accept the connection without dialback authentication.
>> I think jabberd still accepts non-dialback s2s connections.
> Remember though that non-dialback connections are deprecated, and
> should/will go away in the future. Without dialback, there is nothing to
> prevent address spoofing.

Thanks for the reminder David.  Although, I hope that non-dialback
connections aren't removed until we can come up with an alternative to
dialback (for both security and practical reasons such as these.)

> It would be nice if other authentication methods were available (such as
> certs)

Yes.  This is partially my fault as I had sorta volunteered to kickstart
Jabber security discussions and have not done so yet.  My only defense is
that I have been looking at JabberNG issues which can hopefully be back
standardized for 1st Gen Jabber use...  ;)

We had been discussing SASL on the security-jig and I have been studying it
in the context of a JNG.  I think it may suit our purposes well.  In
addition, we can roll TLS support in using SASL and dump the SSL/raw socket
Jabber connections for both c2s and s2s.  Using a single port and
negotiating authentication and transport security seems to be a nice
alternative to the current setup.  In addition, with SASL we can flexibly
plug into existing security infrastructure such as Kerberos and hopefully
accommodate single sign-on standards as they emerge.  I'm still distracted
with JNG thoughts though so if someone else wants to take the ball and run
with it...

