[176] in WWW Security List Archive


Re: Source-routed URLs

daemon@ATHENA.MIT.EDU (Peter J Churchyard)
Sat Oct 1 21:34:39 1994

Date: Sat, 1 Oct 94 15:04:17 EDT
From: Peter J Churchyard <pjc@tis.com>
To: lazear@gateway.mitre.org, www-security@ns1.rutgers.edu
Reply-To: Peter J Churchyard <pjc@tis.com>

The URLs you quote are used by my HTTP/Gopher proxy. They are not,
as far as I know, truly valid URLs. For non-proxy-aware clients I
re-write the URLs to route the request via the proxy, and the proxy
then, after performing its normal permission checks, passes the request
on and re-writes the response. I can do this because the Gopher and
WWW clients should do little to no processing on the URL/Selector.

The URL specification states that the %xx form is a way of encoding
characters that would otherwise be invalid in a URL. Gopher selectors
often contain spaces, which are encoded as %20; the colon is encoded
as %3a and the @ is %40, so the ftp example is really

	gopher://host.sys.com/0ftp:ftp.host.sys2.com@/dir/file

In Gopher speak:
	Name=
	Host=host.sys.com
	Port=70
	Path=ftp:ftp.host.sys2.com@/dir/file

Gopher servers treat the ftp:host@file as a command to access an ftp
server. You need to be aware of the differences between what the client
and servers do in the WWW and Gopher worlds. 

                WWW             Gopher          ProxyClient
-----------------------------------------------------------
Telnet          Client          Client          Client
FTP             Client          Server          Proxy
WAIS            Client          Server          ?
PH (CSO)        Client          Client          ?

Both http and gopher servers will run programs to process special
format URL/selectors.

Peter Churchyard.


> In doing some proxy testing related to firewalls, I have a 
> question about how URLs are "stacked" to provide source routing and 
> indirection.  The schemes that I see seem to be fairly new and I'd 
> like some clarification. 
> 
> There are two constructs.  The one used by HTTP seems to be merely to
> prepend the protocol and host part of each hop's URL to the front of
> the destination URL.  Each hop receives the stacked URLs and strips
> off its part of the address, passing on the remaining part of the
> URL, until a hop realizes that the destination file is local.
> An example of going through a relay to the document on a real system:
> 
> 	http://relay.sys.org/http://real.sys.org/document.html
> 
> 
> 
> The other construct is used by Gopher and uses percent signs to
> separate pieces.  This construct is less clear to me.  Here's a
> live example of such a URL:
> 
> 	gopher://host.sys.com/0ftp%3aftp.host.sys2.com%40/dir/file
> 
> Could someone please explain the percent construct?
> 
> Could we also discuss why the two constructs for stacking URLs 
> need to be different?  Is there an effort to make them the same?
> Is this an area for an IETF working group?
> 
> While some may scoff at needing source routed URLs, because they
> think that firewalls are a temporary solution, I believe that
> firewalls are always going to be needed in some form and that
> the indirection provided by stacked URLs is crucial to living
> with firewalls and other policy-enforcement mechanisms.
> 
> 	Walt
> 
> PS - Unfortunately, WAIS does not use URLs, so their destination description
> is different.  Within the "source route" part, they separate hops with
> colons, but at least they can do indirection, which helps steer queries
> to firewalls and beyond.
> 
> PPS - What is the sharp-sign construct, by the way?  In a URL, it appears
> after the document filename:
> 
> 	http://host.sys.com/directory/document.html#Directives
> 
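
Added example, not part of the original message or of the author's proxy: a Python sketch that decodes the two stacked-URL forms discussed in this thread into the Gopher fields and the list of hosts each request would reach, so a relay's permission check can see every hop rather than only the first. The function names and the allow-list check are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# A remaining path that itself begins with "scheme://" is another stacked hop.
STACKED = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def parse_gopher(url):
    """Decode a gopher URL into the Host/Port/Path fields listed in the message."""
    u = urlsplit(url)
    if u.scheme != "gopher":
        raise ValueError("not a gopher URL: %r" % url)
    body = u.path[1:]                       # drop the leading "/"
    return {"Host": u.hostname, "Port": u.port or 70,
            "Type": body[:1] or "1",        # first character is the item type
            "Path": unquote(body[1:])}      # %3a -> ":", %40 -> "@", %20 -> " "

def hops(url):
    """Return every (scheme, host) a stacked URL names, in order."""
    out = []
    while url:
        u = urlsplit(url)
        out.append((u.scheme, u.hostname))
        if u.scheme == "gopher":
            # Gateway selector form described in the message: ftp:host@path
            m = re.match(r"ftp:([^@/]+)@", parse_gopher(url)["Path"])
            if m:
                out.append(("ftp", m.group(1).lower()))
            break
        # HTTP form: the next hop's full URL follows the relay's host part.
        rest = u.path[1:]
        url = rest if STACKED.match(rest) else ""
    return out

def denied_hosts(url, allowed):
    """Hosts named anywhere in the URL that are not in the allow-list (assumed policy)."""
    return [host for _, host in hops(url) if host not in allowed]
```

The decoded selector is matched only after percent-decoding, since the `:` and `@` that mark the FTP gateway form are hidden as `%3a` and `%40` in the URL as written.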
