httpd-dev mailing list archives

From Doug MacEachern <>
Subject Re: [NEWTOY] flow-00
Date Tue, 09 Jun 1998 13:15:09 GMT
Dean Gaudet <> wrote:

> Oh it may be obvious, but I tend to think of the Request-URI and the
> client IP address as "headers"... and in that sense anything I've said
> about headers (for storage/matching/whatever) applies to them. 
> The flow engine would not perform any DNS lookups.  So it can't "deny from
> *.mil" for example.  But it can deny from specific IP addresses... so the
> back-end does the lookup and inserts an IP address into the auth record.
> I can't figure out a way to support rfc1413 crud at the flow level, it is
> a per-connection value that is expensive to calculate.  I've been ignoring
> it.  Hey Doug, can you give us a brief overview on how the DCE stuff works
> -- is it similar to rfc1413 in that when you get a connection you have to
> go do an expensive lookup to determine who the connection is?

I'll try, it's been ~7 months since I've been anywhere near DCE :-/
The DCE RPC protocol carries a PAC (Privilege Attribute Certificate)
with it to identify the client.  Expense depends on the security level
and a bit on the DCE name service configuration, etc.  Generally, at
the high level API, DCE clients and servers never do a DNS lookup
themselves, but there may be a bit of DNS happening "under the hood".
A client will perform a DCE nameservice lookup and obtain a "binding
handle" that's used for rpc calls (with the pac stuffed in there
somewhere).  On the server side, there are several levels of pac
checks that can happen, most of which involve another rpc to a
security server.  There may be even more rpcs to look up additional
info (based on pac) in the DCE registry.  In the case of mutual
authentication, the client will also authenticate the server, another
rpc to the security server.  The DCE runtime does its own caching in
certain areas and applications tend to add more caching of their own
to speed things up.  You get the idea: rpcs happening left and right;
in general, a single DCE RPC call is rather heavy.
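The distinction Dean draws above (the flow engine can match literal IP addresses but cannot evaluate "deny from *.mil" because it never does a DNS lookup) is easy to make concrete. The following is an added example, not code from this thread or from Apache httpd: a small "deny from" matcher that works only on IPv4 literals and CIDR prefixes, so it never touches the resolver. Hostname patterns simply have no representation here; as the message says, a back-end would have to do the lookup and feed the resulting address into the record this matcher consults. All function and type names (`deny_rule`, `parse_rule`, `flow_denied`, `load_rules`) and the sample addresses are my own and are taken from documentation ranges.

```c
/* Added example (not from the thread or from httpd): a flow-level
 * "deny from <address>" matcher that operates purely on IPv4 literals
 * and CIDR prefixes and therefore never performs a DNS lookup. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One deny rule: network address (host byte order, host bits cleared)
 * and prefix length 0..32.  A bare address is stored as a /32. */
typedef struct {
    uint32_t net;
    int prefix;
} deny_rule;

/* Netmask for a prefix length.  Shifting a 32-bit value by 32 is
 * undefined in C, so a /0 (match everything) is special-cased. */
static uint32_t prefix_mask(int prefix)
{
    return prefix == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/* Parse a strict dotted quad "a.b.c.d".  Returns 1 on success, 0 if the
 * text is not exactly four octets in range (no trailing garbage). */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Parse "a.b.c.d" or "a.b.c.d/n" into a rule.  Returns 1 on success. */
int parse_rule(const char *text, deny_rule *r)
{
    char buf[32];
    char *slash;
    if (strlen(text) >= sizeof buf)
        return 0;
    strcpy(buf, text);
    r->prefix = 32;
    slash = strchr(buf, '/');
    if (slash) {
        char *end;
        long p;
        *slash = '\0';
        p = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || p < 0 || p > 32)
            return 0;
        r->prefix = (int)p;
    }
    if (!parse_ipv4(buf, &r->net))
        return 0;
    /* Normalise so "10.1.2.3/8" and "10.0.0.0/8" are the same rule. */
    r->net &= prefix_mask(r->prefix);
    return 1;
}

/* Parse a textual rule list into out[]; returns the count, or -1 if any
 * rule is malformed (a bad rule should stop the config load, not be
 * silently skipped). */
int load_rules(const char *const *texts, size_t n, deny_rule *out)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (!parse_rule(texts[i], &out[i]))
            return -1;
    return (int)n;
}

/* Return 1 if the client's literal address matches any deny rule.
 * An address that does not parse is treated as denied (fail closed):
 * the flow engine has nothing it could look up to disambiguate it. */
int flow_denied(const deny_rule *rules, size_t nrules, const char *client_ip)
{
    uint32_t ip;
    size_t i;
    if (!parse_ipv4(client_ip, &ip))
        return 1;
    for (i = 0; i < nrules; i++)
        if ((ip & prefix_mask(rules[i].prefix)) == rules[i].net)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample config and client addresses (documentation ranges). */
    static const char *const cfg[] = { "192.0.2.7", "10.0.0.0/8", "203.0.113.0/24" };
    static const char *const clients[] = { "10.45.6.7", "192.0.2.7", "192.0.2.8", "198.51.100.1" };
    deny_rule rules[3];
    size_t i;
    if (load_rules(cfg, 3, rules) < 0) {
        fputs("bad deny rule in config\n", stderr);
        return 1;
    }
    for (i = 0; i < 4; i++)
        printf("%-14s %s\n", clients[i], flow_denied(rules, 3, clients[i]) ? "deny" : "allow");
    return 0;
}
```

The point of the example is what is absent: there is no `gethostbyaddr` call anywhere, so the matcher's cost is a handful of mask-and-compare operations per connection and it cannot be slowed down or misled by a slow or spoofed reverse lookup. The rfc1413 ident value Dean mentions is in the same position as a hostname: per-connection, expensive, and only obtainable by asking another party, so it would likewise have to be supplied by the back-end rather than evaluated in the flow.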

