
[Freedombox-discuss] public + private http services



On 15 Jul 2013 14:55, "Nick Daly" <nick.m.daly at gmail.com> wrote:
>
> > Quoting Timur Mehrvarz (2013-07-15 07:05:29)
> >> Hi, is there an agreed upon best practice on how to separate public
> >> http services from those that shall only be accessible on the private
> >> network? Private only services could be offered on a separate port and
> >> the firewall would ensure that access to this port is shielded. One
> >> could also offer public + private services on the same port, but make
> >> sure - within the code - that private services will only respond to
> >> requests coming from the internal network. Any other options? How do
> >> you prefer to handle this? Thanks.
>
> Which private network do you mean?  I can think of two:
>
> 1. The internal network (intranet) that my FreedomBox runs on (the
> home network, with IPs usually in the range of 192.168...).

In my LAN I got 2000::/3 or fe80::/10. We should not ignore IPv6, as that
is just a way of building infrastructure that's not old even before we start

> 2. The private network produced by my authenticated friends connecting
> to my FreedomBox to use services I provide.

IPsec is part of IPv6, so that should be a possible solution. We "just"
need to distribute keys.

> 1 is easy: we're serving services on the internal network, so we can
> ignore the larger Internet altogether.
>
> 2 is more difficult but can be accomplished through a number of tools
> like SSH forwarding, Tor Hidden Services, or GNUnet applications.  In
> that case, you're looking to authenticate the user before providing
> the service.  In case 1, authentication was assumed by the fact that
> the user was on your network (assuming your network is secure...).
>
> Different use cases could require different methods, and we'd better
> make sure we plan for supporting at least one of the common methods
> for v2, at least.  Jonas, could you put up a wiki page detailing your
> thoughts on the goals of first few releases?  I think they're pretty
> much what I was thinking, but they might be a little more developed.
>
> On Mon, Jul 15, 2013 at 5:31 AM, Jonas Smedegaard <dr at jones.dk> wrote:
> > Good idea to try map out what are best practices for different contexts.
>
> Jonas, I concur!  I think the mailing list might be a good place for
> discussing the ideas though, a more permanent wiki page seems
> appropriate when we have more solid solutions.
>
> Nick
> ___________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
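Added example, not part of the original thread: a sketch of the "check the source network in code" option from the question, written so that the IPv6 point in the reply is handled (a LAN may use link-local or global addresses, not only 192.168...). The prefixes, the /private/ path and all function names are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample prefixes (assumptions): the LAN's IPv4 subnet and the /64
# delegated to it. 2001:db8::/32 is the documentation range inside 2000::/3.
LAN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "192.168.1.0/24",
    "2001:db8:1234:1::/64",
)]
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")  # never routed, always on-link
PRIVATE_PATH = "/private/"                          # hypothetical URL layout


def normalize(peer):
    """Parse a socket peer address: drop the zone id, unwrap IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(peer.split("%", 1)[0])
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped  # ::ffff:a.b.c.d seen on dual-stack listeners
    return addr


def is_internal(peer):
    """True only for link-local peers or peers inside a configured LAN prefix.

    peer must be the TCP peer address from the socket, never a value taken
    from a request header such as X-Forwarded-For, which the client controls.
    """
    try:
        addr = normalize(peer)
    except ValueError:
        return False  # unparseable address: fail closed
    if addr.version == 6 and addr in LINK_LOCAL_V6:
        return True
    return any(addr.version == net.version and addr in net
               for net in LAN_PREFIXES)


def status_for(path, peer):
    """HTTP status the shared port would answer with: 403 for outside peers."""
    if path.startswith(PRIVATE_PATH) and not is_internal(peer):
        return 403
    return 200
```

With global IPv6 addresses on the LAN, membership in 2000::/3 says nothing about being internal; only the configured prefix does, so the list has to follow the prefix the LAN actually uses.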

