IPP Mail Archive: RE: IPP> Some observations from the IPP BOF in the IETF

RE: IPP> Some observations from the IPP BOF in the IETF

rdebry@us.ibm.com
Tue, 17 Dec 1996 10:00:45 -0500

Classification:
Prologue:
Epilogue:

I have been thinking about this issue and the proposal to split out the
MIME-type encoding as a separate RFC. I don't know if firewalls look at the
MIME type of data being passed through or not (the Content-Type header of the
entity body). However, if we encode the entire IPP message in a new MIME type,
say something like IPP/Mixed, then it at least offers firewall administrators
to shut of printing through the firewall based on MIME type. I also like this
approach because it allows us to completely define the semantics and syntax of
the content, without worrying about baggage from currently defined MIME-types.
One example of baggage that I object to is the requirement to use boundary
strings in Multipart-mixed messages. Lengths are much better!
---------------------- Forwarded by Roger K Debry/Boulder/IBM on 12/17/96 07:46
AM ---------------------------

ipp-owner @ pwg.org
12/17/96 06:06 AM

To: ipp @ pwg.org@internet
cc:
Subject: RE: IPP> Some observations from the IPP BOF in the IETF

is that if nothing is changed in the firewall, printing would
work. If some paranoid companies want to prevent
printing to printers outside the company (I assume these
same companies have disabled all the scanners in
their fax machines, turned off outgoing e-mail and
no longer allow outbound snail mail in opaque envelopes)
then they can get new firewall software or turn off HTTP
completely. That is their policy decision. For the rest of
us, we don't have to worry about getting a firewall update,
loading new client software on thousands of machines,
etc. The intent is to make adding Internet printing support
easy for those that want it.

DON

To: babakj%MICROSOFT.com @ interlock.lexmark.com (Babak Jahromi) @ SMTP,
cmanros%cp10.es.xerox.com @ interlock.lexmark.com ("'Carl-Uno Manros'") @ SMTP
cc: ipp%pwg.org @ interlock.lexmark.com ("'ipp@pwg.org'") @ SMTP (bcc: Don
Wright)
From: manros%mindspring.com @ interlock.lexmark.com (Carl-Uno Manros) @ SMTP
Date: 12/16/96 11:06:35 PM
Subject: RE: IPP> Some observations from the IPP BOF in the IETF

At 08:06 PM 12/16/96 -0800, Babak Jahromi wrote:
>>7) Our concept of using HTTP to avoid Firewalls seem to be flawed. I spoke
>>to several security specialists about it and they called us naive. They
>>pointed out that any firewall provider worth its salt would use IPP as a
>>good excuse to sell their customers a new version of their firewall -
>>whichever way we do it.
>>
>Carl,
>
>Could you be more specific here? If we stick to the basic HTTP, how can
>the firewall provider tell what the HTTP command really transporting?
>And how can they convince their customers that they need a new firewall
>that works better by poking into the HTTP commands to search for IPP
>stuff?
>
>Thanks,
>Babak
>

Babak,

The main argument given to me was that a number of security concious
organizations are prohibiting the delivery of data out from their
organization e.g. via FTP, while allowing HTTP on the basis that it is
normally used to get data in from the outside, but gives out very little
data. If we start using IPP to send out big print files, these
organizations will start getting worried and looking for a stopgap solution,
until they find a way to dig into the HTTP flow for details. A short term
solution might be to quite simply have the firewall stop the use of HTTP
altogether.

Carl-Uno