IPP Mail Archive: RE: IPP> review of IPP documents

RE: IPP> review of IPP documents

Paul Moore (paulmo@microsoft.com)
Fri, 29 May 1998 17:41:07 -0700

You miss the point - I agree totally about the penetration issue. I think
this is a bad reason for doing anything.

The proxy issue is quite different - the most common scenario in commercial
networks is that the users are not connected to the Internet at all (hence
firewalls don't enter the debate). Proxies enable these users to access
internet resources. (this is not a terminology issue - they are
fundamentally different things). By making IPP use http:80 then IPP printers
become another Internet resource accessible via my proxy.

Punching a hole in the firewall is missing the point - they can do whatever
they like to the firewall - it does not change what I can access from my
desktop. My PC can only reach those things that my proxy knows how to deal
with. If I took the proxy away I could not reach anything. This is the
inverse case from the case where my desktop is connected to the internet via
a firewall - if you take the firewall out of the loop I would be able to do
anything.

I cannot ping your machine from my desktop, this has nothing to do with the
MS firewall settings.

> -----Original Message-----
> From: Keith Moore [SMTP:moore@cs.utk.edu]
> Sent: Friday, May 29, 1998 5:31 PM
> To: Paul Moore
> Cc: 'Keith Moore'; ipp@pwg.org; moore@cs.utk.edu
> Subject: Re: IPP> review of IPP documents
>
> > Typically (take MS for example). The firewall and the proxy are quite
> > different things. The proxy is an enabler and the firewall is a
> protector.
>
> okay...slightly different use of terminology.
>
> insisting on IPP using port 80 just to be able to tunnel through
> firewalls/proxies simply will not fly ...it leads to an arms race.
> (not to mention that everybody will want to use port 80, which
> is clearly unworkable)
>
> if your employer wants you to be able to use external printers,
> they can punch a hole in their firewall, or add a proxy, to
> allow you to talk to the default IPP port.
>
> we can't let the existence of NAT boxes dictate the whole architecture.
>
> Keith