[Xorp-hackers] Re: xorp for wireless authentication/access
Luigi Rizzo
luigi@iet.unipi.it
Wed, 17 Dec 2003 09:00:45 -0800
My opinion on that is that there is not going to be a common API.
Just the way stateless filtering is expressed varies a lot
(some have hash tables, some have maps, some have lists),
not to mention stateful and 'extra stuff' that the firewall can do.
However -- it seems that here you have a very specific problem at
hand, so it would be conceivable to provide a few calls:
    redirect_unauthenticated_user()
    open_services_to_this_mac_address(mac_address)
    delete_all_permissions_for_this_mac_address(mac_address)
which are then translated into a machine-dependent set of calls
to the firewall. And think of a general API only when/if you
will ever need it.
cheers
luigi
On Wed, Dec 17, 2003 at 11:25:03AM +0000, Mark Handley wrote:
>
> Adam and I have been discussing the idea of writing XORP components to
> provide access control and authentication for wireless users. This
> would use transparent HTTP redirect to a web page on the router itself
> to allow users to authenticate themselves - basically the same method
> used by lots of wireless hotspots.
>
> This isn't all that hard to do in principle - the hardest part would
> probably be unifying all the various components (firewall, dhcpd,
> httpd) under the XORP rtrmgr and configuration files.
>
> But this raises one question which we don't know how to answer: what
> should the FEA's API be for firewall functionality? Comparing what is
> available on various platforms (especially FreeBSD and Linux), it
> seems that there isn't a whole lot of commonality between iptables and
> ipfw2. So creating a common API without dumbing it down to the lowest
> common denominator seems difficult.
>
> Does anyone have any thoughts on this?
>
> Cheers,
> Mark
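
Added example, not part of the original thread and not XORP code: a sketch of the three narrow calls suggested in the reply, with one Linux translation that returns iptables argument vectors instead of running them. The interface name, the portal port, the chain layout and the helper canonical_mac() are assumptions; an ipfw2 backend would implement the same interface with its own rules.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

using Argv = std::vector<std::string>;  // one command as argv, never a shell string

// Accept only xx:xx:xx:xx:xx:xx; return it lower-cased, or "" if malformed.
std::string canonical_mac(const std::string& s) {
    if (s.size() != 17) return "";
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        bool ok = (i % 3 == 2) ? c == ':' : std::isxdigit(c) != 0;
        if (!ok) return "";
        out += static_cast<char>(std::tolower(c));
    }
    return out;
}

// The narrow interface from the mail; each platform supplies its own translation.
struct PortalFirewall {
    virtual ~PortalFirewall() {}
    virtual std::vector<Argv> redirect_unauthenticated_user() = 0;
    virtual std::vector<Argv> open_services_to_this_mac_address(const std::string& mac) = 0;
    virtual std::vector<Argv> delete_all_permissions_for_this_mac_address(const std::string& mac) = 0;
};

// Linux translation (assumed wireless interface and local portal port).
struct IptablesPortal : PortalFirewall {
    std::string ifname = "wlan0", port = "8080";
    std::vector<Argv> mac_rules(const std::string& op, const std::string& mac) {
        std::string m = canonical_mac(mac);
        if (m.empty()) return {};  // fail closed: no rule for malformed input
        return {
            {"iptables", "-t", "nat", op, "PREROUTING", "-i", ifname, "-m", "mac", "--mac-source", m, "-j", "ACCEPT"},
            {"iptables", op, "FORWARD", "-i", ifname, "-m", "mac", "--mac-source", m, "-j", "ACCEPT"}};
    }
    std::vector<Argv> redirect_unauthenticated_user() override {
        // Send port-80 traffic to the local portal; forward nothing by default.
        return {
            {"iptables", "-t", "nat", "-A", "PREROUTING", "-i", ifname, "-p", "tcp", "--dport", "80", "-j", "REDIRECT", "--to-ports", port},
            {"iptables", "-P", "FORWARD", "DROP"}};
    }
    std::vector<Argv> open_services_to_this_mac_address(const std::string& mac) override { return mac_rules("-I", mac); }
    std::vector<Argv> delete_all_permissions_for_this_mac_address(const std::string& mac) override { return mac_rules("-D", mac); }
};
```

The per-MAC rules are inserted with -I so they are evaluated before the redirect rule, and the MAC string is validated before it reaches any command line because it originates from an unauthenticated client.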