[Xorp-hackers] Re: xorp for wireless authentication/access

Luigi Rizzo luigi@iet.unipi.it
Wed, 17 Dec 2003 09:00:45 -0800


My opinion on that is that there is not going to be a common API.
Just the way stateless filtering is expressed varies a lot
(some have hash tables, some have maps, some have lists),
not to mention stateful and 'extra stuff' that the firewall can do.
 
However -- it seems that here you have a very specific problem at
hand, so it would be conceivable to provide a few calls:

        redirect_unauthenticated_user()
        open_services_to_this_mac_address(mac_address)
        delete_all_permissions_for_this_mac_address(mac_address)

which are then translated into a machine-dependent set of calls
to the firewall. And think of a general API only when/if you
will ever need it.

	cheers
	luigi

On Wed, Dec 17, 2003 at 11:25:03AM +0000, Mark Handley wrote:
> 
> Adam and I have been discussing the idea of writing XORP components to
> provide access control and authentication for wireless users.  This
> would use transparent HTTP redirect to a web page on the router itself
> to allow users to authenticate themselves - basically the same method
> used by lots of wireless hotspots.
> 
> This isn't all that hard to do in principle - the hardest part would
> probably be unifying all the various components (firewall, dhcpd,
> httpd) under the XORP rtrmgr and configuration files.
> 
> But this raises one question which we don't know how to answer: what
> should the FEA's API be for firewall functionality?  Comparing what is
> available on various platforms (especially FreeBSD and Linux), it
> seems that there isn't a whole lot of commonality between iptables and
> ipfw2. So creating a common API without dumbing it down to the lowest
> common denominator seems difficult.
> 
> Does anyone have any thoughts on this?
> 
> Cheers,
> 	Mark
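
The three calls proposed in the reply, sketched for the Linux/iptables side only. This is an added example, not code from XORP or from either author. The class name, the portal port, and the assumption that the FORWARD chain drops by default and accepts replies on established connections are all hypothetical.

```python
import re

PORTAL_PORT = "8080"  # assumption: port of the login httpd on the router
_MAC = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")

def normalize_mac(mac):
    """Return aa:bb:cc:dd:ee:ff form, or raise before anything reaches argv."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC.fullmatch(mac):
        raise ValueError("not a MAC address: %r" % (mac,))
    return mac

class IptablesBackend:
    """Hypothetical Linux translation of the three calls. An ipfw2 backend
    would expose the same three methods with its own rule syntax."""

    def __init__(self):
        self.opened = set()  # MACs that currently hold permissions

    def _mac_rules(self, op, mac):
        match = ["-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]
        return [
            # Exempt this client from the portal redirect ...
            ["iptables", "-t", "nat", op, "PREROUTING"] + match,
            # ... and let its traffic through the forwarding path.
            ["iptables", op, "FORWARD"] + match,
        ]

    def redirect_unauthenticated_user(self):
        # Appended last, so per-MAC ACCEPT rules inserted above it win.
        return [["iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp",
                 "--dport", "80", "-j", "REDIRECT", "--to-ports", PORTAL_PORT]]

    def open_services_to_this_mac_address(self, mac_address):
        mac = normalize_mac(mac_address)
        if mac in self.opened:       # idempotent: no duplicate rules
            return []
        self.opened.add(mac)
        return self._mac_rules("-I", mac)

    def delete_all_permissions_for_this_mac_address(self, mac_address):
        mac = normalize_mac(mac_address)
        if mac not in self.opened:   # nothing was granted, nothing to remove
            return []
        self.opened.discard(mac)
        return self._mac_rules("-D", mac)
```

Each method returns argument vectors rather than shell strings, so a caller can hand them to an exec-style call without a shell ever parsing the MAC address.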