[Xorp-hackers] Re: xorp for wireless authentication/access

Mark Handley M.Handley@cs.ucl.ac.uk
Wed, 17 Dec 2003 19:34:41 +0000


>my opinion on that is that there is not going to be a common API.
>Just the way stateless filtering is expressed varies a lot
>(some have hash tables, some have maps, some have lists),
>not to mention stateful and 'extra stuff' that the firewall can do.

That's my concern too.

>However -- it seems that here you have a very specific problem at
>hand, so it would be conceivable to provide a few calls:
>
>        redirect_unauthenticated_user()
>        open_services_to_this_mac_address(mac_address)
>        delete_all_permissions_for_this_mac_address(mac_address)
>
>which are then translated into a machine-dependent set of calls
>to the firewall. And think of a general API only when/if you
>will ever need it.

This would work for this application.  

But a XORP router *is* going to have to be able to do fairly general
firewalling.  

Perhaps the solution here is to clone Juniper's firewall CLI, map this
into an API to the FEA for the basic firewall functionality, and fix
up everything in the FEA to map this to native calls.  This would give
us basic functionality, but not the bells and whistles.  

For specific functionality like the wireless auth, we could provide
higher-level calls like those above.  

And then if you really need the bells and whistles, provide a bypass
mechanism to access the platform's native interface directly, albeit
non-portably.

Cheers,
	Mark
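
The layering discussed in this thread, as an added example that is not part of the original message and is not XORP or FEA code: the three quoted calls form the portable interface, and one backend translates them into native firewall commands. The class names, the choice of Linux iptables as the native target, the portal port 8080 and the default-DROP FORWARD policy are all assumptions made for illustration.

```cpp
#include <cctype>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>
using Rule = std::vector<std::string>;  // one firewall command as an argv list
using Rules = std::vector<Rule>;
// Accept only xx:xx:xx:xx:xx:xx (lower-cased) before it reaches a native tool.
std::string normalize_mac(std::string mac) {
    if (mac.size() != 17) throw std::invalid_argument("bad MAC length");
    for (std::size_t i = 0; i < mac.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(mac[i]);
        if (i % 3 == 2 ? c != ':' : !std::isxdigit(c)) throw std::invalid_argument("bad MAC");
        mac[i] = static_cast<char>(std::tolower(c));
    }
    return mac;
}
// Portable side (hypothetical interface): the three calls from the quoted text.
struct WirelessAuthFirewall {
    virtual ~WirelessAuthFirewall() = default;
    virtual Rules redirect_unauthenticated_user() = 0;
    virtual Rules open_services_to_this_mac_address(const std::string& mac) = 0;
    virtual Rules delete_all_permissions_for_this_mac_address(const std::string& mac) = 0;
};
// Machine-dependent side: emits Linux iptables commands (returned, not run).
// Assumes FORWARD defaults to DROP and a login portal listening on port 8080.
class IptablesBackend : public WirelessAuthFirewall {
    std::map<std::string, Rules> installed_;  // MAC -> rules added for it
public:
    Rules redirect_unauthenticated_user() override {
        return {{"iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp",
                 "--dport", "80", "-j", "REDIRECT", "--to-ports", "8080"}};
    }
    Rules open_services_to_this_mac_address(const std::string& mac) override {
        std::string m = normalize_mac(mac);
        if (installed_.count(m)) return {};  // already open, add nothing twice
        Rule tail = {"-m", "mac", "--mac-source", m, "-j", "ACCEPT"};
        Rules r = {{"iptables", "-t", "nat", "-I", "PREROUTING"}, {"iptables", "-I", "FORWARD"}};
        for (Rule& x : r) x.insert(x.end(), tail.begin(), tail.end());
        return installed_[m] = r;
    }
    Rules delete_all_permissions_for_this_mac_address(const std::string& mac) override {
        std::string m = normalize_mac(mac);
        Rules r = installed_[m];  // empty if this MAC was never opened
        installed_.erase(m);
        for (Rule& x : r) for (std::string& a : x) if (a == "-I") a = "-D";
        return r;
    }
};
```

A second backend for another platform would implement the same three methods. Keeping the per-MAC record in the backend is what lets the delete call remove exactly the rules that were installed for that address.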