[9fans] circular logic (was webdav...)

[9fans] circular logic (was webdav...)

[Russ Cox]

non-http protocols are dangerous.
therefore we'll only allow http.

only http is allowed.
therefore we'll tunnel everything over http.

Re: [9fans] circular logic (was webdav...)

[Jonathan Sergent]

On Monday, Nov 4, 2002, at 14:27 US/Pacific, Russ Cox wrote:
> non-http protocols are dangerous.
> therefore we'll only allow http.

This is an oversimplification.  The companies that I know that have
this problem are actually in a situation where they have an internal
network that is not directly routed to the Internet at all, and all
traffic must pass through application-layer gateways (aka proxies).
The protocols which are proxied tend to vary.  But everyone proxies
HTTP in this environment.

There often isn't an intent to stop the use of other applications; just
no resources (time and money) to explicitly enable them.

It seems to me like this sort of thing is going away and becoming less
common, not more common.

(If everyone used Plan 9 and people could just import /net, this
problem wouldn't exist... people in these environments would just
tunnel everything over 9P!  Is this any more acceptable?)

> only http is allowed.
> therefore we'll tunnel everything over http.

So often this is a matter of resources; if the application developer
knows that in some situations only HTTP is allowed, but doesn't want to
write everything for both cases, said application developer will tend
to just do everything over HTTP so that it "just works" for people on
weird networks.


--jss.

Re: [9fans] circular logic (was webdav...)

[Russ Cox]

>> non-http protocols are dangerous.
>> therefore we'll only allow http.
>
> This is an oversimplification.  The companies that I know that have
> this problem are actually in a situation where they have an internal
> network that is not directly routed to the Internet at all, and all
> traffic must pass through application-layer gateways (aka proxies).
> The protocols which are proxied tend to vary.  But everyone proxies
> HTTP in this environment.

Not everyone.  I bet there are places where the proxies
are mag tapes moved from outside machines to inside
machines (and not vice versa).

> There often isn't an intent to stop the use of other applications; just
> no resources (time and money) to explicitly enable them.

Come on.  Buy a router that does ip filtering.  They all do.
HTTP proxies would have to be changed to admit WebDAV
(they added new verbs!), so we're talking about modifications
either way.  My point was that it makes more sense just to
open another port.

> (If everyone used Plan 9 and people could just import /net, this
> problem wouldn't exist... people in these environments would just
> tunnel everything over 9P!  Is this any more acceptable?)

No, it's not.  It would be just as dumb (although more convenient
for me) to allow only 9P through a firewall.

> > only http is allowed.
> > therefore we'll tunnel everything over http.
>
> So often this is a matter of resources; if the application developer
> knows that in some situations only HTTP is allowed, but doesn't want to
> write everything for both cases, said application developer will tend
> to just do everything over HTTP so that it "just works" for people on
> weird networks.

If you're actually _using_ HTTP then fine.  Tunneling WebDAV
over HTTP requires changing all the proxies because you're
really speaking WebDAV/HTTP, which bears only a passing
resemblance to HTTP.  Who says the weird networks are going
to allow WebDAV/HTTP through?

My point was that it's work either way.  It's dumb that WebDAV
and friends are trying to pretend that it's not.

Russ

Re: [9fans] circular logic (was webdav...)

[presotto]

[-- Attachment #1: Type: text/plain, Size: 16 bytes --]

Welcome XML/SOAP

[-- Attachment #2: Type: message/rfc822, Size: 1536 bytes --]

From: "Russ Cox" <rsc@plan9.bell-labs.com>
To: 9fans@cse.psu.edu
Subject: [9fans] circular logic (was webdav...)
Date: Mon, 4 Nov 2002 17:27:09 -0500
Message-ID: <e04993ce13f45ec2fd65ad090a407258@plan9.bell-labs.com>

non-http protocols are dangerous.
therefore we'll only allow http.

only http is allowed.
therefore we'll tunnel everything over http.

Re: [9fans] circular logic (was webdav...)

[Skip Tavakkolian]

It is a circuitous approach -- forced by many external factors -- that
gets to the right solution (eventually).  Something like: the
proxy/firewall device doesn't know the protocol, therefore the IT
department wont allow it, which forces the HTTP tunneling, which gives
the system/protocol a chance to become popular, which makes it a
legitimate protocol and gets it on the vendors' radars, which is then
supported, obviating the need for tunneling.

> non-http protocols are dangerous.
> therefore we'll only allow http.
>
> only http is allowed.
> therefore we'll tunnel everything over http.