The TUNNEL profile is a profile of BEEP. In BEEP, transport
security, user authentication, and data exchange are orthogonal.
Refer to Section 8 of [2] for a discussion of this.
However, the intent of the TUNNEL profile is to allow bidirectional
contact between two machines normally separated by a firewall. Since
TUNNEL allows this connection between BEEP peers, and BEEP peers can
offer a range of services with appropriate greetings, the TUNNEL
profile should be configured with care. It is reasonable to strictly
limit the hosts and services that a proxy is allowed to contact. It
is also reasonable to limit the use of the TUNNEL profile to
authorized users, as identified by a SASL profile.
Negotiation of a TLS profile in an end-to-end manner after a TUNNEL
has been established will prevent intermediate proxies from observing
or modifying the cleartext information exchanged, but only if TLS
certificates are properly configured during the negotiation. The
proxy could mount a "man in the middle" attack if public key
infrastructure is not deployed.
In some environments, it is undesirable to expose the names of
machines on one side of a firewall in unencrypted messages on the
other side of that firewall. In this case, source routing (using the
"fqdn", "ip4", "ip6", "port" and "srv" attributes) can route a
connection to the firewall proxy, with an innermost "profile" or
"endpoint" attribute which the firewall proxy understands. Local
provisioning can allow a proxy to translate a particular "profile"
or "endpoint" element into a new source route to reach the desired
service. This can prevents two attacks:
o Attackers sniffing packets on one side of the firewall cannot see
IP addresses or FQDNs of machines on the other side of the
firewall; and,
o Attackers cannot exhaustively attempt to connect to many FQDNs or
IP addresses via source routing and use the error messages as an
indication of whether the queried machine exists. For this attack
to be prevented, the proxy must allow only "profile" or "endpoint"
connections, always refusing to even attempt source-routed
connections. This latter attack can also be thwarted by requiring
a SASL identification before allowing a TUNNEL channel to be
started, but this can have higher overhead.
