profile
...
The TUNNEL profile provides a mechanism for cooperating BEEP peers to
form an application-layer ...
... destination.
In one use of this profile, a BEEP peer implementing the TUNNEL
profile is co-resident with a firewall. An initiating machine inside
the firewall ...
... starts anew.
Another use for this profile is to limit connections to outside
servers based on the user identity ...
... inadequate levels of authorization have been established. It is also
possible to use the TUNNEL profile to anonymize the true source of a
BEEP connection, in much the way a NAT ...
... semantics described in Section 4 may seem complex, the
results are actually relatively simple. A few examples will show the
operation and use of this profile. In these examples, the machine
attempting to establish the connection is named "initial", while the
...
...
[4] This greeting may include the TLS profile, allowing initial and
final to communicate without proxy1 understanding or interfering
without being caught.
...
... service can be expected to lead to this error.) The same
would result if the destination did not support the TUNNEL profile.
initial proxy1 proxy2 final
...
... Profile Example ...
... This example shows the initiator connecting through two proxies. The
initial machine knows there is a server offering the SEP2 profile
somewhere beyond proxy1, but it need not know where. Proxy1 has been
locally configured to know that all SEP2 servers are beyond proxy2.
...
... choice for SEP2 services. Note that "final" does not necessarily
need to offer the requested profile in its initial greeting.
initial proxy1 proxy2 final
...
... TUNNEL element looks like this:
<tunnel profile="http://xml.resource/org/profiles/SEP2"/>
Note the lack of an innermost no-attribute <tunnel> element ...
... tunnel fqdn="proxy2.example.com" port="604">
<tunnel profile="http://xml.resource/org/profiles/SEP2"/>
</tunnel ...
... endpoint" is intended to route to a particular
server, while "profile" is intended to route to a particular service.
...
... starting with an underline and
separated by a period, such as "_sep._tcp". The format of the
"profile" attribute is a URI [5]. The format of the "endpoint ...
...
Alternately, if the outermost element has a "profile" attribute, then
it must have no nested elements. The proxy ...
... is responsible for determining the appropriate routing to reach a
peer serving the BEEP profile indicated by the URI in the attribute's
value. Rather than source routing ...
... element has no nested elements, but it does
have attributes other than "profile" or "endpoint", then this peer is
the final BEEP ...
... BEEP greeting, or
the BEEP greeting offered does not include the TUNNEL profile, then
this too is treated as an error: the initiating transport connection
...
... element, and the identified server is
contacted and offers a BEEP greeting including the TUNNEL profile,
then the outermost element from the "tunnel ...
... the session, the semantics for the TUNNEL profile are ill-defined.
The TUNNEL profile MUST NOT be advertised in any greetings after
transport security has been negotiated.
...
... tunnel" is reserved by IANA for use with this
profile. Hence, the "srv" attribute "_tunnel._tcp" MAY be used as a
default for finding the appropriate address ...
...
This section lists the three-digit error codes the TUNNEL profile may
generate.
...
... (E.g., next hop could be contacted, but
malformed greeting or no TUNNEL profile advertised.)
553 Parameter invalid
...
... discussion of this.
However, the intent of the TUNNEL profile is to allow bidirectional
contact between two machines normally separated by a firewall ...
... offer a range of services with appropriate greetings, the TUNNEL
profile should be configured with care. It is reasonable to strictly
limit the hosts and services ...
... services that a proxy is allowed to contact. It
is also reasonable to limit the use of the TUNNEL profile to
authorized users, as identified by a SASL profile ...
... connection to the firewall proxy, with an innermost "profile" or
"endpoint" attribute which the firewall ...
... proxy understands. Local
provisioning can allow a proxy to translate a particular "profile"
or "endpoint" element ...
... A.1 Registration: BEEP Profile ...
...
The IANA has registered the profiles specified in this section and
has selected an IANA-specific URI ...
... A single well-known port, 604, is allocated by the IANA to the TUNNEL
profile.
Protocol Number ...
... Rose, Greg Matthews, and Ben Feinstein.
Inspiration for this profile comes from the Intrusion Detection
Working Group ...
