
Re: Replicate through an VPN ?



Hi,
Thanks for your reply.

> Why tear down the VPN at all, what resource cost is associated with
> keeping it up all the time?

I just want the VPN to be active when needed. This way, malicious users
cannot probe our network to learn about the VPN. The resource cost is not
a factor I care about.

> What if a malicious user intercepts the message from the master that
> signals the slave to create the VPN?

The signals from the master to the slave will be authenticated to avoid this
threat.

> Why use a VPN at all, why not just use TLS?

I want to use IPSec to authenticate all packets.

So, could you show me how I can find where the "kick off replication" code
is?
BTW, I use OpenVPN to implement the VPN.
Thank you !
Su Tam Nguyen.

On 10/9/05, Howard Chu <hyc@symas.com> wrote:
>
> Su Tam Nguyen wrote:
> > Hi all,
> > I intend to make the synchronization between master and slave server
> > through a VPN built before, and after this work completes, the VPN will
> > be disabled too. So, this VPN is just active on demand.
> > I want to know when the synchronization starts and stops. Before the
> > beginning of this, the master will create a VPN and signal to the slave
> > to do the same thing. After exchanging information on this VPN, the VPN
> > will collapse.
> > I have started slapd and slurpd with the highest debug mode (-d 65535)
> > and got some information when the replication happens, but it seems not
> > enough for me.
> > Could anyone tell me where the concerned code is, or suggest another
> > way to do so?
> > Thanks in advance !
> > Su Tam Nguyen
> >
> Why tear down the VPN at all, what resource cost is associated with
> keeping it up all the time? Using a VPN implies at least some concern
> about malicious users on the intervening networks. What if a malicious
> user intercepts the message from the master that signals the slave to
> create the VPN?
>
> Why use a VPN at all, why not just use TLS?
>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> OpenLDAP Core Team http://www.openldap.org/project/
>
>