RE: [squid-users] benefits of WCCP ?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 8 Dec 2002 23:29:10 +0100 (CET)

On Sun, 8 Dec 2002, Nigel Clarke wrote:

> WCCP v1 works, but it does not work well. I've used this protocol in Cisco
> <--> Cacheflow implementations, Foundry <--> Cacheflow and
> Cisco <--> Cisco implementations.

The main weakness of the WCCPv1 protocol in terms of redirection of HTTP
traffic is security, not functionality for intercepting port 80.

As WCCPv1 lacks any security component it is the responsibility of the
user to make sure his routers and cache servers are adequately firewalled
to avoid malicious users spoofing WCCP traffic with the intent of
disrupting or stealing web traffic.

The basic design of WCCPv2 is the same as WCCPv1, only extended with
security in the WCCP control messages and a lot of increased flexibility
to allow additional uses beyond simple interception of port 80 traffic.

For transparent interception of port 80 the biggest advantages of WCCPv2
are (in order of preference)
 * Security of WCCP control messages with a password based signature
preventing malicious users from messing with your router unless they know the
secret password.
 * The ability to use direct routing avoiding the GRE/WCCP encapsulation
to a locally attached cache server.

There are a lot of other small changes, but not very important for the
majority of people who want to simply intercept port 80 traffic.

Any inherent stability issues in WCCPv1 not related to authentication or a
particular vendor's implementation are by design present in WCCPv2 as well.

For a complete summary of the improvements of the WCCPv2 protocol compared
to WCCPv1 see the WCCPv2 internet draft.

Regards
Henrik
Received on Sun Dec 08 2002 - 15:29:15 MST
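
Added example, not part of the original message and not Squid's or any router's code: a Python sketch of the kind of password-based signature check described above for WCCPv2 control messages. It assumes the MD5 option of the WCCPv2 draft (MD5 over the password padded to 8 bytes, followed by the message with its digest field zeroed); the header layout, message type and sample values are constructed and are not the real wire format.

```python
import hashlib
import hmac
import struct

PASSWORD_LEN = 8                # assumption: password NUL-padded/truncated to 8 bytes
DIGEST_LEN = 16                 # MD5 output size
HEADER = struct.Struct("!IHH")  # constructed layout: type, version, payload length


def _key(password: str) -> bytes:
    return password.encode()[:PASSWORD_LEN].ljust(PASSWORD_LEN, b"\0")


def _digest(password: str, header: bytes, body: bytes) -> bytes:
    # The digest field is treated as all zeroes while the digest is computed.
    return hashlib.md5(_key(password) + header + bytes(DIGEST_LEN) + body).digest()


def sign(password: str, msg_type: int, body: bytes) -> bytes:
    """Sender side: build header | digest | body."""
    header = HEADER.pack(msg_type, 0x0200, DIGEST_LEN + len(body))
    return header + _digest(password, header, body) + body


def verify(password: str, packet: bytes) -> bool:
    """Receiver side: accept only messages signed with the shared password."""
    if len(packet) < HEADER.size + DIGEST_LEN:
        return False
    header, rest = packet[:HEADER.size], packet[HEADER.size:]
    _, _, length = HEADER.unpack(header)
    if length != len(rest):
        return False            # truncated or padded message
    claimed, body = rest[:DIGEST_LEN], rest[DIGEST_LEN:]
    return hmac.compare_digest(claimed, _digest(password, header, body))


if __name__ == "__main__":
    secret = "s3cret"                    # constructed shared password
    body = b"cache=192.0.2.10"           # constructed payload
    genuine = sign(secret, 10, body)     # 10 is a constructed message type
    unsigned = genuine[:HEADER.size] + bytes(DIGEST_LEN) + body  # v1-style, no signature
    print("genuine :", verify(secret, genuine))    # accepted
    print("unsigned:", verify(secret, unsigned))   # rejected
    print("wrong pw:", verify(secret, sign("guess", 10, body)))  # rejected
```

Under the 8-byte assumption, characters beyond the eighth do not change the key, so a longer password adds no strength; the firewalling advice given for WCCPv1 remains useful alongside the signature.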
