G. Pape
ipsvd
ipsvd - benefits
One daemon for each service
Powerful client-based instructions
Secure DNS client library
Reliable service management and logging
Small footprint SSL support (on Linux and MacOSX)
Small code size
One daemon for each service
Unlike other projects also handling IP services through inetd-compatible
server programs that provide one daemon to handle several services on
multiple server addresses (ipaddress:port), ipsvd provides
daemons that handle one server address only.
Setting up one service daemon for each server address separates the
configurations of services, allows to apply different memory and other
resource limits easily, and supports running in changed root directories.
ipsvd instructions optionally can be shared.
Powerful client-based instructions
ipsvd allows flexible dynamic instructions and fast static
instructions.
Dynamic instructions defined through a directory can be adjusted on the fly
through other programs and the administrator.
The filesystem's file and directory permissions can be used to grant and
restrict access to the configuration.
For mostly static instructions, an instructions directory can be compiled
into a constant data base for faster
lookup.
Based on ipsvd's client-based
instructions, the process state of the
server program can be altered, the per-client concurrency can be adjusted,
connections can be denied, and even a completely different server program
can be started for special clients, see some
examples.
Clients are identified by their IP address and through IP address ranges, by
the fully qualified domain name the client's IP address reverse-resolves
and parts if it, and by host names currently resolving to the client's IP
address (to identify clients through dynamic DNS names), see
ipsvd instructions for details.
Secure DNS client library
The ipsvd programs use the
djbdns client library
to query the DNS.
This DNS client library is known to be
secure yet very
convenient.
Reliable service management and logging
The daemons provided by the ipsvd package normally are run by a
runsv supervisor
process, and started and managed through its control interface.
The runit packages provides
service supervision and a
reliable logging facility.
Small footprint SSL support
On Linux and MacOSX the ipsvd package optionally provides the
sslio program to encrypt a network connection
using the SSLv3 implementation of the
matrixssl library.
This can be used to add SSLv3 functionality to server programs that do not
support SSL, and to replace a built-in SSL support of a server program.
See the examples.
If linked statically with the SSL library and the
diet libc, the
sslio program is less than 70k of size and has
this ps xuw output on my system:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
nobody 22906 0.2 0.0 192 160 ? S 13:22 0:00 sslio
Small code size
One of the ipsvd project's principles is to keep the code size small.
This minimizes the possibility of bugs introduced by programmer's fault,
and makes it more easy for security related people to proofread the source
code.
As of version 0.9.2 of ipsvd, the source is about 1400 lines of C
code.
The small size and memory footprint of the programs makes the ipsvd
package well suited for embedded systems.
Gerrit Pape <pape@smarden.org>
$Id: benefits.html,v 1.5 2005/02/20 14:48:02 pape Exp $