<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<title>ipsvd - benefits</title>
</head>
<body>
<a href="http://smarden.org/pape/">G. Pape</a><br>
<a href="index.html">ipsvd</a><br>
<hr>
<h1>ipsvd - benefits</h1>
<hr>
<a href="#separation">One daemon for each service</a><br>
<a href="#instruct">Powerful client-based instructions</a><br>
<a href="#libdjbdns">Secure DNS client library</a><br>
<a href="#runit">Reliable service management and logging</a><br>
<a href="#ssl">Small footprint SSL support</a> (on Linux and MacOSX)<br>
<a href="#smallcode">Small code size</a>
<hr>
<a name="separation"><h3>One daemon for each service</h3></a>
Unlike other projects that handle IP services through inetd-compatible
server programs and provide one daemon to handle several services on
multiple server addresses (<tt>ipaddress:port</tt>), <i>ipsvd</i> provides
daemons that each handle one server address only.
Setting up one service daemon for each server address separates the
configurations of services, makes it easy to apply different memory and
other resource limits, and supports running in changed root directories.
<i>ipsvd</i> instructions can optionally be shared.
<hr>
<a name="instruct"><h3>Powerful client-based instructions</h3></a>
<i>ipsvd</i> allows flexible dynamic instructions and fast static
instructions.
Dynamic instructions defined through a directory can be adjusted on the fly
by other programs and by the administrator.
The filesystem's file and directory permissions can be used to grant and
restrict access to the configuration.
For mostly static instructions, an instructions directory can be compiled
into a <a href="http://cr.yp.to/cdb.html">constant data base</a> for faster
lookup.
<p>
Based on <i>ipsvd</i>'s client-based
<a href="ipsvd-instruct.5.html">instructions</a>, the process state of the
server program can be altered, the per-client concurrency can be adjusted,
connections can be denied, and even a completely different server program
can be started for special clients, see some
<a href="examples.html#instruct">examples</a>.
<p>
Clients are identified by their IP address and through IP address ranges, by
the fully qualified domain name the client's IP address reverse-resolves to
and parts of it, and by host names currently resolving to the client's IP
address (to identify clients through dynamic DNS names), see
<a href="ipsvd-instruct.5.html">ipsvd instructions</a> for details.
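<p>
An added example, not part of the original page or of the ipsvd package: a shell function that audits an instructions directory for entries that group members or other users could change, since filesystem permissions are what restrict access to this configuration. The function name <tt>audit_instructions</tt> and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the ipsvd package: report entries in an
# instructions directory that someone other than the intended owner could
# change. Only mode bits and ownership are checked, never file contents.

# audit_instructions DIR [OWNER]
#   OWNER defaults to the uid running the audit (an assumption; pass the
#   account that is supposed to maintain the instructions).
#   Returns 0 if clean, 1 if there are findings, 2 if DIR is unusable.
audit_instructions() {
    dir=$1
    owner=${2:-$(id -u)}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        {
            # A group- or world-writable directory lets entries be replaced
            # even when the entries themselves are read-only.
            find "$dir" \( -type d -o -type f \) \
                \( -perm -020 -o -perm -002 \) \
                -exec printf 'writable by group or others: %s\n' {} \;
            # Entries owned by an unexpected account can be re-chmodded by it.
            find "$dir" ! -user "$owner" \
                -exec printf 'unexpected owner: %s\n' {} \;
            # A symlink moves the real file outside this directory's permissions.
            find "$dir" -type l -exec printf 'symlink: %s\n' {} \;
        } | sort
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/instructions [owner]
if [ $# -gt 0 ]; then
    audit_instructions "$@"
fi
```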
<hr>
<a name="libdjbdns"><h3>Secure DNS client library</h3></a>
The <i>ipsvd</i> programs use the
<a href="http://smarden.org/pape/djb/">djbdns client library</a>
to query the DNS.
This DNS client library is known to be
<a href="http://cr.yp.to/djbdns/res-disaster.html">secure</a> yet very
<a href="http://cr.yp.to/djbdns/qualify.html">convenient</a>.
<hr>
<a name="runit"><h3>Reliable service management and logging</h3></a>
The daemons provided by the <i>ipsvd</i> package normally are run by a
<a href="http://smarden.org/runit/runsv.8.html">runsv</a> supervisor
process, and started and managed through its control interface.
The <a href="http://smarden.org/runit/">runit</a> package provides
<a href="http://smarden.org/runit/benefits.html#supervision">
service supervision</a> and a
<a href="http://smarden.org/runit/benefits.html#log">
reliable logging facility</a>.
<hr>
<a name="ssl"><h3>Small footprint SSL support</h3></a>
On Linux and MacOSX the <i>ipsvd</i> package optionally provides the
<a href="sslio.8.html">sslio</a> program to encrypt a network connection
using the SSLv3 implementation of the
<a href="http://www.matrixssl.org">matrixssl</a> library.
This can be used to add SSLv3 functionality to server programs that do not
support SSL, and to replace the built-in SSL support of a server program.
See the <a href="examples.html#tcp">examples</a>.
<p>
If linked statically with the SSL library and the
<a href="usedietlibc.html">diet libc</a>, the
<a href="sslio.8.html">sslio</a> program is less than 70k in size and has
this <tt>ps xuw</tt> output on my system:
<pre>
 USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
 nobody   22906  0.2  0.0   192  160 ?        S    13:22   0:00 sslio
</pre>
<!--
If linked statically with the SSL library and dynamically against the
<a href="http://www.gnu.org/directory/GNU/glibc.html">glibc</a>, it' about
80k of size.
-->
<hr>
<a name="smallcode"><h3>Small code size</h3></a>
One of the <i>ipsvd</i> project's principles is to keep the code size small.
This minimizes the possibility of bugs introduced through programmer error,
and makes it easier for security-minded people to proofread the source
code.
As of version 0.9.2 of <i>ipsvd</i>, the source is about 1400 lines of C
code.
<p>
The small size and memory footprint of the programs make the <i>ipsvd</i>
package well suited for embedded systems.
<hr>
<address><a href="mailto:pape@smarden.org">
Gerrit Pape &lt;pape@smarden.org&gt;
</a></address>
<small>$Id: benefits.html,v 1.5 2005/02/20 14:48:02 pape Exp $</small>
</body>
</html>