Is there any defintion of the protocol used between the gateway and auth server to verify users and communicate.  I see lots of good information in the Intoduction.txt defining classes and sort of a high level abstract of what goes on between the gateway and the auth server, but i don't see message formats, transport mechanisms, state machine things, and what not.

I think there is a place for this as lots of people are trying to write c versions of the gateway to run on embedded hardwares and defining independently of the source code things referred to in it; like the ticket, what punching the ticket means, what http codes are sent back forth and what they mean, etcetera, could be really helpful.    

I have started below with some VERY rough beginnings after looking
through the gateway src for too many hours.  

=== Terminology ===

 connection:: A transport layer virtual circuit established between two programs for the purpose of communication.;

 message:: The basic unit of NOCAT communication, consisting of a HTTP GETs, POSTs, REDIRECTs and status codes.;

 ticket:: The concept describing the nocat state information passed between gateways and clients, clients and auth servers, auth servers and gateways.  Tickets can be punched, authenticated, verified, thrown in someone's face, and so much more.;
 
 gateway:: A program implementing the gateway side of the nocat protocol;

 auth server:: A program implementing the auth server side of the nocat protocol.;
    
 * NOCAT Message 

  i. Message Types 

NOCAT messages consist HTTP Gets, POSTs, REDIRECTs, and status codes sent from the gateway to auth server and auth server to gateway.
 
  * NOCAT HTTP REDIRECTs  
   Redirects are used by the gateway and auth server.  The Gateway uses http 302 page moved or redirect to get the 
      client to the auth server for authentication, and also to pass along state information(a nocat ticket) about the client.  

   The format of the http 302 message is as follows.

   {{{HTTP/1.1 302 Moved  
Location: https://AuthServiceAddr/cgi-bin/login?token=token_value&timeout=timeout_value&redirect=original_destination_url_of_client&mac=clients_mac_address
<html>
<body bgcolor="white" text="black">
You should be redirected now.  If not, click <a href="https://auth.nocat.net/cgi-bin/login?token=%241%241%24HQPsTAITd3i2jrLKlchyq%2f&timeout=600&redirect=http%3a%2f%2farchives%2emath%2eutk%2eedu%2ftopics%2fnumberTheory%2ehtml&mac=00%3a02%3a2D%3a1E%3a4F%3a25">here.</a>
</body>
</html>}}}

  The AuthServiceAddr comes from the nocat.conf file on the gateway.  The token,timeout,redirect,and mac are part of a NOCAT conceptcalled a ticket.   

  * NOCAT HTTP POST

  The format of the nocat http post request is as follows.

  {{{POST, mac_address
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Timeout    IdleTimeout  
Token      clients_token 
Mode       renew|possibly something else  
Mac        clients_mac 
User       username 
Action     Permit|DENY|possibly something else  
line=-----BEGIN PGP SIGNATURE----- }}}

  Posts are used by the auth server.  The auth server sends an http post message to a gateway after the authentication process    has been completed for a user.  (To complete this part someonewill have to look through the auth server code).  The Post will have a destiantion ip address of the gateway that generated the ticket, a uri of the client|users mac gotten from the redirect issued by this gateway to the client, a timeout matching the IdleTimeout from nocat.conf(i think), the token contained in the redirect request which started the authentication of this user, the mode of this ticket, the username gotten during the actual clients https ineraction with the auth server(the one inputed at the auth server login page), the action that the gateway is supposed to take for this user|client, and all of it wrapped in pgp signature of the auth server. 

  *  NOCAT HTTP GETs

  Nocat http gets are received by both the gateway and auth servers.

  The gateway receives http gets when a user is asking to be logged out.  The logout request will have a destination ip address of the gateway a user is wanting to logout from, and a uri of /logout. Other data might be included in the get but is ignored by the gateway.  

  Upon receiving logout request the gateway will modify it's the firewall rules to denial for that user|mac|client. Once the firewall modifications have been completed and the state for that peer|user|client updated the gateway will send an HTTP 302 redirect(page moved) to the user with a url of LogoutURL taken from the nocat.conf file. 

  The auth server receives gets from the user|client after they have been redirected by a gateway.  Possibly other gets are received by the auth server but someone will have to examine that code to see.

  The format of the gets received by the auth server that i know of match the Location in the redirect messages sent by a gateways.

  * NOCAT HTTP status code

  http 302 redirects are used by the gateway and auth server.  The gateway uses http redirect to send users to the auth servers loging.html page.

  http 200 ok message are sent by gateways and auth servers.  The gateway uses ok messages after having punched a ticket received by an auth server.  This tells the auth server that the ticket associated with this socket was successfully punched.  Meaning the pgp stuff was verified, the user ticket info like tokens and mac addresses matched and that the firewall rules have been modified for that user|mac according to the action contained in the nocat http post request that opened this socket.

  HTTP/1.1 400 Session Expired messages are sent by gateways in response to auth server posts for which there is no state information.

 * NOCAT Ticket 

 The format of a ticket is in name value pairs serperated by ='s signs put into either an HTTP POST or REDIRECT messages.  Also when a tickets as been authenticated for a user the uri field of the post messages sending the ticket back to the gateway will contain the mac of the user|client.  This is also in the name value pairs and maybe is redundant? 

 The redirect messages are sent by gateways after receiving connections on the NOCAT port with destination ip addresses other then itself.  See the Firewall section for information on how these request are made to arrive here.  
                 
 When a gateway receives messages with destination ip address other then itself, a ticket is generated containing a radomly generated token, a timeout which comes from the LoginTimeout directive in the nocat.conf file, a redirect to the original url the client requested which is the url of the request received on the nocat port by the gateway  which started this process, and the mac of the client. 

 * NOCAT States.

  i. NOCAT gateway states

   a. a Locked

         When a gateway is in LOCKED state the firewall rules are the same
         as CLOSED state.  So the firewall will redirect clients to the 
         gateway port with their original destination ip address.  When 
         the gateway is locked down it should reply with a NOCAT HTTP 
         redirect sending the users to a url explaining something about 
         the lockdown.

      5.1.b Closed 

         When a gateway is closed the firewall rules send every http connection
         to the nocat port GatewayPort with their original destination ip
         addresses.  The gateway then 

      5.1.c Open

         When a gateway is open it is only open for individual clients|users|macs.
         A gateway who has an open state in it's relationship to a client has
         firewall rules allowing that client to pass through according to the
         action put onto the ticket by the auth server.  So i guess when a gateway
         is open to a client you could just say that that client is in authenticated
         state.

   5.2 NOCAT client states

      5.2.a Unknown

         When a client is unknown to a gateway it can be 802.11 associated, have an
         ip address received from dhcp server running on gateway, or many other things,
         but it cannot have any nocat state or information about itself 

      5.2.b Authenticating

         When a client is logging in it has state information about it self in the
         gateway.  This state information is in i guess the form of a ticket.  The
         client has sent some outbound traffic which was redirected via firewall rules
         to the gateway listening on the GatewayPort.  The gateway then created a 
         ticket for the client, gave it to him, and the client is logging into the
         auth server mentioned in the ticket.  

      5.3.c Authenticated

         The client has been issued a ticket, presented the ticket to an auth server,
         been authenticated by that auth server, the auth server has forwarded
         (NOCAT http post) that ticket to the originating gateway, the gateway has
         punched(verified the contents and action put on the ticket by that auth
         server) the ticket and opened up it's firewall rules for that client|mac|user
         accordingly.  

      5.4.d Unauthenticated

         The client has state information in the gateway as well as the gateways auth
         server.  However he was unable to be authenticated.  He has gone through
         identical processes to an authenticated user, except the ticket was not
         punched by the gateway.  Rather the gateway found and action put onto the
         ticket by the auth server of; deny, bar, kickout, call the police, or something.

   5.3 Ticket states

      5.3.a Issued

      5.3.b Punched

6 NOCAT Firewall interactions
----
[CategorySoftware]