Date: Wed, 17 Dec 1997 14:37:53 -0700 (MST)
From: Charles Mott
To: Nate Williams
cc: Marc Slemko, chat@FreeBSD.ORG
Subject: Re: Support for secure http protocols
In-Reply-To: <199712171926.MAA13503@mt.sri.com>
Message-ID:

On Wed, 17 Dec 1997, Nate Williams wrote:

> > I still think port 22 encapsulation of crypto has a lot of advantages. I
> > acknowledge it doesn't do everything, but suppose a divert socket daemon
> > exists which does the following. On outgoing traffic, it checks whether a
> > remote host has sshd. If so, it redirects all traffic to that host
> > through port 22 using port forwarding. This builds on techniques which
> > already exist in natd and ppp -alias.
>
> Unfortunately, things don't work that way. The only time 'automatic'
> use of the old ports occurs is on unix (not Wintel), and *only* when you
> are first setting up the connection (again, only on Unix.) This is
> intended as a replacement for rsh, which doesn't exist on Wintel boxes.

I don't think you understand what I am talking about. See paragraph
below. I know what ssh does. I also know what tcp does.

> > Clients could be completely decoupled from crypto (they wouldn't even have
> > to know about ssh port forwarding).
>
> Actually, they do. To enable port forwarding, you must connect to
> 'localhost', and not to the normal host you want to connect to.

Read my posting more carefully. Note the reference to natd and ppp -alias.

Suppose a packet is destined for a remote host. In principle, outbound
packets can be selectively redirected via NAT type processing to a local
port brought up by ssh. When a new connection is needed a new ssh port
forwarding relationship could be established (or perhaps when ssh is
started up a group of ports could be snarfed up and reused as necessary).
Or a new ssh connection with a desired port forwarding relationship can
be established for each connection. What I don't know is whether port
forwarding relationships can be dynamically created and destroyed during
a single ssh session. Probably not, but desirable.

This process as described is transparent to the client.

I honestly think your comments were condescending without being
knowledgeable. Of all people, you should be aware that I understand
networking at a detailed level.

Charles Mott
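The transparent redirection described in the message above (outbound packets bound for a host that runs sshd rewritten, natd-style, to a local port on which an `ssh -L` forward listens, with a pool of local ports reused across connections, and replies rewritten back so the client sees the original peer), as an added example that is not part of the thread and is not natd, ppp or ssh code. It models only the translation table a divert-socket daemon would have to keep: the hosts known to run sshd are a constructed list rather than being probed, the ssh sessions are represented only by the command lines that would start them, and the names `SshRedirector`, `Packet` and `Forward` are this example's own.

```python
"""Toy model of the natd-style ssh redirector discussed in the thread.
Added example: not code from the thread or from natd/ssh.  Assumptions:
the hosts running sshd are a constructed table instead of being probed,
and each ssh port forward is represented only by the command line that
would start it; no packets are actually diverted."""
from dataclasses import dataclass, field

LOCAL = "127.0.0.1"


@dataclass(frozen=True)
class Packet:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


@dataclass
class Forward:
    local_port: int            # port the local "ssh -L" listener is bound to
    remote_host: str
    remote_port: int
    users: set = field(default_factory=set)   # client source ports using it

    def ssh_command(self) -> str:
        # Command the daemon would have to run (assumption: the remote sshd
        # forwards to the service on its own loopback interface).
        return (f"ssh -N -L {self.local_port}:{LOCAL}:{self.remote_port} "
                f"{self.remote_host}")


class SshRedirector:
    def __init__(self, ssh_hosts, port_pool):
        self.ssh_hosts = set(ssh_hosts)       # constructed: hosts known to run sshd
        self.free_ports = list(port_pool)     # ports "snarfed up" at start, reused
        self.forwards = {}                    # (remote_host, remote_port) -> Forward
        self.by_client = {}                   # client src_port -> Forward

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an outbound packet toward a local ssh -L listener, or pass it."""
        fwd = self.by_client.get(pkt.src_port)
        if fwd is None:
            if pkt.dst_host not in self.ssh_hosts:
                return pkt                    # no sshd there: leave the packet alone
            key = (pkt.dst_host, pkt.dst_port)
            fwd = self.forwards.get(key)
            if fwd is None:
                if not self.free_ports:
                    # Fail closed: never silently fall back to cleartext.
                    raise RuntimeError("forwarding port pool exhausted")
                fwd = Forward(self.free_ports.pop(0), *key)
                self.forwards[key] = fwd
            fwd.users.add(pkt.src_port)
            self.by_client[pkt.src_port] = fwd
        return Packet(pkt.src_host, pkt.src_port, LOCAL, fwd.local_port)

    def inbound(self, pkt: Packet) -> Packet:
        """Undo the rewrite on replies so the client sees the original peer."""
        fwd = self.by_client.get(pkt.dst_port)
        if fwd is None or (pkt.src_host, pkt.src_port) != (LOCAL, fwd.local_port):
            return pkt
        return Packet(fwd.remote_host, fwd.remote_port, pkt.dst_host, pkt.dst_port)

    def close(self, src_port: int) -> None:
        """Connection finished: drop the mapping; release the port when unused."""
        fwd = self.by_client.pop(src_port, None)
        if fwd is None:
            return
        fwd.users.discard(src_port)
        if not fwd.users:
            del self.forwards[(fwd.remote_host, fwd.remote_port)]
            self.free_ports.append(fwd.local_port)


if __name__ == "__main__":
    r = SshRedirector(ssh_hosts={"secure.example"}, port_pool=[10000, 10001])
    out = r.outbound(Packet("10.0.0.5", 40000, "secure.example", 80))
    print("rewritten to", out.dst_host, out.dst_port)
    print("would start:", r.forwards[("secure.example", 80)].ssh_command())
```

The model sidesteps the open question in the message (whether forwards can be added and removed inside one ssh session) by assuming one ssh process per (host, port) pair, started when the first connection needs it and torn down when the last one closes. Two things a real daemon would need beyond this table: the "does this host run sshd" check has to be more than a port probe, since the security of the scheme rests on verifying the remote host key, and the fail-closed branch matters because a redirector that quietly passes cleartext when it runs out of ports would defeat the purpose without the client noticing.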