Date: Thu, 18 Dec 1997 14:17:30 -0800
From: "Jason Fesler" <jfesler@calweb.com>
To: "Charles Mott" <cmott@srv.net>, "Nate Williams" <nate@mt.sri.com>
Cc: "Marc Slemko" <marcs@znep.com>, <chat@FreeBSD.ORG>
Subject: Re: Support for secure http protocols
Message-ID: <005101bd0c02$bc0d2d50$3387adcf@devnull.calweb.com>
I've been following this thread with some interest; I'm interested in doing something a bit similar. I'm contemplating the thought of setting up SSH end-to-end, and running ppp -direct over the SSH'd TCP connection. Only one tunnel would need to be made; from there, you have a routable interface, that you can route subnets at.

The cool part of this, is that *any* connection routed via that PPP link, will be happy. HTTP.. pop.. whatever. And, it's using easily available parts that aren't proprietary to some router.

Downside: Commercial use of SSH. Server is $495, client is $99 - bare minimum needed to make this work. However, it's a mite bit cheaper than what Datafellows want for their version of a VPN - something like 10 times as expensive.

-----Original Message-----
From: Charles Mott <cmott@srv.net>
To: Nate Williams <nate@mt.sri.com>
Cc: Marc Slemko <marcs@znep.com>; chat@FreeBSD.ORG <chat@FreeBSD.ORG>
Date: Wednesday, December 17, 1997 2:03 PM
Subject: Re: Support for secure http protocols

>On Wed, 17 Dec 1997, Nate Williams wrote:
>> > I still think port 22 encapsulation of crypto has a lot of advantages. I
>> > acknowledge it doesn't do everything, but suppose a divert socket daemon
>> > exists which does the following. On outgoing traffic, it checks whether a
>> > remote host has sshd. If so, it redirects all traffic to that host
>> > through port 22 using port forwarding. This builds on techniques which
>> > already exist in natd and ppp -alias.
>>
>> Unfortunately, things don't work that way. The only time 'automatic'
>> use of the old ports occur is on unix (not Wintel), and *only* when you
>> are first setting up the connection (again, only on Unix.) This is
>> intended as a replacement for rsh, which doesn't exist on Wintel boxes.
>
>I don't think you understand what I am talking about. See paragraph
>below. I know what ssh does. I also know what tcp does.
>
>> > Clients could be completely decoupled from crypto (they wouldn't even have
>> > to know about ssh port forwarding).
>>
>> Actually, they do. To enable port forwarding, you must connect to
>> 'localhost', and not to the normal host you want to connect to.
>
>Read my posting more carefully. Note the reference to natd and ppp
>-alias. Suppose a packet is destined for a remote host. In principle,
>outbound packets can be selectively redirected via NAT type processing to
>a local port brought up by ssh. When a new connection is needed a new ssh
>port forwarding relationship could be established (or perhaps when ssh is
>started up a group of ports could be snarfed up and reused as necessary).
>Or a new ssh connection with a desired port forwarding relationship can be
>established for each connection.
>
>What I don't know is whether port forwarding relationships can be
>dynamically created and destroyed during a single ssh session. Probably
>not, but desirable.
>
>This process as described is transparent to the client.
>
>I honestly think your comments were condescending without being
>knowledgeable. Of all people, you should be aware that I understand
>networking at a detailed level.
>
>Charles Mott
>
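As an added illustration of the PPP-over-SSH tunnel Jason describes above (example configuration written for this archive page, not anything posted in the thread), the client runs FreeBSD ppp(8) with ssh as its "device" and the remote sshd runs `ppp -direct` as a forced command, so the SSH stream carries PPP frames and the tun interface becomes a routable link. All hostnames, addresses, label names and the key path are assumptions; `set device "!command"` assumes a ppp(8) that supports program devices, and the authorized_keys line assumes OpenSSH-style forced-command syntax.

```conf
# --- Client side: /etc/ppp/ppp.conf (constructed example) ---
default:
 set log Phase Chat LCP IPCP CCP tun command

sshtun:
 # ssh is the "device": its stdin/stdout carry the PPP frames.
 # -T: no pty; -e none: no escape character; BatchMode: fail rather
 # than prompt, so only the key (assumed path) can authenticate.
 set device "!ssh -T -e none -o BatchMode=yes -i /root/.ssh/ppptun vpnuser@gw.example.net"
 # No modem chat or login script is needed on a program device.
 set dial
 set login
 # Tunnel endpoints (assumed addresses); a host mask makes it point-to-point.
 set ifaddr 10.9.0.2 10.9.0.1 255.255.255.255
 # Route the remote network (assumed) over the link; HISADDR is the peer.
 add 192.168.50.0 255.255.255.0 HISADDR
 # Never drop the link for idleness.
 set timeout 0
# Bring it up with:  ppp -ddial sshtun

# --- Server side (gw.example.net): /etc/ppp/ppp.conf ---
sshtun:
 set ifaddr 10.9.0.1 10.9.0.2 255.255.255.255
 set timeout 0

# --- Server side: ~vpnuser/.ssh/authorized_keys (one line) ---
# The forced command runs ppp in -direct mode on the SSH stream and
# nothing else; the other options deny a pty, port forwarding and X11,
# so the key is useful only for bringing up this tunnel.
# vpnuser must be allowed to run ppp (FreeBSD: member of group "network"
# with the setuid ppp binary), otherwise the link cannot be created.
command="/usr/sbin/ppp -direct sshtun",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER-PUBLIC-KEY... vpnuser
```

Because the forced command is the only thing the key can run, compromise of the client key yields a PPP peer and nothing more; what that peer can reach is then governed by the routes and packet filter on the gateway, not by ssh.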