From owner-freebsd-chat Thu Dec 18 14:17:31 1997
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA27291 for chat-outgoing; Thu, 18 Dec 1997 14:17:31 -0800 (PST) (envelope-from owner-freebsd-chat@FreeBSD.ORG)
Received: from mail.calweb.com (mail.calweb.com [208.131.56.11]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA27266 for ; Thu, 18 Dec 1997 14:17:11 -0800 (PST) (envelope-from jfesler@calweb.com)
Received: by mail.calweb.com (8.8.6/8.8.6) with SMTP id OAA23713; Thu, 18 Dec 1997 14:16:57 -0800 (PST)
X-SMTP: helo devnull from jfesler@calweb.com server @devnull.calweb.com ip 207.173.135.51
Message-ID: <005101bd0c02$bc0d2d50$3387adcf@devnull.calweb.com>
From: "Jason Fesler"
To: "Charles Mott" , "Nate Williams"
Cc: "Marc Slemko" ,
Subject: Re: Support for secure http protocols
Date: Thu, 18 Dec 1997 14:17:30 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've been following this thread with some interest; I'm interested in doing something a bit similar. I'm contemplating the thought of setting up SSH end-to-end, and running ppp -direct over the SSH'd TCP connection. Only one tunnel would need to be made; from there, you have a routable interface, that you can route subnets at.

The cool part of this, is that *any* connection routed via that PPP link, will be happy. HTTP.. pop.. whatever. And, it's using easily available parts that aren't proprietary to some router.

Downside: Commercial use of SSH. Server is $495, client is $99 - bare minimum needed to make this work. However, it's a mite bit cheaper than what Datafellows want for their version of a VPN - something like 10 times as expensive.
-----Original Message-----
From: Charles Mott
To: Nate Williams
Cc: Marc Slemko ; chat@FreeBSD.ORG
Date: Wednesday, December 17, 1997 2:03 PM
Subject: Re: Support for secure http protocols

>On Wed, 17 Dec 1997, Nate Williams wrote:
>> > I still think port 22 encapsulation of crypto has a lot of advantages. I acknowledge it doesn't do everything, but suppose a divert socket daemon exists which does the following. On outgoing traffic, it checks whether a remote host has sshd. If so, it redirects all traffic to that host through port 22 using port forwarding. This builds on techniques which already exist in natd and ppp -alias.
>>
>> Unfortunately, things don't work that way. The only time 'automatic' use of the old ports occurs is on unix (not Wintel), and *only* when you are first setting up the connection (again, only on Unix.) This is intended as a replacement for rsh, which doesn't exist on Wintel boxes.
>
>I don't think you understand what I am talking about. See paragraph below. I know what ssh does. I also know what tcp does.
>
>> > Clients could be completely decoupled from crypto (they wouldn't even have to know about ssh port forwarding).
>>
>> Actually, they do. To enable port forwarding, you must connect to 'localhost', and not to the normal host you want to connect to.
>
>Read my posting more carefully. Note the reference to natd and ppp -alias. Suppose a packet is destined for a remote host. In principle, outbound packets can be selectively redirected via NAT type processing to a local port brought up by ssh. When a new connection is needed a new ssh port forwarding relationship could be established (or perhaps when ssh is started up a group of ports could be snarfed up and reused as necessary). Or a new ssh connection with a desired port forwarding relationship can be established for each connection.
>
>What I don't know is whether port forwarding relationships can be dynamically created and destroyed during a single ssh session. Probably not, but desirable.
>
>This process as described is transparent to the client.
>
>I honestly think your comments were condescending without being knowledgeable. Of all people, you should be aware that I understand networking at a detailed level.
>
>Charles Mott
>
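The selective-redirect scheme Charles sketches (a natd-style daemon that rewrites outbound connections to sshd-capable hosts onto a locally forwarded port, allocating forwarding relationships on demand and reusing a pre-grabbed pool of ports) can be simulated as a table-driven rewrite. The block below is an added example written for this archive page, not code from the thread or from natd, ppp or ssh; the host table, the port pool and the example addresses are constructed, and a real daemon would probe for sshd and spawn the `ssh -L` processes that the `ssh_command` helper only prints. It also makes explicit the policy question the posting leaves open: what happens to a host that has no sshd (pass cleartext, or fail closed).

```python
"""Simulate transparent redirection of outbound TCP connections onto
ssh port-forwarding relationships, in the style described in the thread.

Constructed example: the set of sshd-capable hosts and the local port
pool are hard-coded; a real divert daemon would discover and spawn them."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int]          # (destination host, destination port)


@dataclass
class Redirector:
    ssh_hosts: Set[str]                        # hosts known to run sshd (constructed table)
    fail_closed: bool = False                  # True: drop instead of sending cleartext
    port_pool: List[int] = field(default_factory=lambda: list(range(10000, 10004)))
    forwards: Dict[Flow, int] = field(default_factory=dict)   # flow -> local forwarded port
    reverse: Dict[int, Flow] = field(default_factory=dict)    # local port -> flow

    def _forward_for(self, flow: Flow) -> int:
        """Reuse an existing forwarding relationship, else take a port from the pool."""
        if flow in self.forwards:
            return self.forwards[flow]
        if not self.port_pool:
            raise RuntimeError("no free local ports for a new forwarding relationship")
        port = self.port_pool.pop(0)
        self.forwards[flow] = port
        self.reverse[port] = flow
        return port

    def outbound(self, dst_host: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Rewrite an outbound connection attempt.

        Returns (127.0.0.1, local_port) when the peer runs sshd, the original
        (host, port) when it does not and the policy permits cleartext, or
        None when the policy is fail-closed and the packet should be dropped."""
        if dst_host in self.ssh_hosts:
            return ("127.0.0.1", self._forward_for((dst_host, dst_port)))
        if self.fail_closed:
            return None
        return (dst_host, dst_port)

    def inbound(self, src_host: str, src_port: int) -> Tuple[str, int]:
        """Undo the rewrite on return traffic so the client sees the real peer."""
        if src_host == "127.0.0.1" and src_port in self.reverse:
            return self.reverse[src_port]
        return (src_host, src_port)

    def release(self, dst_host: str, dst_port: int) -> Optional[int]:
        """Tear down a forwarding relationship and return its port to the pool."""
        port = self.forwards.pop((dst_host, dst_port), None)
        if port is not None:
            del self.reverse[port]
            self.port_pool.append(port)
        return port

    def ssh_command(self, dst_host: str, dst_port: int) -> Optional[str]:
        """The ssh invocation that would realise an existing relationship.

        -L localport:host:hostport is the classic ssh syntax; 'localhost' is
        resolved on the server side, i.e. it names the sshd host itself."""
        port = self.forwards.get((dst_host, dst_port))
        if port is None:
            return None
        return f"ssh -L {port}:localhost:{dst_port} {dst_host}"


def demo() -> Tuple[Tuple[str, int], Tuple[str, int], Tuple[str, int], Tuple[str, int]]:
    """Walk through one POP session to an ssh host and one HTTP session to a
    plain host; returns (rewritten, reused, cleartext, unrewritten-return)."""
    r = Redirector(ssh_hosts={"mail.example.net"})        # constructed host table
    rewritten = r.outbound("mail.example.net", 110)        # POP -> local forward
    reused = r.outbound("mail.example.net", 110)           # same flow, same port
    cleartext = r.outbound("www.example.org", 80)          # no sshd: passes as-is
    back = r.inbound("127.0.0.1", rewritten[1])            # reply mapped to real peer
    return rewritten, reused, cleartext, back


if __name__ == "__main__":
    for item in demo():
        print(item)
    print(Redirector(ssh_hosts={"mail.example.net"}).outbound("mail.example.net", 110))
```

Note that with `fail_closed=False` a host that does not answer on port 22 silently gets cleartext, which is what "checks whether a remote host has sshd" implies; setting `fail_closed=True` is the conservative alternative.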