From owner-freebsd-chat Wed Dec 17 07:29:49 1997
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA18256 for chat-outgoing; Wed, 17 Dec 1997 07:29:49 -0800 (PST) (envelope-from owner-freebsd-chat@FreeBSD.ORG)
Received: from anlsun.ebr.anlw.anl.gov (anlsun.ebr.anlw.anl.gov [141.221.1.2]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id HAA18244 for ; Wed, 17 Dec 1997 07:29:36 -0800 (PST) (envelope-from cmott@srv.net)
Received: from darkstar.home (dialin1.anlw.anl.gov [141.221.254.101]) by anlsun.ebr.anlw.anl.gov (8.6.11/8.6.11) with SMTP id IAA03973; Wed, 17 Dec 1997 08:29:31 -0700
Date: Wed, 17 Dec 1997 08:29:00 -0700 (MST)
From: Charles Mott 
X-Sender: cmott@darkstar.home
To: Marc Slemko 
cc: chat@FreeBSD.ORG
Subject: Re: Support for secure http protocols
In-Reply-To: 
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> IPsec is really the solution to a more generic solution. I don't see any
> room for a hack like this between the two, except in very specialized
> situations. [...]
>
> A lot of work is going into IPsec. Commercial and non-commercial
> implementations are available, although somewhat lacking in key
> management. That is a far better solution.

I still think port 22 encapsulation of crypto has a lot of advantages. I acknowledge it doesn't do everything, but suppose a divert socket daemon exists which does the following. On outgoing traffic, it checks whether a remote host has sshd. If so, it redirects all traffic to that host through port 22 using port forwarding. This builds on techniques which already exist in natd and ppp -alias. Clients could be completely decoupled from crypto (they wouldn't even have to know about ssh port forwarding). If checking for ssh on the fly is too slow, then this could be disabled and a static list of addresses having port 22 support could be used.

This would be good for e-mail and company databases. A secure server would only listen on port 22 and have all its other ports walled off from the outside world. Servers could also be optionally secure. Also, if IP tunneling were embedded in ssh (is it already?), that would solve another big problem all in one coherent framework. And UDP port 22 support would be nice, too.

Charles Mott
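The decision logic the message sketches, as an added illustration that is not part of the original post or of any FreeBSD code: a daemon that, for each outbound destination, decides whether to divert the connection through an ssh port-forward. It shows the two checks the author describes, the on-the-fly probe (read the sshd identification string that RFC 4253 requires a server to send first on port 22) and the static list fallback for when probing is disabled, plus the ssh -L invocation that would carry the redirected connection to the server's own loopback, since such a server listens only on port 22. The hostnames, the canned banners and the fake probe are constructed for the example; probe_sshd is the only function that touches the network and is not exercised offline.

```python
"""Divert-or-not policy for the ssh-encapsulation scheme discussed above.

Added example; not from the original message. Hosts and banners are
constructed test data.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

SSH_PORT = 22
Banner = Tuple[str, str]  # (protoversion, softwareversion)


def parse_ssh_banner(data: bytes) -> Optional[Banner]:
    """Parse an SSH identification string (RFC 4253, section 4.2).

    The server may send other lines before it, so scan for the first line
    that starts with 'SSH-'.  'SSH-2.0-OpenSSH_9.6 comments\\r\\n' yields
    ('2.0', 'OpenSSH_9.6'); anything else (e.g. an SMTP greeting) yields None.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        parts = line[4:].split(b"-", 1)
        if len(parts) != 2 or not parts[0] or not parts[1]:
            return None
        proto, software = parts
        software = software.split(b" ", 1)[0]  # drop optional comments field
        try:
            return proto.decode("ascii"), software.decode("ascii")
        except UnicodeDecodeError:
            return None
    return None


def probe_sshd(host: str, timeout: float = 2.0) -> Optional[Banner]:
    """Live check: connect to tcp/22 and read the identification string.

    Returns None if the port is closed, the read times out, or the peer
    does not speak SSH.  Not called by the offline demo below.
    """
    try:
        with socket.create_connection((host, SSH_PORT), timeout=timeout) as s:
            s.settimeout(timeout)
            return parse_ssh_banner(s.recv(255))
    except (OSError, socket.timeout):
        return None


@dataclass
class SshDivertPolicy:
    """Decides whether traffic to a host should go through an ssh forward."""

    static_hosts: FrozenSet[str]                 # known sshd hosts (static list)
    probe: Optional[Callable[[str], Optional[Banner]]] = None  # None = probing disabled
    _cache: Dict[str, bool] = field(default_factory=dict)

    def should_divert(self, host: str) -> bool:
        if host in self.static_hosts:
            return True
        if self.probe is None:          # on-the-fly check disabled: list only
            return False
        if host not in self._cache:     # probe once per host, remember the answer
            self._cache[host] = self.probe(host) is not None
        return self._cache[host]


def ssh_forward_command(host: str, port: int, local_port: int) -> List[str]:
    """ssh(1) invocation that forwards local_port to port on the remote
    host's loopback, which is where a port-22-only server keeps its other
    services reachable."""
    return ["ssh", "-N", "-L", f"{local_port}:localhost:{port}", host]


# Constructed canned replies standing in for a network probe.
FAKE_REPLIES: Dict[str, bytes] = {
    "mail.example.test": b"SSH-2.0-OpenSSH_9.6\r\n",
    "db.example.test": b"SSH-1.99-OpenSSH_3.9p1 FreeBSD-20040419\r\n",
    "legacy.example.test": b"220 legacy.example.test ESMTP\r\n",
}


def fake_probe(host: str) -> Optional[Banner]:
    """Offline stand-in for probe_sshd using the canned replies above."""
    reply = FAKE_REPLIES.get(host)
    return parse_ssh_banner(reply) if reply is not None else None


def demo() -> Dict[str, bool]:
    """Run the policy over the constructed hosts; returns host -> divert?"""
    policy = SshDivertPolicy(static_hosts=frozenset({"files.example.test"}),
                             probe=fake_probe)
    hosts = ["files.example.test", "mail.example.test", "db.example.test",
             "legacy.example.test", "unknown.example.test"]
    return {h: policy.should_divert(h) for h in hosts}


if __name__ == "__main__":
    for host, divert in demo().items():
        print(f"{host:24} divert={divert}")
    print(" ".join(ssh_forward_command("mail.example.test", 25, 2525)))
```

The cache matters for the author's speed concern: a real daemon sitting on a divert socket would otherwise pay a round trip on every new flow. Note that a parsed banner only proves something speaks SSH on port 22; host-key verification still has to happen inside ssh itself, or the redirect just hands the connection to whoever answers.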