Date:      Thu, 18 Dec 1997 15:52:53 -0700 (MST)
From:      Charles Mott <cmott@srv.net>
To:        Jason Fesler <jfesler@calweb.com>
Cc:        Nate Williams <nate@mt.sri.com>, Marc Slemko <marcs@znep.com>, chat@FreeBSD.ORG
Subject:   Re: Support for secure http protocols
Message-ID:  <Pine.BSF.3.96.971218153907.552A-100000@darkstar.home>
In-Reply-To: <005101bd0c02$bc0d2d50$3387adcf@devnull.calweb.com>


If you disable IP forwarding from the pppd at the far end of the link
(e.g. no proxy arp) then traffic will be limited and encrypted to that
particular server.  That's actually a pretty clean solution and decidedly
superior to what I was suggesting.  One could even have a login account
for ssh which goes directly to ppp. 

I'm glad someone derived something positive from this thread.  It felt
like I was being continuously bombarded by rotten tomatoes -- the usual
case when one suggests or tries to develop a new idea.

Charles Mott


On Thu, 18 Dec 1997, Jason Fesler wrote:

> I've been following this thread with some interest; I'm interested in
> doing something a bit similar.  I'm contemplating the thought of setting
> up SSH end-to-end, and running ppp -direct over the SSH'd TCP
> connection.  Only one tunnel would need to be made; from there,
> you have a routable interface, that you can route subnets at.  The cool
> part of this, is that *any* connection routed via that PPP link, will be
> happy.
> HTTP.. pop.. whatever.  And, it's using easily available parts that aren't
> proprietary to some router.
> 
> Downside: Commercial use of SSH.  Server is $495, client is $99 - bare
> minimum needed to make this work.  However, it's a mite bit cheaper than
> what Datafellows want for their version of a VPN - something like 10 times
> as expensive.
> 
> -----Original Message-----
> From: Charles Mott <cmott@srv.net>
> To: Nate Williams <nate@mt.sri.com>
> Cc: Marc Slemko <marcs@znep.com>; chat@FreeBSD.ORG <chat@FreeBSD.ORG>
> Date: Wednesday, December 17, 1997 2:03 PM
> Subject: Re: Support for secure http protocols
> 
> 
> >On Wed, 17 Dec 1997, Nate Williams wrote:
> >> > I still think port 22 encapsulation of crypto has a lot of advantages.
> >> > I acknowledge it doesn't do everything, but suppose a divert socket
> >> > daemon exists which does the following.  On outgoing traffic, it checks
> >> > whether a remote host has sshd.  If so, it redirects all traffic to that
> >> > host through port 22 using port forwarding.  This builds on techniques
> >> > which already exist in natd and ppp -alias.
> >>
> >> Unfortunately, things don't work that way.  The only time 'automatic'
> >> use of the old ports occur is on unix (not Wintel), and *only* when you
> >> are first setting up the connection (again, only on Unix.)  This is
> >> intended as a replacement for rsh, which doesn't exist on Wintel boxes.
> >
> >I don't think you understand what I am talking about.  See paragraph
> >below.  I know what ssh does.  I also know what tcp does.
> >
> >>
> >> > Clients could be completely decoupled from crypto (they wouldn't even
> >> > have to know about ssh port forwarding).
> >>
> >> Actually, they do.  To enable port forwarding, you must connect to
> >> 'localhost', and not to the normal host you want to connect to.
> >
> >Read my posting more carefully.  Note the reference to natd and ppp
> >-alias.  Suppose a packet is destined for a remote host.  In principle,
> >outbound packets can be selectively redirected via NAT type processing to
> >a local port brought up by ssh. When a new connection is needed a new ssh
> >port forwarding relationship could be established (or perhaps when ssh is
> >started up a group of ports could be snarfed up and reused as necessary).
> >Or a new ssh connection with a desired port forwarding relationship can be
> >established for each connection.
> >
> >What I don't know is whether port forwarding relationships can be
> >dynamically created and destroyed during a single ssh session.  Probably
> >not, but desirable.
> >
> >This process as described is transparent to the client.
> >
> >I honestly think your comments were condescending without being
> >knowledgeable.  Of all people, you should be aware that I understand
> >networking at a detailed level.
> >
> >Charles Mott
> >
> 
> 
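As an added example (not code from anyone in this thread), the following sh script writes the "far end" pieces Charles describes for Jason's ppp-over-ssh setup: an authorized_keys entry that drops the key straight into `ppp -direct` with no shell and no ssh port forwards of its own, a ppp.conf label without proxy arp, the sysctl that turns forwarding off so traffic stays on that one server, and the matching client label that runs ssh as the PPP "device". The option names assume OpenSSH authorized_keys syntax and FreeBSD user ppp(8) keywords; the label `vpn`, the 10.0.0.1/10.0.0.2 addresses, the host name and the key are constructed placeholders, and everything is written under a directory you pass in rather than /etc.

```sh
#!/bin/sh
# Added example: generate the far-end (server) and client config for ppp over ssh.
# Assumes OpenSSH authorized_keys options and FreeBSD user ppp(8) syntax.
# Files go under "$dir" instead of /etc so the script can be run and inspected.

# Server side: the ssh account exists only to run ppp.  The forced command
# means the key cannot get a shell or open ssh port forwards; all it can do
# is bring up the PPP link on its stdin/stdout.
write_server_config() {
    dir=$1; label=$2; pubkey=$3
    mkdir -p "$dir"
    printf 'command="/usr/sbin/ppp -direct %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$label" "$pubkey" > "$dir/authorized_keys"
    # No "enable proxy" here: the link gets an address, nothing else.
    cat > "$dir/ppp.conf" <<EOF
$label:
 set ifaddr 10.0.0.1 10.0.0.2
 set timeout 0
EOF
    # Forwarding off at the far end, so the tunnel reaches this host only.
    echo 'net.inet.ip.forwarding=0' > "$dir/sysctl.conf"
}

# Client side: user ppp runs ssh as its device ("!" prefix); -e none turns
# off the ssh escape character so binary PPP frames pass through untouched.
write_client_config() {
    dir=$1; label=$2; server=$3; keyfile=$4
    mkdir -p "$dir"
    cat > "$dir/ppp.conf" <<EOF
$label:
 set device "!ssh -e none -i $keyfile $label@$server"
 set ifaddr 10.0.0.2 10.0.0.1
 set timeout 0
EOF
}

# Returns 0 only if the generated server files enforce the restrictions above.
check_server_config() {
    dir=$1
    grep -q 'no-port-forwarding' "$dir/authorized_keys" || return 1
    grep -q '^command="/usr/sbin/ppp -direct ' "$dir/authorized_keys" || return 1
    grep -q 'enable proxy' "$dir/ppp.conf" && return 1
    grep -q '^net.inet.ip.forwarding=0$' "$dir/sysctl.conf"
}
```

Install the generated authorized_keys line for the dedicated account and the ppp.conf label on the server, and the client label on the machine that dials; `ppp vpn` on the client then brings the link up through ssh.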