Hi,

Current in Section 9.5.2 Proxy Forwarding

The SSH connection protocol allows for proxy forwarding of other protocols such as SNMP, POP3, and HTTP. This may be a concern for network administrators who wish to control the access of certain ...

Proposed

The SSH connection protocol allows for proxy forwarding of other protocols such as POP3, and HTTP. This may be a concern for network administrators who wish to control the access of certain applications by users located outside of their physical location. Essentially, the forwarding of these protocols may violate site specific security policies as they may be undetectably tunneled through a firewall. Implementors SHOULD provide an administrative mechanism to control the proxy forwarding functionality so that site specific security policies may be upheld.

If no one objects to this minor change then I'll let the RFC Editor know to use this update.

Thanks,
Chris

On Thu, 8 Sep 2005, Jeffrey Hutzelman wrote:

On Thursday, September 08, 2005 15:39:18 +0200 Tom Petch <nwnetworks%dial.pipex.com@localhost> wrote:

I see, belatedly, that secsh-arch still has a reference to SNMP and proxy forwarding in it. Since isms has now chosen to pursue SNMP over SSH and since proxy forwarding is a significant feature of SNMP and since, as far as I can establish, the reference in secsh-arch has no relationship to any of this whatsoever, I think that 'SNMP' should be elided from the document before it spreads havoc and confusion (already widespread in and around isms:-(

Given that the SNMP-over-SSH work being done in ISMS currently takes the form of a subsystem rather than a connection-forwarding channel, I'm inclined to agree. Removing the mention of SNMP as an example does not meaningfully change the document, but will likely avoid considerable confusion in the future.

-- Jeff