IETF-SSH archive
Re: [saag] draft-kwatsen-reverse-ssh submission for review
On Thu, May 12, 2011 at 07:49:53PM -0700, Kent Watsen wrote:
> The need for the port 830 assignment was only to facilitate filtering. As RFC 4742 says:
>
> In order to allow NETCONF traffic to be easily identified and
> filtered by firewalls and other network devices, NETCONF servers MUST
> default to providing access to the "netconf" SSH subsystem only when
> the SSH session is established using the IANA-assigned TCP port
> <830>. Servers SHOULD be configurable to allow access to the netconf
> SSH subsystem over other ports.
>
> I suppose IETF may feel a similar need to facilitate filtering on a per SSH-based service, but I wouldn't recommend this as port-based filtering is no longer practical (e.g. consider the number of HTTP-based protocols). Application-based firewalls with deep-inspection capability are needed these days. In either case, to the original question, there isn’t a *need* for more than one IANA assigned port, since SSH already has a mechanism built into it for the client to select which protocol/subsystem to run on a channel.
>
The subsystem is selected through the encrypted channel, something
difficult to filter on.
/js
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
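The point Juergen makes above, that the subsystem name is only visible inside the encrypted SSH transport, is easy to see on the wire. The following is an added example, not code from either poster or from any IETF document: it encodes and decodes the SSH_MSG_CHANNEL_REQUEST that selects a subsystem (RFC 4254, section 6.5, message number 98), then shows what a filter sitting between client and server can classify once that request has been encrypted. The `toy_keystream_xor` helper is an assumed stand-in for whatever cipher the session negotiated (it is not an SSH cipher), and `firewall_view` is a hypothetical classifier that models a port filter plus a naive byte scan, which is all a middlebox without the session keys can do.

```python
"""Added example: why an SSH subsystem (netconf, sftp, ...) cannot be filtered by a
middlebox. The SSH_MSG_CHANNEL_REQUEST naming the subsystem (RFC 4254 s6.5) is sent
inside the encrypted transport; a firewall sees only the TCP port and the cleartext
version exchange. Only the message encoding below follows the RFCs; the cipher and
the firewall model are assumptions made for the demonstration."""
import hashlib
import struct

SSH_MSG_CHANNEL_REQUEST = 98  # RFC 4254 message number


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_subsystem_request(channel: int, subsystem: str, want_reply: bool = True) -> bytes:
    """Encode SSH_MSG_CHANNEL_REQUEST selecting a subsystem (RFC 4254 s6.5):
    byte 98, uint32 recipient channel, string "subsystem", boolean want_reply,
    string subsystem name."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST])
            + struct.pack(">I", channel)
            + ssh_string(b"subsystem")
            + bytes([1 if want_reply else 0])
            + ssh_string(subsystem.encode("ascii")))


def _read_string(buf: bytes, off: int):
    """Read one RFC 4251 string at offset; return (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_subsystem_request(payload: bytes) -> dict:
    """Decode a channel request; raises ValueError unless it is a subsystem request."""
    if len(payload) < 5 or payload[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not SSH_MSG_CHANNEL_REQUEST")
    (channel,) = struct.unpack_from(">I", payload, 1)
    req_type, off = _read_string(payload, 5)
    if req_type != b"subsystem":
        raise ValueError("request type is %r, not subsystem" % req_type)
    if off >= len(payload):
        raise ValueError("missing want_reply")
    want_reply = payload[off] == 1
    name, off = _read_string(payload, off + 1)
    if off != len(payload):
        raise ValueError("trailing bytes after subsystem name")
    return {"channel": channel, "subsystem": name.decode("ascii"), "want_reply": want_reply}


def toy_keystream_xor(data: bytes, key: bytes) -> bytes:
    """Assumed stand-in for the negotiated cipher: SHA-256 counter-mode keystream XORed
    over the data. NOT a real SSH cipher; it only makes the packet opaque below."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">Q", block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def firewall_view(dst_port: int, cleartext_ident: bytes, encrypted_packets: list) -> dict:
    """Hypothetical middlebox classifier: it has the destination port, the cleartext
    identification line (RFC 4253 s4.2), and the ciphertext of later packets. It can
    only guess the service from the port; a byte scan of the ciphertext finds nothing."""
    is_ssh = cleartext_ident.startswith(b"SSH-2.0-")
    guess = "netconf" if dst_port == 830 else ("ssh" if is_ssh else "unknown")
    visible = any(b"subsystem" in p or b"netconf" in p for p in encrypted_packets)
    return {"is_ssh": is_ssh, "guessed_service": guess, "subsystem_visible": visible}


def demo():
    """Two sessions to port 22 that differ only in the (encrypted) subsystem request
    look identical to the firewall; the server, holding the key, tells them apart."""
    key = b"session-key-from-kex"  # constructed; real keys come from the KEX
    ident = b"SSH-2.0-OpenSSH_example\r\n"  # constructed identification line
    views, decoded = [], []
    for name in ("netconf", "sftp"):
        ct = toy_keystream_xor(build_subsystem_request(0, name), key)
        views.append(firewall_view(22, ident, [ct]))
        decoded.append(parse_subsystem_request(toy_keystream_xor(ct, key))["subsystem"])
    return views, decoded


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the two firewall views, which are equal (both classified as plain "ssh", with `subsystem_visible` false), alongside the two decoded subsystem names, which differ. That asymmetry is the whole argument for a dedicated port in RFC 4742: the port is the only per-service attribute a filter can act on without the session keys.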