On 5/12/2011 7:49 PM, Kent Watsen wrote:
>> Understood; I was asking because it sounded like Juniper was using a port they hadn't registered ;-( That should be fixed...
>
> Indeed, and that is exactly what we're trying to do with this submission. Our previous attempt to have IANA assign a port for this ended with their recommendation to bring it to IETF for standardization. It's taken a while, but here we are.

Sure. In the meantime, Juniper shouldn't be using an unassigned port number in a public distribution, though. ;-)

>> Netconf over ssh uses a different port, as noted above.
>
> The need for the port 830 assignment was only to facilitate filtering.

Yes. And will the need for a reverse port create a similar need for every such current SSH-based port assignment to have a corresponding reverse-channel port assignment? That would be undesirable...

>> What's the reason for not solving this by having the client just listen on the SSH server port?
>
> Because then it would be expected to be the SSH server.

Well, seems to me that if the server is initiating the connection, then it *is* a server (where I define server as "host that listens on a registered port").
The particular roles of who checks what certificate should be negotiated in-band, IMO.
Joe