IETF-SSH archive


RE: [saag] draft-kwatsen-reverse-ssh submission for review



> The subsystem is selected through the encrypted channel, something difficult to filter on.

True.  Though some firewalls can be provided the backend server's private key(s) in order to inspect the traffic.  This feature is more prevalent on industrial firewalls than consumer-grade firewalls.

Of course, there is a catch-22 to this: at least in our application of this proposal, the device that is "calling home" is many times (but not always - see draft for details) the gateway device having the firewalling functionality.

Still, I concur with your premise that the solution shouldn't discard the ability to do port-level filtering for each SSH-based protocol that has been reversed.  The question remains, though, if there should be a new port-assignment for each SSH-based protocol or if the existing ports are repurposed.

Would repurposing existing ports be too ambiguous, due to them having dual roles?


PS: Per Tom's comment, I've BCC-ed the "ietf-ssh" list to bring this discussion to one list.  I'm choosing the SAAG list primarily because it is an official IETF list.  Hope this is OK with all.

Thanks,
Kent



