IETF-SSH archive


Re: [saag] draft-kwatsen-reverse-ssh submission for review



[[ I think both mailing lists should remain on the mail. The issues relate to both. ]]

On May 13, 2011, at 8:02 AM, Joe Touch wrote:

>>> Netconf over ssh uses a different port, as noted above.
>> 
>> The need for the port 830 assignment was only to facilitate filtering.
> 
> Yes. And will the need for a reverse port create a similar need for every such current SSH-based port assignment to have a corresponding reverse-channel port assignment? That would be undesirable...

+1. A single reverse-port protocol that has a way to say "and I'm going to be doing X protocol" would be a much better design.

>>> What's the reason for not solving this by having the client just listen
>>> on the SSH server port?
>> 
>> Because then it would be expected to be the SSH server.
> 
> Well, seems to me that if the server is initiating the connection, then it *is* a server (where I define server as "host that listens on a registered port").

Fully agree. The design of this draft sounds like it can be summarized as "an entity that is normally a client becomes a server for a short period while it gets information from the entity that is normally a server". At the point that the was-a-client becomes a short-term server, why not make it a real SSH server?

> The particular roles of who checks what certificate should be negotiated in-band, IMO.


That sounds right to me.

--Paul Hoffman



