>>>>> "Juergen" == Juergen Schoenwaelder <j.schoenwaelder@xxxxxxxxxxxx> writes:

    Juergen> Sam,

    Juergen> this is not about blocking port 22 as far as I understand
    Juergen> things. I think the issue here is that TCP connection
    Juergen> establishment determines ssh client/server roles. If
    Juergen> there would be a way to initiate the connection but
    Juergen> subsequently taking over the server role, protocols like
    Juergen> netconf and presumably isms would find it much easier to
    Juergen> provide CH functionality.

Right. But for the ssh-connect application I don't think you would
want that unless you were trying to get around firewall policy.

I suspect that the ssh community would decline to extend ssh in this
direction; I certainly know I would not support it. I would support
setting up port forwarding as a way to get a back channel; I would
also support a facility to run an ssh protocol over ssh channel.

One advantage of both port forwarding and ssh over ssh is that they
provide a much more consistent model for authentication and
authorization of the request to "turn" than an explicit turn facility.

--Sam

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf