OpenSSH 4.3 released
Posted Feb 1, 2006 18:10 UTC (Wed) by JLCdjinn (guest, #1905)
Parent article: OpenSSH 4.3 released
Heh; "[t]his is primarily a bug-fix release, only one new feature has been added: Add support for tunneling arbitrary network packets over a connection between an OpenSSH client and server via tun(4) virtual network interfaces". And you thought it was easy to open gaping holes in your firewall before!
"[P]rimarily a bug-fix release", indeed! God bless the OpenSSH project.
Posted Feb 1, 2006 20:35 UTC (Wed) by crow (guest, #96) (6 responses)
Yup. This obsoletes the old method of tunneling PPP over SSH.
So it isn't really anything new as far as the capabilities, just in ease-of-use.

Posted Feb 1, 2006 21:40 UTC (Wed) by job (guest, #670) (5 responses)
So it is still TCP-over-TCP? That's something one must avoid. The real solution is IPsec, or OpenVPN if you really want.

Posted Feb 1, 2006 23:38 UTC (Wed) by Mithrandir (guest, #3031) (1 response)
Care to enlighten on why this must be avoided?

Posted Feb 2, 2006 0:18 UTC (Thu) by Ross (guest, #4065)
Performance issues. TCP handling of lost packets, corrupted packets, and congestion all rely on timing. When you stack TCP on TCP, rather than smoothing over these connection issues, they are magnified.

Posted Feb 2, 2006 0:44 UTC (Thu) by djm (subscriber, #11651) (2 responses)
Saying you "must avoid" it is just a mindless application of dogma. Like most applications, it has appropriate and inappropriate uses.
While you wouldn't use it as a permanent connection between two networks or to run real-time applications over, it is very useful for ad-hoc uses (e.g. establishing a secure connection back home while you are travelling) and its convenience. We point people towards IPsec in the documentation for serious uses.
People have been using OpenSSH's TCP-over-TCP port forwarding for years without complaint, just think of this as an incremental improvement :)

Posted Feb 2, 2006 2:32 UTC (Thu) by dskoll (subscriber, #1630)
> People have been using OpenSSH's TCP-over-TCP port forwarding for years without complaint
That's not the same thing. Port-forwarding isn't really TCP-over-TCP. It's really just plain TCP. If you use a TCP connection as a piece of wire, and then run TCP over that piece of wire, then the TCP timers in the wire layer and the top layer can interact in very nasty ways, and pretty soon your connection gets totally clogged. You might not notice it on a LAN, but probably will if you try such tunneling over the Internet.
OpenVPN is really a much nicer solution for tunnelling. Works really well, and unlike IPSec, is not a horrible nightmarish protocol produced by committee.

Posted Feb 2, 2006 12:05 UTC (Thu) by job (guest, #670)
TCP-over-TCP tunnelling (was OpenSSH 4.3 released)
Not "avoid" as in severe punishment, rather as in "don't do it if you can avoid it". It is a layering violation. All uses are inappropriate, unless you are a researcher doing it on purpose. Much like NAT, something you will regret sooner or later, but sometimes necessary to get the work done. A good rule of thumb is to not break principles unless you really understand them.
In the case of TCP-over-TCP the results are also very practical. As soon as you get packet loss performance will quickly deteriorate. The SSH protocol seems like a competent design so I doubt its port forwarding is broken in that regard.
Please don't misunderstand my previous comment as it was a sincere question. The OpenSSH people probably wouldn't design something as broken as PPP-over-SSH (especially not since OpenVPN is such a simple replacement), so I am interested to hear how it works.
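The timer interaction that Ross and dskoll describe in the thread above can be made concrete with a small constructed simulation (an added example, not part of the thread and not OpenSSH or OpenVPN code): a stop-and-wait TCP with a backing-off retransmission timer, run once directly on a lossy wire and once on top of a second, reliable TCP over the same wire. The RTT, timeout and the deterministic "every fifth packet is lost" pattern are assumptions chosen so the effect is easy to read off: every wire loss stalls the outer connection long enough for the inner timer to fire, and each spurious inner retransmission is one more segment the outer layer then has to carry.

```python
from collections import deque
# Constructed toy model: stop-and-wait TCP with fixed RTT, an initial timeout RTO
# that doubles on every timeout, and a wire dropping every LOSS_EVERY-th packet.
RTT, RTO, LOSS_EVERY = 1.0, 3.0, 5

def single_layer(n_segments):
    """Plain TCP on the lossy wire. Returns (wire_transmissions, finish_time)."""
    t, wire = 0.0, 0
    for _ in range(n_segments):
        rto = RTO
        while True:
            wire += 1
            if wire % LOSS_EVERY == 0:   # lost: wait out the timer, back off
                t, rto = t + rto, rto * 2
            else:                        # delivered and acked one RTT later
                t += RTT
                break
    return wire, t
def tcp_over_tcp(n_segments):
    """Inner TCP over a reliable outer TCP. Returns (wire_tx, spurious, finish)."""
    wire, outer_free, t, spurious = 0, 0.0, 0.0, 0
    queue = deque()  # outer send queue of (inner segment id, enqueue time)
    def outer_deliver(enqueued_at):
        # Outer TCP never gives up: a loss only delays delivery by its backed-off RTO.
        nonlocal wire, outer_free
        start, rto = max(enqueued_at, outer_free), RTO
        while True:
            wire += 1
            if wire % LOSS_EVERY == 0:
                start, rto = start + rto, rto * 2
            else:
                outer_free = start + RTT
                return outer_free          # time the outer segment is acked
    for seg in range(n_segments):
        queue.append((seg, t))
        rto_in, deadline, acked = RTO, t + RTO, None
        while acked is None:
            head, enqueued_at = queue.popleft()
            ack_time = outer_deliver(enqueued_at)
            # Each inner timer firing before the outer layer gets through yields
            # a duplicate that the outer layer must now also carry over the wire.
            while deadline < ack_time:
                queue.append((seg, deadline))
                spurious += 1
                rto_in, deadline = rto_in * 2, deadline + rto_in * 2
            acked = ack_time if head == seg else None
        t = acked
    while queue:  # outer layer still has to drain the leftover duplicates
        outer_deliver(queue.popleft()[1])
    return wire, spurious, outer_free
```

With 20 segments the plain connection needs 24 wire transmissions, while the stacked one needs 32 and sends 6 duplicates that carried no new data; a real network with variable loss and window-based senders makes the pile-up worse, not better.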