[136589] in North American Network Operators' Group


RE: quietly....

daemon@ATHENA.MIT.EDU (Matthew Huff)
Thu Feb 3 15:58:11 2011

From: Matthew Huff <mhuff@ox.com>
To: "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu>
Date: Thu, 3 Feb 2011 15:46:11 -0500
In-Reply-To: <43082.1296765386@localhost>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Well, since ssh is a straight up tcp socket protocol on a well known port with no gimmicks needed like FTP, yeah, I would say it isn't a hack. FTP over TLS/SSL is much worse. In some implementations you can do a non-encrypted control channel and an encrypted data channel, so that a SPI firewall can "hack" it through, but unfortunately a lot of servers and/or clients won't negotiate that correctly and only allow both types of channels to be encrypted, which is not possible to pass through a SPI firewall.

There are two other sorta widely implemented secure file transfer protocols, SCP and WebDav over TLS/SSL. Either works fine through a SPI firewall, but the consensus for file transfer (at least over the pub net) within the financial services community appears to be converging to FTP over ssh.



> -----Original Message-----
> From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
> Sent: Thursday, February 03, 2011 3:36 PM
> To: Matthew Huff
> Cc: Owen DeLong; nanog@nanog.org
> Subject: Re: quietly....
>
> On Thu, 03 Feb 2011 14:39:15 EST, Matthew Huff said:
> > Something like ftp over SSH works well without fixup or NAT issues and is
> > becoming more standard at least in the financial services community.
>
> And having to do it over SSH *isn't* a fixup/hackaround?
>
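The firewall behaviour Matthew describes, as an added example that is not part of the thread: a simplified model of the FTP application-layer gateway in a stateful-inspection firewall, which must read PASV/EPSV replies on the control channel to know which data connection to let through, and which sees nothing once the control channel is TLS-encrypted (no CCC). The server address, the transcripts and the stand-in ciphertext bytes are constructed for the example.

```python
"""Constructed model of an SPI firewall's FTP ALG (not code from the thread).
The ALG reads server replies on the control channel; a passive-mode reply
tells it which (ip, port) pinhole to open for the data channel."""
import re
from typing import List, Optional, Tuple

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line: str, server_ip: str) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) the client will connect to for the data channel,
    or None if the line is not a passive-mode reply. PASV port = p1*256 + p2."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:
        return (server_ip, int(m.group(1)))  # EPSV reply carries only the port
    return None


def alg_pinholes(control_channel: List[bytes], server_ip: str) -> List[Tuple[str, int]]:
    """Walk the control channel as the firewall sees it on the wire.
    Segments that are not ASCII text (TLS records after AUTH TLS succeeded
    and no CCC was issued) are opaque to the ALG, so no pinhole is opened
    and the client's data connection is dropped by the stateful filter."""
    pinholes: List[Tuple[str, int]] = []
    for raw in control_channel:
        try:
            line = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # ciphertext: the PASV reply is invisible here
        hit = parse_passive_reply(line.strip(), server_ip)
        if hit:
            pinholes.append(hit)
    return pinholes


# Constructed server-side transcripts; server address 192.0.2.10 is a placeholder.
PLAINTEXT_CONTROL = [
    b"220 ftp ready\r\n",
    b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n",
    b"150 Opening data connection\r\n",
]
ENCRYPTED_CONTROL = [
    b"220 ftp ready\r\n",
    b"234 Proceed with negotiation\r\n",      # reply to AUTH TLS
    b"\x17\x03\x03\x00\x2a\x9f\x11\xd4\x80",  # stand-in TLS record, not parseable
]
```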


