Re: [Isms] ISMS charter broken- onus should be on WG to fix it

Jeffrey Hutzelman, Tue, 13 September 2005 21:38 UTC

Date: Tue, 13 Sep 2005 17:37:49 -0400
From: Jeffrey Hutzelman
To: Sam Hartman
Cc: IETF Discussion, Eliot Lear
Subject: Re: [Isms] ISMS charter broken- onus should be on WG to fix it

On Tuesday, September 13, 2005 05:06:40 PM -0400 Sam Hartman wrote:

>>>>>> "Juergen" == Juergen Schoenwaelder writes:
>     Juergen> Sam,
>     Juergen> this is not about blocking port 22 as far as I understand
>     Juergen> things. I think the issue here is that TCP connection
>     Juergen> establishment determines ssh client/server roles.  If
>     Juergen> there were a way to initiate the connection but
>     Juergen> subsequently take over the server role, protocols like
>     Juergen> netconf and presumably isms would find it much easier to
>     Juergen> provide CH functionality.
> Right.  But for the ssh-connect application I don't think you would
> want that unless you were trying to get around firewall policy.

I don't think that's necessarily the case.  Sure, you might be trying to do 
that, but you also might be trying to get around the fact that the machines 
at your house are behind a NAT and thus lack routable addresses.

> I suspect that the ssh community would decline to extend ssh in this
> direction; I certainly know I would not support it.

I'm not entirely sure _how_ I'd extend SSH in this direction, or how much 
utility it would have.  I don't think I would object to it, especially 
since I suspect it might make some of the ISMS cases easier even if you 
don't care about the firewall problem.

-- Jeff
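
The decoupling Juergen describes, shown as an added example that is not from this thread: because stock SSH implementations give the server role to whichever side accepted the TCP connection, the demo uses TLS from Ruby's standard library, where the role is chosen by the API call instead (the pattern NETCONF Call Home, RFC 8071, later standardised for both SSH and TLS). The device dials the manager and then runs the server side of the handshake; the manager accepts and then runs the client side, still authenticating the device. The names, the `device.example` identity and the banner are constructed for the demo.

```ruby
require 'openssl'
require 'socket'

# Throwaway self-signed identity for the managed device (constructed for this
# demo; a real device would carry a provisioned certificate and key).
DEVICE_KEY = OpenSSL::PKey::RSA.new(2048)
DEVICE_CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.version = 2
  c.serial = 1
  c.subject = OpenSSL::X509::Name.parse('/CN=device.example')
  c.issuer = c.subject
  c.public_key = DEVICE_KEY.public_key
  c.not_before = Time.now - 3600
  c.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(c, c)
  c.add_extension(ef.create_extension('subjectAltName', 'DNS:device.example'))
  c.sign(DEVICE_KEY, OpenSSL::Digest.new('SHA256'))
end

# The device dials the manager (outbound only, so NAT and egress-only firewalls
# are no obstacle), yet once the TCP connection exists the roles flip: the
# device runs the TLS server side and the manager the TLS client side.
# Returns the banner line the manager received from the device.
def call_home
  listener = TCPServer.new('127.0.0.1', 0)
  port = listener.addr[1]
  manager = Thread.new do
    raw = listener.accept                       # accepted the TCP connection...
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # authenticate the caller; never skip this
    ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(DEVICE_CERT) }
    ssl = OpenSSL::SSL::SSLSocket.new(raw, ctx)
    ssl.sync_close = true
    ssl.hostname = 'device.example'
    ssl.connect                                 # ...yet speaks as the TLS client
    ssl.post_connection_check('device.example') # pinned identity must match
    banner = ssl.gets.chomp
    ssl.close
    banner
  end
  raw = TCPSocket.new('127.0.0.1', port)        # dialed out...
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = DEVICE_CERT
  ctx.key = DEVICE_KEY
  ssl = OpenSSL::SSL::SSLSocket.new(raw, ctx)
  ssl.sync_close = true
  ssl.accept                                    # ...yet speaks as the TLS server
  ssl.puts 'device ready'
  ssl.close
  manager.value
end
```

Because the manager pins the device certificate and checks the name, a host that merely knows the manager's address cannot "call home" as that device; the firewall-bypass worry in the thread is answered by authenticating the caller, not by refusing the connection direction.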
