
SSH over UDP


Kevin Denis
Feb 22, 2012, 10:13:31 AM
Hello,

I'm a heavy user of tunneling over SSH, usually to protect myself from
wifi hotspots.

It leads me to two problems:
- sometimes TCP port 22 is closed, but UDP port 53 is wide open.
- When the wifi link is of bad quality, packet drops occur, and sometimes
it almost kills my connection. I think this is due to the TCP-in-TCP
connection.

So, is it possible to use SSH over UDP? I read the document
http://publications.lib.chalmers.se/records/fulltext/123799.pdf
which has exactly this goal.

Is there a plan to introduce it into the main source tree?

Thanks
--
Kevin

Simon Tatham
Feb 22, 2012, 10:27:22 AM
Kevin Denis <ke...@alinto.comNOSPAM> wrote:
> So, is it possible to use SSH over UDP? I read the document
> http://publications.lib.chalmers.se/records/fulltext/123799.pdf
> which has exactly this goal.

I suppose that with a lot of effort along those lines you could make
an SSH implementation behave like a UDP-encapsulating VPN mechanism. I
haven't read the paper carefully, but I'd expect that you would have
to reimplement a lot of the TCP acking and retransmission stuff for
most of the SSH connection (e.g. you definitely need to retransmit the
KEX packets if they get lost), and only disable it for the special
case of data packets belonging to a special VPN channel type.

But what is the advantage over using dedicated VPN protocols which
have been properly security-reviewed for this use case? The only
practical benefit I can think of is if you wanted to reuse your
existing SSH login credentials, such as a private key stored in your
ssh-agent.
--
Simon Tatham <ana...@pobox.com>
"These are my opinions. There are many like them but these ones are mine."

Dag-Erling Smørgrav
Feb 22, 2012, 10:32:14 AM
Kevin Denis <ke...@nowhere.invalid> writes:
> -sometimes TCP port 22 is closed. But UDP port 53 is wide open.

...and so (usually) is TCP port 443.

> So, is it possible to use SSH over UDP? I read the document

Much simpler solution:

# echo Port 22 >>/etc/ssh/sshd_config
# echo Port 443 >>/etc/ssh/sshd_config
# /etc/rc.d/sshd restart

DES
--
Dag-Erling Smørgrav - d...@des.no
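The two `echo ... >>` lines above work, but run twice they leave duplicate `Port` directives, and they never show you what the file ends up listening on. The following is an added example, not code from the thread or from OpenSSH: a POSIX sh script that adds `Port` directives idempotently and lists the active ones. It works on a constructed temporary copy of an sshd_config, never on the real `/etc/ssh/sshd_config`, and it assumes the directive is written with the canonical capitalisation `Port`.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently add "Port N" lines to an
# sshd_config-style file and list the ports that are actually configured.
# Runs against a constructed temporary file, not the system's sshd_config.

# add_port FILE PORT
# Appends "Port PORT" unless an uncommented "Port PORT" line already exists.
add_port() {
    file=$1
    port=$2
    # Assumption: the directive is spelled "Port" (sshd accepts it case-insensitively).
    if grep -Eq "^[[:space:]]*Port[[:space:]]+${port}[[:space:]]*$" "$file"; then
        return 0            # already present: do not create a duplicate
    fi
    printf 'Port %s\n' "$port" >> "$file"
}

# list_ports FILE
# Prints each active Port value on its own line; commented lines are ignored.
list_ports() {
    sed -n -E 's/^[[:space:]]*Port[[:space:]]+([0-9]+)[[:space:]]*$/\1/p' "$1"
}

# Constructed sample config standing in for /etc/ssh/sshd_config.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# Port 2222   (commented out: must be ignored)
Port 22
PermitRootLogin no
EOF

add_port "$CFG" 22      # already present, nothing appended
add_port "$CFG" 443     # appended once
add_port "$CFG" 443     # second call is a no-op

list_ports "$CFG"       # prints 22 then 443
```

Note why the original post adds both lines rather than only `Port 443`: sshd listens on 22 only by default, so once any `Port` directive is present the default no longer applies, and a file containing just `Port 443` stops listening on 22. After editing, `sshd -t` checks the file for syntax errors before the daemon is restarted.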

Kevin Denis
Feb 22, 2012, 10:42:59 AM
On 22-02-2012, Simon Tatham <ana...@pobox.com> wrote:
>> So, is it possible to use SSH over UDP? I read the document
>> http://publications.lib.chalmers.se/records/fulltext/123799.pdf
>> which has exactly this goal.
>
> I suppose that with a lot of effort along those lines you could make
> an SSH implementation behave like a UDP-encapsulating VPN mechanism. I
> haven't read the paper carefully, but I'd expect that you would have
> to reimplement a lot of the TCP acking and retransmission stuff for
> most of the SSH connection (e.g. you definitely need to retransmit the
> KEX packets if they get lost), and only disable it for the special
> case of data packets belonging to a special VPN channel type.
>
UDP is only used for the tunneling part. Chapter 4 explains the
modifications. And yes, there are known problems directly related to the
rekeying process (and the predictability of VPN packets); see §4.3.

> But what is the advantage over using dedicated VPN protocols which
> have been properly security-reviewed for this use case? The only
> practical benefit I can think of is if you wanted to reuse your
> existing SSH login credentials, such as a private key stored in your
> ssh-agent.
>
OpenVPN has always been a headache for me. I much prefer SSH with
the simple tunnel (-L and -R), socks (-D) and full IP (-w) for some
setups. It fulfills my needs, except for the two cases cited.
--
Kevin

Simon Tatham
Feb 22, 2012, 11:44:09 AM
Kevin Denis <ke...@alinto.comNOSPAM> wrote:
> UDP is only used for the tunneling part.

Ah - so one of these modified SSH sessions is partially transported
over TCP as usual, and partially over UDP for the VPN mechanism?

That certainly sounds a lot easier to get to work, but in that case,
surely it still wouldn't help you if your TCP SSH connections are
blocked!
--
Simon Tatham <ana...@pobox.com>
"The voices in my head are trying to ignore me. But if I keep talking, I can drive them insane."

Kevin Denis
Feb 22, 2012, 3:17:17 PM
On 22-02-2012, Simon Tatham <ana...@pobox.com> wrote:
>> UDP is only used for the tunneling part.
>
> Ah - so one of these modified SSH sessions is partially transported
> over TCP as usual, and partially over UDP for the VPN mechanism?
>
> That certainly sounds a lot easier to get to work, but in that case,
> surely it still wouldn't help you if your TCP SSH connections are
> blocked!
>
Indeed! :/ But there's still the problem of bad wifi links, where it
could help.
Thanks for the reply.
--
Kevin

Fred Mobach
Feb 23, 2012, 8:25:35 AM
Kevin Denis wrote:

> I'm a heavy user of tunneling over SSH, usually to protect myself from
> wifi hotspots.
>
> It leads me to two problems:
> - sometimes TCP port 22 is closed, but UDP port 53 is wide open.
> - When the wifi link is of bad quality, packet drops occur, and sometimes
> it almost kills my connection. I think this is due to the TCP-in-TCP
> connection.
>
> So, is it possible to use SSH over UDP? I read the document
> http://publications.lib.chalmers.se/records/fulltext/123799.pdf
> which has exactly this goal.

UDP port 53 traffic can be blocked at firewalls for all networks except
a dedicated group of DNS servers. For security reasons that is not a bad
choice. What you described above was seen as a potential security risk
some 15 years ago.
--
Fred Mobach
website : https://fred.mobach.nl
.... In God we trust ....
.. The rest we monitor ..
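The policy Fred describes, as an added example that is not part of the thread: an nftables ruleset for a forwarding firewall that lets clients reach port 53 only on a named set of resolvers and logs and drops every other DNS-port flow, which is exactly what closes the "UDP 53 is wide open" path. The resolver addresses are placeholder values from the documentation range; the table and set names are assumptions.

```nft
# Added example (not from the thread). Replace the placeholder resolver
# addresses with the site's real DNS servers before loading with
# `nft -f`. Applies to traffic the firewall forwards for its clients.
table inet egress_dns {
    set resolvers {
        type ipv4_addr
        # placeholder values (RFC 5737 documentation range)
        elements = { 192.0.2.53, 192.0.2.54 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # DNS to the sanctioned resolvers is allowed, UDP and TCP alike.
        ip daddr @resolvers udp dport 53 accept
        ip daddr @resolvers tcp dport 53 accept

        # Any other port-53 flow (tunnels included) is recorded and dropped.
        udp dport 53 log prefix "dns-egress-denied " drop
        tcp dport 53 log prefix "dns-egress-denied " drop
    }
}
```

The `log` statements matter as much as the `drop`: a client that repeatedly hits the denied rule with large, non-DNS-sized UDP payloads is the signal Fred's 15-year-old concern was about, and it is visible in the kernel log without any extra tooling.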