Q: how to restrict access selectively to client initiated local port forward

Jefferson Ogata Jefferson.Ogata at noaa.gov
Sat Sep 29 05:10:29 EST 2007


On 09/28/07 14:36, Michael O'Cleirigh wrote:
> I hadn't done this because the OpenVPN Documentation recommends not
> tunneling TCP/IP through TCP/IP but I see now that that's exactly what
> ssh is doing anyways.

I don't think that's in the same sense as warned about by OpenVPN docs.

Issues occur when two TCP stacks process a packet, e.g. when a source
system creates a TCP packet which is then transmitted in its entirety
over a TCP-based tunnel. If a packet is lost in the tunnel, both the
system managing the tunnel and the system which generated the original
packet will retransmit.

This is not an issue with native SSH tunnels since these are tunneling
payloads after TCP decapsulation, not entire TCP-encapsulated packets.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
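To make the retransmission argument in the message above concrete, here is a small added simulation; it is not part of the thread and not OpenSSH or OpenVPN code. It models two layers with a tick-based event loop: in "tcp_over_tcp" mode, whole inner TCP segments are carried by an outer reliable tunnel while the inner sender keeps its own retransmission timer; in "ssh_forward" mode, the inner connection is terminated locally (as `ssh -L` does) so only the payload enters the outer stream. The tick timings, the RTO values, and the loss pattern in `drop_at` are constructed assumptions chosen to show the effect of a single lost transmission.

```python
from collections import defaultdict, deque


def simulate(mode, segments=3, drop_at=frozenset({1}), rto_inner=3, rto_outer=3, max_ticks=40):
    """Return link statistics for moving `segments` inner segments over a lossy link.

    mode "tcp_over_tcp": whole inner TCP segments ride inside an outer reliable
        tunnel, and the inner sender runs its own retransmission timer.
    mode "ssh_forward": the inner TCP connection is terminated locally, so only
        the payload bytes enter the outer stream and only the outer layer ever
        retransmits.
    drop_at: indices of link transmissions that are silently dropped (constructed).
    One tick is one link traversal; acknowledgements take one more tick to return.
    """
    if mode not in ("tcp_over_tcp", "ssh_forward"):
        raise ValueError(mode)
    wire_sends = 0
    outer_queue = deque(range(segments))   # payloads waiting for the link
    outer_inflight = {}                    # link index -> (payload, outer RTO deadline)
    inner_unacked = {}                     # segment -> inner RTO deadline (tcp_over_tcp only)
    arrivals = defaultdict(list)           # tick -> (link index, payload) reaching the far end
    outer_acks = defaultdict(list)         # tick -> link indices acknowledged to the tunnel
    inner_acks = defaultdict(list)         # tick -> segments acknowledged to the inner sender
    delivered = []                         # what the far end received, in arrival order

    if mode == "tcp_over_tcp":
        # The inner stack started its own timers when it emitted the segments at tick 0.
        # In ssh_forward mode the local ssh process acks them over loopback at once,
        # so there is nothing for the inner stack to time out on.
        inner_unacked = {seg: rto_inner for seg in range(segments)}

    for tick in range(max_ticks):
        for idx in outer_acks.pop(tick, []):
            outer_inflight.pop(idx, None)
        for seg in inner_acks.pop(tick, []):
            inner_unacked.pop(seg, None)
        for idx, payload in arrivals.pop(tick, []):
            delivered.append(payload)
            outer_acks[tick + 1].append(idx)
            inner_acks[tick + 1].append(payload)
        # The outer tunnel retransmits anything unacknowledged past its RTO.
        for idx in [i for i, (_, deadline) in outer_inflight.items() if deadline <= tick]:
            payload, _ = outer_inflight.pop(idx)
            outer_queue.appendleft(payload)
        # The inner sender, unaware the tunnel is already retrying, retransmits too;
        # its duplicate is a new payload the tunnel must carry reliably.
        for seg in [s for s, deadline in inner_unacked.items() if deadline <= tick]:
            inner_unacked[seg] = tick + rto_inner
            outer_queue.append(seg)
        while outer_queue:
            payload = outer_queue.popleft()
            idx = wire_sends
            wire_sends += 1
            outer_inflight[idx] = (payload, tick + rto_outer)
            if idx not in drop_at:
                arrivals[tick + 1].append((idx, payload))
        if not (outer_queue or outer_inflight or inner_unacked
                or arrivals or outer_acks or inner_acks):
            break
    else:
        raise RuntimeError("did not converge within max_ticks")

    return {
        "wire_sends": wire_sends,
        "retransmissions": wire_sends - segments,
        "delivered": delivered,
        "duplicates": len(delivered) - len(set(delivered)),
    }


if __name__ == "__main__":
    for mode in ("tcp_over_tcp", "ssh_forward"):
        print(mode, simulate(mode))
```

With the default loss of one transmission, the tunnelled-segment mode puts two retransmissions on the link and delivers a duplicate segment to the far end, because both the tunnel and the inner sender react to the same loss; the port-forward mode retransmits once and delivers each payload exactly once. Raising `rto_inner` above `rto_outer` in this model suppresses the duplicate, which is one reason the interaction is highly sensitive to how the two timers happen to line up.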


More information about the openssh-unix-dev mailing list