port forwarding trouble

Sergio Gelato Sergio.Gelato at astro.su.se
Fri Aug 5 02:01:08 EST 2005


* Darren Tucker [2005-08-05 00:41:37 +1000]:
> Sergio Gelato wrote:
> >* Frederik Eaton [2005-08-02 17:39:59 +0100]:
> >>Also, I don't think that the "host@port" syntax suggested in the bug
> >>comments is a good idea. 
> >
> >At the very least it should be port@host. There is precedent for that,
> >e.g. in FlexLM LM_LICENSE_FILE environment variables.
> 
> Why is that better than host@port?  I would bet there's precedent for 
> that somewhere too.

Because "@" traditionally stands for the preposition "at", and most
people find it more natural to use the host name as a scope identifier
than the port number (maybe also because e-mail addresses have
the host name on the right side of the @ sign).

And while we are comparing with e-mail addresses: how about host!port ?

> [...]
> >I'm not sure about URLs, but various tools simply require square
> >brackets around the IPv6 address, as in
> >	[0:1:2:3:4:5:6:7]:port
> 
> That would be OK for new entries but it's not backward compatible with 
> existing known_hosts files.

That means the code to parse existing known_hosts files needs to be a
little more complex. New entries should obviously use the less ambiguous
notation.

> Once you add an optional ":port" I don't see how it's possible to 
> reliably distinguish between IPv6 addresses created by old versions and 
> host:port identifiers created by new versions.

Don't add an optional ":port" for IPv6 address literals, then; make the
[v6addr]:port notation mandatory in such cases. 

If you've already allowed v6addr:port, then the ambiguity is with us no 
matter what. For interpreting existing known_hosts files, one could
agree that (a) the now-deprecated notation causes a warning to be
emitted, and (b) an ambiguous string is interpreted as matching
either interpretation, e.g. ::1:22 is equivalent to [::1]:22,[::1:22] .

> >For example, this (minus the port number) is what you are supposed to
> >do in /etc/hosts.allow. Implementations differ as to whether one needs
> >[fe80::]/10 or [fe80::/10] for network prefixes, but I think the former
> >is winning.
> 
> OpenSSH already understands that notation, eg for ListenAddress (minus 
> the network prefix, I think).
> 
> >>A brief search indicated "host.:port" might be used somewhere. 
> >>But "host:port" is so common that it would be better to use a different
> >>notation only when 'host' is IPv6. "@" is especially bad, because it
> >>makes it look like the host is a user.
> 
> They're host keys, I don't see how the identifiers could be confused 
> with a user. There's no reference to users at all in known_hosts.

The software wouldn't be confused, but humans who edit the known_hosts 
file might.
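As an added example (not code from this thread and not OpenSSH's own known_hosts parser), here is a small Python implementation of the scheme sketched above: bracketed `[v6addr]:port` is the unambiguous form, the bracket-less `v6addr:port` form is accepted but emits a deprecation warning, and a string that admits both readings yields both, so an entry written `::1:22` matches `[::1]:22` as well as `[::1:22]` on port 22. The default port of 22, the rule that a bracketed name must carry a port, and the `entry_matches` helper are this example's own assumptions; hashed host names are left out.

```python
"""Parse the host field of a known_hosts entry (example code, not OpenSSH's):

  "[host]:port"  unambiguous; the only form a new writer should emit for IPv6
  "host:port"    hostname or IPv4 address plus port (exactly one colon)
  "host"         hostname, IPv4 or IPv6 literal on the default port
  "v6addr:port"  deprecated bracket-less form: a warning is emitted, and if the
                 whole string is also a valid IPv6 literal both readings are kept
"""
import ipaddress
import re
import warnings
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PORT = 22            # assumption for this example
_PORT_RE = re.compile(r"^[0-9]{1,5}$")   # ASCII digits only; no unicode digits


class DeprecatedNotationWarning(UserWarning):
    """Emitted for the ambiguous bracket-less 'v6addr:port' form."""


@dataclass(frozen=True)
class HostRef:
    host: str    # hostname, IPv4 text, or compressed canonical IPv6 text
    port: int


def _valid_port(text: str) -> bool:
    return bool(_PORT_RE.match(text)) and 1 <= int(text) <= 65535


def _canonical_ipv6(text: str) -> Optional[str]:
    """Compressed textual form of an IPv6 literal, or None if it is not one."""
    try:
        return str(ipaddress.IPv6Address(text))
    except ipaddress.AddressValueError:
        return None


def parse_host_token(token: str) -> List[HostRef]:
    """Return every (host, port) reading of one comma-separated name token."""
    if token.startswith("["):
        # Bracketed form: mandatory ":port" after the closing bracket.
        close = token.find("]")
        if close < 0 or not token[close + 1:].startswith(":"):
            raise ValueError(f"expected '[host]:port', got {token!r}")
        host, port = token[1:close], token[close + 2:]
        if not host or not _valid_port(port):
            raise ValueError(f"bad bracketed name {token!r}")
        return [HostRef(_canonical_ipv6(host) or host, int(port))]

    if ":" not in token:
        return [HostRef(token, DEFAULT_PORT)]

    if token.count(":") == 1:
        # hostname:port or IPv4:port; an IPv6 literal always has >= 2 colons.
        host, _, port = token.partition(":")
        if not host or not _valid_port(port):
            raise ValueError(f"bad host:port {token!r}")
        return [HostRef(host, int(port))]

    # Two or more colons: an IPv6 literal, a deprecated v6addr:port, or both.
    refs: List[HostRef] = []
    whole = _canonical_ipv6(token)
    if whole is not None:
        refs.append(HostRef(whole, DEFAULT_PORT))
    head, _, tail = token.rpartition(":")
    head_v6 = _canonical_ipv6(head)
    if head_v6 is not None and _valid_port(tail):
        warnings.warn(f"{token!r}: bracket-less IPv6:port is deprecated, "
                      f"write [{head_v6}]:{tail}", DeprecatedNotationWarning)
        refs.append(HostRef(head_v6, int(tail)))
    if not refs:
        raise ValueError(f"cannot parse host token {token!r}")
    return refs


def entry_matches(line: str, host: str, port: int = DEFAULT_PORT) -> bool:
    """True if the known_hosts line's name field covers host:port.

    Hashed names ('|1|...') are not handled in this example.
    """
    names = line.split(None, 1)[0]
    if names.startswith("|"):
        return False
    target = HostRef(_canonical_ipv6(host) or host, port)
    return any(target in parse_host_token(tok) for tok in names.split(","))


if __name__ == "__main__":
    # Constructed sample entries (not real keys).
    for entry in ("[::1]:2222 ssh-rsa AAAA", "::1:22 ssh-rsa AAAA",
                  "1:2:3:4:5:6:7:8,example.org:2222 ssh-rsa AAAA"):
        print(entry.split()[0], "->", parse_host_token(entry.split()[0].split(",")[0]))
```

Every ambiguous token costs one warning per parse, which is the behaviour item (a) in the message asks for; a real implementation would rate-limit that or report it once per file.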
