Good morning,

I was wondering what you think about SNI (server name indication) support in OpenSSH?

Background: SSH is one of the rare protocols in the data center that cannot be easily load balanced, proxied or made highly available. If the ssh client would indicate to which host it wants to connect, a proxy or load balancer could easily be implemented.

While this is an obvious feature for load balancing, I have another use case that is very important: bridging the IPv4 to the IPv6 world (see also [0]). With IPv4 having run out in many places, it is often necessary to multiplex a public IPv4 address for multiple IPv6 end hosts, to help them be reachable from the IPv4 world. With all the TLS based protocols (including https, imaps) this is easily possible. SSH is an exception here and makes it hard to implement a generic way of enabling IPv6-only systems to be reachable from the IPv4 world.

My suggestion would be as follows:

- change the ssh client to add a header/packet at the start of the connection that says "I want to connect to X", X being whatever is passed on the command line (IPv6 address, IPv4 address, domain name).
- either not modifying the server, OR
- adding a variable into the server that lets one match on the client-provided value.

I am aware that one can use different ports for multiplexing and also that SNI is not secure, as it is client provided. However, the latter is not a problem, as security always needs to be ensured on the server side.

I am looking forward to hearing your opinion. If this is something that would be accepted upstream, I could come up with a patch for it.

Best regards,

Nico

[0] https://ungleich.ch/de/cms/ungleich-blog/2018/09/20/how-to-break-ipv4-https/

-- 
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
On Sun, 12 Jan 2020, Nico Schottelius wrote:

> I was wondering what you think about SNI (server name indication)
> support to OpenSSH?

Oh, please absolutely not. SNI is a privacy violation in HTTP, and otherwise just a poor excuse to continue running NAT and/or IPv4.

bye,
//mirabilos
-- 
“MyISAM tables -will- get corrupted eventually. This is a fact of life.” – “mysql is about as much database as ms access” – “MSSQL at least descends from a database” “it's a rebranded SyBase” “MySQL however was born from a flatfile and went downhill from there” – “at least jetDB doesn't claim to be a database” (#nosec) – Please let MySQL and MariaDB finally die!
On Sun, Jan 12, 2020 at 5:07 AM Nico Schottelius <nico.schottelius at ungleich.ch> wrote:

> Background: SSH is one of the rare protocols in the data center that
> cannot be easily load balanced, proxied or made highly available.

you can pretty easily load balance sshd with host certs.
Hey Thorsten,

Thorsten Glaser <t.glaser at tarent.de> writes:

> On Sun, 12 Jan 2020, Nico Schottelius wrote:
>
>> I was wondering what you think about SNI (server name indication)
>> support to OpenSSH?
>
> Oh, please absolutely not. SNI is a privacy violation in HTTP, and
> otherwise just a poor excuse to continue running NAT and/or IPv4.

you might have misunderstood me. The purpose of my request was to enable the transition towards IPv6 networks. Concretely, the following scenario:

    [ v4 Internet ]
           |
    [ v4 to v6 proxy ]----------------------------
           |                  |                  |
    [v6 only host 1]  [v6 only host 2]  [v6 only host 3]
           |                  |                  |
    [ v6 Internet ]-----------------------------

If we had any possibility to support this scenario, a lot of services that we see could be shifted to IPv6-only hosts today and not tomorrow. The "migrate everyone at once" approach really doesn't work in real life; you need to have either network providers or content providers make a start. And at this point a lot of things can already be shifted to IPv6-only machines while still being accessible from the legacy Internet. Besides ssh.

Let me rephrase my original question, as I don't actually want SNI: Is there any way to create a multiplexing proxy for SSH?

Best regards,

Nico

-- 
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
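The multiplexing problem raised in the opening message and restated above ("is there any way to create a multiplexing proxy for SSH?") comes down to what the first bytes of each connection carry. The following is an added example, not code from this thread, from OpenSSH or from any proxy project: it builds a constructed TLS ClientHello with an SNI extension, extracts the name the way a v4-to-v6 front end would, then parses the SSH identification string (RFC 4253 section 4.2) that an OpenSSH client sends first and shows that it names the client software, not the intended host. The function names, host names (example.net) and IPv6 addresses (2001:db8::/32) are this example's own assumptions.

```python
"""Added example: why a front-end proxy can demultiplex TLS by name but has
nothing comparable to route on for SSH. All inputs below are constructed."""
import struct

# Constructed routing table for the v4-to-v6 proxy: requested name -> IPv6 backend.
BACKENDS = {
    "host1.example.net": "2001:db8::1",
    "host2.example.net": "2001:db8::2",
    "host3.example.net": "2001:db8::3",
}

# Constructed: the first bytes an OpenSSH client sends (RFC 4253 section 4.2).
SSH_CLIENT_OPENING = b"SSH-2.0-OpenSSH_8.1\r\n"


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying one SNI extension."""
    host = server_name.encode("ascii")
    name_list = struct.pack("!BH", 0, len(host)) + host            # name_type 0 = host_name
    sni_data = struct.pack("!H", len(name_list)) + name_list       # ServerNameList
    sni_ext = struct.pack("!HH", 0, len(sni_data)) + sni_data      # extension type 0 = server_name
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + bytes(32)                 # random (zeros; constructed)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # compression_methods: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer


def tls_sni(data: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    Malformed or truncated input yields None rather than an exception, so a
    proxy can call this on whatever a peer sends first, SSH banners included.
    """
    try:
        if data[0] != 0x16:                                  # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                    # not a client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        i = 2 + 32                                           # skip version and random
        i += 1 + body[i]                                     # session_id
        i += 2 + struct.unpack("!H", body[i:i + 2])[0]       # cipher_suites
        i += 1 + body[i]                                     # compression_methods
        if i + 2 > len(body):
            return None                                      # no extensions block
        end = i + 2 + struct.unpack("!H", body[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[i:i + 4])
            ext = body[i + 4:i + 4 + ext_len]
            i += 4 + ext_len
            if ext_type != 0:
                continue
            j = 2                                            # skip ServerNameList length
            while j + 3 <= len(ext):
                name_type = ext[j]
                name_len = struct.unpack("!H", ext[j + 1:j + 3])[0]
                name = ext[j + 3:j + 3 + name_len]
                j += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def ssh_identification(data: bytes):
    """Parse "SSH-protoversion-softwareversion SP comments CR LF" (RFC 4253).

    The string identifies the protocol version and the client software and
    nothing else: there is no field for the host the client intends to reach,
    which is exactly what a name-based proxy in front of several sshds lacks.
    """
    line, sep, _rest = data.partition(b"\r\n")
    if not sep or not line.startswith(b"SSH-"):
        return None
    proto, _, software = line[4:].partition(b"-")
    software, _, comments = software.partition(b" ")
    return {
        "protoversion": proto.decode("ascii", "replace"),
        "softwareversion": software.decode("ascii", "replace"),
        "comments": comments.decode("ascii", "replace"),
    }


def choose_backend(first_bytes: bytes, backends=BACKENDS):
    """Routing decision from a connection's first bytes: an IPv6 backend for a
    TLS ClientHello whose SNI names a known host, None for everything else
    (including SSH, which can only be demultiplexed by destination port)."""
    name = tls_sni(first_bytes)
    return backends.get(name) if name is not None else None


if __name__ == "__main__":
    print(choose_backend(build_client_hello("host2.example.net")))  # 2001:db8::2
    print(ssh_identification(SSH_CLIENT_OPENING))                    # no target field
    print(choose_backend(SSH_CLIENT_OPENING))                        # None
```

`choose_backend` is the whole routing decision such a proxy gets to make: for TLS it peeks at the ClientHello without terminating the session, for SSH it sees only a software banner, so the remaining options are one IPv4 port per IPv6 host or a jump host, as the thread goes on to discuss.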
On Sun, 12 Jan 2020, Nico Schottelius wrote:

> Good morning,
>
> I was wondering what you think about SNI (server name indication)
> support to OpenSSH?

I think SNI would be problematic because (until very recently) it requires that clients advertise which host they'd like to connect to in the clear. However, ESNI[1] (encrypted SNI) is nearing standardisation and it might be possible to adapt that protocol for SSH. I'd rather follow something that has had lots of cryptographic review than cook up something for SSH alone.

-d

[1] https://tools.ietf.org/html/draft-ietf-tls-esni-05