Two thoughts on things I remember ...

On 08.08.2015 01:33, Hayden Metsky wrote:
> * "Mosh requires opening UDP ports on the Broad perimeter. That makes
> the Broad network available as a participant in a DDoS performed
> against external entities, specifically ICMP PORT UNREACHABLE class of

The more ports of a host are not firewalled, the more ports an attacker can use to send faked packets to, to provoke (e.g.) misdirected 'ICMP PORT UNREACHABLE' responses to a third party. So opening more ports makes somebody unknown elsewhere more vulnerable and makes a 'local server' machine more suspect. So some people strictly minimize the number of ports visible to the outside to only a few well-known ports.

> * "Mosh is based ... Also
> the first UDP mosh packet is from client to server. That underscores
> the fact that there is no way for a firewall to have any control of
> state."

Some people want their server to have exact control over whom to give which port, so they want to enforce that the server (service) decides the port number, not the initiating user elsewhere. Maybe this could be done in mosh, because the newborn server can talk to the client.

If you are behind a stateful firewall, a connection to a port is either to an officially dedicated and defined port of a service, or must be opened from the inside to start a connection. Stateful firewalls otherwise drop the packet, assuming stray/erroneous/lost or aggressive access. Having completely connectionless packets coming in is then impossible. Mosh client and server could only 'connect' if both sides start the same connection in parallel from BOTH sides, answering only after receiving the starter packet, which would have to be recognizable to the firewall as a beginning mosh session. This on the other hand will have other new security implications for mosh, so many firewalled systems may simply forbid mosh and enforce ssh-only, which is TCP and thus stateful anyway.
Stucki

_______________________________________________
mosh-devel mailing list
mosh-devel@mit.edu
http://mailman.mit.edu/mailman/listinfo/mosh-devel
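The two points raised in the reply above (a statically opened UDP range turns closed ports into ICMP port-unreachable reflectors, and a stateful firewall has nothing to match mosh's client-first datagram against) can be made concrete with a toy model. The following is an added example for this thread, not code from mosh or from any firewall; the addresses, port numbers, the 30-second UDP state timeout and the "server sends first" variant (which assumes the server learnt the client's UDP port out of band, e.g. over the ssh channel) are all constructed for illustration.

```python
"""Toy model of a stateful UDP firewall in front of a mosh server.

Added example, not mosh's or any firewall's own code. Addresses, ports and
the timeout are constructed values. The firewall keeps a table of flows the
inside host initiated (or that hit a statically opened port) and drops any
other inbound UDP. The host answers UDP to a closed port with ICMP port
unreachable addressed to whatever source the datagram claimed, which is what
lets an opened-but-closed port act as a reflector for spoofed traffic.
"""
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # seconds a UDP flow stays in the state table without traffic (assumed)

SERVER = "198.51.100.10"   # inside host running the mosh server (constructed)
CLIENT = "203.0.113.5"     # legitimate mosh client (constructed)
VICTIM = "192.0.2.77"      # third party whose address an attacker spoofs (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Tracks UDP flows by 4-tuple, keyed from the inside host's perspective."""

    def __init__(self, inside_ip, allowed_inbound_ports=()):
        self.inside_ip = inside_ip
        self.allowed = set(allowed_inbound_ports)  # statically opened ports, e.g. mosh's range
        self.flows = {}  # (in_ip, in_port, out_ip, out_port) -> time last seen

    def outbound(self, pkt, now):
        """Datagram leaving the inside host: always allowed, and it creates state."""
        self.flows[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
        return "ACCEPT"

    def inbound(self, pkt, now):
        """Datagram from outside: allowed only for a live flow or an opened port."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        last = self.flows.get(key)
        if last is not None and now - last <= UDP_TIMEOUT:
            self.flows[key] = now
            return "ACCEPT"
        if pkt.dst_port in self.allowed:
            self.flows[key] = now
            return "ACCEPT"
        return "DROP"


class Host:
    """Inside host: a UDP socket is bound on `listening` ports, everything else is closed."""

    def __init__(self, ip, listening=()):
        self.ip = ip
        self.listening = set(listening)
        self.icmp_sent = []  # (to_ip, about_port) ICMP port-unreachable messages emitted

    def receive(self, pkt):
        if pkt.dst_port in self.listening:
            return "DELIVERED"
        # Closed UDP port: the kernel replies with ICMP port unreachable to the claimed
        # source address, so a spoofed datagram turns into traffic aimed at a third party.
        self.icmp_sent.append((pkt.src_ip, pkt.dst_port))
        return "ICMP_PORT_UNREACHABLE"


def deliver(fw, host, pkt, now=0.0):
    """Inbound path: firewall verdict first, then host behaviour if accepted."""
    verdict = fw.inbound(pkt, now)
    return verdict if verdict != "ACCEPT" else host.receive(pkt)


def mosh_client_first(fw, host, now=0.0):
    """mosh as described in the thread: server picked UDP 60001, client sends first."""
    return deliver(fw, host, Packet(CLIENT, 41234, SERVER, 60001), now)


def mosh_server_first(fw, host, now=0.0):
    """Hypothetical variant from the reply: the server sends the first datagram (assumes
    it learnt the client's port out of band), so the client's reply matches state."""
    fw.outbound(Packet(SERVER, 60001, CLIENT, 41234), now)
    return deliver(fw, host, Packet(CLIENT, 41234, SERVER, 60001), now + 0.1)


def spoofed_probe(fw, host, now=0.0):
    """Attacker sends a datagram carrying the victim's address to an opened but closed port."""
    return deliver(fw, host, Packet(VICTIM, 1234, SERVER, 60500), now)


if __name__ == "__main__":
    closed = StatefulFirewall(SERVER)
    opened = StatefulFirewall(SERVER, range(60000, 61001))
    print("client-first, nothing opened:", mosh_client_first(closed, Host(SERVER, {60001})))
    h = Host(SERVER, {60001})
    print("client-first, range opened:  ", mosh_client_first(opened, h))
    print("spoofed probe, range opened: ", spoofed_probe(opened, h), h.icmp_sent)
    print("server-first, nothing opened:", mosh_server_first(StatefulFirewall(SERVER), Host(SERVER, {60001})))
```

Running it shows the trade-off the reply describes: with no UDP opened, mosh's client-first datagram is dropped and a spoofed probe produces no ICMP; opening the range lets mosh through but also lets the probe bounce an ICMP port unreachable at the victim; the server-first variant passes a stateful firewall with nothing opened, but only because the server already knows where to send, which is exactly the protocol change the reply says would have its own implications.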