[aklug] Re: Quick and Dirty TCP WAN Acceleration

From: Shane Spencer <shane@bogomip.com>
Date: Fri Jun 15 2012 - 13:01:22 AKDT

It's a good solution to connection multiplexing.. but not really
toward deduplication where hashes of bulk data are sent over the wire
and then requested if the remote side doesn't already know about the
hash

On Wed, Jun 13, 2012 at 9:23 PM, David M. Syzdek <david@syzdek.net> wrote:
> Shane,
>
> If what you mean by "TCP level deduplication" is to reduce the number of
> TCP connections to the remote host, then you may want to look at control
> paths for ssh. Control paths allow multiple instances of ssh to share a
> single TCP connection to the remote host.
>
> For example, try adding this to inetd's ssh config:
>
> Host host.example.com
>     Compression yes
>     ControlMaster auto
>     ControlPath ~/.ssh/path/%r@%h:%p
>     ControlPersist yes
>
>
> Create the directory for the shared sockets:
>
> $ mkdir ~inetd/.ssh/path
>
>
> Now when you SSH to "host.example.com" for the first time, a master socket
> will be created. Any additional SSH sessions will traverse the master's TCP
> connection to the remote side.
>
> Once the tunnel is established, you can control the master session with the
> following:
>
> # check status of connection
> ssh -O check host.example.com
>
> # stop connection
> ssh -O exit host.example.com
>
>
> I've used this extensively to set up a SOCKS5 proxy into my home network from
> coffee shops (see DynamicForward or -D). Here is a simple script I use to
> manage my connection:
>
> #!/bin/sh
> #
> #  Script for managing proxy connections.
> #  SSH config is:
> #
> #     host proxy.office.example.com
> #        Compression yes
> #        ExitOnForwardFailure yes
> #        ControlMaster auto
> #        ControlPath ~/.ssh/path/%r@%h:%p
> #        DynamicForward 8080
>
> PROXY=proxy.office.example.com
>
> case $1 in
>    'start')
>       # only start a new master if none is listening on the control socket
>       ssh -O check ${PROXY} > /dev/null 2>&1
>       if test $? != 0;then
>          ssh -C -Nf ${PROXY} || exit 1
>       fi
>       ssh -O check ${PROXY}
>       ;;
>    'stop')
>       ssh -O check ${PROXY} > /dev/null 2>&1
>       if test $? = 0;then
>          ssh -O exit ${PROXY} || exit 1
>       fi
>       ;;
>    'restart')
>       $0 stop  || exit 1
>       $0 start || exit 1
>       ;;
>    'check')
>       ssh -O check ${PROXY}
>       ;;
>    *)
>       echo "Usage: ${0} [ start | stop | restart | check ]"
>       ;;
> esac
>
>
> --David M. Syzdek
>
>
> On Wed, Jun 13, 2012 at 2:58 PM, Shane Spencer <shane@bogomip.com> wrote:
>>
>> I've been using OpenVPN + Compression, SSH local and remote port
>> forwarding + Compression and several other solutions for a while.
>> Each of them seem to have a bit of overhead or juggling problems that
>> may slow things down.. cause excessive retries.. and even die for no
>> reason.
>>
>> One method of using secure shell.. as a remote socket client.. was
>> recently introduced to me which makes me super happy.
>>
>> For instance.. to connect to a work server at the address 10.1.0.23
>> port 4269 from your house without using a VPN you would want to
>> connect to a public secure shell server at your work .. say 5.6.7.8 ..
>> using the following command:
>>
>>  ssh -W 10.1.0.23:4269 myuser@5.6.7.8
>>
>> You are now in a stdin/stdout interface to port 4269 on the server at
>> work... This is not really all that practical for most people right
>> away.. however it means you can pipe commands to remote ports as if
>> those ports are programs.. which in itself is similar to using netcat,
>> telnet, socat.. however with a secure shell encrypted connection over
>> the Internet.
>>
>> The -W flag with SSH makes using SSH via INETD locally an option.
>> This allows you to forward a local port to a new SSH connection to a
>> remote host and initiate port forwarding very directly.. very similar
>> to the -L flag however with the added reliability of one process per
>> socket and if a socket or secure shell process dies there is no need
>> to restart it.. reconnecting is simple and requires less
>> administration and supervisor tools.
>>
>> For instance.. we use Filemaker and a custom accounting program that
>> use several TCP ports. We have OpenVPN between sites but we aren't
>> really seeing the same compression that 'ssh -C' would offer. The
>> following can be added to inetd.conf in order to make these remote
>> ports available locally and immediately compress and encrypt the
>> socket.
>>
>> # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
>> # Accounting Software
>> 1234    stream  tcp     nowait  tunneluser      /usr/bin/ssh ssh -c blowfish -C -W 10.1.0.23:1234 tunneluser@5.6.7.8
>> 1235    stream  tcp     nowait  tunneluser      /usr/bin/ssh ssh -c blowfish -C -W 10.1.0.23:1235 tunneluser@5.6.7.8
>> # Filemaker
>> 5003    stream  tcp     nowait  tunneluser      /usr/bin/ssh ssh -c blowfish -C -W 10.1.0.23:5003 tunneluser@5.6.7.8
>>
>> Now I just need to update the client software for these server
>> connections to use my local gateway running inetd vs the remote host
>> itself.. and I'm done. I now have a SSH connection per socket pair as
>> new sockets are created.. it eats up a bit of memory.. but the
>> compression is crazy fast.
>>
>>  Filemaker <-> Local Gateway <--> Inetd(ssh client) <---> SSH Tunnel
>> <--> Remote SSH Server <-> Remote server
>>
>> Sped up Filemaker dramatically.
>>
>> Sped up our unencrypted.. uncompressed.. very plain text protocol
>> 'Accounting Software' as well.. in fact it's almost nearly local speed
>> due to how they implemented the protocol.
>>
>> The only real improvement that can be offered at this point is TCP
>> level deduplication.. and there are projects out there for doing just
>> that as well.
>>
>> Shane
>> ---------
>> To unsubscribe, send email to <aklug-request@aklug.org>
>> with 'unsubscribe' in the message body.
>>
>
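The hash-exchange deduplication Shane contrasts with connection multiplexing, as an added example that is not code from either poster: the sender ships SHA-256 digests of fixed-size chunks, the receiver answers with the digests it does not hold, and only those chunks cross the wire. Fixed 4 KiB chunks, SHA-256 and an in-memory chunk store are assumptions of this sketch, not any particular project's protocol.

```python
import hashlib

CHUNK_SIZE = 4096   # assumed fixed-size chunking; real tools often use content-defined chunks
DIGEST_LEN = 32     # bytes of SHA-256 digest sent per chunk in the first round trip


def split_chunks(data, size=CHUNK_SIZE):
    """Cut a byte string into fixed-size chunks; the last one may be shorter."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def digest(chunk):
    return hashlib.sha256(chunk).digest()


class Receiver:
    """Remote side: a store of chunks already seen, keyed by digest."""

    def __init__(self):
        self.store = {}

    def missing(self, digests):
        """Round 1 reply: which of the offered digests the receiver lacks."""
        return [d for d in digests if d not in self.store]

    def accept(self, chunks):
        """Round 2: store each chunk under a digest computed here, never one the peer claims."""
        for c in chunks:
            self.store[digest(c)] = c

    def reassemble(self, digests):
        """Rebuild the stream in order; a KeyError means a chunk never arrived."""
        return b"".join(self.store[d] for d in digests)


def send(data, receiver):
    """Sender side. Returns (data as reassembled by the receiver, bytes put on the wire)."""
    chunks = split_chunks(data)
    digests = [digest(c) for c in chunks]
    wire = DIGEST_LEN * len(digests)                 # round 1: digests only
    wanted = set(receiver.missing(digests))
    # a chunk repeated within this stream is still transmitted only once
    payload = {d: c for c, d in zip(chunks, digests) if d in wanted}
    wire += sum(len(c) for c in payload.values())    # round 2: missing chunks
    receiver.accept(payload.values())
    return receiver.reassemble(digests), wire
```

Re-sending an unchanged stream costs only the digest list, and changing one chunk costs that chunk plus the list; keying the store by a locally computed digest is what stops a peer from poisoning it with mislabelled data.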
Received on Fri Jun 15 13:01:31 2012

This archive was generated by hypermail 2.1.8 : Fri Jun 15 2012 - 13:01:31 AKDT