Every packet does have the source IP address in it, but not because it's a UDP packet, it's because that's what all *IP* packets have. UDP is a protocol built on top of IP, as is TCP - we're used to the "full name" of TCP being TCP/IP, but it's unusual to say "UDP/IP" :-)
Because UDP is connectionless, there's no concept of an initial packet in the first place; all packets that arrive are completely self-contained entities with no relation to any other packets that might arrive before or after. It's a bit like HTTP in that respect.

The *application* that's using UDP may have a concept of a long-term session that involved multiple packets, but UDP itself doesn't. Again looking at HTTP, that's like using cookies to describe a session.
You have a middle layer load balancer, which will be keeping track of the state of sessions going through; this is easy for TCP because the session identifiers are basically in every packet. However, in UDP they are not present at all - you have to be aware of the actual application using UDP; you have to be explicitly aware of mosh itself in order to be able to load-balance/proxy it correctly.

A simple assumption for most protocols that want to have cheap lightweight sessions is to assume that the source IP address stays the same throughout. This happens to have been true for most of the network's history, but has never been guaranteed.

In the case of mosh, this is explicitly not true; the protocol *expects* that the source IP address will change unannounced throughout the application's session.

It is this issue that you need to be looking in to. You need a proxy/LB layer that looks at a UDP packet coming through, recognises that it is using SSP (State Synchronization Protocol), and keeps track of which backend system the packet should be forwarded to.

Unfortunately, this will be very difficult; datagrams are encrypted, and your proxy will not be aware of the key in use. The only way I can see to make this happen will be to alter the mosh server to inform the proxy directly, and that's a lot of engineering that will introduce a number of security tradeoffs that might not be worthwhile.

Overall, your better approach is to have a traditional "bastion host" in the middle, use mosh to connect to that, and from there make inbound ssh connections to your service hosts (because you can get away with ssh on an internal "reliable" network, and because you're using TCP for this, you can go through a load balancer if required).

-jim

--
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ ***@otago.ac.nz ☏ +64 3 470 4670 ☏ m +64 21 279 4670
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605

Hello Thomas,
IP is a connectionless protocol, and every IP datagram contains a source
and destination IP address in the IP header.

Both UDP and TCP put their data in IP datagrams -- so every TCP-in-IP
datagram and every UDP-in-IP datagram contains a source and destination IP
address.

TCP and Mosh both add connections on top of IP. (UDP is basically just a
thin layer on top of IP that adds a port number so that individual programs
can use it.)

It's not enough for either end to assume an IP based on the *initial*
datagram to get its IP:port is to query the OS.


Not quite sure what you mean here. When you write a program to receive a
UDP datagram, that program can learn the source IP and port of the datagram
by calling recvfrom() or recvmsg().
For the datagrams flowing from the mosh-server to the mosh-client, yeah,
the mosh-server is going to send using a private source address. It will be
the job of the proxy server to change that source address (and port number)
into a publicly reachable one.
I think you're going to have to write your own program to do this (using
the logic I described on June 30) -- I don't think iptables is going to be
able to do exactly what I described out of the box. But it doesn't have to
know anything about the SSP protocol and it doesn't have to decrypt
anything. It does have to rewrite the "private" IP addresses and port
numbers into public ones as I described.

Cheers,
Keith

On a separate note I re-launched Texttop as Browsh this week to a big