Yes. The best solution would be for the ZEO protocol to support auth and crypto natively...
+10 (At least)
The next best solution (while you wait) is to use CIPE ;-)
Could be, if you can: a) Get your customers to run a platform it's been ported to b) Run something so low level that it is essentially replacing functionality that is already in their kernels. Anyone here want to try to explain to *ahem* technically non-expert *ahem* clients why PPTP is bad (in spite of _all_ major and minor OSes now bundling support for it)?
As far as I understand it, even regular TCP port forwarding is TCP over TCP and suffers from the unreliable carrier assumption causing excess (e.g. retransmit) traffic over a reliable channel.
By port-forwarding you mean... ? a) A firewall PC that receives an external connection and reroutes it to a machine on the inside? No, this is not TCP/TCP. b) An apache that takes a connection and forwards it to Zope? No, this is not TCP/TCP. What "port forwarding" are we talking about here?
Consider:
host <--TCP--> local interface <--TCP tunnel--> local interface <--TCP--> host
host <--TCP--> virtual loopback interface <--TCP--> host
In this common port forwarding scenario, the SSH or SSL tunnel creates a virtual single loopback interface that the two hosts use to talk to each other, using TCP. The transport that joins these two physical interfaces to create one virtual loopback interface is also TCP. Therefore it's TCP over TCP.
If you insist on using User Land utils for Kernel Land functions, this will be the result IMHO.
Just my 0.02c, YMMV
Adrian...