IETF Logo Mail Archive

Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info

denis bider <denisbider.ietf@gmail.com> Fri, 07 April 2017 05:32 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19D1C12702E for <curdle@ietfa.amsl.com>; Thu, 6 Apr 2017 22:32:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PlDSRNsbv7DK for <curdle@ietfa.amsl.com>; Thu, 6 Apr 2017 22:32:10 -0700 (PDT)
Received: from mail-qt0-x22e.google.com (mail-qt0-x22e.google.com [IPv6:2607:f8b0:400d:c0d::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1824F1270FC for <curdle@ietf.org>; Thu, 6 Apr 2017 22:32:09 -0700 (PDT)
Received: by mail-qt0-x22e.google.com with SMTP id i34so53232033qtc.0 for <curdle@ietf.org>; Thu, 06 Apr 2017 22:32:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=iwgxIoIlJlyRp0vyKgHqHToVQfE/w4MK5haHcWAjUKE=; b=QV1zUI9YgoGZnpNu1Qp7QkdcypY3FFwbopuVgcncl+phkEHw8YZXyVz8N/MD3ou8bH PdGjoJRqKe2UvTXAnE0KI1s9/QWuco2EVt61xFUsn90Vi5Xi68Nwvo5K+vGXrXlSf1yT CnfjYeo/XhMYGC926CKKufWQErShYDhagB/yp+LO+RylIlUb4IlxB8RbaBRo182x9HA6 eAYCuiwGlR+m3RjSqQtRHH5aUCBHehZRlFpeQVfcZzqIDaCcjz17rEFIsA1keu2xZ/Se A3qp4zNFsAdXYW2Pc0KZIO9j7IgRRP9dmg4GXf3QwNKdMUadmHhmCB9Dl5xmXk1fuBuT JUXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=iwgxIoIlJlyRp0vyKgHqHToVQfE/w4MK5haHcWAjUKE=; b=T5TEqdcosPQMaAIkOuQLjrX5ha6pomRgLdwnOn1nm7FyI647oYA/KOdCMvPWXTpaRi w8NnT80gdLnEOwDXRtpGSQrz0juuKn6ZJCIHt5+bmIjfJqTIQywfg1N6SBPJcgerb/hb 0cTuXy4K6F7Q29uCr41R4UfQDFNdx4KgTBtKFB/CCp6nVhQtqExo12+Kb5uO52c80+A/ QyE5oRh/ZEu4zzSF56cLXh4hAl4rvKEdZ0csEWBfOoCP/egYtCSmkcUtCttFDkK+O8iY R1RvYZua2r+5WuBXw3FeJviw0wQEOvxNe2b6KDK8i1vQEZz3PqFHOTaoqNJCAuO3n9oy 6tqg==
X-Gm-Message-State: AFeK/H0+4PKEJcL48mMJN9T+WkJWz9M0tj975Uqj1UuU35oKhzhtaHPektqq5qbHGTwmg1QDiicyzWKB748+RA==
X-Received: by 10.237.34.8 with SMTP id n8mr41276685qtc.98.1491543128018; Thu, 06 Apr 2017 22:32:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.138.239 with HTTP; Thu, 6 Apr 2017 22:32:07 -0700 (PDT)
In-Reply-To: <1491480250094.74577@cs.auckland.ac.nz>
References: <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5A70@eusaamb107.ericsson.se> <1489827654266.43895@cs.auckland.ac.nz> <50977E6A3D174856B8DAF264C3CB81E8@Khan> <1489914378158.63423@cs.auckland.ac.nz> <74B4C5B2AFD644748A0E1B0957A22C96@Khan> <1490436136828.60577@cs.auckland.ac.nz> <76BA84F1D47F476A8DB5C8CC42AA1B57@Khan> <1491480250094.74577@cs.auckland.ac.nz>
From: denis bider <denisbider.ietf@gmail.com>
Date: Thu, 06 Apr 2017 23:32:07 -0600
Message-ID: <CADPMZDDG1X4awEQiigM5rocLs3Qbvup-NyaaU7J+DcW+o60zPQ@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="001a113f09385015b4054c8cf207"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/-hZM60_t0RmPQatQNHLNA6-3yiA>
Subject: Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 05:32:14 -0000

> I was thinking of the problem that it's essentially
> impossible to safely do n-RTT, n < 1, for TLS, which
> meant that doing the same thing for SSH wasn't going
> to be any better.  I was reasoning by analogy from TLS
> rather than sitting down and drawing diagrams for SSH
> to try and figure out all the possible issues.

OK, but I'm not familiar with the security implications of this on TLS.

Can you link to any resources where this was discussed? Whether for TLS, or
in any other context?


> Perhaps adding an implementation note to say that at this
> point the crypto hasn't been confirmed yet and so you may
> want to be careful about what you put into your extension
> data would be useful?

 I agree, if this is a threat, we should add a warning in Security
Considerations. But to make that warning, I have to understand the threat.

If someone asks me about this warning, I want to be able to explain the
reason in detail. At this point, what I can say is, "Peter said this on the
list." That is, to me, insufficient backing.


> Wouldn't "true" and "false" be a better way to express a
> boolean?

Yes if you could choose the type. But you can't choose the type, because
all extensions have to use the same type. That type is a string.


> I realise this is kinda bikeshedding, but having to look
> up the spec just to figure out what mysterious magic
> values in a boolean field specify seems a bit awkward.

Booleans are equally mysterious.

The third parameter to the Windows API function WaitForMultipleObjects is a
boolean. Suppose an application passes "TRUE". Without checking the docs -
what does that mean?

If you check the docs, you know what "TRUE" in that context means. And if
you check the spec here, you know what "p" and "s" mean.

Booleans are not inherently self-documenting. (In fact - when used in
languages with positional parameters, they are more frequently
self-obfuscating.)


> Given that there are a nonzero number of implementations
> that send a window size of ~0 to indicate no flow control,
> it may be useful to add an implementation note to point
> this out.

OK. I added the following sub-section to my current working copy:


3.3.1.  Implementation Note: Prior "No Flow Control" Practice

  Before this extension, some applications would simply not implement
  SSH flow control, sending an initial channel window size of 2^32 - 1.
  Applications SHOULD NOT do this for the following reasons:

  - It is entirely within the realm of possibility to transfer more than
    2^32 bytes over a channel. The channel will then hang if the other
    party implements SSH flow control according to [RFC4254].

  - There exist implementations which cannot handle such large channel
    window sizes, and will exhibit non-graceful behaviors, including
    disconnection.


denis



On Thu, Apr 6, 2017 at 6:04 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

> denis bider (Bitvise) <ietf-ssh3@denisbider.com> writes:
>
> >Can you point out some of these subtle problems that could occur in this
> >regard in SSH?
>
> I was thinking of the problem that it's essentially impossible to safely
> do n-
> RTT, n < 1, for TLS, which meant that doing the same thing for SSH wasn't
> going to be any better.  I was reasoning by analogy from TLS rather than
> sitting down and drawing diagrams for SSH to try and figure out all the
> possible issues.
>
> >Under the assumption that such an extension were defined, can you point
> out
> >at least one way that sending this info right after NEWKEYS can help an
> >attacker?
>
> It depends on the extension.  Without one defined, there's no way to tell
> at
> the moment.  I could invent something that works out badly, but that'd be
> creating a strawman... my concern is that in the future someone may define
> a
> problematic extension without realising that they're creating a problem.
> Perhaps adding an implementation note to say that at this point the crypto
> hasn't been confirmed yet and so you may want to be careful about what you
> put
> into your extension data would be useful?
>
> >But the extension value field is generically a string (it must be same
> type
> >for all extensions, so unsupported extensions can be decoded and ignored).
> >"p" and "s" are therefore fitting ways to express this boolean.
>
> Wouldn't "true" and "false" be a better way to express a boolean?  I
> realise
> this is kinda bikeshedding, but having to look up the spec just to figure
> out
> what mysterious magic values in a boolean field specify seems a bit
> awkward.
>
> >Properly implemented flow control is superior. However, this extension is
> a
> >nod to that not everyone will be using an SSH library that does this
> right,
> >and "no-flow-control" is a better option if your needs are simple, and you
> >don't have a few years to get this right.
>
> Given that there are a nonzero number of implementations that send a window
> size of ~0 to indicate no flow control, it may be useful to add an
> implementation note to point this out.  I enabled some diagnostic code to
> throw an exception in my code if it found this from another implementation
> (other than mine) and got, uh, feedback from beta-testers about it, so at
> least some implementations are using a pseudo-infinite window size to
> indicate
> no flow control.  I'm not saying it should be adopted as an alternative to
> "no-flow-control", but merely to alert implementers about the practice,
> e.g. a
> certain big iron vendor whose device would crash and reboot as it tried to
> allocate ~0 bytes of memory to match the widow size.
>
> Peter.
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>

v2.23.0 | Report a Bug | By Email