IETF Logo Mail Archive

Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 11 April 2017 00:11 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17CC4126D05 for <curdle@ietfa.amsl.com>; Mon, 10 Apr 2017 17:11:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MF6nns91rSs5 for <curdle@ietfa.amsl.com>; Mon, 10 Apr 2017 17:11:12 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1F0C124C27 for <curdle@ietf.org>; Mon, 10 Apr 2017 17:11:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1491869471; x=1523405471; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=SY9ouhn8GIsRJ8iMKUfLKX2ozzqfVisDr+IxGluPVWg=; b=hJ8qw0kVCDUXGqvUFGV+pZG41k3QAvCY8x+iMURjqwcG1+K2ESZeOWmn GvJCrIJ5oUA7dT+HDiyGzt2t67LLmA0KuvKdGbF9KP7Oy/B45ealG8N2/ ULJiIPMJwtmmd4BvwcuIXO6h5e4bNW2YdLUjmq1mEp/nVzqCc8sxc0c8a AMWgCPigIlvXtz5l91wzC0GbnaR8IwBEjzj6Oy6XRaK16hqvwKUZ7aMfE wxyV7IwhX5dk58gf3ZVzVdJ6r42qkmd4Iwb9u3Fkr25xNPRZf3wzMsEum Xsm5wyxK+n+OIO5hPieSWxXCOwznMKncW1uw4rSwKNWt8IaFFr3blMs6q A==;
X-IronPort-AV: E=Sophos;i="5.37,184,1488798000"; d="scan'208";a="149156528"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.2 - Outgoing - Outgoing
Received: from smtp.uoa.auckland.ac.nz (HELO uxcn13-tdc-a.UoA.auckland.ac.nz) ([10.6.3.2]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 11 Apr 2017 12:11:07 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-a.UoA.auckland.ac.nz (10.6.3.22) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 11 Apr 2017 12:11:06 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Tue, 11 Apr 2017 12:11:06 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: denis bider <denisbider.ietf@gmail.com>
CC: curdle <curdle@ietf.org>
Thread-Topic: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
Thread-Index: AQHSn+vj75AP59wDbUy5ryRiOFPQYKGb4DhQgAWgX4CAA91Jyf//yxWAgBMy0XmAAFvPgIACNyu///+1xACABMuyxg==
Date: Tue, 11 Apr 2017 00:11:06 +0000
Message-ID: <1491869463837.53839@cs.auckland.ac.nz>
References: <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5A70@eusaamb107.ericsson.se> <1489827654266.43895@cs.auckland.ac.nz> <50977E6A3D174856B8DAF264C3CB81E8@Khan> <1489914378158.63423@cs.auckland.ac.nz> <74B4C5B2AFD644748A0E1B0957A22C96@Khan> <1490436136828.60577@cs.auckland.ac.nz> <76BA84F1D47F476A8DB5C8CC42AA1B57@Khan> <1491480250094.74577@cs.auckland.ac.nz> <CADPMZDDG1X4awEQiigM5rocLs3Qbvup-NyaaU7J+DcW+o60zPQ@mail.gmail.com> <1491621835513.71448@cs.auckland.ac.nz>, <CADPMZDCqK-bocB5qaz6Vqj7+NHfqgeL6qCzEXhm1nE5g_PTVCQ@mail.gmail.com>
In-Reply-To: <CADPMZDCqK-bocB5qaz6Vqj7+NHfqgeL6qCzEXhm1nE5g_PTVCQ@mail.gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/BL6-6WYODf5viXV0EzRmIpa7AK0>
Subject: Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Apr 2017 00:11:14 -0000

denis bider <denisbider.ietf@gmail.com> writes:

>According to the link provided by Eric, Zero-RTT in TLS is a concept that
>does not even exist in SSH. 

Yeah, as I said, I was reasoning by analogy, that there were concerns in TLS
about sending data before mutual confirmation of crypto parameters had taken
place.  Obviously SSH isn't TLS, but in this case it would also be sending
data before the mutual conf. had occurred, i.e. before the other side's
NEWKEYS had been received.

>As-is, the "no-flow-control" extension already dictates there will be no more
>than one concurrent channel. What do you have in mind beyond that?

Hmm, but the text around it is a bit confusing, it says "MUST refuse" (= MUST
NOT I assume?) but then immediately follows it with SHOULD allow it, so it
doesn't really appear to say "only one channel".

That text really is confusing since it contradicts itself across the two
sentences.  What about replacing it with:

  Implementations MUST NOT open more than one simultaneous channel when this
  extension is in effect.

Peter.

v2.23.0 | Report a Bug | By Email