IETF Logo Mail Archive

Re: [Curdle] Alexey Melnikov's Discuss on draft-ietf-curdle-ssh-ext-info-12: (with DISCUSS and COMMENT)

denis bider <denisbider.ietf@gmail.com> Wed, 13 September 2017 13:49 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED10F132F31; Wed, 13 Sep 2017 06:49:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aVvY_ohuto44; Wed, 13 Sep 2017 06:49:02 -0700 (PDT)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 155D1132D44; Wed, 13 Sep 2017 06:49:02 -0700 (PDT)
Received: by mail-lf0-x22d.google.com with SMTP id 80so764139lfy.4; Wed, 13 Sep 2017 06:49:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rDaMFxc5iukxPcEkxJ9wlgEdxNoVxK4bDTAlU8ab5e0=; b=DmJY7tLoaQkGncubqKUuFjRFuFHiXao+d1H/R5/MJt3D850C4zEHZ/6tF2C5PpG/yD mjYgLlvAvz3DZwdpjaFTnzxnoN61O2AN34723602kASLPa5AEYoIKBm6TaZdBLclKAco nqjnTHLB2pO00QoaMwGkIuSiWHnZDz89J2MMMvxo+vDRYLRAXH0SL3RF3ezCp/U06kMW Yh0OzveVy+5OxkTLm54s007ob6aeHDhQFkj6FKcrVyCKhysT8Q+ZD2wOIgzDgkLZmzEU PZXtFtsTmK/dRM26ZySL0e8HM17fZ1P0fJqF8gFixI9SlQTO37P6IoxhridT4oYYRnIx ghXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rDaMFxc5iukxPcEkxJ9wlgEdxNoVxK4bDTAlU8ab5e0=; b=Fa+w4G0YbKFdDJItdDOt9C4B9k/rFHUYvBUfPd7ktKr0TLtbRMfnEBtE5dEYmBPdWM uNbJcSw0epzx+DQVaSGIRCDjWVAKWh6CvYMhYiMbtx/gceOXqygKtKCBcwZw9edp09O8 6tODXAOFsVxyV37nnVVYfIDR0ye1BkBjkwN29lO3cSIr84FBqTcOA+7p8fL/RGjkvVRd kTjVw0lfzVynGpzandW89D3PGwXeMrfSiKQ0tAtv01wJ0XFY8NFlDxeRNrzerycswgsd BoXZjJSNQjGUp+fFngZvB0WRDzim625a4jtB40os6yM0y+fRpBn05zibgJXsnX5SbtXS YoyA==
X-Gm-Message-State: AHPjjUgdNbw0evooHRlK0f1iG26pLhg8brCfrMr/QuBdIVjXJnG52sCy BjpHL7HVza429UruLOzLOosu6MSDcthR5FT6k7M=
X-Google-Smtp-Source: AOwi7QAiCx9nyN9dQXD4PC1qF6slrEIeoisTI5S8qceubSswGWyGcegOubGik3fkQPsOJq4gh3AS2Agiosld38WIDKw=
X-Received: by 10.25.18.195 with SMTP id 64mr5792125lfs.60.1505310540273; Wed, 13 Sep 2017 06:49:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.179.27.209 with HTTP; Wed, 13 Sep 2017 06:48:59 -0700 (PDT)
In-Reply-To: <1505308325.2062993.1104706296.3E3DDD7F@webmail.messagingengine.com>
References: <150530402783.30467.17664468923363358742.idtracker@ietfa.amsl.com> <CADPMZDAENLRJEhbhYv86L=Q9v9nARtsrkicyPg86yGqrjUP0mg@mail.gmail.com> <1505308325.2062993.1104706296.3E3DDD7F@webmail.messagingengine.com>
From: denis bider <denisbider.ietf@gmail.com>
Date: Wed, 13 Sep 2017 07:48:59 -0600
Message-ID: <CADPMZDAqb8QND30c+zADZRz4yo=XL_5=DYOkRPA=OCp55tq+yg@mail.gmail.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: The IESG <iesg@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>, curdle-chairs <curdle-chairs@ietf.org>, curdle <curdle@ietf.org>, draft-ietf-curdle-ssh-ext-info@ietf.org
Content-Type: multipart/alternative; boundary="001a113fb8f8079a090559126c37"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/FJeNiJVFmf2N-G2h-WvKAzg1geI>
Subject: Re: [Curdle] Alexey Melnikov's Discuss on draft-ietf-curdle-ssh-ext-info-12: (with DISCUSS and COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 13:49:06 -0000

> If you can list an example here for both the client side and the server
side, that would be great.

There is no difference between what the two send. Added a line to explain
that as well.


> capability negotiation frameworks and very few of them (at the moment
> I can't think of any, actually) have dependencies on order

Not sure if I understand you correctly, but SSH is completely dependent on
order in algorithm lists (client algorithm order matters), and I believe so
is TLS (server algorithm order matters).

The list of extensions in SSH_MSG_EXT_INFO is order agnostic by default,
because the extensions are assumed to be independent. However, I see no
reason to prevent it from becoming an algorithm list for some purposes, if
the goals of some extensions overlap.

Note that it takes zero effort to allow for this use; and requires writing
unnecessary code to prevent.

I'm not enthusiastic about writing unnecessary code to prevent a particular
type of use, just to prevent people doing something in the future. The
idea, honestly, seems stupid.


> My gut feeling is that you will never need this, so I wanted to know if
you actually
> can provide an example that depends on order.

It would have to be two or more extensions with overlapping goals. For
example:

1. Extension A attempts to address situation X.

2. Extension A is flawed in situation Y, which bothers some people.

3. Extension B is developed to addresses situations X+Y. However, being
more complete, it is much more complex than Extension A. Past experience
shows that there will be existing servers which will only do Extension A
well. They might implement B, but it will be a hack job.

4. Therefore, Extension B specifies itself as a potential replacement for
Extension A, but allows servers to signal which one they prefer by
controlling the order in which the extensions appear. If both extensions
are advertised by both parties, then Extension B is used IF it is listed
first by the server. Otherwise, if Extension A is listed first, it is used.

Common example - Extension A favored by Linux servers, Extension B favored
by everyone else. The story of SFTP.


> I think explaining this in the document would be useful.
> "Penalties" sounds a bit vague.

Added footnote to explain.

denis




On Wed, Sep 13, 2017 at 7:12 AM, Alexey Melnikov <aamelnikov@fastmail.fm>
wrote:

> On Wed, Sep 13, 2017, at 01:56 PM, denis bider wrote:
>
> > It is not clear for me from the formatting whether the first
> > name-list is sent by the client and the second by the server,
> > or both lists are always included in the value. I suspect it
> > is the former, but can you please clarify?
>
> SSH negotiates compression, integrity, and encryption algorithms
> separately for each direction. Both lists are sent by both parties. Not
> just here, but also in KEXINIT.
>
> This is used rarely in practice, but this draft keeps to the same
> practice, so as not to bundle a reduction of functionality (i.e. requiring
> same compression for both directions) in the same package as an extension
> (i.e. providing a mechanism for delayed activation of compression).
>
> The next draft will include an example of encoding, as suggested by Adam.
> This should make things clearer, even for readers unfamiliar with SSH.
>
> Yes, I think this will help. If you can list an example here for both the
> client side and the server side, that would be great.
>
>
> > 1) Sentences like:
> > Use of  Receivers MUST tolerate any sequence of bytes; including
> > null bytes at any position; in an unknown extension's extension-value.
>
> Reads fine to me. Still, I changed these to use dashes.
>
>
> > Can you provide an example of why depending on order
> > would be useful? This potentially makes it harder to implement.
>
> It is the nature of an extension mechanism that it intends to be open to
> unforeseen circumstances. If we could come up with examples for all
> possible future uses, extensions would not be required.
>
> For this reason, I would prefer if you can demonstrate how allowing for
> this possibility makes anything harder to implement. In my implementation
> experience, it doesn't.
>
> I implemented multiple capability negotiation frameworks and very few of
> them (at the moment I can't think of any, actually) have dependencies on
> order. Dealing with one element at a time seems a bit simpler.
>
> My gut feeling is that you will never need this, so I wanted to know if
> you actually can provide an example that depends on order.
>
> > In several places you use EXT_INFO instead of SSH_MSG_EXT_INFO.
> > It would be less confusing if you used the latter consistently
> everywhere.
>
> This doesn't just go for EXT_INFO, it also goes for KEXINIT, NEWKEYS,
> NEWCOMPRESS, and USERAUTH_SUCCESS.
>
> OK, I changed this to use the SSH_MSG_ prefix always.
>
> Thank you.
>
>
> >   This extension is sent by the server, and contains a list of public
> >   key algorithms that the server is able to process as part of a
> >   "publickey" authentication request. If a client sends this extension,
> >   the server MAY ignore it, and MAY disconnect.
> >
> > Why would the client disconnect when seeing this extension? Does it mean
> it is
> > broken?
> >
> > Also, as the client can always disconnect at any point, why mentioning
> this
> > here?
>
> I believe you have misread the text in this case. It should be clear from
> the above quoted snippet.
>
> Oh, do you mean that this is never supposed to be sent by the client? In
> this case, yes, I misread it. Never mind.
>
>
> > Can you elaborate on what do you mean by "authentication penalties"
> > in this context?
>
> SSH servers commonly implement some way of locking out or throttling IP
> addresses that make frequent login attempts, so as to deter brute force
> password guessing, username guessing, and similar undesired behaviors.
>
> Some servers apply such penalties to clients that attempt to use an
> unknown public key algorithm (e.g. "rsa-sha2-256"). This can result in the
> client's IP address being locked out.
>
> The "server-sig-algs" extension provides a way for the client to know that
> the server supports e.g. "rsa-sha2-256" before it attempts to use it, to
> avoid a potential IP lockout.
>
> I think explaining this in the document would be useful. "Penalties"
> sounds a bit vague.
>
> On Wed, Sep 13, 2017 at 6:00 AM, Alexey Melnikov <aamelnikov@fastmail.fm>
> wrote:
>
> Alexey Melnikov has entered the following ballot position for
> draft-ietf-curdle-ssh-ext-info-12: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-ext-info/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> This is generally a good and useful document. I have some minor comments I
> would like to discuss:
>
> 3.2.  "delay-compression"
>
>   This extension MAY be sent by both parties as follows:
>
>     string         "delay-compression"
>     string:
>       name-list    compression_algorithms_client_to_server
>       name-list    compression_algorithms_server_to_client
>
> It is not clear for me from the formatting whether the first name-list is
> sent
> by the client and the second by the server, or both lists are always
> included
> in the value. I suspect it is the former, but can you please clarify?
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> 1) Sentences like:
>   Use of  Receivers MUST tolerate any sequence of bytes; including null
> bytes
>   at any position; in an unknown extension's extension-value.
> or
>  In particular, applications MUST  tolerate any sequence of bytes;
> including
>  null bytes at any position;  in an unknown extension's extension-value.
>
> Use of punctuation is not my strongest point, but I am reasonably certain
> that
> use of ";" is not correct here. I think you should use (). Otherwise these
> sentences are reading as a list of 3 things, yet in both cases the 3rd is a
> continuation of the 1st.
>
> 2) In Section 2.5:
>
>  The relative order in which extensions appear in an
>   EXT_INFO message MUST be ignored by default; but an extension MAY
>   specify that the order matters for that extension, in a specific way.
>
> Can you provide an example of why depending on order would be useful? This
> potentially makes it harder to implement.
>
> In several places you use EXT_INFO instead of SSH_MSG_EXT_INFO. It would be
> less confusing if you used the latter consistently everywhere.
>
> 3) In 3.1:
>
>   This extension is sent by the server, and contains a list of public
>   key algorithms that the server is able to process as part of a
>   "publickey" authentication request. If a client sends this extension,
>   the server MAY ignore it, and MAY disconnect.
>
> Why would the client disconnect when seeing this extension? Does it mean
> it is
> broken?
>
> Also, as the client can always disconnect at any point, why mentioning this
> here?
>
>   If a server does not send this extension, a client MUST NOT make any
>   assumptions about the server's public key algorithm support, and MAY
>   proceed with authentication requests using trial and error. Note that
>   implementations are known to exist that apply authentication penalties
>   if the client attempts to use an unexpected public key algorithm.
>
> Can you elaborate on what do you mean by "authentication penalties" in this
> context?
>
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>
>
>

v2.23.0 | Report a Bug | By Email