IETF Logo Mail Archive

Re: [Curdle] Alexey Melnikov's Discuss on draft-ietf-curdle-ssh-ext-info-12: (with DISCUSS and COMMENT)

denis bider <denisbider.ietf@gmail.com> Thu, 14 September 2017 13:08 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 092F5132F65; Thu, 14 Sep 2017 06:08:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o2AfbTCEUaFG; Thu, 14 Sep 2017 06:08:22 -0700 (PDT)
Received: from mail-lf0-x234.google.com (mail-lf0-x234.google.com [IPv6:2a00:1450:4010:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFBA3133010; Thu, 14 Sep 2017 06:08:21 -0700 (PDT)
Received: by mail-lf0-x234.google.com with SMTP id k23so351253lfi.11; Thu, 14 Sep 2017 06:08:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oMN0dXKAU7jacfnGwXmQ7k9kDXM5Y+y+c0LJJyaue9A=; b=GIdmpY1jDpXqk8OZNuXgxrKinqxub8eC2YOP4PLBDQRL1fNbw/qydzPuoGtlZSa5Lm 1Izg2HhZOw2KL9d3NbI+L01b31ElT11oLtVB/Gh6LQ5rvdTfblNi5ya94R1R0zKRzu4v z0IjANGUXfJ0o7yQHPdDAD6hfom3xqZz12FVYiDnGT0qFwjKDe7KRFTzU/DqDRN08hR3 VTsqvo+8md+5fX5KJZMCkZyf8aTLjTqLRO9zVNqOYiTh72ekx8hBRAOfqMzGnZqVSpkT 9Wgv0XzJi26yK+agqrfUS7BDwj/8nZMwDnuxpW5ogh82zjmHM2U94FA3iWEwzpY95cTl D63A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oMN0dXKAU7jacfnGwXmQ7k9kDXM5Y+y+c0LJJyaue9A=; b=EP9d1DOCreDTeMeil/Wq2w0RWAcTfIrioLQ3sgtyUH7gtZjRnheMB3POe6g3jYeyr0 73N2YA/Fv6yLKFjV/OUwySiHs0JRbK8lGqloM3tGYFdJ99uZXGH7RINvaQgLD0JH+0OV 4C8cVulbDosI8f0vU0wIrPimxVYUaEZjUaTEzgKxTXeNUmNw8xX7RU0mfJ+NV0snhOjQ +UtRZZXw7czRkCGhIyq7WG6/9mV2F1siT0nlsqemAuMGGy1qKRqsVMsodWTNPDddzdJ1 /pxFPlfHZBe74p5LXLOmMVW9Ya13+28cEO/uHewKI5YmUlpTbquZJyfrav9t24Py/2Gy c6bw==
X-Gm-Message-State: AHPjjUgsiRRS9WvV6q/2nXXVTCsDbPM7UKi2LN0DAQpqGA8DrxgiUC5U TFRFfELzIDpg/tDZ9G3PMD67eoPlbjDWZikAArE=
X-Google-Smtp-Source: ADKCNb556/NZ7jWZnO/wxAcbBgV0baDh8wvPLHw4IVzU3WDGUDB9rYsL+hSK6smXvd7sKTsSbXyKHDVlX1muYVMRciE=
X-Received: by 10.46.0.160 with SMTP id e32mr9066162lji.106.1505394500195; Thu, 14 Sep 2017 06:08:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.179.27.209 with HTTP; Thu, 14 Sep 2017 06:08:19 -0700 (PDT)
In-Reply-To: <CABcZeBN7kYhV_1kzP21B6gAdOOnf60bkC5dcqbLDvAxdgtqGLA@mail.gmail.com>
References: <150530402783.30467.17664468923363358742.idtracker@ietfa.amsl.com> <CADPMZDAENLRJEhbhYv86L=Q9v9nARtsrkicyPg86yGqrjUP0mg@mail.gmail.com> <1505308325.2062993.1104706296.3E3DDD7F@webmail.messagingengine.com> <CADPMZDAqb8QND30c+zADZRz4yo=XL_5=DYOkRPA=OCp55tq+yg@mail.gmail.com> <CABcZeBN7kYhV_1kzP21B6gAdOOnf60bkC5dcqbLDvAxdgtqGLA@mail.gmail.com>
From: denis bider <denisbider.ietf@gmail.com>
Date: Thu, 14 Sep 2017 07:08:19 -0600
Message-ID: <CADPMZDBMLNamDq+32S9t=e5-dp4w3-tiu92cVjuvVgej0_Epzg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, Daniel Migault <daniel.migault@ericsson.com>, curdle <curdle@ietf.org>, curdle-chairs <curdle-chairs@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-curdle-ssh-ext-info@ietf.org
Content-Type: multipart/alternative; boundary="001a1142bbc66e5993055925f86b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/PPzDQX2DEu8M2ZDpiudXZmMFKq0>
Subject: Re: [Curdle] Alexey Melnikov's Discuss on draft-ietf-curdle-ssh-ext-info-12: (with DISCUSS and COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 13:08:26 -0000

Submitted. :-)

On Thu, Sep 14, 2017 at 6:22 AM, Eric Rescorla <ekr@rtfm.com> wrote:

> It sounds like we have resolutions to both Adam's and Alexey's issues.
> Denis, can you please submit a new draft and then (assuming it is
> satisfactory to them) Adam and Alexey can clear.
>
> -Ekr
>
>
> On Wed, Sep 13, 2017 at 6:48 AM, denis bider <denisbider.ietf@gmail.com>
> wrote:
>
>> > If you can list an example here for both the client side and the
>> server side, that would be great.
>>
>> There is no difference between what the two send. Added a line to explain
>> that as well.
>>
>>
>> > capability negotiation frameworks and very few of them (at the moment
>> > I can't think of any, actually) have dependencies on order
>>
>> Not sure if I understand you correctly, but SSH is completely dependent
>> on order in algorithm lists (client algorithm order matters), and I believe
>> so is TLS (server algorithm order matters).
>>
>> The list of extensions in SSH_MSG_EXT_INFO is order agnostic by default,
>> because the extensions are assumed to be independent. However, I see no
>> reason to prevent it from becoming an algorithm list for some purposes, if
>> the goals of some extensions overlap.
>>
>> Note that it takes zero effort to allow for this use; and requires
>> writing unnecessary code to prevent.
>>
>> I'm not enthusiastic about writing unnecessary code to prevent a
>> particular type of use, just to prevent people doing something in the
>> future. The idea, honestly, seems stupid.
>>
>>
>> > My gut feeling is that you will never need this, so I wanted to know
>> if you actually
>> > can provide an example that depends on order.
>>
>> It would have to be two or more extensions with overlapping goals. For
>> example:
>>
>> 1. Extension A attempts to address situation X.
>>
>> 2. Extension A is flawed in situation Y, which bothers some people.
>>
>> 3. Extension B is developed to addresses situations X+Y. However, being
>> more complete, it is much more complex than Extension A. Past experience
>> shows that there will be existing servers which will only do Extension A
>> well. They might implement B, but it will be a hack job.
>>
>> 4. Therefore, Extension B specifies itself as a potential replacement for
>> Extension A, but allows servers to signal which one they prefer by
>> controlling the order in which the extensions appear. If both extensions
>> are advertised by both parties, then Extension B is used IF it is listed
>> first by the server. Otherwise, if Extension A is listed first, it is used.
>>
>> Common example - Extension A favored by Linux servers, Extension B
>> favored by everyone else. The story of SFTP.
>>
>>
>> > I think explaining this in the document would be useful.
>> > "Penalties" sounds a bit vague.
>>
>> Added footnote to explain.
>>
>> denis
>>
>>
>>
>>
>> On Wed, Sep 13, 2017 at 7:12 AM, Alexey Melnikov <aamelnikov@fastmail.fm>
>> wrote:
>>
>>> On Wed, Sep 13, 2017, at 01:56 PM, denis bider wrote:
>>>
>>> > It is not clear for me from the formatting whether the first
>>> > name-list is sent by the client and the second by the server,
>>> > or both lists are always included in the value. I suspect it
>>> > is the former, but can you please clarify?
>>>
>>> SSH negotiates compression, integrity, and encryption algorithms
>>> separately for each direction. Both lists are sent by both parties. Not
>>> just here, but also in KEXINIT.
>>>
>>> This is used rarely in practice, but this draft keeps to the same
>>> practice, so as not to bundle a reduction of functionality (i.e. requiring
>>> same compression for both directions) in the same package as an extension
>>> (i.e. providing a mechanism for delayed activation of compression).
>>>
>>> The next draft will include an example of encoding, as suggested by
>>> Adam. This should make things clearer, even for readers unfamiliar with SSH.
>>>
>>> Yes, I think this will help. If you can list an example here for both
>>> the client side and the server side, that would be great.
>>>
>>>
>>> > 1) Sentences like:
>>> > Use of  Receivers MUST tolerate any sequence of bytes; including
>>> > null bytes at any position; in an unknown extension's extension-value.
>>>
>>> Reads fine to me. Still, I changed these to use dashes.
>>>
>>>
>>> > Can you provide an example of why depending on order
>>> > would be useful? This potentially makes it harder to implement.
>>>
>>> It is the nature of an extension mechanism that it intends to be open to
>>> unforeseen circumstances. If we could come up with examples for all
>>> possible future uses, extensions would not be required.
>>>
>>> For this reason, I would prefer if you can demonstrate how allowing for
>>> this possibility makes anything harder to implement. In my implementation
>>> experience, it doesn't.
>>>
>>> I implemented multiple capability negotiation frameworks and very few of
>>> them (at the moment I can't think of any, actually) have dependencies on
>>> order. Dealing with one element at a time seems a bit simpler.
>>>
>>> My gut feeling is that you will never need this, so I wanted to know if
>>> you actually can provide an example that depends on order.
>>>
>>> > In several places you use EXT_INFO instead of SSH_MSG_EXT_INFO.
>>> > It would be less confusing if you used the latter consistently
>>> everywhere.
>>>
>>> This doesn't just go for EXT_INFO, it also goes for KEXINIT, NEWKEYS,
>>> NEWCOMPRESS, and USERAUTH_SUCCESS.
>>>
>>> OK, I changed this to use the SSH_MSG_ prefix always.
>>>
>>> Thank you.
>>>
>>>
>>> >   This extension is sent by the server, and contains a list of public
>>> >   key algorithms that the server is able to process as part of a
>>> >   "publickey" authentication request. If a client sends this extension,
>>> >   the server MAY ignore it, and MAY disconnect.
>>> >
>>> > Why would the client disconnect when seeing this extension? Does it
>>> mean it is
>>> > broken?
>>> >
>>> > Also, as the client can always disconnect at any point, why mentioning
>>> this
>>> > here?
>>>
>>> I believe you have misread the text in this case. It should be clear
>>> from the above quoted snippet.
>>>
>>> Oh, do you mean that this is never supposed to be sent by the client? In
>>> this case, yes, I misread it. Never mind.
>>>
>>>
>>> > Can you elaborate on what do you mean by "authentication penalties"
>>> > in this context?
>>>
>>> SSH servers commonly implement some way of locking out or throttling IP
>>> addresses that make frequent login attempts, so as to deter brute force
>>> password guessing, username guessing, and similar undesired behaviors.
>>>
>>> Some servers apply such penalties to clients that attempt to use an
>>> unknown public key algorithm (e.g. "rsa-sha2-256"). This can result in the
>>> client's IP address being locked out.
>>>
>>> The "server-sig-algs" extension provides a way for the client to know
>>> that the server supports e.g. "rsa-sha2-256" before it attempts to use it,
>>> to avoid a potential IP lockout.
>>>
>>> I think explaining this in the document would be useful. "Penalties"
>>> sounds a bit vague.
>>>
>>> On Wed, Sep 13, 2017 at 6:00 AM, Alexey Melnikov <aamelnikov@fastmail.fm
>>> > wrote:
>>>
>>> Alexey Melnikov has entered the following ballot position for
>>> draft-ietf-curdle-ssh-ext-info-12: Discuss
>>>
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>>
>>>
>>> Please refer to https://www.ietf.org/iesg/stat
>>> ement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>>
>>>
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-ext-info/
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>>
>>> This is generally a good and useful document. I have some minor comments
>>> I
>>> would like to discuss:
>>>
>>> 3.2.  "delay-compression"
>>>
>>>   This extension MAY be sent by both parties as follows:
>>>
>>>     string         "delay-compression"
>>>     string:
>>>       name-list    compression_algorithms_client_to_server
>>>       name-list    compression_algorithms_server_to_client
>>>
>>> It is not clear for me from the formatting whether the first name-list
>>> is sent
>>> by the client and the second by the server, or both lists are always
>>> included
>>> in the value. I suspect it is the former, but can you please clarify?
>>>
>>>
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>>
>>> 1) Sentences like:
>>>   Use of  Receivers MUST tolerate any sequence of bytes; including null
>>> bytes
>>>   at any position; in an unknown extension's extension-value.
>>> or
>>>  In particular, applications MUST  tolerate any sequence of bytes;
>>> including
>>>  null bytes at any position;  in an unknown extension's extension-value.
>>>
>>> Use of punctuation is not my strongest point, but I am reasonably
>>> certain that
>>> use of ";" is not correct here. I think you should use (). Otherwise
>>> these
>>> sentences are reading as a list of 3 things, yet in both cases the 3rd
>>> is a
>>> continuation of the 1st.
>>>
>>> 2) In Section 2.5:
>>>
>>>  The relative order in which extensions appear in an
>>>   EXT_INFO message MUST be ignored by default; but an extension MAY
>>>   specify that the order matters for that extension, in a specific way.
>>>
>>> Can you provide an example of why depending on order would be useful?
>>> This
>>> potentially makes it harder to implement.
>>>
>>> In several places you use EXT_INFO instead of SSH_MSG_EXT_INFO. It would
>>> be
>>> less confusing if you used the latter consistently everywhere.
>>>
>>> 3) In 3.1:
>>>
>>>   This extension is sent by the server, and contains a list of public
>>>   key algorithms that the server is able to process as part of a
>>>   "publickey" authentication request. If a client sends this extension,
>>>   the server MAY ignore it, and MAY disconnect.
>>>
>>> Why would the client disconnect when seeing this extension? Does it mean
>>> it is
>>> broken?
>>>
>>> Also, as the client can always disconnect at any point, why mentioning
>>> this
>>> here?
>>>
>>>   If a server does not send this extension, a client MUST NOT make any
>>>   assumptions about the server's public key algorithm support, and MAY
>>>   proceed with authentication requests using trial and error. Note that
>>>   implementations are known to exist that apply authentication penalties
>>>   if the client attempts to use an unexpected public key algorithm.
>>>
>>> Can you elaborate on what do you mean by "authentication penalties" in
>>> this
>>> context?
>>>
>>>
>>> _______________________________________________
>>> Curdle mailing list
>>> Curdle@ietf.org
>>> https://www.ietf.org/mailman/listinfo/curdle
>>>
>>>
>>>
>>
>> _______________________________________________
>> Curdle mailing list
>> Curdle@ietf.org
>> https://www.ietf.org/mailman/listinfo/curdle
>>
>>
>

v2.23.0 | Report a Bug | By Email