Re: [Curdle] SSH/QUIC draft
denis bider <denisbider.ietf@gmail.com> Sun, 12 July 2020 02:03 UTC
Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E3A43A083F for <curdle@ietfa.amsl.com>; Sat, 11 Jul 2020 19:03:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lNPVjdIRbXHC for <curdle@ietfa.amsl.com>; Sat, 11 Jul 2020 19:03:03 -0700 (PDT)
Received: from mail-ot1-x329.google.com (mail-ot1-x329.google.com [IPv6:2607:f8b0:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDA893A083D for <curdle@ietf.org>; Sat, 11 Jul 2020 19:03:02 -0700 (PDT)
Received: by mail-ot1-x329.google.com with SMTP id 18so7011118otv.6 for <curdle@ietf.org>; Sat, 11 Jul 2020 19:03:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Gi7o8MBTDGiN9DB45p4l3vysUL0s3PFDJdxrlMtd558=; b=OU4oC8oJT+OjENjh0L3MtiNtfAsixiJTPlXHek4Fj6e6w4TyYz7jed7h7aYW+WAnXk vRc7HpkUVGCmJ4j7DhUzbvv218ZFkTQyX449grlY7AsUEGpWgyqPYpv1xc9/XAbkNZGm juA3jjpNT8fibACAagoSxrisUcT4cnfC0t+lp/VAeRfBgscxkNsTZaROtJo1QQbu2A22 JI2pubYPKrESUSoJDgEoFgOvWDCPHtpzay1HUqkMSFjHx/fWZAp8+/Fym975tTFZ53Jr n7d8YkY79X9RnmYbPgnPWOphiFxj3P4vcbCf6n9drrKcExMKqmaSGnIkoMqT9XJI9TP2 8sZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Gi7o8MBTDGiN9DB45p4l3vysUL0s3PFDJdxrlMtd558=; b=tXTnJB2NLYSEhAPSF3uQ1lPJIub97H1mbBmzuAYYPHerxSByLF8FqvOifOii1BRmgX W0HCqzaye8UVQPgxHeycOm/wH30GLW3rHYfsRMulABWf/ah+SwP2lg4hOCue6xP0U+kr j2IOY2bHm5CyuDwUReSKUd+6Gn7z+UwzTN3j9gjao+6yNXpWoWLuPURPSyaRKRpi5I5v +QL9Kbb9YqMQQjqUNkjzUFUbv+/wnv69QldgUdcMMJvKjTsdnHcuD4oTtRjRN7hc8X9k SLhfxjUAfLZpMyS+I3hCMSxd6y1xicLXSrlYdSVU5PUiLeQWd+wN+q1MeP2d7tVAIqEt jmOw==
X-Gm-Message-State: AOAM5318glRJPCDIpOoAO0vGdZByNEUg2CoR8cpb/J1LtjUWutVYWB3Y LHyNTLZyUnIjVnjkGguZ9XxBhZb4GPXxVksuWdP3nowdLYE=
X-Google-Smtp-Source: ABdhPJz9wC+CxSO9p88X+mJ8XjQV8ZlXxlCHZFTKkLE5B+8y8FLHQpqeDlHIgYo+oRqZUZ6L8jpBYt41sSmqqyb8Wss=
X-Received: by 2002:a9d:5a01:: with SMTP id v1mr61004133oth.146.1594519381955; Sat, 11 Jul 2020 19:03:01 -0700 (PDT)
MIME-Version: 1.0
References: <CADPMZDDEYZ7aTv=NUY+4+BmMnN=JxFUHUwM7=SYq=EK5v_r1oA@mail.gmail.com> <20200711193524.GA239102@LK-Perkele-VII>
In-Reply-To: <20200711193524.GA239102@LK-Perkele-VII>
From: denis bider <denisbider.ietf@gmail.com>
Date: Sat, 11 Jul 2020 21:02:50 -0500
Message-ID: <CADPMZDDz-_KDY1NbhakTkP3CKhCOTKGUzaQZHYA=nn+-8X7X2Q@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000059574a05aa34f9ae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/fd44fx3XnIBEYfN9ENM000OP52g>
Subject: Re: [Curdle] SSH/QUIC draft
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jul 2020 02:03:06 -0000
Ilari: > Section 2.1 just seems odd. Either one should run SSH over QUIC on separate port, or use ALPN to demultiplex it from other QUIC traffic. I do not understand this comment. SSH/QUIC is a protocol which is neither SSH nor QUIC, it is SSH/QUIC. Section 2.1 explains how to tell SSH over UDP key exchange packets apart from QUIC packets. This is doable, straightforward, it makes sense, and is much preferable to asking users to configure two separate ports for one protocol. > I do not see what would prevent attacker from passively listening for legimate connection and then mounting dictionary attack against obfustication code to discover it. The fact that the attacker against whom obfuscation is effective is in China or Russia and no legitimate connection is from there. People will use trivial obfuscation keywords, or just leave it empty. The key feature here is that you can easily make it so that BEFORE the attacker can even start guessing passwords, they have to guess another password. I thought of using Argon2 to derive the obfuscation encryption key from the keyword, but it seems to introduce WAY too much complexity for an optional, nice-to-have feature. Folks whose SSH implementations run on RFID chips embedded in clothing tags will not want to implement that. This feature specifically defends against complete strangers who are not on the network route between legitimate clients and servers, and incidentally that's by far the most common type of attacks on SSH servers. > I think HTTP/3 uses 1200 bytes instead of 1400 bytes as padding target (which is within IPv6 MinMTU, but considerably above IPv4 MinMTU). Useful to know, thank you! SSH_QUIC_INIT is inspired by SSH_MSG_KEXINIT, which tends to be long in practical use of SSH. However, the current SSH_QUIC_INIT has many fewer elaborately long algorithm negotiation fields, so 1200 could also work as a target. > Why is there key exchange stuff? One should have TLS do the key exchange and then extract any needed keys. It needs to work with existing SSH configurations which use SSH host keys. SSH key exchange methods are already specified, known to SSH implementers, and do not have glaring problems. > I presume server authentication should be done using the TLS server certificate. Server authentication needs to happen using existing SSH host keys with no change for users. Users should be able to update to new SSH software versions that support SSH/QUIC and everything should work out of the box without the user noticing a difference. Server admins may need to open a UDP port in the firewall, and that's it. > All of RSA, ECDSA and EdDSA (Ed25519/Ed448) keys (including raw) are supported. That would work, but then I can't put obfuscation and trusted fingerprints in it. In practical use of SSH, these have turned out to be important missing features. Looking at it from the other perspective, I don't see what's gained from using the TLS key exchange. Instead SSH would relinquish flexibility which it currently has. For example, the current draft does not specify multi-step key exchange which does not involve host keys, such as the GSSAPI key exchange methods which allow server authentication using Kerberos. But future drafts could allow that, or the extension fields could be used to allow that. SSH key exchanges are equally as robust as TLS. What does TLS bring? A strait-jacket? A requirement to implement ASN.1? Those are things we dislike. > For client authentication, one probably should use SSH-layer mechanisms For client authentication, we use the exact same mechanisms currently used in SSH. Anything less than "no change for the user" does not fly. > For server multiplexing to work (and no server multiplexing is the single biggest complaint I have with all of SSH!) Can you explain this in more detail? As someone who has been working on an SSH server for literally 20 years, I have not seen the term "server multiplexing" used by a customer, ever. But perhaps this is because none of the people who would want that are our users. Do you mean the ability to route the connection differently depending on, for example, the host name that was entered by the user to connect? If yes, that sounds very useful to add. I'll add a "server name indication" field to SSH_QUIC_INIT in the next draft version. With an SNI-like field, you should be able to dispatch SSH_QUIC_INIT to the correct back-end server, and then dispatch subsequent packets appropriately using the QUIC Destination Connection ID. > Makes it possible for one side to close TX and abort RX. This is NOT possible in TCP. Fair point, maybe the draft should address whether aborting RX should be done and what should happen in that case. Thank you for your comments! denis On Sat, Jul 11, 2020 at 2:35 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Sat, Jul 11, 2020 at 12:50:09PM -0500, denis bider wrote: > > Hey everyone, > > > > With this inspiration, I wrote an SSH/QUIC spec which fixes all of the > > architectural problems I can think of in SSH from experience over the > years: > > > > https://datatracker.ietf.org/doc/draft-bider-ssh-quic/ > > Some comments: > > - Section 2.1 just seems odd. Either one should run SSH over QUIC on > separate port, or use ALPN to demultiplex it from other QUIC > traffic. > - I do not see what would prevent attacker from passively listening > for legimate connection and then mounting dictionary attack > against obfustication code to discover it. > - I think HTTP/3 uses 1200 bytes instead of 1400 bytes as padding > target (which is within IPv6 MinMTU, but considerably above IPv4 > MinMTU). > - Why is there key exchange stuff? One should have TLS do the key > exchange and then extract any needed keys. > - Then the overall session ID should be also extracted from TLS. > - I presume server authentication should be done using the TLS > server certificate. All of RSA, ECDSA and EdDSA (Ed25519/Ed448) > keys (including raw) are supported. > - For client authentication, one probably should use SSH-layer > mechanisms, due to some limitations of TLS-layer ones (extract nonces > or shared secrets from TLS if you need them). > - For server multiplexing to work (and no server multiplexing is the > single biggest complaint I have with all of SSH!), active migration > MUST be disabled. As far as I can tell, handing NAT rebindings is > still possible even with active migration off. > * The hacks people do to deal with this are ugly to say the least. > * Seriously, I would much rather lose NAT rebind handling than > server multiplexing. > > > Looking at QUIC specifications and trying to figure out what > QUIC looks from above: > > The basic data transport primitive is streams: > > - Each stream can be unidirectional or bidirectional. > - Stream is of arbitrary length. > - Each stream is reliable ordered at byte granularity. > - All streams are independent. > - Stream can be opened by either peer. > - Aborts are directional (not undirectional like in TCP)! > * Makes it possible for one side to close TX and abort RX. This is > NOT possible in TCP. > > Flow control: > > - There are three flow controllers. > * One operates on connection level, and limits the amount of aggerate > data that can be sent on all streams together. > * One operates on stream level, and limits data that can be sent > on that stream. > * One limits the number of streams that can be open at once. > * All are independent in both directions. > > Encryption: > > - For selecting endpoint, there server name (nice for server > multiplexing) and application layer protocol name fields. > - QUIC always does its own key exchange. > - QUIC always encrypts all application data streams. > - Server authentication with certificate or raw key is mandatory. > RSA, ECDSA and EdDSA (Ed25519/Ed448) are all supported. > - Client authentication is optional. > * The negotiation is really limited here! > - QUIC uses TLS, which can provode nonces and shares secrets for > application use. > > > > -Ilari >
- [Curdle] SSH/QUIC draft denis bider
- Re: [Curdle] SSH/QUIC draft Ilari Liusvaara
- Re: [Curdle] SSH/QUIC draft Peter Gutmann
- Re: [Curdle] SSH/QUIC draft denis bider
- Re: [Curdle] SSH/QUIC draft denis bider
- Re: [Curdle] SSH/QUIC draft Benjamin Kaduk
- Re: [Curdle] SSH/QUIC draft denis bider