IETF Logo Mail Archive

Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info

Eric Rescorla <ekr@rtfm.com> Fri, 07 April 2017 15:21 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4F5B1270A0 for <curdle@ietfa.amsl.com>; Fri, 7 Apr 2017 08:21:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Ada0BObgwyL for <curdle@ietfa.amsl.com>; Fri, 7 Apr 2017 08:21:56 -0700 (PDT)
Received: from mail-yb0-x22d.google.com (mail-yb0-x22d.google.com [IPv6:2607:f8b0:4002:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F207127BA3 for <curdle@ietf.org>; Fri, 7 Apr 2017 08:21:54 -0700 (PDT)
Received: by mail-yb0-x22d.google.com with SMTP id m133so17797182ybb.1 for <curdle@ietf.org>; Fri, 07 Apr 2017 08:21:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=G1Zon5pkAJVlhfRYSlI2t349eu6OxE5relxZhY9NAnE=; b=zj4m/WoG/h/lKHK4rQM3myB8SKa4n99BQVoIP9JNES/OTdYhGZja/o2avmv+5Md72x 7LVwRj8NS1UQH0DKFpGYkR5Re9dq+t0pSSvxRopxYpivzWpz7PS0+NvtEJ/fn8tmfR4A g00p4A4DQnm7+rPQZbYBMWgyXieRaL9tlhuh+Rq2EKesoqQSamEgyCaQYOExcrWyWDZo 1bDzUfY/Om3PXm7MuUQZfImuIobFtMhuZ8+5jRvNzNSdNUL+LfVA42f5OH86swZ0RX9v 12/L8oWPTe3B0hJLqeS6j0SQPeE30PU7cdufpLdC3FYRY9vQQPtknT1lgcPrk/XFZGLw Obzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=G1Zon5pkAJVlhfRYSlI2t349eu6OxE5relxZhY9NAnE=; b=TMVRiwjtNTAhzw3wedhKQgUHzOnN82BDo9xllwPJ7n6ZoKN/r1YeO5XruNlaVzzeIV AiBaZ+7P5lAzlBd4ZUcq0ZyJ/Pg11w1G96vCV3k8cFKvi33ecNpGXT3f6kk3mgwGVxfQ P6QsID6OyHPtvrKrpj5lqHLn7LU7Txt22bD7AYFvz+l1SSG74Yp3CLLX1clBp15soewW neNjNuP43JX6wwzeWQ4omX4y/CYsctRGuwU3xmuCU0u9TNViOlmMJ/sVfR24NqqYjUOT z5k1+/+fNm8V/Mvg6tDMQDvlX9Tv8aUqoCKmAwcYT50ecl86rmL+ReOO2VgV5bMEUCKM eqDQ==
X-Gm-Message-State: AN3rC/7tI2nnePI+sSjORhHvOergsaegSbVesUv6eqzYRwhmhu9RVCghXrsQVqcv/NhH32/1fFliffAQTS/Naw==
X-Received: by 10.37.199.11 with SMTP id w11mr7631338ybe.161.1491578513640; Fri, 07 Apr 2017 08:21:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Fri, 7 Apr 2017 08:21:13 -0700 (PDT)
In-Reply-To: <CADPMZDDG1X4awEQiigM5rocLs3Qbvup-NyaaU7J+DcW+o60zPQ@mail.gmail.com>
References: <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5A70@eusaamb107.ericsson.se> <1489827654266.43895@cs.auckland.ac.nz> <50977E6A3D174856B8DAF264C3CB81E8@Khan> <1489914378158.63423@cs.auckland.ac.nz> <74B4C5B2AFD644748A0E1B0957A22C96@Khan> <1490436136828.60577@cs.auckland.ac.nz> <76BA84F1D47F476A8DB5C8CC42AA1B57@Khan> <1491480250094.74577@cs.auckland.ac.nz> <CADPMZDDG1X4awEQiigM5rocLs3Qbvup-NyaaU7J+DcW+o60zPQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 07 Apr 2017 08:21:13 -0700
Message-ID: <CABcZeBMhx4pHNa-OBQUpTcm9i9oorTMaoQRWatg5=ox2F=8wcw@mail.gmail.com>
To: denis bider <denisbider.ietf@gmail.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c148114762f09054c952fe5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/h4oMGhc74Lx7kcF8inxghRWhkng>
Subject: Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 15:22:00 -0000

On Thu, Apr 6, 2017 at 10:32 PM, denis bider <denisbider.ietf@gmail.com>
wrote:

> > I was thinking of the problem that it's essentially
> > impossible to safely do n-RTT, n < 1, for TLS, which
> > meant that doing the same thing for SSH wasn't going
> > to be any better.  I was reasoning by analogy from TLS
> > rather than sitting down and drawing diagrams for SSH
> > to try and figure out all the possible issues.
>
> OK, but I'm not familiar with the security implications of this on TLS.
>
> Can you link to any resources where this was discussed? Whether for TLS,
> or in any other context?
>

Here is the section of TLS 1.3 that describes the security implications of
0-RTT data:

https://tlswg.github.io/tls13-spec/#zero-rtt-data

FWIW, it's less clear to me that these apply to SSH because at least the
replay issues stem from the desire to have loosely coupled distributed
servers and seamless fall back from server state or synchronization failure.

-Ekr


>
> > Perhaps adding an implementation note to say that at this
> > point the crypto hasn't been confirmed yet and so you may
> > want to be careful about what you put into your extension
> > data would be useful?
>
>  I agree, if this is a threat, we should add a warning in Security
> Considerations. But to make that warning, I have to understand the threat.
>
> If someone asks me about this warning, I want to be able to explain the
> reason in detail. At this point, what I can say is, "Peter said this on the
> list." That is, to me, insufficient backing.
>
>
> > Wouldn't "true" and "false" be a better way to express a
> > boolean?
>
> Yes if you could choose the type. But you can't choose the type, because
> all extensions have to use the same type. That type is a string.
>
>
> > I realise this is kinda bikeshedding, but having to look
> > up the spec just to figure out what mysterious magic
> > values in a boolean field specify seems a bit awkward.
>
> Booleans are equally mysterious.
>
> The third parameter to the Windows API function WaitForMultipleObjects is
> a boolean. Suppose an application passes "TRUE". Without checking the docs
> - what does that mean?
>
> If you check the docs, you know what "TRUE" in that context means. And if
> you check the spec here, you know what "p" and "s" mean.
>
> Booleans are not inherently self-documenting. (In fact - when used in
> languages with positional parameters, they are more frequently
> self-obfuscating.)
>
>
> > Given that there are a nonzero number of implementations
> > that send a window size of ~0 to indicate no flow control,
> > it may be useful to add an implementation note to point
> > this out.
>
> OK. I added the following sub-section to my current working copy:
>
>
> 3.3.1.  Implementation Note: Prior "No Flow Control" Practice
>
>   Before this extension, some applications would simply not implement
>   SSH flow control, sending an initial channel window size of 2^32 - 1.
>   Applications SHOULD NOT do this for the following reasons:
>
>   - It is entirely within the realm of possibility to transfer more than
>     2^32 bytes over a channel. The channel will then hang if the other
>     party implements SSH flow control according to [RFC4254].
>
>   - There exist implementations which cannot handle such large channel
>     window sizes, and will exhibit non-graceful behaviors, including
>     disconnection.
>
>
> denis
>
>
>
> On Thu, Apr 6, 2017 at 6:04 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
> wrote:
>
>> denis bider (Bitvise) <ietf-ssh3@denisbider.com> writes:
>>
>> >Can you point out some of these subtle problems that could occur in this
>> >regard in SSH?
>>
>> I was thinking of the problem that it's essentially impossible to safely
>> do n-
>> RTT, n < 1, for TLS, which meant that doing the same thing for SSH wasn't
>> going to be any better.  I was reasoning by analogy from TLS rather than
>> sitting down and drawing diagrams for SSH to try and figure out all the
>> possible issues.
>>
>> >Under the assumption that such an extension were defined, can you point
>> out
>> >at least one way that sending this info right after NEWKEYS can help an
>> >attacker?
>>
>> It depends on the extension.  Without one defined, there's no way to tell
>> at
>> the moment.  I could invent something that works out badly, but that'd be
>> creating a strawman... my concern is that in the future someone may
>> define a
>> problematic extension without realising that they're creating a problem.
>> Perhaps adding an implementation note to say that at this point the crypto
>> hasn't been confirmed yet and so you may want to be careful about what
>> you put
>> into your extension data would be useful?
>>
>> >But the extension value field is generically a string (it must be same
>> type
>> >for all extensions, so unsupported extensions can be decoded and
>> ignored).
>> >"p" and "s" are therefore fitting ways to express this boolean.
>>
>> Wouldn't "true" and "false" be a better way to express a boolean?  I
>> realise
>> this is kinda bikeshedding, but having to look up the spec just to figure
>> out
>> what mysterious magic values in a boolean field specify seems a bit
>> awkward.
>>
>> >Properly implemented flow control is superior. However, this extension
>> is a
>> >nod to that not everyone will be using an SSH library that does this
>> right,
>> >and "no-flow-control" is a better option if your needs are simple, and
>> you
>> >don't have a few years to get this right.
>>
>> Given that there are a nonzero number of implementations that send a
>> window
>> size of ~0 to indicate no flow control, it may be useful to add an
>> implementation note to point this out.  I enabled some diagnostic code to
>> throw an exception in my code if it found this from another implementation
>> (other than mine) and got, uh, feedback from beta-testers about it, so at
>> least some implementations are using a pseudo-infinite window size to
>> indicate
>> no flow control.  I'm not saying it should be adopted as an alternative to
>> "no-flow-control", but merely to alert implementers about the practice,
>> e.g. a
>> certain big iron vendor whose device would crash and reboot as it tried to
>> allocate ~0 bytes of memory to match the widow size.
>>
>> Peter.
>> _______________________________________________
>> Curdle mailing list
>> Curdle@ietf.org
>> https://www.ietf.org/mailman/listinfo/curdle
>>
>
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>
>

v2.23.0 | Report a Bug | By Email