IETF Logo Mail Archive

Re: [Curdle] Alexey Melnikov's Discuss on draft-ietf-curdle-ssh-ext-info-12: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Thu, 14 September 2017 12:23 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89F47120720 for <curdle@ietfa.amsl.com>; Thu, 14 Sep 2017 05:23:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hAClyHnFtT_h for <curdle@ietfa.amsl.com>; Thu, 14 Sep 2017 05:23:12 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A23BC133074 for <curdle@ietf.org>; Thu, 14 Sep 2017 05:23:12 -0700 (PDT)
Received: by mail-io0-x22f.google.com with SMTP id h66so514914ioh.11 for <curdle@ietf.org>; Thu, 14 Sep 2017 05:23:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ZbdMIGsjtqwg1xRIcS1W0VOVrRqAIdSd7//wciLpeMQ=; b=LgIOkkse3CQd9CQXdAyLpZjY/GyJF9wSZP1lPr3KN+pmdS2qmHkvKd2/RQ8P7nuQiP +qP/enQTr/0n3DHvqdWMOx8HiI4Inl46j8JIttkCeupC8tftebtk1GPriWYxShJUyAti /LSABanJ4FefVscIAJ+i0SM4xp74lBPve2CT8K+o/Rhd3vDxplK1k0ValoCZQkj81SJQ 4ReES+ja7ps8ztKXcVmEQSG6VEAzhn0jGGzPPmfPGMcsQHy1pu8zMLqOwxxyn57ZSPna M4hR55xCXkuJ1h6IzetDGQyh4sAg8Kca3kgJQt5XUCDTU3EOJwJQnBqlfWGZMZRWjmk3 Ba3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ZbdMIGsjtqwg1xRIcS1W0VOVrRqAIdSd7//wciLpeMQ=; b=PzEoi8SzOKygdFekdQnUAKYTygvFgPwSn1MYVeilXJzk2wo98C3zJWPXpncPWmX939 +VKQOjuFVk91Yi0O2Xox6oSDFu0Ir6ci9waCi9xMCBpmB8ls4CG5OkVgQT4TzmJnLaBT u05dus1ZzfhaGXjbh/bRziAwkS5gpAIlp+qsyAMusOKh7QqYWigGrTF3Kfgj+fHJgnOh eBfoRRXHs/r7caOtLx4vOzcdPy2/MrXNZgeWf+DQ+cbQjFxbhvMVKUHiPrhXuu4oPMTZ N9cTVP4RGOYCMEINBEKCLs+b9+wef6NcO5J+TShHK6G5TTYWAZFbkoxa6t/OfGdr7N0g Dj3Q==
X-Gm-Message-State: AHPjjUgPpnBZ7uXBNs6vohaKaN2VJGwjj4X5vOa/LuZsRWhq3bd1Hyv/ yTJ1QDr9e2BIlsqiLdszWG4wSXobw7a5orU+xSUh+A==
X-Google-Smtp-Source: AOwi7QAwF9E35KphuRx8qvWJ5JcMK6mS3hvGf9bh4kyChKoT/cQt3NshIEqjtp7hyiccHtEn3wPb+a9mMSRt7h9GR3o=
X-Received: by 10.202.221.7 with SMTP id u7mr2778396oig.166.1505391791973; Thu, 14 Sep 2017 05:23:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.168.74.197 with HTTP; Thu, 14 Sep 2017 05:22:31 -0700 (PDT)
In-Reply-To: <CADPMZDAqb8QND30c+zADZRz4yo=XL_5=DYOkRPA=OCp55tq+yg@mail.gmail.com>
References: <150530402783.30467.17664468923363358742.idtracker@ietfa.amsl.com> <CADPMZDAENLRJEhbhYv86L=Q9v9nARtsrkicyPg86yGqrjUP0mg@mail.gmail.com> <1505308325.2062993.1104706296.3E3DDD7F@webmail.messagingengine.com> <CADPMZDAqb8QND30c+zADZRz4yo=XL_5=DYOkRPA=OCp55tq+yg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 14 Sep 2017 05:22:31 -0700
Message-ID: <CABcZeBN7kYhV_1kzP21B6gAdOOnf60bkC5dcqbLDvAxdgtqGLA@mail.gmail.com>
To: denis bider <denisbider.ietf@gmail.com>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, Daniel Migault <daniel.migault@ericsson.com>, curdle <curdle@ietf.org>, curdle-chairs <curdle-chairs@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-curdle-ssh-ext-info@ietf.org
Content-Type: multipart/alternative; boundary="001a113cf39c02420305592557b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/p3BWF-k40j7yVmjrCvC0LDAl8Z0>
Subject: Re: [Curdle] Alexey Melnikov's Discuss on draft-ietf-curdle-ssh-ext-info-12: (with DISCUSS and COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 12:23:16 -0000

It sounds like we have resolutions to both Adam's and Alexey's issues.
Denis, can you please submit a new draft and then (assuming it is
satisfactory to them) Adam and Alexey can clear.

-Ekr


On Wed, Sep 13, 2017 at 6:48 AM, denis bider <denisbider.ietf@gmail.com>
wrote:

> > If you can list an example here for both the client side and the server
> side, that would be great.
>
> There is no difference between what the two send. Added a line to explain
> that as well.
>
>
> > capability negotiation frameworks and very few of them (at the moment
> > I can't think of any, actually) have dependencies on order
>
> Not sure if I understand you correctly, but SSH is completely dependent on
> order in algorithm lists (client algorithm order matters), and I believe so
> is TLS (server algorithm order matters).
>
> The list of extensions in SSH_MSG_EXT_INFO is order agnostic by default,
> because the extensions are assumed to be independent. However, I see no
> reason to prevent it from becoming an algorithm list for some purposes, if
> the goals of some extensions overlap.
>
> Note that it takes zero effort to allow for this use; and requires writing
> unnecessary code to prevent.
>
> I'm not enthusiastic about writing unnecessary code to prevent a
> particular type of use, just to prevent people doing something in the
> future. The idea, honestly, seems stupid.
>
>
> > My gut feeling is that you will never need this, so I wanted to know if
> you actually
> > can provide an example that depends on order.
>
> It would have to be two or more extensions with overlapping goals. For
> example:
>
> 1. Extension A attempts to address situation X.
>
> 2. Extension A is flawed in situation Y, which bothers some people.
>
> 3. Extension B is developed to addresses situations X+Y. However, being
> more complete, it is much more complex than Extension A. Past experience
> shows that there will be existing servers which will only do Extension A
> well. They might implement B, but it will be a hack job.
>
> 4. Therefore, Extension B specifies itself as a potential replacement for
> Extension A, but allows servers to signal which one they prefer by
> controlling the order in which the extensions appear. If both extensions
> are advertised by both parties, then Extension B is used IF it is listed
> first by the server. Otherwise, if Extension A is listed first, it is used.
>
> Common example - Extension A favored by Linux servers, Extension B favored
> by everyone else. The story of SFTP.
>
>
> > I think explaining this in the document would be useful.
> > "Penalties" sounds a bit vague.
>
> Added footnote to explain.
>
> denis
>
>
>
>
> On Wed, Sep 13, 2017 at 7:12 AM, Alexey Melnikov <aamelnikov@fastmail.fm>
> wrote:
>
>> On Wed, Sep 13, 2017, at 01:56 PM, denis bider wrote:
>>
>> > It is not clear for me from the formatting whether the first
>> > name-list is sent by the client and the second by the server,
>> > or both lists are always included in the value. I suspect it
>> > is the former, but can you please clarify?
>>
>> SSH negotiates compression, integrity, and encryption algorithms
>> separately for each direction. Both lists are sent by both parties. Not
>> just here, but also in KEXINIT.
>>
>> This is used rarely in practice, but this draft keeps to the same
>> practice, so as not to bundle a reduction of functionality (i.e. requiring
>> same compression for both directions) in the same package as an extension
>> (i.e. providing a mechanism for delayed activation of compression).
>>
>> The next draft will include an example of encoding, as suggested by Adam.
>> This should make things clearer, even for readers unfamiliar with SSH.
>>
>> Yes, I think this will help. If you can list an example here for both the
>> client side and the server side, that would be great.
>>
>>
>> > 1) Sentences like:
>> > Use of  Receivers MUST tolerate any sequence of bytes; including
>> > null bytes at any position; in an unknown extension's extension-value.
>>
>> Reads fine to me. Still, I changed these to use dashes.
>>
>>
>> > Can you provide an example of why depending on order
>> > would be useful? This potentially makes it harder to implement.
>>
>> It is the nature of an extension mechanism that it intends to be open to
>> unforeseen circumstances. If we could come up with examples for all
>> possible future uses, extensions would not be required.
>>
>> For this reason, I would prefer if you can demonstrate how allowing for
>> this possibility makes anything harder to implement. In my implementation
>> experience, it doesn't.
>>
>> I implemented multiple capability negotiation frameworks and very few of
>> them (at the moment I can't think of any, actually) have dependencies on
>> order. Dealing with one element at a time seems a bit simpler.
>>
>> My gut feeling is that you will never need this, so I wanted to know if
>> you actually can provide an example that depends on order.
>>
>> > In several places you use EXT_INFO instead of SSH_MSG_EXT_INFO.
>> > It would be less confusing if you used the latter consistently
>> everywhere.
>>
>> This doesn't just go for EXT_INFO, it also goes for KEXINIT, NEWKEYS,
>> NEWCOMPRESS, and USERAUTH_SUCCESS.
>>
>> OK, I changed this to use the SSH_MSG_ prefix always.
>>
>> Thank you.
>>
>>
>> >   This extension is sent by the server, and contains a list of public
>> >   key algorithms that the server is able to process as part of a
>> >   "publickey" authentication request. If a client sends this extension,
>> >   the server MAY ignore it, and MAY disconnect.
>> >
>> > Why would the client disconnect when seeing this extension? Does it
>> mean it is
>> > broken?
>> >
>> > Also, as the client can always disconnect at any point, why mentioning
>> this
>> > here?
>>
>> I believe you have misread the text in this case. It should be clear from
>> the above quoted snippet.
>>
>> Oh, do you mean that this is never supposed to be sent by the client? In
>> this case, yes, I misread it. Never mind.
>>
>>
>> > Can you elaborate on what do you mean by "authentication penalties"
>> > in this context?
>>
>> SSH servers commonly implement some way of locking out or throttling IP
>> addresses that make frequent login attempts, so as to deter brute force
>> password guessing, username guessing, and similar undesired behaviors.
>>
>> Some servers apply such penalties to clients that attempt to use an
>> unknown public key algorithm (e.g. "rsa-sha2-256"). This can result in the
>> client's IP address being locked out.
>>
>> The "server-sig-algs" extension provides a way for the client to know
>> that the server supports e.g. "rsa-sha2-256" before it attempts to use it,
>> to avoid a potential IP lockout.
>>
>> I think explaining this in the document would be useful. "Penalties"
>> sounds a bit vague.
>>
>> On Wed, Sep 13, 2017 at 6:00 AM, Alexey Melnikov <aamelnikov@fastmail.fm>
>> wrote:
>>
>> Alexey Melnikov has entered the following ballot position for
>> draft-ietf-curdle-ssh-ext-info-12: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-ext-info/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> This is generally a good and useful document. I have some minor comments I
>> would like to discuss:
>>
>> 3.2.  "delay-compression"
>>
>>   This extension MAY be sent by both parties as follows:
>>
>>     string         "delay-compression"
>>     string:
>>       name-list    compression_algorithms_client_to_server
>>       name-list    compression_algorithms_server_to_client
>>
>> It is not clear for me from the formatting whether the first name-list is
>> sent
>> by the client and the second by the server, or both lists are always
>> included
>> in the value. I suspect it is the former, but can you please clarify?
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> 1) Sentences like:
>>   Use of  Receivers MUST tolerate any sequence of bytes; including null
>> bytes
>>   at any position; in an unknown extension's extension-value.
>> or
>>  In particular, applications MUST  tolerate any sequence of bytes;
>> including
>>  null bytes at any position;  in an unknown extension's extension-value.
>>
>> Use of punctuation is not my strongest point, but I am reasonably certain
>> that
>> use of ";" is not correct here. I think you should use (). Otherwise these
>> sentences are reading as a list of 3 things, yet in both cases the 3rd is
>> a
>> continuation of the 1st.
>>
>> 2) In Section 2.5:
>>
>>  The relative order in which extensions appear in an
>>   EXT_INFO message MUST be ignored by default; but an extension MAY
>>   specify that the order matters for that extension, in a specific way.
>>
>> Can you provide an example of why depending on order would be useful? This
>> potentially makes it harder to implement.
>>
>> In several places you use EXT_INFO instead of SSH_MSG_EXT_INFO. It would
>> be
>> less confusing if you used the latter consistently everywhere.
>>
>> 3) In 3.1:
>>
>>   This extension is sent by the server, and contains a list of public
>>   key algorithms that the server is able to process as part of a
>>   "publickey" authentication request. If a client sends this extension,
>>   the server MAY ignore it, and MAY disconnect.
>>
>> Why would the client disconnect when seeing this extension? Does it mean
>> it is
>> broken?
>>
>> Also, as the client can always disconnect at any point, why mentioning
>> this
>> here?
>>
>>   If a server does not send this extension, a client MUST NOT make any
>>   assumptions about the server's public key algorithm support, and MAY
>>   proceed with authentication requests using trial and error. Note that
>>   implementations are known to exist that apply authentication penalties
>>   if the client attempts to use an unexpected public key algorithm.
>>
>> Can you elaborate on what do you mean by "authentication penalties" in
>> this
>> context?
>>
>>
>> _______________________________________________
>> Curdle mailing list
>> Curdle@ietf.org
>> https://www.ietf.org/mailman/listinfo/curdle
>>
>>
>>
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>
>

v2.23.0 | Report a Bug | By Email