Re: [Curdle] Alexey Melnikov's Discuss on draft-ietf-curdle-ssh-ext-info-12: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Thu, 14 September 2017 12:23 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89F47120720 for <curdle@ietfa.amsl.com>; Thu, 14 Sep 2017 05:23:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hAClyHnFtT_h for <curdle@ietfa.amsl.com>; Thu, 14 Sep 2017 05:23:12 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A23BC133074 for <curdle@ietf.org>; Thu, 14 Sep 2017 05:23:12 -0700 (PDT)
Received: by mail-io0-x22f.google.com with SMTP id h66so514914ioh.11 for <curdle@ietf.org>; Thu, 14 Sep 2017 05:23:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ZbdMIGsjtqwg1xRIcS1W0VOVrRqAIdSd7//wciLpeMQ=; b=LgIOkkse3CQd9CQXdAyLpZjY/GyJF9wSZP1lPr3KN+pmdS2qmHkvKd2/RQ8P7nuQiP +qP/enQTr/0n3DHvqdWMOx8HiI4Inl46j8JIttkCeupC8tftebtk1GPriWYxShJUyAti /LSABanJ4FefVscIAJ+i0SM4xp74lBPve2CT8K+o/Rhd3vDxplK1k0ValoCZQkj81SJQ 4ReES+ja7ps8ztKXcVmEQSG6VEAzhn0jGGzPPmfPGMcsQHy1pu8zMLqOwxxyn57ZSPna M4hR55xCXkuJ1h6IzetDGQyh4sAg8Kca3kgJQt5XUCDTU3EOJwJQnBqlfWGZMZRWjmk3 Ba3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ZbdMIGsjtqwg1xRIcS1W0VOVrRqAIdSd7//wciLpeMQ=; b=PzEoi8SzOKygdFekdQnUAKYTygvFgPwSn1MYVeilXJzk2wo98C3zJWPXpncPWmX939 +VKQOjuFVk91Yi0O2Xox6oSDFu0Ir6ci9waCi9xMCBpmB8ls4CG5OkVgQT4TzmJnLaBT u05dus1ZzfhaGXjbh/bRziAwkS5gpAIlp+qsyAMusOKh7QqYWigGrTF3Kfgj+fHJgnOh eBfoRRXHs/r7caOtLx4vOzcdPy2/MrXNZgeWf+DQ+cbQjFxbhvMVKUHiPrhXuu4oPMTZ N9cTVP4RGOYCMEINBEKCLs+b9+wef6NcO5J+TShHK6G5TTYWAZFbkoxa6t/OfGdr7N0g Dj3Q==
X-Gm-Message-State: AHPjjUgPpnBZ7uXBNs6vohaKaN2VJGwjj4X5vOa/LuZsRWhq3bd1Hyv/ yTJ1QDr9e2BIlsqiLdszWG4wSXobw7a5orU+xSUh+A==
X-Google-Smtp-Source: AOwi7QAwF9E35KphuRx8qvWJ5JcMK6mS3hvGf9bh4kyChKoT/cQt3NshIEqjtp7hyiccHtEn3wPb+a9mMSRt7h9GR3o=
X-Received: by 10.202.221.7 with SMTP id u7mr2778396oig.166.1505391791973; Thu, 14 Sep 2017 05:23:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.168.74.197 with HTTP; Thu, 14 Sep 2017 05:22:31 -0700 (PDT)
In-Reply-To: <CADPMZDAqb8QND30c+zADZRz4yo=XL_5=DYOkRPA=OCp55tq+yg@mail.gmail.com>
References: <150530402783.30467.17664468923363358742.idtracker@ietfa.amsl.com> <CADPMZDAENLRJEhbhYv86L=Q9v9nARtsrkicyPg86yGqrjUP0mg@mail.gmail.com> <1505308325.2062993.1104706296.3E3DDD7F@webmail.messagingengine.com> <CADPMZDAqb8QND30c+zADZRz4yo=XL_5=DYOkRPA=OCp55tq+yg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 14 Sep 2017 05:22:31 -0700
Message-ID: <CABcZeBN7kYhV_1kzP21B6gAdOOnf60bkC5dcqbLDvAxdgtqGLA@mail.gmail.com>
To: denis bider <denisbider.ietf@gmail.com>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, Daniel Migault <daniel.migault@ericsson.com>, curdle <curdle@ietf.org>, curdle-chairs <curdle-chairs@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-curdle-ssh-ext-info@ietf.org
Content-Type: multipart/alternative; boundary="001a113cf39c02420305592557b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/p3BWF-k40j7yVmjrCvC0LDAl8Z0>
Subject: Re: [Curdle] Alexey Melnikov's Discuss on draft-ietf-curdle-ssh-ext-info-12: (with DISCUSS and COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 12:23:16 -0000
It sounds like we have resolutions to both Adam's and Alexey's issues. Denis, can you please submit a new draft and then (assuming it is satisfactory to them) Adam and Alexey can clear. -Ekr On Wed, Sep 13, 2017 at 6:48 AM, denis bider <denisbider.ietf@gmail.com> wrote: > > If you can list an example here for both the client side and the server > side, that would be great. > > There is no difference between what the two send. Added a line to explain > that as well. > > > > capability negotiation frameworks and very few of them (at the moment > > I can't think of any, actually) have dependencies on order > > Not sure if I understand you correctly, but SSH is completely dependent on > order in algorithm lists (client algorithm order matters), and I believe so > is TLS (server algorithm order matters). > > The list of extensions in SSH_MSG_EXT_INFO is order agnostic by default, > because the extensions are assumed to be independent. However, I see no > reason to prevent it from becoming an algorithm list for some purposes, if > the goals of some extensions overlap. > > Note that it takes zero effort to allow for this use; and requires writing > unnecessary code to prevent. > > I'm not enthusiastic about writing unnecessary code to prevent a > particular type of use, just to prevent people doing something in the > future. The idea, honestly, seems stupid. > > > > My gut feeling is that you will never need this, so I wanted to know if > you actually > > can provide an example that depends on order. > > It would have to be two or more extensions with overlapping goals. For > example: > > 1. Extension A attempts to address situation X. > > 2. Extension A is flawed in situation Y, which bothers some people. > > 3. Extension B is developed to addresses situations X+Y. However, being > more complete, it is much more complex than Extension A. Past experience > shows that there will be existing servers which will only do Extension A > well. They might implement B, but it will be a hack job. > > 4. Therefore, Extension B specifies itself as a potential replacement for > Extension A, but allows servers to signal which one they prefer by > controlling the order in which the extensions appear. If both extensions > are advertised by both parties, then Extension B is used IF it is listed > first by the server. Otherwise, if Extension A is listed first, it is used. > > Common example - Extension A favored by Linux servers, Extension B favored > by everyone else. The story of SFTP. > > > > I think explaining this in the document would be useful. > > "Penalties" sounds a bit vague. > > Added footnote to explain. > > denis > > > > > On Wed, Sep 13, 2017 at 7:12 AM, Alexey Melnikov <aamelnikov@fastmail.fm> > wrote: > >> On Wed, Sep 13, 2017, at 01:56 PM, denis bider wrote: >> >> > It is not clear for me from the formatting whether the first >> > name-list is sent by the client and the second by the server, >> > or both lists are always included in the value. I suspect it >> > is the former, but can you please clarify? >> >> SSH negotiates compression, integrity, and encryption algorithms >> separately for each direction. Both lists are sent by both parties. Not >> just here, but also in KEXINIT. >> >> This is used rarely in practice, but this draft keeps to the same >> practice, so as not to bundle a reduction of functionality (i.e. requiring >> same compression for both directions) in the same package as an extension >> (i.e. providing a mechanism for delayed activation of compression). >> >> The next draft will include an example of encoding, as suggested by Adam. >> This should make things clearer, even for readers unfamiliar with SSH. >> >> Yes, I think this will help. If you can list an example here for both the >> client side and the server side, that would be great. >> >> >> > 1) Sentences like: >> > Use of Receivers MUST tolerate any sequence of bytes; including >> > null bytes at any position; in an unknown extension's extension-value. >> >> Reads fine to me. Still, I changed these to use dashes. >> >> >> > Can you provide an example of why depending on order >> > would be useful? This potentially makes it harder to implement. >> >> It is the nature of an extension mechanism that it intends to be open to >> unforeseen circumstances. If we could come up with examples for all >> possible future uses, extensions would not be required. >> >> For this reason, I would prefer if you can demonstrate how allowing for >> this possibility makes anything harder to implement. In my implementation >> experience, it doesn't. >> >> I implemented multiple capability negotiation frameworks and very few of >> them (at the moment I can't think of any, actually) have dependencies on >> order. Dealing with one element at a time seems a bit simpler. >> >> My gut feeling is that you will never need this, so I wanted to know if >> you actually can provide an example that depends on order. >> >> > In several places you use EXT_INFO instead of SSH_MSG_EXT_INFO. >> > It would be less confusing if you used the latter consistently >> everywhere. >> >> This doesn't just go for EXT_INFO, it also goes for KEXINIT, NEWKEYS, >> NEWCOMPRESS, and USERAUTH_SUCCESS. >> >> OK, I changed this to use the SSH_MSG_ prefix always. >> >> Thank you. >> >> >> > This extension is sent by the server, and contains a list of public >> > key algorithms that the server is able to process as part of a >> > "publickey" authentication request. If a client sends this extension, >> > the server MAY ignore it, and MAY disconnect. >> > >> > Why would the client disconnect when seeing this extension? Does it >> mean it is >> > broken? >> > >> > Also, as the client can always disconnect at any point, why mentioning >> this >> > here? >> >> I believe you have misread the text in this case. It should be clear from >> the above quoted snippet. >> >> Oh, do you mean that this is never supposed to be sent by the client? In >> this case, yes, I misread it. Never mind. >> >> >> > Can you elaborate on what do you mean by "authentication penalties" >> > in this context? >> >> SSH servers commonly implement some way of locking out or throttling IP >> addresses that make frequent login attempts, so as to deter brute force >> password guessing, username guessing, and similar undesired behaviors. >> >> Some servers apply such penalties to clients that attempt to use an >> unknown public key algorithm (e.g. "rsa-sha2-256"). This can result in the >> client's IP address being locked out. >> >> The "server-sig-algs" extension provides a way for the client to know >> that the server supports e.g. "rsa-sha2-256" before it attempts to use it, >> to avoid a potential IP lockout. >> >> I think explaining this in the document would be useful. "Penalties" >> sounds a bit vague. >> >> On Wed, Sep 13, 2017 at 6:00 AM, Alexey Melnikov <aamelnikov@fastmail.fm> >> wrote: >> >> Alexey Melnikov has entered the following ballot position for >> draft-ietf-curdle-ssh-ext-info-12: Discuss >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-ext-info/ >> >> >> >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> This is generally a good and useful document. I have some minor comments I >> would like to discuss: >> >> 3.2. "delay-compression" >> >> This extension MAY be sent by both parties as follows: >> >> string "delay-compression" >> string: >> name-list compression_algorithms_client_to_server >> name-list compression_algorithms_server_to_client >> >> It is not clear for me from the formatting whether the first name-list is >> sent >> by the client and the second by the server, or both lists are always >> included >> in the value. I suspect it is the former, but can you please clarify? >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> 1) Sentences like: >> Use of Receivers MUST tolerate any sequence of bytes; including null >> bytes >> at any position; in an unknown extension's extension-value. >> or >> In particular, applications MUST tolerate any sequence of bytes; >> including >> null bytes at any position; in an unknown extension's extension-value. >> >> Use of punctuation is not my strongest point, but I am reasonably certain >> that >> use of ";" is not correct here. I think you should use (). Otherwise these >> sentences are reading as a list of 3 things, yet in both cases the 3rd is >> a >> continuation of the 1st. >> >> 2) In Section 2.5: >> >> The relative order in which extensions appear in an >> EXT_INFO message MUST be ignored by default; but an extension MAY >> specify that the order matters for that extension, in a specific way. >> >> Can you provide an example of why depending on order would be useful? This >> potentially makes it harder to implement. >> >> In several places you use EXT_INFO instead of SSH_MSG_EXT_INFO. It would >> be >> less confusing if you used the latter consistently everywhere. >> >> 3) In 3.1: >> >> This extension is sent by the server, and contains a list of public >> key algorithms that the server is able to process as part of a >> "publickey" authentication request. If a client sends this extension, >> the server MAY ignore it, and MAY disconnect. >> >> Why would the client disconnect when seeing this extension? Does it mean >> it is >> broken? >> >> Also, as the client can always disconnect at any point, why mentioning >> this >> here? >> >> If a server does not send this extension, a client MUST NOT make any >> assumptions about the server's public key algorithm support, and MAY >> proceed with authentication requests using trial and error. Note that >> implementations are known to exist that apply authentication penalties >> if the client attempts to use an unexpected public key algorithm. >> >> Can you elaborate on what do you mean by "authentication penalties" in >> this >> context? >> >> >> _______________________________________________ >> Curdle mailing list >> Curdle@ietf.org >> https://www.ietf.org/mailman/listinfo/curdle >> >> >> > > _______________________________________________ > Curdle mailing list > Curdle@ietf.org > https://www.ietf.org/mailman/listinfo/curdle > >
- [Curdle] Alexey Melnikov's Discuss on draft-ietf-… Alexey Melnikov
- Re: [Curdle] Alexey Melnikov's Discuss on draft-i… denis bider
- Re: [Curdle] Alexey Melnikov's Discuss on draft-i… Alexey Melnikov
- Re: [Curdle] Alexey Melnikov's Discuss on draft-i… denis bider
- Re: [Curdle] Alexey Melnikov's Discuss on draft-i… Eric Rescorla
- Re: [Curdle] Alexey Melnikov's Discuss on draft-i… denis bider
- Re: [Curdle] Alexey Melnikov's Discuss on draft-i… Adam Roach
- Re: [Curdle] Alexey Melnikov's Discuss on draft-i… denis bider
- Re: [Curdle] Alexey Melnikov's Discuss on draft-i… Adam Roach
- Re: [Curdle] Alexey Melnikov's Discuss on draft-i… denis bider
- Re: [Curdle] Alexey Melnikov's Discuss on draft-i… Adam Roach