Re: SSH v3?
Olivier Bonaventure <Olivier.Bonaventure@uclouvain.be> Sun, 06 December 2015 23:32 UTC
Reply-To: Olivier.Bonaventure@uclouvain.be
Subject: Re: SSH v3?
References: <1537810400-3144@skroderider.denisbider.com> <nnio4hp7t9.fsf@armitage.lysator.liu.se>
To: Niels Möller <nisse@lysator.liu.se>, denis bider <ietf-ssh3@denisbider.com>
Cc: Damien Miller <djm@mindrot.org>, Simon Tatham <anakin@pobox.com>, Simon Josefsson <simon@josefsson.org>, ietf-ssh@netbsd.org
From: Olivier Bonaventure <Olivier.Bonaventure@uclouvain.be>
Message-ID: <5664B308.6050605@uclouvain.be>
Date: Sun, 06 Dec 2015 23:13:28 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <nnio4hp7t9.fsf@armitage.lysator.liu.se>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Niels, Denis,

>
>> - On connections prone to random errors (wireless), large transfers
>> are bound for disconnects at a rate of 2^-16 per error. TCP just
>> corrupts the data in this case. SSH detects the corruption, but cannot
>> recover from it.
>> - A TCP connection can be reset by a single spoofed RST packet from
>> anyone who knows the IP address and port number of one of the end
>> points.
>
> So you're basically saying that tcp sucks. That's not very ssh specific.
>
> Maybe it would make sense with some mechanism to let ssh reconnect after
> a tcp connection fails. You may also want to have a look at mptcp,
> which, among other things, can let a connection survive failure of a
> single tcp flow.

Indeed, mptcp can cope with several of the issues that you mention. Upon
reception of a (spurious, fake, middlebox-generated, ...) RST, MPTCP can
preserve the connection and re-establish a subflow. MPTCP is also able to
use different paths simultaneously, which brings interesting benefits and
challenges from a security viewpoint.

MPTCP has been standardised by the IETF (RFC6824), and there are
implementations for Linux (http://www.multipath-tcp.org), Apple (iOS and
macOS ship it but only enable it for Siri), FreeBSD (partial) and Oracle.

It is also possible to better integrate a security protocol like SSH with
the underlying MPTCP. I wrote a first step in this direction last year for
TLS: https://tools.ietf.org/html/draft-bonaventure-mptcp-tls-00

A similar approach could be used for SSH. Basically, the main idea is to
delegate the authentication of the received data to MPTCP so that MPTCP
can detect packet errors and recover at this layer (e.g. by releasing a
subflow and restarting another one) without forcing the security protocol
to terminate the session because invalid data was received.

Olivier
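The failure mode discussed in this message, as an added illustration (this is not code from the thread, from OpenSSH, or from any MPTCP implementation; the MAC key, the payloads and the corruption pattern are constructed for the example): a two-bit error that cancels out under TCP's 16-bit one's-complement checksum is delivered as if it were intact, an SSH-style receiver catches it with the HMAC but can do nothing except disconnect, and a toy transport that owns the MAC recovers by re-requesting the record. The retransmit loop stands in for the direction draft-bonaventure-mptcp-tls takes; it is this example's own simplification, not the draft's mechanism.

```python
import hashlib
import hmac
import struct

MAC_KEY = b"constructed-session-integrity-key"  # stands in for a negotiated SSH MAC key


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, the only integrity check TCP has."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def flip_word_bit(buf: bytearray, i: int, k: int) -> None:
    """Flip bit k (0 = least significant) of the i-th big-endian 16-bit word."""
    if k >= 8:
        buf[2 * i] ^= 1 << (k - 8)
    else:
        buf[2 * i + 1] ^= 1 << k


def corrupt_undetected(segment: bytes) -> bytes:
    """Damage `segment` so that its TCP checksum is unchanged: flipping bit k in a
    word where it is 1 and in a word where it is 0 subtracts and adds 2^k."""
    n = len(segment) // 2
    words = struct.unpack("!%dH" % n, segment[: 2 * n])
    for k in range(16):
        ones = [i for i, w in enumerate(words) if (w >> k) & 1]
        zeros = [i for i, w in enumerate(words) if not ((w >> k) & 1)]
        if ones and zeros:
            buf = bytearray(segment)
            flip_word_bit(buf, ones[0], k)
            flip_word_bit(buf, zeros[0], k)
            return bytes(buf)
    raise ValueError("segment has no cancelling bit pair")


def make_record(seq: int, payload: bytes) -> bytes:
    """Simplified SSH binary-packet record: the MAC covers the implicit sequence
    number and the packet (RFC 4253 section 6.4); encryption is omitted here."""
    header = struct.pack("!I", seq)
    tag = hmac.new(MAC_KEY, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_record(record: bytes):
    """Return (seq, payload) if the MAC verifies, else None."""
    header, body, tag = record[:4], record[4:-32], record[-32:]
    expected = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack("!I", header)[0], body


def ssh_receiver(records):
    """SSH as deployed: the first MAC failure ends the session, since the protocol
    has no way to ask the peer to resend one record."""
    delivered = []
    for rec in records:
        parsed = verify_record(rec)
        if parsed is None:
            return delivered, "disconnect: corrupted MAC on input"
        delivered.append(parsed[1])
    return delivered, "ok"


def make_lossy_channel(corrupt_seqs):
    """Constructed channel: the first copy of each listed record is damaged in a
    way TCP's checksum accepts; retransmissions arrive intact."""
    pending = set(corrupt_seqs)

    def channel(seq, rec):
        if seq in pending:
            pending.discard(seq)
            return corrupt_undetected(rec)
        return rec

    return channel


def authenticating_transport(records, channel):
    """Toy model of a transport that owns the MAC: a record that fails to verify
    is discarded and re-requested (as MPTCP could resend it on another subflow)
    instead of tearing the whole session down."""
    delivered, retransmits = [], 0
    for seq, rec in enumerate(records):
        while True:
            parsed = verify_record(channel(seq, rec))
            if parsed is not None and parsed[0] == seq:
                delivered.append(parsed[1])
                break
            retransmits += 1
    return delivered, retransmits


def demo():
    payloads = [b"ls -la /etc\n", b"cat /etc/hostname\n", b"exit\n"]  # constructed
    records = [make_record(i, p) for i, p in enumerate(payloads)]
    damaged = corrupt_undetected(records[1])
    ssh_out, status = ssh_receiver([records[0], damaged, records[2]])
    tx_out, retx = authenticating_transport(records, make_lossy_channel({1}))
    return {"tcp_checksum_unchanged": internet_checksum(damaged) == internet_checksum(records[1]),
            "ssh_delivered": len(ssh_out), "ssh_status": status,
            "transport_delivered": len(tx_out), "retransmits": retx}


if __name__ == "__main__":
    print(demo())
```

demo() returns one delivered record and a disconnect for the SSH-style receiver, and three delivered records with a single retransmission for the transport that owns the MAC. The record format drops encryption and padding on purpose: the only point shown is that it is the integrity check, not the transport checksum, that decides whether a session survives a line error, and which layer holds that check decides whether recovery is possible.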
- Re: SSH v3? Niels Möller
- Re: SSH v3? Niels Möller
- Re: SSH v3? Bryan A Ford
- SSH v3? denis bider
- Re: SSH v3? denis bider
- Re: SSH v3? Bryan Ford
- Re: SSH v3? denis bider
- Re: SSH v3? denis bider
- Re: SSH v3? denis bider
- RE: SSH v3? Peter Gutmann
- RE: SSH v3? Peter Gutmann
- RE: SSH v3? Peter Gutmann
- Re: SSH v3? Stephen Farrell
- Re: SSH v3? Stephen Farrell
- Re: SSH v3? Olivier Bonaventure