IETF Logo Mail Archive

Re: Feedback on draft-ssh-ext-info-00

Damien Miller <djm@mindrot.org> Sat, 05 December 2015 20:32 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF4C21A909E for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 5 Dec 2015 12:32:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sxXpEsQ4rt8K for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 5 Dec 2015 12:32:19 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67EA71A0363 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sat, 5 Dec 2015 12:32:19 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id BBBA285EF0; Sat, 5 Dec 2015 20:32:17 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 6F8F985EE7; Sat, 5 Dec 2015 20:32:17 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id E2C2C85EB6 for <ietf-ssh@netbsd.org>; Thu, 3 Dec 2015 04:06:08 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id Fn7ooqtixdIE for <ietf-ssh@netbsd.org>; Thu, 3 Dec 2015 04:06:08 +0000 (UTC)
Received: from newmailhub.uq.edu.au (mailhub1.soe.uq.edu.au [130.102.132.208]) by mail.netbsd.org (Postfix) with ESMTP id D682485E93 for <ietf-ssh@netbsd.org>; Thu, 3 Dec 2015 04:06:07 +0000 (UTC)
Received: from smtp2.soe.uq.edu.au (smtp2.soe.uq.edu.au [10.138.113.41]) by newmailhub.uq.edu.au (8.14.5/8.14.5) with ESMTP id tB345xni005356; Thu, 3 Dec 2015 14:06:00 +1000
Received: from mailhub.eait.uq.edu.au (hazel.eait.uq.edu.au [130.102.60.17]) by smtp2.soe.uq.edu.au (8.14.5/8.14.5) with ESMTP id tB345xqS043774 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 3 Dec 2015 14:05:59 +1000
Received: from natsu.mindrot.org (natsu.mindrot.org [130.102.96.2]) by mailhub.eait.uq.edu.au (8.15.1/8.15.1) with ESMTP id tB345wEK015629; Thu, 3 Dec 2015 14:05:59 +1000 (AEST)
Received: by natsu.mindrot.org (Postfix, from userid 1000) id 84F3AA4F2E; Thu, 3 Dec 2015 15:05:58 +1100 (AEDT)
Received: from localhost (localhost [127.0.0.1]) by natsu.mindrot.org (Postfix) with ESMTP id 7CACDA4F07; Thu, 3 Dec 2015 15:05:58 +1100 (AEDT)
Date: Thu, 03 Dec 2015 15:05:58 +1100
From: Damien Miller <djm@mindrot.org>
To: denis bider <ietf-ssh3@denisbider.com>
cc: Markus Friedl <mfriedl@gmail.com>, ietf-ssh@netbsd.org
Subject: Re: Feedback on draft-ssh-ext-info-00
In-Reply-To: <1642890958-3540@skroderider.denisbider.com>
Message-ID: <alpine.BSO.2.20.1512031456190.12629@natsu.mindrot.org>
References: <1642890958-3540@skroderider.denisbider.com>
User-Agent: Alpine 2.20 (BSO 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="15775414878208-1821183572-1449115558=:12629"
X-Scanned-By: MIMEDefang 2.73 on UQ Mailhub
X-Scanned-By: MIMEDefang 2.75 on 130.102.60.17
X-UQ-FilterTime: 1449115560
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

On Thu, 3 Dec 2015, denis bider wrote:

> > If there's a functioning extension mechanism,
> > then why would there be competition?
> 
> To extend other aspects of SSH that EXT_INFO cannot. This could be to change
> some aspect of algorithm negotiation, for example.
> 
> For instance, there has been a problem in how AEAD is negotiated. Besides
> what OpenSSH did - implementing a private algorithm for AES-GCM - another
> possible solution could be an extension where both client and server put
> something in their key exchange algorithms field. If both client and server
> do this, then the result of MAC negotiation is ignored if an AEAD encryption
> algorithm is negotiated.
> 
> But why do you even feel the need to call this out? Is it any harder to
> call:
> 
>     is_in_namelist(name, namelist)
> 
> instead of:
> 
>     is_at_end_of_namelist(name, namelist)

I'm suggesting you specify what is sent, not how implementations test
for it. The benefit is that ~ a paragraph of fairly useless verbiage
in your spec disappears.

> > IIRC I've heard of at least one server that doesn't
> > implement ssh-userauth.
> 
> This is possible with EXT_INFO also. Send an extension name and value
> informing the client of what you implement. No need to waste a round-trip
> for 99.999% of other users.

I'll repeat my opinion: an extension mechanism is not the place to
fundamentally retcon parts of the protocol. It breaks orthagonality
and turns implementations into spaghetti.

Perhaps you want a "no-service-requests" extension instead?

-d

v2.23.0 | Report a Bug | By Email