IETF Logo Mail Archive

RE: Feedback on draft-ssh-ext-info-00

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 05 December 2015 23:42 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 448491AC3F5 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 5 Dec 2015 15:42:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f6JW-6bul01U for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 5 Dec 2015 15:42:37 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FB3D1AC3F2 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sat, 5 Dec 2015 15:42:37 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 6A50B85F08; Sat, 5 Dec 2015 23:42:36 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 7590D85EFC for <ietf-ssh@netbsd.org>; Sat, 5 Dec 2015 23:42:34 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id XcAzKiDVcTY1 for <ietf-ssh@netbsd.org>; Sat, 5 Dec 2015 23:42:33 +0000 (UTC)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 2329785E57 for <ietf-ssh@netbsd.org>; Sat, 5 Dec 2015 23:42:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1449358953; x=1480894953; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Fi4svz4FhEH3Zkbs1PIjXe+O+hN+NojVeAgtqsFR95U=; b=WzxC/4I6NjyiiI4SvXwWdi91v+kp6QOPaG0nOI405A1oBoZwBwrtgup6 5oVP1bKJAeZymelAVowYwek4/l9q2YhfKFzCg+KvTPKJF6D2xOnOs0dgN u/2Y3BBox7dTiHEuglJgKVvmt/thTgzwNafP0pJWsju2W2W8U8SV6VCdY QGdlmuPVz1OX4H6svF2nmEqVtO92/ND17ivHqHYoRUzn4+O8IBov41dgR EzNcwsZR678yD/wyy0ThcUBhAJjogGzjCD5HsCbHPmldqZ8bbCZjezjw/ XuaHf9cYOcu3hJQWhKYR8fQJY94q+agyhgXjJRJwfxngZAyoMM2doH2o8 g==;
X-IronPort-AV: E=Sophos;i="5.20,387,1444647600"; d="scan'208";a="57771440"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.125 - Outgoing - Outgoing
Received: from uxchange10-fe3.uoa.auckland.ac.nz ([130.216.4.125]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 06 Dec 2015 12:42:31 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.153]) by uxchange10-fe3.UoA.auckland.ac.nz ([169.254.143.234]) with mapi id 14.03.0266.001; Sun, 6 Dec 2015 12:42:31 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Damien Miller <djm@mindrot.org>, denis bider <ietf-ssh3@denisbider.com>
CC: Markus Friedl <mfriedl@gmail.com>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Subject: RE: Feedback on draft-ssh-ext-info-00
Thread-Topic: Feedback on draft-ssh-ext-info-00
Thread-Index: AQHRLX0POk6t5sv1I0ywABy5Xd0b7J63yusAgAVHG+k=
Date: Sat, 05 Dec 2015 23:42:30 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B9B382@uxcn10-5.UoA.auckland.ac.nz>
References: <1642890958-3540@skroderider.denisbider.com>, <alpine.BSO.2.20.1512031456190.12629@natsu.mindrot.org>
In-Reply-To: <alpine.BSO.2.20.1512031456190.12629@natsu.mindrot.org>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Damien Miller <djm@mindrot.org> writes:

>I'll repeat my opinion: an extension mechanism is not the place to
>fundamentally retcon parts of the protocol. 

Why not?  I would have thought that's what it was there for.  TLS has been
using extensions to fix protocol problems for years without any real problems.
Taking one case that I'm pretty familiar with, the encrypt-then-MAC extension,
the impact was very minimal, you add an entry to an extension en/decoding
table, and then have a boolean flag to swap the order of calls to encrypt and
MAC routines.  It was, I dunno, maybe a dozen lines of code and a hour's work
to fix a problem that had been plagueing the protocol for at least fifteen
years.  It's a really easy way to fix issues in the protocol, I just wish SSH
had had an extension mechanism of the kind that Denis is working on a long
time ago.

Peter.

v2.23.0 | Report a Bug | By Email