Re: Feedback on draft-ssh-ext-info-00
denis bider <ietf-ssh3@denisbider.com> Sat, 05 December 2015 19:43 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B01781A8AEF for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 5 Dec 2015 11:43:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FD7z2uvqrLSD for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 5 Dec 2015 11:43:29 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 286011A8AED for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sat, 5 Dec 2015 11:43:29 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 208B185F20; Sat, 5 Dec 2015 18:08:20 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id E0FB485F1F; Sat, 5 Dec 2015 18:08:00 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id D3EC385E94 for <ietf-ssh@netbsd.org>; Thu, 3 Dec 2015 00:21:20 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id o90vyBI58h-B for <ietf-ssh@netbsd.org>; Thu, 3 Dec 2015 00:21:20 +0000 (UTC)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [50.18.172.175]) (using TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 1E76985E66 for <ietf-ssh@netbsd.org>; Thu, 3 Dec 2015 00:21:20 +0000 (UTC)
X-Footer: ZGVuaXNiaWRlci5jb20=
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com for mfriedl@gmail.com; Thu, 3 Dec 2015 00:21:13 +0000
Date: Thu, 03 Dec 2015 00:21:13 +0000
Subject: Re: Feedback on draft-ssh-ext-info-00
X-User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Message-ID: <1631450999-4056@skroderider.denisbider.com>
X-Priority: 3
Importance: Normal
MIME-Version: 1.0
From: denis bider <ietf-ssh3@denisbider.com>
To: Markus Friedl <mfriedl@gmail.com>, Damien Miller <djm@mindrot.org>
Cc: ietf-ssh@netbsd.org
Content-Type: multipart/alternative; boundary="=-55/Eyvnq5YdoCw0L2BIC"
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
*blush* :) Sounds good. Can you post a writeup of the scheme you implement? It doesn't have to be an Internet-Draft, just something better than reverse engineering source code. (A spec might not only make things easier for others, but also improve the implementation. I find that writing things down helps call to mind corner cases I would have ignored otherwise.) ----- Original Message ----- From: Markus Friedl Sent: Wednesday, December 2, 2015 08:39 To: ietf-ssh@netbsd.org Cc: Damien Miller Subject: Re: Feedback on draft-ssh-ext-info-00 I'm in the process of implementing draft-rsa-dsa-sha2-256-03 and welcome a way for signaling SHA2 support to the client for userauth, especially since I'm sabotaging protocol extensions with the strict message format checks I've added to OpenSSH before. However, I also agree with Damien that the suggested proposal seems unnecessary complex to me and will try to implement the simpler scheme he suggests. -m > Am 02.12.2015 um 12:35 schrieb Damien Miller <djm@mindrot.org>: > > Hi, > > Here's some feedback on draft-ssh-ext-info-00. > >> 3.1. Signaling of Extension Negotiation in KEXINIT > ... >> The indicator name is added without quotes, and MAY be added at any >> position in the name-list, subject to proper separation from other >> names as per name-list conventions. The suggested position is last in >> the list, but implementations MUST recognize these indicator names >> when included at any position. > > IMO it would be best to make it a MUST that the flags may only be > sent as the last element. What rationale is there for putting it > anywhere else? > >> 3.2. Mechanism Enabling Criteria > > This whole section seems over-complicated. I think a simpler scheme > is: > > If a client or server offers "ext-info-c" or "ext-info-s" respectively, > then it must be prepared to accept a SSH_MSG_EXT_INFO message from the > peer. > > If this message is sent, then it will be the first message after the > initial SSH_MSG_NEWKEYS. > > I.e. make it a simple advertisment that a client or server is willing > to accept a notification message that might optionally be sent. > Don't require both sides to offer acceptance, don't have the messages > offer any sort of negotiation between the client and server (just > statements of extensions/capabilities) and don't "replace" any > messages like SSH_MSG_SERVICE_REQUEST. > > This would yield a much simpler specification IMO. > >> 4. Initially Defined Extensions >> 4.2. "client-req-ok" > > I don't see the point of this: implementations that don't respond with > SSH_MSG_REQUEST_FAILURE to unknown SSH_MSG_GLOBAL_REQUEST messages are > incompliant with RFC4254 section 4. > > OpenSSH has sent various @openssh.com global requests for years, > so most of the implementations that violate this should have long since > been shaken out. > >> 4.3. "no-handbrake" > > This could be implemented more elegantly using new channel type names > in SSH_MSG_CHANNEL_OPEN messages rather than the complicated and > inflexible method proposed here (e.g. it's impossible to have one > channel without the "handbrake" and one with normal flow control). > > It would be better to use the extension to signal that the > peer is willing to accept SSH_MSG_CHANNEL_OPEN messages with new channel > type names, and use these to selectively disable flow control. > > Given this, IMO this would be better off being replaced by a generic > "these are the channel types I'm prepared to open" message, which would > be useful even for implementation that don't want to turn off flow control > but which do implement non-standard channel types (e.g. tun@openssh.com). > > -d >
- Feedback on draft-ssh-ext-info-00 Damien Miller
- Re: Feedback on draft-ssh-ext-info-00 Markus Friedl
- RE: Feedback on draft-ssh-ext-info-00 Peter Gutmann
- RE: Feedback on draft-ssh-ext-info-00 Damien Miller
- Re: Feedback on draft-ssh-ext-info-00 Damien Miller
- Re: Feedback on draft-ssh-ext-info-00 Damien Miller
- Re: Feedback on draft-ssh-ext-info-00 Damien Miller
- Re: Feedback on draft-ssh-ext-info-00 Damien Miller
- Re: Feedback on draft-ssh-ext-info-00 Niels Möller
- Re: Feedback on draft-ssh-ext-info-00 Niels Möller
- Re: Feedback on draft-ssh-ext-info-00 Markus Friedl
- Re: Feedback on draft-ssh-ext-info-00 Niels Möller
- Re: Feedback on draft-ssh-ext-info-00 Niels Möller
- RE: Feedback on draft-ssh-ext-info-00 Peter Gutmann
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 Markus Friedl
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 Markus Friedl
- Re: Feedback on draft-ssh-ext-info-00 Markus Friedl
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Updated EXT_INFO draft - draft-ssh-ext-info-02 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Feedback on draft-ssh-ext-info-00 Damien Miller
- RE: Feedback on draft-ssh-ext-info-00 Peter Gutmann
- Re: Feedback on draft-ssh-ext-info-00 Niels Möller
- Re: Feedback on draft-ssh-ext-info-00 Matt Johnston
- Re: Feedback on draft-ssh-ext-info-00 Niels Möller
- Re: Feedback on draft-ssh-ext-info-00 denis bider
- Re: Updated EXT_INFO draft - draft-ssh-ext-info-02 Niels Möller
- Re: Feedback on draft-ssh-ext-info-00 Niels Möller