Re: [Patch] TCP MD5SIG for OpenSSH

On Fri, Jan 15, 2016 at 1:07 PM, Alex Bligh <alex@xxxxxxxxxxx> wrote:
> On 15 Jan 2016, at 11:44, Thomas ☃ Habets <habets@xxxxxxxxxx> wrote:
>> On 15 January 2016 at 08:48, Alex Bligh <alex@xxxxxxxxxxx> wrote:
[snip]
> 3. Server compares supplied address/port pair with what it sees
>    (to detect DNAT like Amazon elastic IPs), and if they are the
>    same, it waits for the TCP ECHO reply, and if it gets it
>    says "Excellent, let's apply TCP-MD5SIG, here is a
>    random key", and from that point on TCP-MD5SIG is applied
>    both times, else proceeds as normal.
>
> I don't see the advantage in hashing a session key (which should
> be kept private) over using a random key. The random key could
> be hashed with the session key I suppose if the concern was
> entropy.
>
> The idea would be for this to detect NAT (without revealing private
> IP addresses) and avoid TCP-MD5SIG if it's in use, but for TCP-MD5SIG
> to be off by default anyway. The reason for this is that it might not
> detect middleboxen (e.g. firewalls) that effectively proxy the TCP
> session or strip the packets. A couple of dummy ECHO/ECHO REPLY TCP
> options are used in order to detect such stripping.

Don't these extra roundtrips further increase the latency of ssh
connection setup (e.g. imagine a high-bandwidth&&high-latency satellite
link) ? ssh is already a *PAIN* in that area, killing its usefulness
for applications like "Distributed make" because the time to setup the
connection can be much longer than the command executed on the remote
side.

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz@xxxxxxxxxxx
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
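The server side of step 3 of the quoted proposal (compare the address/port pair the client claims with what the kernel observed, and install a fresh random TCP-MD5SIG key only when they match), written out as an added example; it is not code from this thread, from Alex Bligh's patch or from OpenSSH. It targets the Linux TCP_MD5SIG socket option (struct tcp_md5sig, TCP_MD5SIG_MAXKEYLEN) from netinet/tcp.h. The function names, the 32-byte key length, and the assumption that the client's claim arrives as an IPv4 address string inside the SSH session are illustrative. The dummy TCP ECHO/ECHO REPLY option probing the proposal also mentions is not shown, since it cannot be done from a plain socket.

```c
/* Added example, not from the thread or OpenSSH: server-side NAT check and
 * TCP-MD5SIG key installation on Linux.  Names and key length are assumed. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define SESSION_KEYLEN 32   /* assumed length of the random per-connection key */

/* Compare the address/port the client claims it connected from with what the
 * server's kernel actually sees (getpeername() on the accepted socket).
 * Returns 1 on match, 0 on mismatch (DNAT such as an elastic IP, or a proxying
 * middlebox: leave TCP-MD5SIG off), -1 if the claim is not a parseable IPv4. */
int claim_matches_peer(const struct sockaddr_in *observed,
                       const char *claimed_ip, uint16_t claimed_port)
{
    struct in_addr claimed;
    if (inet_pton(AF_INET, claimed_ip, &claimed) != 1)
        return -1;
    return claimed.s_addr == observed->sin_addr.s_addr &&
           claimed_port == ntohs(observed->sin_port);
}

/* String convenience wrapper around claim_matches_peer(). */
int claim_matches(const char *observed_ip, uint16_t observed_port,
                  const char *claimed_ip, uint16_t claimed_port)
{
    struct sockaddr_in obs;
    memset(&obs, 0, sizeof obs);
    obs.sin_family = AF_INET;
    obs.sin_port = htons(observed_port);
    if (inet_pton(AF_INET, observed_ip, &obs.sin_addr) != 1)
        return -1;
    return claim_matches_peer(&obs, claimed_ip, claimed_port);
}

/* Fill the kernel's struct tcp_md5sig for one peer.  The key is bound to the
 * peer address: the kernel signs/verifies only segments to/from that peer.
 * Returns 0, or -1 when the key is empty or longer than TCP_MD5SIG_MAXKEYLEN. */
int build_md5sig(struct tcp_md5sig *sig, const struct sockaddr_in *peer,
                 const uint8_t *key, size_t keylen)
{
    if (keylen == 0 || keylen > TCP_MD5SIG_MAXKEYLEN)
        return -1;
    memset(sig, 0, sizeof *sig);
    memcpy(&sig->tcpm_addr, peer, sizeof *peer);
    sig->tcpm_keylen = (uint16_t)keylen;
    memcpy(sig->tcpm_key, key, keylen);
    return 0;
}

/* Draw a fresh random key (the proposal's "here is a random key"), install it
 * for the peer, and hand it back so it can be sent to the client inside the
 * already-encrypted SSH channel.  Returns 0, or -1 with errno set;
 * ENOPROTOOPT/EINVAL from setsockopt means the kernel lacks TCP-MD5SIG. */
int apply_tcp_md5sig(int fd, const struct sockaddr_in *peer,
                     uint8_t *key_out, size_t keylen)
{
    struct tcp_md5sig sig;
    if (keylen == 0 || keylen > TCP_MD5SIG_MAXKEYLEN) { errno = EINVAL; return -1; }
    if (getentropy(key_out, keylen) != 0)
        return -1;
    if (build_md5sig(&sig, peer, key_out, keylen) != 0) { errno = EINVAL; return -1; }
    return setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, &sig, sizeof sig);
}

int main(void)
{
    /* Constructed peer: what getpeername() returned on the accepted socket. */
    struct sockaddr_in peer;
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(51000);
    inet_pton(AF_INET, "10.0.0.7", &peer.sin_addr);

    /* Constructed claims: a direct client, and one behind elastic-IP style DNAT. */
    printf("direct client matches: %d\n", claim_matches_peer(&peer, "10.0.0.7", 51000));
    printf("DNAT client matches:   %d\n", claim_matches_peer(&peer, "203.0.113.9", 51000));

    /* Only the direct case gets a key.  A fresh socket stands in for the
     * accepted connection; the option is per-peer, so it may be set early. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    uint8_t key[SESSION_KEYLEN];
    if (fd >= 0 && apply_tcp_md5sig(fd, &peer, key, sizeof key) == 0)
        printf("TCP-MD5SIG installed for 10.0.0.7\n");
    else
        printf("TCP-MD5SIG not installed: %s\n", strerror(errno));
    if (fd >= 0) close(fd);
    return 0;
}
```

The client must see the same key, so in the proposal's flow it would be carried back over the SSH channel after key exchange, and both ends would call setsockopt on their own socket before sending anything further; once either side has the option set, unsigned segments from that peer are silently dropped, which is why the NAT check has to come first.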