IETF-SSH archive


Re: Question on transport protocol



On Tue, Jan 15, 2002 at 03:29:44 +0000, Derek Fawcus wrote:
> In the transport protocol,  section 8 (Service Request),  the last paragraph
> states:
> 
>    Note that after a key exchange with implicit server authentication,
>    the client MUST wait for response to its service request message
>    before sending any further data.
> 
> I'd like to ask why is the above constraint there?  I assume it's for some
> security reason,  but looking at the packet flow,  I can't see a reason
> for it.

A bit more about what I'm thinking...

The obvious problem with implicit server authentication is that it leaves
one open to a MITM attack.  However I don't see how the above constraint
helps here.  You'd have just done a successful DH exchange with the MITM,
and he can then fake all responses,  delaying till you get the SERVICE_ACCEPT
doesn't appear to gain any advantage in this case.

I therefore must assume it's for some other scenario,  if so then what?

DF


