IETF-SSH archive


Re: Application data during key re-exchange



> It's not entirely clear what is meant by "after key exchange" in the
> final paragraph above. My interpretation is "after KEX_DHINIT" (in the
> stream from the client) and "after KEX_DHREPLY" (in the stream from
> the server).
> 
> Another possible interpretation is that the only messages that can be
> sent between KEXINIT and NEWKEYS are key-exchange messages and DEBUG,
> DISCONNECT and IGNORE. Then all channels on the connection will freeze
> completely during the entire key exchange process, which seems
> undesirable, in particular with slow connections and machines. For
> client-initiated key exchange, it's two roundtrips.
> 
> How do you handle this?

Our interpretation is between KEXINIT and NEWKEYS
nothing is allowed.  So after sending a KEXINIT
packet, an implementation (client or server)
must not send any non-key-exchange packets
other than DEBUG, DISCONNECT, and IGNORE until
it has sent a NEWKEYS packet.

- Joseph
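As an added illustration of the strict reading Joseph describes (this is not code from the thread or from any SSH implementation): a per-direction gate that defers a sender's application packets between its own KEXINIT and its own NEWKEYS, and, going one step beyond the message, a mirror check on the receiving side that treats a peer's packet outside the permitted set as a protocol violation. Message numbers are those of RFC 4253; the class and function names are my own.

```python
# Message numbers from RFC 4253 (the thread's KEX_DHINIT/KEX_DHREPLY are 30/31).
SSH_MSG_DISCONNECT, SSH_MSG_IGNORE, SSH_MSG_DEBUG = 1, 2, 4
SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS = 20, 21
SSH_MSG_KEXDH_INIT, SSH_MSG_KEXDH_REPLY = 30, 31
SSH_MSG_CHANNEL_DATA = 94
ALWAYS_ALLOWED = {SSH_MSG_DISCONNECT, SSH_MSG_IGNORE, SSH_MSG_DEBUG}

class StreamState:
    """One direction of the connection: in_kex from its KEXINIT to its NEWKEYS."""
    def __init__(self):
        self.in_kex = False

    def permitted(self, msg_type):
        # Key-exchange messages: KEXINIT/NEWKEYS plus the method-specific range 30..49.
        is_kex = msg_type in (SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS) or 30 <= msg_type <= 49
        return not self.in_kex or is_kex or msg_type in ALWAYS_ALLOWED

    def advance(self, msg_type):
        if msg_type == SSH_MSG_KEXINIT:
            self.in_kex = True
        elif msg_type == SSH_MSG_NEWKEYS:
            self.in_kex = False

class OutboundGate:
    """Sender side: defer application packets instead of violating the rule."""
    def __init__(self):
        self.state, self.deferred = StreamState(), []

    def send(self, msg_type):
        """Return the message types actually written to the wire by this call."""
        if not self.state.permitted(msg_type):
            self.deferred.append(msg_type)      # e.g. CHANNEL_DATA during rekey
            return []
        self.state.advance(msg_type)
        out = [msg_type]
        if msg_type == SSH_MSG_NEWKEYS:         # our NEWKEYS closes the window:
            out, self.deferred = out + self.deferred, []   # flush under new keys
        return out

class InboundGate:
    """Receiver side: a disallowed packet from the peer is a protocol violation."""
    def __init__(self):
        self.state = StreamState()

    def accept(self, msg_type):
        """True if the packet may be processed; False means disconnect."""
        if not self.state.permitted(msg_type):
            return False
        self.state.advance(msg_type)
        return True
```

Each direction of the connection carries its own StreamState, so a peer's KEXINIT does not by itself gate our outbound stream; only our own KEXINIT does, exactly as the reply above states.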
