IETF-SSH archive


minutes from Secure Shell [secsh] meeting at 53rd IETF



Meeting notes for IETF Secsh WG meeting, Minneapolis 53rd IETF, 3/18/02.
[notes taken by Ken Hornstein, lightly edited by Bill Sommerfeld]

Bill Sommerfeld (WG chair) opened the meeting with traditional agenda
bashing.

First up was comments about the CBC mode vulnerability Wei Dai pointed
out; the consensus was that this will NOT hold up the core drafts, and
a disclaimer will be added (plus additional modes will be defined in a
separate document).

Bill also pointed out that upon checking the listed milestones, all of them
have been completed!

Darren M gave a report about ssh testing at Connectathon (six different
vendors, three implementations).  Some interoperability problems were
discovered, which turned out to be a problem with draft ambiguity.  The
hope was to have a more formal plan for doing SSH testing at the next
Connectathon, including Kerberos/GSS interop testing (a lot of interest
was expressed by Kerberos folks at Connectathon).

Note from WG Chair: I am grumpy that this has taken this long!  But it is
the chair's belief that the documents are ready, they survived WG last call,
and an IETF-wide last call should be forthcoming.

3 drafts still in WG last call; please send comments to the list (not much
discussion except on the public key file format).  A few comments were
brought up about making the document standards-track versus informational;
the draft author said, "Either way is fine", Hutzelman (jhutz) said, "Standard
would be better for interoperability", jis said, "Standard is fine, but there
might be some pushback".

keyboard-interactive - seems to be done, and it interoperates with other
implementations (same for d-h group exchange).

4 drafts are remaining that are NOT ready for last-call.

GSSAPI - jhutz says, "Not ready yet" (there was discussion on the list,
comments sent in need to be incorporated, will send out a new document
next week).

agent-forwarding - insufficient detail to implement.  joeg says, "A starting
point would be great, at least how OpenSSH does it".  Consensus was to
incorporate text describing OpenSSH agent forwarding into the document.

file transfer - NO consensus, as every so often someone suggests a major
redesign.

host keys in DNS - moved to the SIKED BOF on Tuesday.

CBC Attack:

- Duplicate ciphertext blocks leak the XOR of the corresponding plaintext blocks
- A chosen-plaintext attacker can force a collision (by injecting the XOR of the
  old plaintext and the old IV)
- The protocol is resistant (because of multiple levels of framing) but
  not immune.

Fixes to attack (note that it's not a ssh-specific attack):

- A fixed CBC mode which includes a nonce.
- Counter mode
- OFB mode.

_Rough_ consensus is to not hold the current documents for the fix --
instead, write a new document defining new encryption mode(s) (but no
consensus on which mode to use).  jhutz pointed out that CTR is rather
new and we don't have a lot of experience with it; it was also pointed
out that putting all of our eggs in one basket might be considered
bad.
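To make the chaining property above concrete, here is an added Python illustration that is not part of the minutes or of any SSH implementation. It assumes a stand-in Feistel block cipher in place of a real one (the property does not depend on the cipher) and shows why a chained IV turns CBC into an equality oracle for a chosen-plaintext attacker, and why the first fix listed, CBC with a fresh per-packet IV, closes it:

```python
import hashlib
import os

BLOCK = 16  # block size in bytes

def _prp(key: bytes, block: bytes) -> bytes:
    # Keyed 4-round Feistel network with SHA-256 round functions: a stand-in
    # block cipher (a bijection on 16-byte blocks) needing only the standard library.
    half = BLOCK // 2
    l, r = block[:half], block[half:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:half]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return l + r

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC over whole blocks (no padding); the IV is not part of the output."""
    assert len(plaintext) % BLOCK == 0
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _prp(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def chained_cbc_leaks_equality(key: bytes, iv0: bytes, secret: bytes, guess: bytes) -> bool:
    """Chained CBC as in the transport draft: packet n+1's IV is packet n's last
    ciphertext block, which is visible on the wire. A chosen plaintext of
    guess XOR iv_old XOR iv_new therefore produces the same ciphertext block as
    the secret exactly when guess == secret. Returns True on that collision."""
    c_secret = cbc_encrypt(key, iv0, secret)   # victim's packet, encrypted under iv0
    iv_next = c_secret[-BLOCK:]                # predictable IV of the next packet
    probe = xor(xor(guess, iv0), iv_next)
    c_probe = cbc_encrypt(key, iv_next, probe)
    return c_probe[:BLOCK] == c_secret[:BLOCK]

def fresh_iv_cbc_leaks_equality(key: bytes, secret: bytes, guess: bytes) -> bool:
    """The 'CBC with a nonce' fix: each packet gets a random IV chosen by the
    sender after the plaintext is fixed. The best prediction an attacker has
    for that IV (the previous ciphertext block) is now wrong, so the probe
    collides only with probability 2^-128, even for the correct guess."""
    iv_secret, iv_probe = os.urandom(BLOCK), os.urandom(BLOCK)
    c_secret = cbc_encrypt(key, iv_secret, secret)
    probe = xor(xor(guess, iv_secret), c_secret[-BLOCK:])  # attacker's IV prediction
    c_probe = cbc_encrypt(key, iv_probe, probe)
    return c_probe[:BLOCK] == c_secret[:BLOCK]
```

The same reasoning is why counter or OFB mode also removes the leak: the keystream block never depends on a value the peer can choose or predict for the next packet.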

Bill asked if anyone read his proposed disclaimer to the transport draft;
all comments were "looks good"; jis said that document could be rev'd
without doing a WG last call.  Modulo any list comments, consensus was
to do that.  [this has happened].

Future draft ideas:

- Legacy/historic identifiers (des-cbc); volunteer for that draft, but no
  draft has yet appeared.
- X.509 / PKIX.  Why not a GSS mechanism that knows how to do X.509?
  jhutz points out that people are actually using simon's patches with
  non-Kerberos 5 mechanisms; future discussion is necessary.
- Round-trip count reduction.  There was some interest in this when it
  was brought up before.
- Deprecate implementation-name-based workarounds - do we want to officially
  deprecate these hacks once the drafts reach draft standard?  It was
  brought up that customers still have non-compliant servers; Bill said that
  maybe put the RFC number in the version string or use some other mechanism
  for knowing if an implementation is RFC-compliant.
- Server key fingerprints: trivial draft mailed to list, not published.
- Please send drafts for these:
  - Port forwarding of arbitrary port
  - UDP forwarding (Comment from WG chair: "Much pain, little gain")
  - line mode
  - Console server options (send BREAK, RS232 parameter settings).

Current milestones: All done!

New milestones?

Apr 02: gssapi draft ready for last-call
Apr 02: Publish draft on new modes
May 02: Agent draft ready for last call
May 02: Publish draft on X.509/PKIX (or maybe just use GSSAPI)
May 02: publish draft on console server extensions.
Dec 02: File transfer draft ready for last call.


