Re: SSH paper and a possible transport layer extension [was: aside on formal methods]

[Nicolas Williams <Nicolas.Williams%sun.com@localhost>]

On Sat, May 17, 2003 at 09:28:44PM +0300, Heikki Nousiainen wrote:
> On Sat, 17 May 2003, Nicolas Williams wrote:
> > It is bad to let sequence numbers wrap around while using the same key.
> > Rekeying takes care of this problem.
> 
> Oh yes, the rekeying is required, but with a 64bit counter, a suitable MAC 
> algorithm and a suitable cipher, we can bump up the re-keying requirement 
> up to every 2^64 packets. Excessive? Maybe as for today, but modularising 
> this aspect of the protocol paves way for future changes if so needed.

I don't see anything stopping a future SSHv2 encr/mac alg set from
requiring larger sequence numbers.  I wouldn't mind sequence number
sizes being negotiable though (I take it this is what you mean by
"modularizing").

I think larger sequence numbers (e.g., 64 bits and up) are a must for
protocols that don't support rekeying; for those that do, unless
rekeying is onerous (and I don't think SSHv2 rekeking is), smaller
sequence numbers (e.g., 32 bits) are not such a bad thing.

Cheers,

Nico
--