retrying keyex (was: Re: Why SFTP performance sucks, and how to fix it)

To: Nicolas Williams <Nicolas.Williams%sun.com@localhost>
Subject: retrying keyex (was: Re: Why SFTP performance sucks, and how to fix it)
From: "Joel N. Weber II" <ietf-secsh%joelweber.com@localhost>
Date: Wed, 09 Jul 2003 18:41:43 -0400

So, thinking a bit more about what I said yesterday, I think if we
want to support multiple attempts at key exchange, the correct
sematics are:

If you fail trying to do GSSAPI key exchange, use the messages already
defined for GSSAPI key exchange error reporting, but don't disconnect.

If you send the last message in a key exchange sequence, wait to see
if SSH_MSG_NEWKEYS comes.  If it does, your peer accepted what you
sent in that last message, and you can send SSH_MSG_NEWKEYS too.
(This avoids having only one side use keys from a key exchange: you
get either both or neither, which simplifies the session identifier
question a bit.)

If you need to try again, just send SSH_MSG_KEXINIT again.

I'm willing to write up an internet-draft along these lines after IETF
if people think it's a good idea.

Follow-Ups:
- Re: retrying keyex (was: Re: Why SFTP performance sucks, and how to fix it)
  - From: Nicolas Williams

References:
- Why SFTP performance sucks, and how to fix it
  - From: Peter Gutmann
- Re: Why SFTP performance sucks, and how to fix it
  - From: Nicolas Williams
- Re: Why SFTP performance sucks, and how to fix it
  - From: Joel N. Weber II

Prev by Date: Re: Why SFTP performance sucks, and how to fix it
Next by Date: Re: retrying keyex (was: Re: Why SFTP performance sucks, and how to fix it)
Previous by Thread: Re: Why SFTP performance sucks, and how to fix it
Next by Thread: Re: retrying keyex (was: Re: Why SFTP performance sucks, and how to fix it)
Indexes:

Home | Main Index | Thread Index | Old Index