[Jeffrey Hutzelman <jhutz%cmu.edu@localhost>: Re: Implementation support for SSH_MSG_UNIMPLEMENTED]

To: ietf-ssh%netbsd.org@localhost
Subject: [Jeffrey Hutzelman <jhutz%cmu.edu@localhost>: Re: Implementation support for SSH_MSG_UNIMPLEMENTED]
From: "Joel N. Weber II" <ietf-secsh%joelweber.com@localhost>
Date: Thu, 24 Jul 2003 15:33:51 -0400

[jhutz said I could forward this to the list.]
------- Start of forwarded message -------
Date: Thu, 24 Jul 2003 13:30:52 -0400
From: Jeffrey Hutzelman <jhutz%cmu.edu@localhost>
To: "Joel N. Weber II" <ietf-secsh%joelweber.com@localhost>
Subject: Re: Implementation support for SSH_MSG_UNIMPLEMENTED
Content-Disposition: inline

On Thursday, July 24, 2003 12:16:35 -0400 "Joel N. Weber II" 
<ietf-secsh%joelweber.com@localhost> wrote:

>> > Are there any implementations which do not respond with
>> > SSH_MSG_UNIMPLEMENTED to unknown packet types during the key exchange
>> > phase of the protocol?
>>
>> I don't, but that can be fixed if it becomes a critical requirement of
>> the protocol.  The reason I don't is that I always send the minimal
>> amount of info in error returns for any protocol I do
>> (SSH/SSL/CMP/TSP/RTCS/OCSP/etc), which has saved me from at least two
>> attacks on SSL and probably attacks on other protocols as well.  In
>> other words if the protocol requires a certain response in order to
>> function I'll do it, but if it's merely a nicety for debugging, I'll
>> send the most generic response I can get away with.
>
> The text of the protocol spec says that sending SSH_MSG_UNIMPLEMENTED
> is mandatory, if I recall correctly.  Not implementing this according
> to the spec makes interoperability harder when new features get added
> later.

It's actually fairly important to send SSH_MSG_UNIMPLEMENTED when you get a 
message you don't understand.  This is a critical extensibility mechanism 
- -- a peer may send you a message which requires a response, and adjust his 
behavior based on whether the response is SSH_MSG_UNIMPLEMENTED or some 
other message mandated by the extension he's following.  If you just send 
nothing, he can't distinguish your behavior from that of a peer which 
supports the extension but is starved for CPU cycles or whatever.
------- End of forwarded message -------

Prev by Date: Re: Publickey subsystem draft posted
Next by Date: Working group LAST CALL on draft-ietf-secsh-dh-group-exchange-04.txt
Previous by Thread: I-D ACTION:draft-ietf-secsh-dh-group-exchange-04.txt
Next by Thread: Re: [Jeffrey Hutzelman <jhutz%cmu.edu@localhost>: Re: Implementation support for SSH_MSG_UNIMPLEMENTED]
Indexes:

Home | Main Index | Thread Index | Old Index