On Sunday, October 19, 2003 01:56:28 +1300 Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost> wrote:
> Markus Friedl <markus%openbsd.org@localhost> writes:
>
>> On Sat, Oct 18, 2003 at 06:56:35PM +1300, Peter Gutmann wrote:
>>> Markus Friedl <markus%openbsd.org@localhost> writes:
>>>
>>>> i think this has been discussed before.
>>>
>>> Hmm, I think "debated without clear resolution" might be a better description, if you're referring to the debate from about two years ago. Specifically, the exact message/data flow was never totally resolved.
>>
>> Hm, AFAIK we agreed, that after sending KEXINIT you MUST NOT send messages of type > 49 (i.e. only transport layer messages are allowed) until you send NEWKEYS.
>
> I was under the impression that the debate had simply fizzled out. The specification certainly hasn't been clarified (it's remained unchanged since the -02 draft of late 1997), and that would be the definitive reference.

The document does seem a little murky in this area. Section 5.3 clearly states:

  Implementations MUST NOT accept any other messages after key exchange before receiving SSH_MSG_NEWKEYS.

But it's unclear whether we're talking about all key exchanges, or just _initial_ key exchange. However, section 7, discussing rekey, says:

  Re-exchange is processed identically to the initial key exchange, except for the session identifier that will remain unchanged. ... More application data may be sent after the SSH_MSG_NEWKEYS packet has been sent; key exchange does not affect the protocols that lie above the SSH transport layer.

That last sentence is _extremely_ ambiguous. It could be read to mean the behaviour which Markus described, in which application data (and, in fact, anything above the transport layer) is simply suspended until rekeying is complete. Or, it could be read to mean that application data continues to flow during the rekey. I think if I were a new SSH implementor, working in a vacuum, I'd read it to mean that higher-layer protocols are _not_ suspended. So if that's not what we mean, then maybe this needs to be clarified. Bleah.

-- Jeff
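
Added example, not part of the original message or of any SSH implementation: a minimal Python sketch of the "suspend higher layers during rekey" reading described in the thread, where messages of type > 49 are held back between KEXINIT and NEWKEYS. The class name, method names and the constructed message sequence are assumptions made for illustration.

```python
# Added illustration (not from the thread); class and method names are hypothetical.
from collections import deque

SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_CHANNEL_DATA = 94
TRANSPORT_MAX = 49  # cut-off quoted in the thread: types > 49 are above the transport layer

class RekeyGate:
    """Key-exchange state for one connection, tracked separately per direction."""

    def __init__(self):
        self.kex_sent = False      # we sent KEXINIT and have not yet sent NEWKEYS
        self.kex_received = False  # peer sent KEXINIT and has not yet sent NEWKEYS
        self.wire = []             # message types written to the wire, in order
        self.held = deque()        # higher-layer messages deferred during the exchange

    def send(self, msg_type):
        """Return True if the message went out now, False if it was deferred."""
        if self.kex_sent and msg_type > TRANSPORT_MAX:
            self.held.append(msg_type)
            return False
        self.wire.append(msg_type)
        if msg_type == SSH_MSG_KEXINIT:
            self.kex_sent = True
        elif msg_type == SSH_MSG_NEWKEYS:
            self.kex_sent = False
            while self.held:       # deferred data follows NEWKEYS, under the new keys
                self.wire.append(self.held.popleft())
        return True

    def receive(self, msg_type):
        """Raise if the peer sends a higher-layer message inside its own exchange."""
        if self.kex_received and msg_type > TRANSPORT_MAX:
            raise ValueError(f"type {msg_type} received between KEXINIT and NEWKEYS")
        if msg_type == SSH_MSG_KEXINIT:
            self.kex_received = True
        elif msg_type == SSH_MSG_NEWKEYS:
            self.kex_received = False

def demo():
    """Constructed rekey sequence; returns the order of messages on the wire."""
    g = RekeyGate()
    g.send(SSH_MSG_CHANNEL_DATA)
    g.send(SSH_MSG_KEXINIT)
    g.send(SSH_MSG_CHANNEL_DATA)     # deferred: we are mid-exchange
    g.receive(SSH_MSG_CHANNEL_DATA)  # accepted: peer had not sent its KEXINIT yet
    g.send(SSH_MSG_NEWKEYS)
    return g.wire                    # [94, 20, 21, 94]
```

The receive side keys on the peer's own KEXINIT rather than ours, because data the peer sent before seeing our KEXINIT can still be in flight when the exchange starts.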