IETF-SSH archive
Re: Some questions about "SSH Transport Layer Encryption Modes"
On Sat, Oct 18, 2003 at 06:23:25PM -0400, Jeffrey Hutzelman wrote:
> More application data may be sent after the SSH_MSG_NEWKEYS packet
> has been sent; key exchange does not affect the protocols that lie
> above the SSH transport layer.
>
> That last sentence is _extremely_ ambiguous. It could be read to mean the
> behaviour which Markus described, in which application data (and, in fact,
> anything above the transport layer) is simply suspended until rekeying is
> complete. Or, it could be read to mean that application data continues to
> flow during the rekey. I think if I were a new SSH implementor, working in
> a vacuum, I'd read it to mean that higher-layer protocols are _not_
> suspended. So if that's not what we mean, then maybe this needs to be
> clarified. Bleah.

But that could result in the higher layer using the
old keying material forever.
I wrote earlier:
> Date: Wed, 4 Apr 2001 12:00:54 +0200
> From: Markus Friedl <Markus.Friedl%informatik.uni-erlangen.de@localhost>
> To: ietf-ssh%netbsd.org@localhost
> Cc: Mats Andersson <mats%mindbright.se@localhost>
> Subject: Re: Key Re-Exchange
> Message-ID: <20010404120054.B28718%faui02.informatik.uni-erlangen.de@localhost>
> References: <Pine.BSO.4.21.0104041024530.30096-100000%mindterm.appgate.com@localhost> <Pine.BSO.4.21.0104041138300.30096-100000%mindterm.appgate.com@localhost>
> In-Reply-To: <Pine.BSO.4.21.0104041138300.30096-100000%mindterm.appgate.com@localhost>; from mats%mindbright.se@localhost on Wed, Apr 04, 2001 at 11:55:40AM +0200
>
>
> I think that the draft should point out that a sender MUST NOT send
> non-KEX messages after he _sent_ a KEXINIT message. He has to delay all
> non-KEX messages until he has sent the NEWKEYS message.
>
I remember a mail from Tatu about this issue, but I
cannot find this right now...
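The sender-side rule quoted above, as an added example that is not part of this thread: a small model of one side's outgoing queue during key re-exchange. With `gate=True` it holds every non-KEX message from the moment KEXINIT is sent until NEWKEYS has gone out; with `gate=False` it shows the failure mode Markus points at, higher-layer data still leaving under the old keys. The message numbers are the standard SSH transport/connection values (KEXINIT 20, NEWKEYS 21, KEXDH_INIT 30, CHANNEL_DATA 94); the `Sender` class and its trace are constructed for this illustration only.

```python
from collections import deque

# Standard SSH message numbers (transport layer and connection protocol).
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_INIT = 30
SSH_MSG_CHANNEL_DATA = 94


def is_kex_message(msg_type):
    # 20..29 algorithm negotiation, 30..49 key-exchange-method specific
    return 20 <= msg_type <= 49


class Sender:
    """Constructed model of one side's outgoing queue during re-exchange.

    gate=True : after KEXINIT is sent, non-KEX messages wait until NEWKEYS
                has been sent (the rule from the quoted 2001 mail).
    gate=False: higher-layer messages keep flowing under the old keys.
    """

    def __init__(self, gate=True):
        self.gate = gate
        self.in_kex = False
        self.key_generation = 0        # 0 = keys from the initial exchange
        self.pending = deque()         # non-KEX messages deferred during KEX
        self.wire = []                 # (msg_type, key generation it was sent under)

    def _emit(self, msg_type):
        self.wire.append((msg_type, self.key_generation))

    def send(self, msg_type):
        if self.gate and self.in_kex and not is_kex_message(msg_type):
            self.pending.append(msg_type)  # held back until NEWKEYS goes out
            return False
        self._emit(msg_type)               # NEWKEYS itself still uses the old keys
        if msg_type == SSH_MSG_KEXINIT:
            self.in_kex = True
        elif msg_type == SSH_MSG_NEWKEYS:
            self.key_generation += 1       # everything after NEWKEYS uses new keys
            self.in_kex = False
            while self.pending:
                self._emit(self.pending.popleft())
        return True


def rekey_trace(gate):
    """App data, KEXINIT, app data arriving mid-exchange, KEXDH_INIT, NEWKEYS."""
    s = Sender(gate)
    for m in (SSH_MSG_CHANNEL_DATA, SSH_MSG_KEXINIT, SSH_MSG_CHANNEL_DATA,
              SSH_MSG_KEXDH_INIT, SSH_MSG_NEWKEYS):
        s.send(m)
    return s.wire
```

In the gated trace the second CHANNEL_DATA leaves after NEWKEYS under key generation 1; in the ungated trace it leaves between KEXINIT and KEXDH_INIT under generation 0.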