IETF-SSH archive


Re: [Fwd: [Russ Housley] DISCUSS: draft-ietf-secsh-newmodes-05]
On Mon, 2005-08-29 at 14:15, Jeffrey Hutzelman wrote:
> Russ's comment notwithstanding, I don't think we actually need any of the 
> modes described in newmodes to be REQUIRED.  It's one thing to say "if you 
> support ssh then you MUST support 3des-cbc".  It's quite another to say "if 
> you support 3des-ctr then you MUST also support aes128-ctr" or vice versa. 
> The former ensures that ssh implementations will be interoperable; the 
> latter does not appear to me to add any value.

<wg chair hat off>

The motivation for the counter-mode ciphers in newmodes is to avoid the
known, but generally considered minor, security hole from the use of CBC
with known IV values.

I'd expect that users concerned with this attack will therefore want to
move to a world where it is possible to disable CBC-mode ciphers.

I think that, alone, justifies making one or more of the ciphers
REQUIRED, to avoid a situation where two implementations would be
required to fall back to 3des-cbc because neither implements the same
counter-mode cipher.
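The "CBC with known IV values" weakness the message refers to, shown as an added toy model that is not part of this thread. It assumes the SSH transport behaviour of carrying the last ciphertext block of one packet over as the IV of the next (so the IV is visible on the wire), and uses a constructed, insecure 4-round Feistel block cipher, a constructed key and two constructed packet blocks in place of a real cipher and real traffic. The point for a defender is visible in the two sessions: with a predictable IV, anyone who can get a single chosen block encrypted learns whether a guess at an earlier plaintext block was right, while counter mode applies a fresh keystream block each time, so the same trick yields nothing.

```python
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 16-byte Feistel cipher (4 rounds, SHA-256 round function).
    A stand-in for AES/3DES in this demo only: invertible, NOT secure."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt (unwinds the Feistel rounds)."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + left).digest()[:8]
        left, right = xor(right, f), left
    return left + right


class ChainedCbcSession:
    """CBC in which each packet's IV is the last ciphertext block of the
    previous packet (assumed SSH-transport behaviour). Because that block
    has already gone over the wire, the next IV is known to an observer."""

    def __init__(self, key: bytes, iv: bytes):
        self.key = key
        self.chain = iv  # the IV the next block will be chained with

    def encrypt(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0
        out = b""
        for i in range(0, len(plaintext), BLOCK):
            self.chain = toy_block_encrypt(self.key, xor(plaintext[i:i + BLOCK], self.chain))
            out += self.chain
        return out


class CtrSession:
    """Counter mode: keystream block = E_k(nonce || counter); the counter
    only ever moves forward, so no keystream block is reused."""

    def __init__(self, key: bytes, nonce: bytes):
        self.key = key
        self.nonce = nonce  # 12-byte nonce, constructed for the demo
        self.counter = 0

    def encrypt(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0
        out = b""
        for i in range(0, len(plaintext), BLOCK):
            keystream = toy_block_encrypt(self.key, self.nonce + self.counter.to_bytes(4, "big"))
            self.counter += 1
            out += xor(plaintext[i:i + BLOCK], keystream)
        return out


def cbc_guess_oracle(session: ChainedCbcSession, prev_block: bytes,
                     target_block: bytes, guess: bytes) -> bool:
    """The known-IV weakness, from the defender's side: an observer who can
    submit one chosen block and already knows the upcoming IV (session.chain)
    crafts guess ^ prev_block ^ IV. The cipher then sees guess ^ prev_block,
    exactly what it saw when the real plaintext block was encrypted, so the
    output equals target_block if and only if the guess was right."""
    crafted = xor(xor(guess, prev_block), session.chain)
    return session.encrypt(crafted) == target_block


def demonstrate() -> dict:
    """Runs the oracle against chained CBC and the same attempt against CTR."""
    key = b"k" * 16                      # constructed demo key
    p0 = b"ssh-userauth    "             # constructed 16-byte packet blocks
    p1 = b"password:hunter2"
    wrong = b"password:letmein"

    cbc = ChainedCbcSession(key, iv=b"\x00" * 16)
    ct = cbc.encrypt(p0 + p1)
    c0, c1 = ct[:BLOCK], ct[BLOCK:]      # both blocks are on the wire

    ctr = CtrSession(key, nonce=b"n" * 12)
    ctr_target = ctr.encrypt(p0 + p1)[BLOCK:]

    return {
        "cbc_correct_guess": cbc_guess_oracle(cbc, c0, c1, p1),     # True: guess confirmed
        "cbc_wrong_guess": cbc_guess_oracle(cbc, c0, c1, wrong),    # False: guess rejected
        # CTR: the correct plaintext encrypts under a fresh keystream block,
        # so its ciphertext never matches the earlier one; nothing is learned.
        "ctr_correct_guess": ctr.encrypt(p1) == ctr_target,
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

The CBC oracle succeeds only because the IV was predictable; a per-packet random IV, or counter mode as proposed in newmodes, removes the attacker's ability to line up the block-cipher input with an earlier one, which is the property the thread's REQUIRED-cipher argument is about.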