IETF-SSH archive


RE: applying AES-GCM to secure shell: proposed "tweak"



It doesn't need to be ignored, but the order does matter.  AEAD-* algorithms must appear first in the order list.  And AEAD-* algos must match cipher and MAC in order as well.  It's easy to detect if there is a mismatch between cipher and hmac.

-----Original Message-----
From: ietf-ssh-owner%NetBSD.org@localhost [mailto:ietf-ssh-owner%NetBSD.org@localhost] On Behalf Of Nicolas Williams
Sent: Wednesday, April 15, 2009 8:36 AM
To: der Mouse
Cc: ietf-ssh%NetBSD.org@localhost
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"

On Wed, Apr 15, 2009 at 06:10:50AM -0400, der Mouse wrote:
> >    Maybe it's easier to say that if an AEAD-algorithm is chosen for
> >    encryption, the lists of mac algorithms (for that direction) are
> >    ignored).
> 
> That would be a rather unpleasant violation of the existing definition.
> I'd much rather just re-kex if using a none MAC is that important.

AEAD cipher modes clearly combine the MAC into the cipher.  That
means that the MAC can no longer be negotiated separately from the
cipher.

Therefore I believe Niels is correct: when an AEAD cipher is selected
then the MAC negotiation MUST be ignored.
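
The two positions in this exchange, as an added example that is not code from either poster or from any SSH implementation: it models the RFC 4253 section 7.1 rule (the first name on the client's list that the server also lists wins), applies Nicolas Williams's rule that a negotiated AEAD cipher makes the MAC negotiation moot, and implements the list-layout convention from the reply (AEAD names first, in the same order in the cipher and MAC lists) together with the cipher/MAC mismatch it says is easy to detect. The AEAD algorithm names are the RFC 5647 ones (AEAD_AES_128_GCM, AEAD_AES_256_GCM); the prefix test, the function names and the sample name-lists are this example's own assumptions.

```python
# Added example for the IETF-SSH thread above; not code from the thread or from
# any SSH implementation.  Algorithm names follow RFC 4253 and RFC 5647; the
# policy helpers and the sample name-lists below are this example's assumptions.

AEAD_PREFIX = "AEAD_"  # assumption: AEAD algorithms are recognisable by this prefix


def negotiate(client_list, server_list):
    """RFC 4253 7.1: the chosen algorithm is the first name on the client's
    name-list that also appears on the server's name-list, or None."""
    server = set(server_list)
    for name in client_list:
        if name in server:
            return name
    return None


def is_aead(name):
    return name is not None and name.startswith(AEAD_PREFIX)


def negotiate_direction(client_ciphers, server_ciphers, client_macs, server_macs):
    """Negotiate one direction (e.g. client-to-server) and apply the AEAD rule.

    Returns (cipher, effective_mac, problem).  When an AEAD cipher wins, the
    cipher supplies its own authentication tag, so the MAC negotiation is
    ignored and the effective MAC is the cipher itself.  'problem' reports the
    mismatch the reply says is easy to detect: an AEAD name won the MAC
    negotiation but does not match the cipher (or the cipher is conventional).
    """
    cipher = negotiate(client_ciphers, server_ciphers)
    mac = negotiate(client_macs, server_macs)
    if cipher is None or mac is None:
        return cipher, mac, "no common algorithm"
    if is_aead(cipher):
        if is_aead(mac) and mac != cipher:
            return cipher, cipher, f"AEAD mismatch: cipher {cipher} vs mac {mac}"
        return cipher, cipher, None  # MAC list ignored; tag comes from the cipher
    if is_aead(mac):
        return cipher, mac, f"AEAD mismatch: mac {mac} chosen with non-AEAD cipher {cipher}"
    return cipher, mac, None


def check_list_layout(ciphers, macs):
    """The reply's proposed convention: AEAD names come first in each list,
    and the AEAD names in the cipher list and the MAC list are the same, in
    the same order.  Returns a list of violations (empty when acceptable)."""
    problems = []
    for label, lst in (("cipher", ciphers), ("mac", macs)):
        aead = [n for n in lst if is_aead(n)]
        if lst[:len(aead)] != aead:
            problems.append(f"{label} list: AEAD names are not all at the front")
    if [n for n in ciphers if is_aead(n)] != [n for n in macs if is_aead(n)]:
        problems.append("AEAD names differ between cipher and mac lists")
    return problems


if __name__ == "__main__":
    # Constructed sample KEXINIT name-lists (not from the thread).
    client_ciphers = ["AEAD_AES_128_GCM", "aes128-ctr"]
    client_macs = ["AEAD_AES_128_GCM", "hmac-sha2-256"]
    print("layout:", check_list_layout(client_ciphers, client_macs) or "ok")

    # Server that supports AES-GCM: MAC negotiation is ignored, tag from cipher.
    print(negotiate_direction(client_ciphers, ["AEAD_AES_128_GCM", "aes128-ctr"],
                              client_macs, ["AEAD_AES_128_GCM", "hmac-sha2-256"]))

    # Server without AES-GCM as a cipher but listing it as a MAC: mismatch detected.
    print(negotiate_direction(client_ciphers, ["aes128-ctr"],
                              client_macs, ["AEAD_AES_128_GCM", "hmac-sha2-256"]))
```

Run as a script it prints the layout check and the two negotiation outcomes; the second negotiation shows the case the reply has in mind, where a conventional cipher wins but an AEAD name wins the MAC list, which a conforming peer should refuse rather than silently combine.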
