IETF-SSH archive


Re: Albrecht/Paterson/Watson's attack



Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

> Vastly different internal architecture.  My code sends packets by
> encrypting them and appending to an output queue.

If you do it similarly to what I do, you'd need to add a (short) queue
of unencrypted packets before the output buffer. I think that's more
sane than a "crypto rollback".

> I might be able to add something like your `push' flag, but it's not
> clear to me when I should set it.  It sounds to me as though your
> paradigm will insert IGNOREs at certain points in the output stream
> even if the connection _isn't_ going idle - correct?

I might add some unnecessary ignores, but the intention is not to never
add them if output queue already is larger than a tcp segment.

I think the push flag will be set for most messages, except when you
know that additional messages will be generated shortly. E.g., when
reading data for a tcp forward, if you check with FIONREAD that there's
more data coming (and there's more window space), you can pass a false
push flag for the corresponding SSH_MSG_CHANNEL_DATA message.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
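As an added illustration of the queueing scheme Niels describes above (this is not code from lsh or from either correspondent), the sketch below keeps a short queue of unencrypted packets in front of the ciphertext output buffer, takes a push flag per message, and on a push appends an SSH_MSG_IGNORE unless the queued output is already larger than a TCP segment. The packet framing follows RFC 4253 section 6; the block size, MAC length and segment size are assumed constants, the "seal" step is a labelled placeholder standing in for the real encrypt-and-MAC, and bytes_readable() is an assumed helper showing the FIONREAD check mentioned for the TCP-forwarding case.

```python
import array
import fcntl
import os
import struct
import termios
from typing import Callable, List

SSH_MSG_IGNORE = 2          # RFC 4253 message number
SSH_MSG_CHANNEL_DATA = 94   # RFC 4254 message number
BLOCK = 16                  # assumed cipher block size (e.g. AES in CBC mode)
MAC_LEN = 20                # assumed MAC length (e.g. hmac-sha1)
TCP_SEGMENT = 1460          # assumed typical TCP segment payload size


def build_packet(payload: bytes) -> bytes:
    """Frame a payload as an SSH binary packet (RFC 4253 s.6):
    uint32 packet_length, byte padding_length, payload, random padding.
    Padding is at least 4 bytes and the whole packet is a multiple of BLOCK."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:
        pad += BLOCK
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)


def ignore_packet(n: int = 4) -> bytes:
    """SSH_MSG_IGNORE carrying an n-byte string (uint32 length + data)."""
    return build_packet(bytes([SSH_MSG_IGNORE]) + struct.pack(">I", n) + os.urandom(n))


def channel_data(recipient: int, data: bytes) -> bytes:
    """Payload of an SSH_MSG_CHANNEL_DATA message for the given recipient channel."""
    return bytes([SSH_MSG_CHANNEL_DATA]) + struct.pack(">II", recipient, len(data)) + data


def placeholder_seal(packet: bytes) -> bytes:
    """Placeholder only: a real implementation runs the CBC cipher here and
    appends the MAC. This just tacks on MAC_LEN zero bytes so lengths line up."""
    return packet + b"\x00" * MAC_LEN


def bytes_readable(fd: int) -> int:
    """Assumed helper: FIONREAD, the number of bytes readable from fd right now.
    A forwarder can pass push=False while this is non-zero (and window remains)."""
    buf = array.array("i", [0])
    fcntl.ioctl(fd, termios.FIONREAD, buf, True)
    return buf[0]


class OutputQueue:
    """Unencrypted packets wait in `pending`; a push seals them into `wire`."""

    def __init__(self, seal: Callable[[bytes], bytes] = placeholder_seal) -> None:
        self.seal = seal
        self.pending: List[bytes] = []   # not yet committed to the wire
        self.wire = bytearray()          # ciphertext ready for write(2)
        self.ignores_added = 0

    def pending_bytes(self) -> int:
        return sum(len(p) for p in self.pending)

    def queue(self, payload: bytes, push: bool = True) -> int:
        """Queue one message; with push set, seal the queue and return bytes emitted."""
        self.pending.append(build_packet(payload))
        return self.flush() if push else 0

    def flush(self) -> int:
        """Seal everything pending. Following the rule in the message, an
        SSH_MSG_IGNORE is appended unless the queue already exceeds a TCP segment."""
        if not self.pending:
            return 0
        if self.pending_bytes() <= TCP_SEGMENT:
            self.pending.append(ignore_packet())
            self.ignores_added += 1
        emitted = 0
        for pkt in self.pending:
            sealed = self.seal(pkt)
            self.wire += sealed
            emitted += len(sealed)
        self.pending.clear()
        return emitted


def forward_chunks(q: OutputQueue, recipient: int, chunks: List[bytes]) -> int:
    """Model of the TCP-forward case: push only on the last chunk, i.e. when the
    FIONREAD-style check says nothing more is waiting. Returns bytes emitted."""
    total = 0
    for i, chunk in enumerate(chunks):
        more_coming = i < len(chunks) - 1
        total += q.queue(channel_data(recipient, chunk), push=not more_coming)
    return total


if __name__ == "__main__":
    q = OutputQueue()
    print(forward_chunks(q, 0, [b"0123456789"] * 3), "bytes on the wire,",
          q.ignores_added, "ignore packet(s) added")
```

With the assumed constants, three 10-byte chunks become three 32-byte packets plus one 32-byte ignore, each followed by the placeholder MAC, and only one ignore is inserted because the first two chunks are queued with push cleared. A 2000-byte payload already exceeds the segment size on its own, so its flush adds no ignore at all.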


