IETF-SSH archive


Re: Binary packet protocol rethink



Simon Josefsson <simon%josefsson.org@localhost> writes:

>> IMO the AEAD primitive is the right metaphor for the security
>> properties of the SSH transport protocol. Removing the large
>> cartesian product of ciphers x MACs will make testing faster and
>> binaries smaller too.
>
> I agree.  I believe there is opportunity to deprecate all pre-AEAD
> modes, if there is interest in doing that.

I agree this makes a lot of sense. AEAD is exactly what the protocol
needs; it just wasn't well established at the time.

I'd like to see some discussion on how to do it within the SSH algorithm
negotiation, since it doesn't quite fit in the original design. Maybe we
can just do what OpenSSH does, I'm not sure?

I know that completely dropping support for "first_kex_packet_follows"
has been suggested. Maybe that's appropriate, but I'd strongly prefer if
we could keep that a separate issue, and for now just make sure that the
key exchange details stay sane and unambiguous when we add AEAD.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
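
An added sketch, not part of the message above and not OpenSSH's code, of the negotiation convention OpenSSH documents for its AEAD ciphers: the cipher is chosen by the usual RFC 4253 first-match rule, and if it is an AEAD cipher the MAC name-lists are ignored. The function names are hypothetical, and `reachable_suites` is included only to show the cipher x MAC product mentioned in the quoted text.

```python
# Added illustration (not OpenSSH source). Function names are hypothetical;
# the algorithm names are real, the name-lists in the test are constructed.
AEAD_CIPHERS = {
    "chacha20-poly1305@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
}

def pick(client, server):
    """RFC 4253 section 7.1: first client name the server also lists."""
    return next((name for name in client if name in server), None)

def negotiate_direction(c_enc, s_enc, c_mac, s_mac):
    """Return (cipher, mac) for one direction; mac is None for an AEAD cipher."""
    cipher = pick(c_enc, s_enc)
    if cipher is None:
        raise ValueError("no matching cipher")
    if cipher in AEAD_CIPHERS:
        # The cipher authenticates the packet itself, so the MAC name-lists
        # are ignored and need not overlap at all.
        return cipher, None
    mac = pick(c_mac, s_mac)
    if mac is None:
        raise ValueError("no matching MAC")
    return cipher, mac

def reachable_suites(enc, mac):
    """Every (cipher, mac) combination an implementation has to test."""
    suites = []
    for cipher in enc:
        if cipher in AEAD_CIPHERS:
            suites.append((cipher, None))
        else:
            suites.extend((cipher, m) for m in mac)
    return suites
```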


