RE: SSH v3?

To: denis bider <ietf-ssh3%denisbider.com@localhost>, Niels Möller <nisse%lysator.liu.se@localhost>, Damien Miller <djm%mindrot.org@localhost>, Simon Tatham <anakin%pobox.com@localhost>, Simon Josefsson <simon%josefsson.org@localhost>, "ietf-ssh%netbsd.org@localhost" <ietf-ssh%netbsd.org@localhost>
Subject: RE: SSH v3?
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Sat, 5 Dec 2015 23:37:17 +0000

denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>TCP is neither reliable, nor secure. Its weaknesses break SSH sessions beyond
>recovery. It's the single biggest weakness of SSH in practice.

TCP is good enough for most purposes.  SSH's initial purpose was to replace
telnet and FTP, which a TCP-based mechanism does admirably.  It's only when
SSH2 tried to also be a VPN that problems arose.  So for people using it for
its initial purpose, it's just fine.

Another problem with switching to UDP is that you now have to emulate TCP's
reliable transport using UDP.  Your SSH implementation needs to reinvent a lot
of TCP just to work, which is a lot of pain and complexity to deal with.  Not
to mention that every single new implementation gets to make all the mistakes
that have been bred out of TCP stacks over the last 20-30 years all over
again.

(I don't really have anything against an option to do SSH over UDP if people
want to, which means you've now got SSH trying to compete with both IPsec and
DTLS, but I don't want to see it made mandatory.  Approximately, oh, 100.0% of
my users use SSH as a secure telnet and FTP, not a VPN).

Peter.

References:
- Re: SSH v3?
  - From: denis bider

Prev by Date: RE: SSH v3?
Next by Date: RE: Feedback on draft-ssh-ext-info-00
Previous by Thread: Re: SSH v3?
Next by Thread: SSH v3?
Indexes:

Home | Main Index | Thread Index | Old Index