IETF-SSH archive


RE: SSH v3?



denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>TCP is neither reliable, nor secure. Its weaknesses break SSH sessions beyond
>recovery. It's the single biggest weakness of SSH in practice.

TCP is good enough for most purposes.  SSH's initial purpose was to replace
telnet and FTP, which a TCP-based mechanism does admirably.  It's only when
SSH2 tried to also be a VPN that problems arose.  So for people using it for
its initial purpose, it's just fine.

Another problem with switching to UDP is that you now have to emulate TCP's
reliable transport using UDP.  Your SSH implementation needs to reinvent a lot
of TCP just to work, which is a lot of pain and complexity to deal with.  Not
to mention that every single new implementation gets to make all the mistakes
that have been bred out of TCP stacks over the last 20-30 years all over
again.

(I don't really have anything against an option to do SSH over UDP if people
want to, which means you've now got SSH trying to compete with both IPsec and
DTLS, but I don't want to see it made mandatory.  Approximately, oh, 100.0% of
my users use SSH as a secure telnet and FTP, not a VPN).

Peter.
