IETF-SSH archive
Re: Terrapin
Niels Möller wrote:
> One subtlety if resetting sequence number to zero is that it risks
> breaking MSG_UNIMPLEMENTED (since seqno may get ambiguous in some cases,
> e.g., if for some reason there are multiple key exchanges only a few
> packets apart). So please keep this in mind.

I agree. That's why the proposed idea is to maintain two distinct
sequence counters. We could keep the originally specified sequence
number untouched for MSG_UNIMPLEMENTED and also for legacy algorithms
that are not secure anymore. A separate counter that is reset on
NEWKEYS could be used for the new algorithms. This way, we do not have
to rely on a single counter and mess with it in order to work around
Terrapin.

> I see some value in the original seqno that is continuously incremented
> throughout the connection, in that it makes it a little easier to think
> about correct packet order attacks regardless of the key exchange
> boundaries.

Yes, keeping the original sequence number as a unique packet identifier
looks like a good idea to me as well.
--
Alexandre
https://www.nongnu.org/libassh/
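
The two-counter idea discussed in this message, as an added example that is not part of the original post and is not libassh code. The names DirectionCounters, wire_seq and key_seq are hypothetical, and the message-type sequence is constructed; it models two key exchanges only a few packets apart.

```python
from collections import Counter
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF          # SSH sequence numbers are uint32 and wrap
SSH_MSG_NEWKEYS = 21         # RFC 4253 message number

@dataclass
class DirectionCounters:
    """One direction of an SSH transport (hypothetical model, not libassh code)."""
    wire_seq: int = 0  # original seqno: never reset, identifies packets for MSG_UNIMPLEMENTED
    key_seq: int = 0   # assumed second counter: reset on NEWKEYS, for the new algorithms

    def on_packet(self, msg_type: int) -> tuple:
        """Return the (wire_seq, key_seq) pair of this packet, then advance both."""
        assigned = (self.wire_seq, self.key_seq)
        self.wire_seq = (self.wire_seq + 1) & MASK32
        # NEWKEYS is still sent under the old keys; the packet after it starts at 0.
        if msg_type == SSH_MSG_NEWKEYS:
            self.key_seq = 0
        else:
            self.key_seq = (self.key_seq + 1) & MASK32
        return assigned

def trace(msg_types):
    """Assign counters to every packet of a constructed message-type sequence."""
    counters = DirectionCounters()
    return [counters.on_packet(m) for m in msg_types]

def ambiguous(values):
    """Values shared by more than one packet, i.e. useless as a packet identifier."""
    return sorted(v for v, n in Counter(values).items() if n > 1)

def first_after_newkeys(msg_types):
    """Counters of the first packet sent after the first NEWKEYS."""
    return trace(msg_types)[msg_types.index(SSH_MSG_NEWKEYS) + 1]

# Constructed sample: two key exchanges only a few packets apart (20=KEXINIT, 30=KEX init).
SAMPLE = [20, 30, 21, 5, 20, 30, 21, 90, 94]

if __name__ == "__main__":
    pairs = trace(SAMPLE)
    print("reset counter reused for:", ambiguous(k for _, k in pairs))
    print("original counter reused for:", ambiguous(w for w, _ in pairs))
    print("after NEWKEYS:", first_after_newkeys([20, 30, 21, 5]),
          first_after_newkeys([20, 4, 30, 21, 5]))
```

The reset counter repeats across the two key exchanges, so it cannot name a packet in MSG_UNIMPLEMENTED, while the original counter stays unique. The reset counter's value after NEWKEYS is the same whether three or four packets preceded it.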