Re: [Isms] wg last call followup - sshtm

To: Jeffrey Hutzelman <jhutz at cmu.edu>
Subject: Re: [Isms] wg last call followup - sshtm
From: Wes Hardaker <wjhns1 at hardakers.net>
Date: Mon, 02 Mar 2009 11:48:28 -0800
Cc: isms at ietf.org
Delivered-to: isms at core3.amsl.com
In-reply-to: <EEDA75400ECB6B177C6C7E6D at minbar.fac.cs.cmu.edu> (Jeffrey Hutzelman's message of "Mon, 02 Mar 2009 13:25:30 -0500")
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Organization: Sparta
References: <20090226075301.GA29686 at elstar.iuhb02.iu-bremen.de> <200902282050.n1SKoiNK028275 at grapenut.srv.cs.cmu.edu> <80DC81EC28A8208000C75503 at atlantis.pc.cs.cmu.edu> <0fca01c99a75$ca30d9a0$0600a8c0 at china.huawei.com> <0EC6E6F12C9FCFFF421435BB at atlantis.pc.cs.cmu.edu> <0fdb01c99a7e$3d217750$0600a8c0 at china.huawei.com> <003e01c99aa8$f70bd1e0$0601a8c0 at allison> <200903020217.n222HDpd017530 at grapenut.srv.cs.cmu.edu> <EEDA75400ECB6B177C6C7E6D at minbar.fac.cs.cmu.edu>
User-agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.21 (linux, no MULE)

>>>>> On Mon, 02 Mar 2009 13:25:30 -0500, Jeffrey Hutzelman <jhutz at cmu.edu> said:

This is the important part that everyone needs to understand.  I'm sort
of confused why we're rehashing stuff that was long ago discussed and
even agreed upon (I thought by a fairly big majority of the people!).

JH> ... the response will come back _over the same ssh session_.  Period.
JH> We don't get a response back from a particular IP address or hostname
JH> or user.  We get a response back over the channel _we_ opened.  This
JH> is exactly what tmSameSecurity is fore.

Stream based transports like SSH or even DTLS (which is defining a
cryptographic stream, even if it's not a packet based stream like a TCP
stream) performs things in an order:

  1) start up the stream, sharing and negotiating information like
     certificates, names, passwords, options, etc.

     Alice <----  ----> Bob

     The result of this negotiation is almost always some sort of "handle"
     and in most implementations is a file-descriptor socket at the heart
     of it all (IE, an integer number identifying the stream to the
     kernel/what-have-you).

  2) Send traffic through the stream.  It's important to note that pretty
     much every protocol *does not send the user name /etc again*.  It'd
     be highly redundant to keep sending messages saying "oh, and this is
     from Bob again".  The stream user on one side is expected to know
     that already (regardless of whether they initiated or accepted the
     connection).

  3) close the connection upon request


For the SSHTM we just recently added wording (I thought; I have yet to
check the new draft) that basically says that the tmSecurityName needs
to be cached/consistent during the life of a session.  That way when
Alice sends a first message with a securityName of "alice" but that says
"open bob at foo.com" where bob@ is the SshTransportAddress convention,
alice's stack remembers that "alice" is the security name for the
lifetime of the session on our end.  When it gets *any* messages from
the other side, it passes up "alice" as the tmSecurityName in the
upward-bound traveling tmStateReference.


If alice didn't want it this way and actually wanted "bob" to be
securityName, she would have set the initial tmStateRerence's
tmSecurityName correctly.  It'd be *her* fault for not tying them
together.

-- 
Wes Hardaker
Sparta, Inc.

Follow-Ups:
- Re: [Isms] wg last call followup - sshtm
  - From: tom.petch

References:
- [Isms] wg last call followup
  - From: Juergen Schoenwaelder
- Re: [Isms] wg last call followup - sshtm
  - From: Jeffrey Hutzelman
- Re: [Isms] wg last call followup - sshtm
  - From: David Harrington
- Re: [Isms] wg last call followup - sshtm
  - From: Jeffrey Hutzelman
- Re: [Isms] wg last call followup - sshtm
  - From: David Harrington
- Re: [Isms] wg last call followup - sshtm
  - From: tom.petch
- Re: [Isms] wg last call followup - sshtm
  - From: Jeffrey Hutzelman

Prev by Date: Re: [Isms] wg last call followup - sshtm
Next by Date: Re: [Isms] wg last call followup - sshtm
Previous by thread: Re: [Isms] wg last call followup - sshtm
Next by thread: Re: [Isms] wg last call followup - sshtm
Index(es):
- Date
- Thread

Re: [Isms] wg last call followup - sshtm

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.