Re: Key Re-Exchange

To: ietf-ssh%netbsd.org@localhost
Subject: Re: Key Re-Exchange
From: Simon Tatham <anakin%pobox.com@localhost>
Date: Wed, 04 Apr 2001 10:46:17 +0100

Markus Friedl  <markus.friedl%informatik.uni-erlangen.de@localhost> wrote:
> the problem here is that i cannot tell whether my KEXINIT message
> did already arrive at the peer or whether the peer just ignores the
> KEXINIT message and just keeps sending applications messages.

Well, if _you_ stop sending application messages after sending your
own KEXINIT, then the peer can only ignore it for a limited time,
because you won't be sending WINDOW_ADJUST messages. So any data the
peer is still trying to transmit to you will eventually dry up as
the windows all go down to zero, and then the peer will _have_ to
pay attention to KEXINIT because it's the only thing left it can
usefully do.

It seems to me that should be sufficient.

 - Send KEXINIT.
 - Process incoming non-KEXINIT messages. If any of them require
   replies, such as WINDOW_ADJUST, queue the reply messages
   unencrypted to be sent after the re-exchange.
 - When the peer sends KEXINIT, do the key exchange.
 - After you send NEWKEYS, encrypt and send your reply messages.

Does that make sense? Have I missed something? 

Cheers,
Simon
-- 
Simon Tatham         "I'm going to pull his head off. Ear by ear."
<anakin%pobox.com@localhost>                          - a games teacher

References:
- Key Re-Exchange
  - From: Markus Friedl

Prev by Date: Re: Key Re-Exchange
Next by Date: Re: Key Re-Exchange
Previous by Thread: Re: Key Re-Exchange
Next by Thread: Re: Key Re-Exchange
Indexes:

Home | Main Index | Thread Index | Old Index