On Tue, 19 Feb 2002, Kevin Steves wrote:
[snip]
> i'm glad we got to the details rather than broad handwaving. protocol 1
> does have weaknesses, however it is not horribly broken as you say, and
> its support in OpenSSH has hastened the migration to protocol 2 by
> permitting people to better manage large migration efforts.

For migration, fallback is a good thing, however at this point in the game, people should probably have migrated already - not that I believe they have, mind you...

> :If you don't *have* to support v1 clients, there's _no_ reason to support
> :the v1 protocol
>
> yes, agreed :)

Ok, so the cure is fine, you're just in disagreement with the text of the diagnosis?

> :and given the weaknesses in implementations the argument
> :for not supporting it is compelling.
>
> are you referring to the deattack buffer overflow? implementation
> vulnerabilities are addressed by keeping your software patched.

It's my understanding that deattack isn't an overflow, it's a known-plaintext based data insertion attack. The "fix" is to detect the attack - the 2000 overflow advisory (CORE-20010207) said it thusly:

"The problem was not fixable without breaking the protocol 1.5 semantics and thus a patch was devised that would detect an attack that exploited the vulnerability found."

The overflow is fixable by patching the detector code; the deattack itself is fixable by changing protocols.

Surely the lack of a strong MAC is worth calling the protocol broken if the "fix" is to detect the attack rather than mitigate it? (I'm also not certain that connection rate limiting as a fix for session key recovery isn't indicative of a protocol issue as well.)

If folks can patch for a broken deattack, surely they can upgrade to v2?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
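The "no strong MAC" point above rests on a property anyone can check: a CRC-32 is an unkeyed, affine function over GF(2), so the relation between the checksums of two messages depends only on their difference, whereas a keyed HMAC has no such relation. The Python below is an added illustration and not code from this thread; the key and messages are constructed for the demo.

```python
import hashlib
import hmac
import zlib


def crc32(data: bytes) -> int:
    """Unsigned CRC-32 as used by zlib (init 0xFFFFFFFF, final XOR)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """For equal-length a, b:  crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0).

    The constant term crc(0...0) depends only on the length, not on any
    secret, so a CRC cannot serve as a message authentication code: the
    checksum of a modified message is determined by the original checksum
    and the difference alone. This linearity is what SSH protocol 1's
    'deattack' detector has to watch for instead of preventing.
    """
    zeros = bytes(len(a))
    return crc32(xor_bytes(a, b)) == crc32(a) ^ crc32(b) ^ crc32(zeros)


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, the kind of keyed MAC protocol 2 transports use."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_is_affine(key: bytes, a: bytes, b: bytes) -> bool:
    """Same identity tested against a keyed MAC; it does not hold, so a
    party without the key learns nothing useful from existing tags."""
    zeros = bytes(len(a))
    lhs = hmac_tag(key, xor_bytes(a, b))
    rhs = xor_bytes(xor_bytes(hmac_tag(key, a), hmac_tag(key, b)),
                    hmac_tag(key, zeros))
    return lhs == rhs


# Constructed sample data (hypothetical, not from the thread).
DEMO_KEY = b"constructed-demo-key-not-secret"
MSG_A = b"exec /bin/true ; echo done\n"
MSG_B = b"exec /bin/ls   ; echo ok  \n"

if __name__ == "__main__":
    print("CRC-32 affine:", crc_is_affine(MSG_A, MSG_B))          # True
    print("HMAC affine:  ", hmac_is_affine(DEMO_KEY, MSG_A, MSG_B))  # False
```

Because the CRC identity holds for every pair of equal-length messages, any integrity scheme built on it must fall back on detecting suspicious traffic, which is exactly the position the advisory quoted above describes.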
_______________________________________________ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
