Behnam Behzadi
2002-Oct-26 00:45 UTC
Different ciphers, MAC, compression for inbound and outbound .
Hi,

According to IETF draft draft-ietf-secsh-transport-14.txt, different ciphers (encryption), MAC and compression can be used for one direction, say server-to-client, and a completely different cipher, MAC and compression for the other direction, client-to-server, of the same connection.

Is this supported today in OpenSSH, and if not, are there plans to support it in any future releases of the code? If so, in which release is it planned?

Thanks
------
Behnam Behzadi
408-878-6551
http://www.riverstonenet.com
Damien Miller
2002-Oct-26 04:26 UTC
Different ciphers, MAC, compression for inbound and outbound .
On Sat, 2002-10-26 at 10:45, Behnam Behzadi wrote:
> Hi,
>
> According to IETF draft draft-ietf-secsh-transport-14.txt, different
> ciphers (encryption), MAC and compression can be used for one direction say
> server-to-client and a completely different cipher, MAC and compression for
> the other direction client-to-server of the same connection.
>
> Is this supported today in OpenSSH, and if not, are there plans to support
> it in any future releases of the code? If so, in which release is it
> planned?

This is supported at the protocol level, but there is no way to configure sshd to force different client->server and server->client ciphers.

Why do you want to do this?

-d
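Damien's point, that per-direction algorithm choice is a protocol feature rather than a configuration option, shown as an added example that is not code from the thread or from OpenSSH: the six direction-specific KEXINIT name-lists are each negotiated on their own with the rule of RFC 4253 section 7.1 (the published form of the draft cited above), so a server that restricts one direction's list ends up with different ciphers per direction, while a single Ciphers/MACs setting advertises the same list both ways. The proposal values and the helper names are constructed for the example.

```python
# Added example (not from the thread or OpenSSH): per-direction algorithm
# negotiation as RFC 4253 section 7.1 specifies it, one field at a time.
DIRECTIONAL_FIELDS = (
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
)


def negotiate(client_kexinit, server_kexinit):
    """For each direction-specific field, choose the first algorithm in the
    client's name-list that the server also lists. A field with no common
    algorithm raises ValueError, i.e. the key exchange would fail."""
    chosen = {}
    for field in DIRECTIONAL_FIELDS:
        client_list = client_kexinit[field].split(",")
        server_set = set(server_kexinit[field].split(","))
        match = next((alg for alg in client_list if alg in server_set), None)
        if match is None:
            raise ValueError(f"no common algorithm for {field}")
        chosen[field] = match
    return chosen


def symmetric_proposal(ciphers, macs, compression):
    """Build a KEXINIT the way a single Ciphers/MACs/Compression setting does:
    the same name-list is advertised for both directions, which is why no
    configuration knob can force the two directions apart."""
    return {
        "encryption_algorithms_client_to_server": ciphers,
        "encryption_algorithms_server_to_client": ciphers,
        "mac_algorithms_client_to_server": macs,
        "mac_algorithms_server_to_client": macs,
        "compression_algorithms_client_to_server": compression,
        "compression_algorithms_server_to_client": compression,
    }


# Constructed sample: a client with symmetric lists against a server that
# restricts its server-to-client cipher list to 3des-cbc only.
CLIENT = symmetric_proposal("aes128-cbc,3des-cbc", "hmac-sha1,hmac-md5", "none,zlib")
SERVER = dict(symmetric_proposal("3des-cbc,aes128-cbc", "hmac-sha1", "zlib,none"),
              encryption_algorithms_server_to_client="3des-cbc")

if __name__ == "__main__":
    for field, alg in negotiate(CLIENT, SERVER).items():
        print(f"{field}: {alg}")
```

Note that the client's preference order decides within each field, so the only lever a server has is to narrow one direction's list, which is the restriction Damien describes sshd not exposing.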
Behnam Behzadi
2002-Oct-28 18:43 UTC
Different ciphers, MAC, compression for inbound and outbound .
> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Friday, October 25, 2002 9:27 PM
> To: Behnam Behzadi
> Cc: openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
> Subject: Re: Different ciphers, MAC, compression for inbound and outbound .
>
> On Sat, 2002-10-26 at 10:45, Behnam Behzadi wrote:
> > Hi,
> >
> > According to IETF draft draft-ietf-secsh-transport-14.txt, different
> > ciphers (encryption), MAC and compression can be used for one direction say
> > server-to-client and a completely different cipher, MAC and compression for
> > the other direction client-to-server of the same connection.
> >
> > Is this supported today in OpenSSH, and if not, are there plans to support
> > it in any future releases of the code? If so, in which release is it
> > planned?
>
> This is supported at the protocol level, but there is no way to
> configure sshd to force different client->server and server->client
> ciphers.
>
> Why do you want to do this?
>
> -d

Hi Damien,

This question is not coming from actual users. This was raised from Marketing to Engineering to research the possibilities if some future customer makes it a requirement.

Thanks for your response.
------
Behnam Behzadi
408-878-6551
http://www.riverstonenet.com
Lacoss-Arnold, Jason
2002-Oct-29 13:01 UTC
Different ciphers, MAC, compression for inbound and outbound .
I could see an organization choosing to only encrypt client to server communications if the only sensitive data they were concerned about is passwords. This would lower resource utilization, esp. if the clients usually consume data instead of send it.

-----Original Message-----
From: Markus Friedl [mailto:markus at openbsd.org]
Sent: Tuesday, October 29, 2002 4:25 AM
To: Behnam Behzadi
Cc: Damien Miller; openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
Subject: Re: Different ciphers, MAC, compression for inbound and outbound .

On Mon, Oct 28, 2002 at 10:43:52AM -0800, Behnam Behzadi wrote:
> This question is not coming from actual users. This was raised from the
> Marketing to Engineering to research the possibilities if some future
> customer makes it a requirement.

it's possible, it's simple to implement, but i don't see a reason for this.
it might be very confusing for users.
Behnam Behzadi
2002-Oct-29 17:57 UTC
Different ciphers, MAC, compression for inbound and outbound .
Hi Jason,

This is the only valid argument I have heard on this issue. But then again, one would assume that the server side data protected by that very password would be considered just as protection-worthy. Otherwise, why would they ask for a password to begin with?

Thanks for your reply.
------
Behnam Behzadi
408-878-6551
http://www.riverstonenet.com

-----Original Message-----
From: Lacoss-Arnold, Jason [mailto:Jason.Lacoss-Arnold at agedwards.com]
Sent: Tuesday, October 29, 2002 5:02 AM
To: Behnam Behzadi
Cc: openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
Subject: RE: Different ciphers, MAC, compression for inbound and outbound .

I could see an organization choosing to only encrypt client to server communications if the only sensitive data they were concerned about is passwords. This would lower resource utilization, esp. if the clients usually consume data instead of send it.

-----Original Message-----
From: Markus Friedl [mailto:markus at openbsd.org]
Sent: Tuesday, October 29, 2002 4:25 AM
To: Behnam Behzadi
Cc: Damien Miller; openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
Subject: Re: Different ciphers, MAC, compression for inbound and outbound .

On Mon, Oct 28, 2002 at 10:43:52AM -0800, Behnam Behzadi wrote:
> This question is not coming from actual users. This was raised from the
> Marketing to Engineering to research the possibilities if some future
> customer makes it a requirement.

it's possible, it's simple to implement, but i don't see a reason for this.
it might be very confusing for users.