Created attachment 2163
The SCTP support patch for the current CVS version

This patch adds SCTP support for OpenSSH on systems with SCTP capabilities, with the following features:
- SCTP support can be configured with --with-sctp, but is disabled by default
- use SCTP for SSH connections instead of TCP
- SCTP's multi-homing is activated for all available addresses by default, if SCTP is used
- the sshd can be configured to listen with TCP, SCTP, or both with the "Transport" keyword for sshd_config
- the sshd listens on single addresses given with each "ListenAddress" and on multiple addresses, multi-homed, given with each "ListenMultipleAddresses" (with SCTP)
- the ssh client can use SCTP to connect to a server with the -z cmd parameter or the "Transport" keyword for ssh_config
- updated man pages
- the patch is prepared to add multi-streaming support for SSH channels later
On FreeBSD: with this patch I can't connect with SCTP to a v6-only host. v4 is OK, but v6 addresses are not used in the connection (in `netstat -p sctp` there is only sctp4 on the connection, but sctp46 in the listener).
Works on Linux via IPv6 (`ssh -z6 ::1`). The patch applies with minimal fuzz on the 6.1p1 and the 6.1p1-2 (Debian patched) version. Contrary to the description, I didn't find man page updates in the patch -- were they maybe just missed out?
No problems with ::1, but any of

/usr/local/bin/ssh -z6 fe80::ea40:f2ff:fe3e:a9f3
/usr/local/bin/ssh -z6 2001:5c0:1000:5000::1

does not work.
I get the same behavior here on Linux:

ssh -z6 fe80::216:d3ff:fece:598f
ssh: connect to host fe80::216:d3ff:fece:598f port 22: Invalid argument

What works is `ssh -z4 10.13.13.159`, `ssh -z6 ::1` and `ssh -z4 127.0.0.1`. The relevant lines from my config file are `Transport all`, `Port 22` and no explicit ListenAddress.

The problem is server-side, as the following socat dialogue shows:

$ socat sctp6:"[fe80::216:d3ff:fece:598f]":22 -
2013/01/08 08:53:30 socat[6565.18446744071997048576] E connect(3, AF=10 [fe80:0000:0000:0000:0216:d3ff:fece:598f]:22, 28): Invalid argument
$ socat sctp6:"[::1]":22 -
SSH-2.0-OpenSSH_6.1p1 Debian-2.1
The link-local address (fe80::) requires the interface which should be used to reach the address. On Linux you use the % operator for this:

|bin/ssh -M fe80::111:41ff:fec1:1a81%br0 -p 65535 -z
|Last login: Sun Aug 18 16:16:56 2013 from ip6-localhost

where I use br0 to reach fe80::111:41ff:fec1:1a81. This is not SCTP specific.
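The "Invalid argument" failures reported above for bare fe80:: addresses come from the kernel needing a scope (zone) index in sin6_scope_id to choose the outgoing interface. The following is an added example, not code from the SCTP patch or from OpenSSH: it parses an IPv6 literal with an optional `%zone` suffix into the (host, port, flowinfo, scope_id) tuple that Python's AF_INET6 sockets take, refuses a link-local address that has no zone with a clear message instead of letting connect() fail, and shows how such a tuple would be used with an SCTP socket (that last function needs kernel SCTP support and is not exercised by the test). Interface names are translated with socket.if_nametoindex(); numeric zones are used as given.

```python
"""Resolve an IPv6 literal that may carry a zone index ("fe80::1%eth0").

Added example; not part of the OpenSSH SCTP patch or of the bug thread.
"""
import ipaddress
import socket
from typing import Tuple


def parse_host_with_zone(host: str, port: int = 22) -> Tuple[str, int, int, int]:
    """Return a sockaddr_in6-style tuple (host, port, flowinfo, scope_id).

    Raises ValueError when a link-local address has no zone, which is the
    condition the kernel otherwise reports as 'Invalid argument' on connect().
    """
    # Accept the bracketed form "[fe80::1%eth0]" as well as the bare form.
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    addr_text, sep, zone = host.partition("%")
    addr = ipaddress.IPv6Address(addr_text)  # raises ValueError on junk
    if not sep:
        if addr.is_link_local:
            raise ValueError(
                f"{addr_text} is link-local; append %<interface> "
                f"(e.g. {addr_text}%eth0) so the kernel knows which link to use"
            )
        return (str(addr), port, 0, 0)
    if zone.isdigit():
        scope_id = int(zone)
    else:
        # Named interface: translate to its index; raises OSError if unknown.
        scope_id = socket.if_nametoindex(zone)
    if scope_id == 0:
        raise ValueError("zone index must be non-zero")
    return (str(addr), port, 0, scope_id)


def connect_sctp_v6(host: str, port: int = 22, timeout: float = 3.0) -> socket.socket:
    """Open a one-to-one SCTP/IPv6 socket and connect with the parsed tuple.

    Requires kernel SCTP support (socket.IPPROTO_SCTP is only defined on
    platforms that have it); assumed here, not exercised by the test.
    """
    sockaddr = parse_host_with_zone(host, port)
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, socket.IPPROTO_SCTP)
    s.settimeout(timeout)
    s.connect(sockaddr)
    return s
```

With this in place, `parse_host_with_zone("fe80::1")` fails before any socket is opened, while `"fe80::1%br0"` resolves br0 to its interface index, which is exactly the information the bare address in comment 5 was missing.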
Created attachment 2329
update patch against CVS as of today

This is an updated version with the following changes to the original patch:
- s/xfree/free
- clash in command args parse fixup
- configure.ac: check for sctp support if enabled. This avoids passing the configure script and having later errors at compile time due to missing headers or libs.
- use setsockopt() for SCTP instead of getsockopt() a second time in set_nodelay()
- update man pages for scp.1, ssh.1, ssh_config.5, sshd_config.5
- use strcasecmp() for option checking so "SCTP" can be specified as well as "sctp"
/usr/local/bin/ssh -z 2002:1111:1111::1
#Read from socket failed: Software caused connection abort

/usr/local/bin/ssh -z -6 2002:1111:1111::1
#ok, all v4 and v6 addrs in netstat -nW -p sctp

xx.yy.net has A and AAAA=2002:1111:1111::1

/usr/local/bin/ssh -z xx.yy.net
#only v4 in Foreign Address

/usr/local/bin/ssh -z -6 xx.yy.net
#ok, all v4 and v6 addrs in netstat -nW -p sctp
(In reply to proler from comment #7)
> /usr/local/bin/ssh -z 2002:1111:1111::1
> #Read from socket failed: Software caused connection abort

./ssh 2001:470::de5a -p 65535 -z works on Linux. I doubt that this is 6to4 specific, or might it be? Could it be a FreeBSD issue?

> /usr/local/bin/ssh -z -6 2002:1111:1111::1
> #ok, all v4 and v6 addrs in netstat -nW -p sctp

So forcing works. I guess you don't have these problems with TCP, or do you?

> xx.yy.net have A and AAAA=2002:1111:1111::1
>
> /usr/local/bin/ssh -z xx.yy.net
> #only v4 in Foreign Address

That means you connect to 17.17.17.17 instead? This doesn't make sense since :1 is missing.

> /usr/local/bin/ssh -z -6 xx.yy.net
> #ok, all v4 and v6 addrs in netstat -nW -p sctp
Created attachment 2423
Update of #2329 that applies to OpenSSH 6.6p1

What's the status on this, out of curiosity? Is upstream interested in it at all? I took the latest patch and updated it to apply against OpenSSH 6.6p1, and it seems to work pretty well for now on several systems, but someone else should probably check things to make sure I didn't miss something or screw something up.
What is the benefit for SSH in using SCTP?
(In reply to Damien Miller from comment #10)
> What is the benefit for SSH in using SCTP?

The primary feature that I am aware of that SSH would benefit from is SCTP's built-in multi-homing capability. So if one connection in a multi-homed SCTP association broke down for some reason, the session wouldn't be interrupted, because of automatic failover to other connections.

There's a good whitepaper that discusses additional enhancements, such as using SCTP's multi-streaming capability to carry SSH's multiple channels: http://www.advances.et.put.poznan.pl/issues/5/ATE_issue5_p0097.pdf

But it implies additional changes are needed to SCTP itself (mainly the definition of new chunk types specific to encryption, of which I believe there are drafts before the IETF for RFC consideration).

One thing I did notice was that back in OpenSSH 3.7, "implementation barriers" were removed that would enable SCTP support: http://www.openssh.com/txt/release-3.7 (~line 67)

So there was some interest over ten years ago in this capability. That interest, however, seems to have been lost to the ravages of time.

I haven't exactly stress-tested it or anything, but I figured I'd at least update the patch to apply against 6.6p1 and then see what interest, if any, there was :)
IMHO this patch needs thorough checking for security issues. At least SCTP had severe bugs in the past.
(In reply to Roland Friedwagner from comment #12)
> imho
> This patch needs thorough checking for security issues.
> At least sctp had severe bugs in the past.

Agreed. Though, I noticed that FreeBSD has been using this patch with their Ports copy of OpenSSH since mid-2013: http://www.freebsd.org/cgi/query-pr.cgi?pr=174570

So I have to assume someone from FreeBSD already went over it. But, the more eyes, the merrier.
One very nice feature is the four-way handshake, which protects against SYN-flood attacks like the ones against TCP. http://en.wikipedia.org/wiki/Stream_Control_Transmission_Protocol#Security
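The property behind that remark is that an SCTP listener answers INIT with an INIT-ACK carrying a signed "state cookie" and stores nothing; only a peer that echoes a valid cookie from the same address gets an association (TCB) allocated. The following in-memory sketch of that exchange (RFC 4960 section 5.1) is an added example, not code from the patch or from any SCTP stack: the chunks are plain dicts, the "network" is a direct call, and the cookie is an HMAC-SHA256 over the two verification tags, a timestamp and the peer's address with a listener secret. It lets one check that a burst of INITs from addresses nobody answers for leaves the association table empty, while a cookie that is forged, replayed from another address, or expired is discarded. Lifetime, tag sizes and the cookie layout are this example's own choices.

```python
"""In-memory model of SCTP's four-way, cookie-based association setup.

Added example; not the OpenSSH SCTP patch and not a real SCTP implementation.
"""
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

COOKIE_LIFETIME = 60.0  # seconds; RFC 4960's default Valid.Cookie.Life
MAC_LEN = 32            # HMAC-SHA256 digest length


class SctpListener:
    """Models the passive side: stateless INIT handling, stateful COOKIE-ECHO."""

    def __init__(self, secret: Optional[bytes] = None, now=time.time):
        self.secret = secret or os.urandom(32)   # rotated periodically in real stacks
        self.now = now                            # injectable clock for testing expiry
        # Associations exist only after a valid COOKIE-ECHO; INITs never populate this.
        self.associations: Dict[Tuple[str, int], dict] = {}

    def _mint_cookie(self, src: Tuple[str, int], peer_tag: int, local_tag: int) -> bytes:
        ts = int(self.now())
        body = struct.pack("!IIQ", peer_tag, local_tag, ts) + f"{src[0]}:{src[1]}".encode()
        return body + hmac.new(self.secret, body, hashlib.sha256).digest()

    def handle_init(self, src: Tuple[str, int], init: dict) -> dict:
        """Answer INIT with INIT-ACK carrying a state cookie; no state is kept."""
        local_tag = secrets.randbits(32) or 1     # verification tag must be non-zero
        cookie = self._mint_cookie(src, init["init_tag"], local_tag)
        return {"type": "INIT-ACK", "init_tag": local_tag, "cookie": cookie}

    def handle_cookie_echo(self, src: Tuple[str, int], msg: dict) -> Optional[dict]:
        """Verify the echoed cookie; allocate the association only on success."""
        cookie = msg["cookie"]
        body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None                           # forged or corrupted: silently drop
        peer_tag, local_tag, ts = struct.unpack("!IIQ", body[:16])
        if body[16:] != f"{src[0]}:{src[1]}".encode():
            return None                           # minted for a different source
        if self.now() - ts > COOKIE_LIFETIME:
            return None                           # stale cookie
        self.associations[src] = {"peer_tag": peer_tag, "local_tag": local_tag}
        return {"type": "COOKIE-ACK"}


def associate(listener: SctpListener, src: Tuple[str, int]) -> bool:
    """Full handshake from a client that really receives traffic for `src`."""
    init = {"type": "INIT", "init_tag": secrets.randbits(32) or 1}
    init_ack = listener.handle_init(src, init)
    echo = {"type": "COOKIE-ECHO", "cookie": init_ack["cookie"]}
    return listener.handle_cookie_echo(src, echo) is not None


def simulate_init_burst(listener: SctpListener, count: int) -> int:
    """Deliver `count` INITs from constructed, unanswering sources (documentation
    prefix 2001:db8::/32) and return how many associations the listener holds.
    No COOKIE-ECHO ever follows, so the expected answer is unchanged."""
    for i in range(count):
        src = (f"2001:db8::{i + 1:x}", 40000 + (i % 20000))
        listener.handle_init(src, {"type": "INIT", "init_tag": 7})
    return len(listener.associations)
```

The contrast with a TCP listener is the absence of anything equivalent to a SYN queue: the only per-INIT cost here is one HMAC computation, and a real stack additionally bounds that by rotating the secret and rate-limiting INIT-ACKs.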
Created attachment 2496
Update of SCTP patch for OpenSSH 6.7p1

Updating for OpenSSH 6.7p1.
*** This bug has been marked as a duplicate of bug 1604 ***
Close all resolved bugs after 7.3p1 release