From owner-freebsd-security@freebsd.org Wed Nov 11 07:40:13 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E863EA2BFAA; Wed, 11 Nov 2015 07:40:13 +0000 (UTC) (envelope-from woodsb02@gmail.com) Received: from mail-lb0-x233.google.com (mail-lb0-x233.google.com [IPv6:2a00:1450:4010:c04::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 706481EDF; Wed, 11 Nov 2015 07:40:13 +0000 (UTC) (envelope-from woodsb02@gmail.com) Received: by lbbkw15 with SMTP id kw15so12259701lbb.0; Tue, 10 Nov 2015 23:40:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=9HxL4Br4fIa8zjVXaHUK67u6UEqf4xng/j8AEXqTge8=; b=za2GqfUnocGY20BOQlul7kjoFiJdyC6Iiq8iuhgtWkDBmx1QtP+S+hXWGVji9erQd6 trG8BZC5xI8ZH2DltqTua5fqScv2AUNovOcOCbGJs1T7w5jBO2YigvcX2sh4mNvu/Udr Fiu00fTcah9TKXrt0W85YNG8x7UWUVHONLbtn3iNqRxqnhVkFVq6mSQHSx4u82UU8uh+ 05kQrNRqrHsj4UtTRZ+4abcuFsnV3G4Qde7JEjQ27Z6swRvT/tjItS3vLsePaao9vDXI dLsJLH8HWqu6vORNlJxIWFRCdinXy60IEbF/TZvPYqwgoT0qAn5EZGRBzh6x3RzaDdvo kb3w== MIME-Version: 1.0 X-Received: by 10.112.150.201 with SMTP id uk9mr3610651lbb.67.1447227610968; Tue, 10 Nov 2015 23:40:10 -0800 (PST) Received: by 10.25.141.129 with HTTP; Tue, 10 Nov 2015 23:40:10 -0800 (PST) In-Reply-To: <56428C84.8050600@FreeBSD.org> References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> Date: Wed, 11 Nov 2015 15:40:10 +0800 Message-ID: Subject: Re: OpenSSH HPN From: Ben Woods To: Bryan Drewery Cc: John-Mark Gurney , =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= , "freebsd-current@freebsd.org" , "freebsd-security@freebsd.org" X-Mailman-Approved-At: Wed, 11 Nov 2015 12:21:19 +0000 Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Nov 2015 07:40:14 -0000 On Wednesday, 11 November 2015, Bryan Drewery wrote: > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > My vote is to remove the HPN patches. First, the NONE cipher made more > > sense back when we didn't have AES-NI widely available, and you were > > seriously limited by it's performance. Now we have both aes-gcm and > > chacha-poly which it's performance should be more than acceptable for > > today's uses (i.e. cipher performance is 2GB/sec+). > > AES-NI doesn't help the absurdity of double-encrypting when using scp or > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use > for me. > I have to agree that there are cases when the NONE cipher makes sense, and it is up to the end user to make sure they know what they are doing. Personally I have used it at home to backup my old FreeBSD server (which does not have AESNI) over a dedicated network connection to a backup server using rsync/ssh. Since it was not possible for anyone else to be on that local network, and the server was so old it didn't have AESNI and would soon be retired, using the NONE cipher sped up the transfer significantly. If the patch is made easy enough to maintain (as some subsequent posts have implied), I quote the NONE cipher stays. I would even like to see it compiled in by default (but disabled in the default configuration file). That way you wouldn't need a custom compiled base to use it - just edit the config file. Regards, Ben -- -- From: Benjamin Woods woodsb02@gmail.com