Date: Mon, 30 Nov 2015 19:23:48 +0000
From: Brooks Davis
To: Aaron Zauner
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org, freebsd-current@freebsd.org, Dewayne Geraghty, Benjamin Kaduk
Subject: Re: OpenSSH HPN

On Tue, Nov 24, 2015 at 09:29:44PM +0100, Aaron Zauner wrote:
> Hi,
>
> Please forgive my ignorance but what's the reason FreeBSD ships
> OpenSSH patched with HPN by default? Besides my passion for
> security, I've been working in the HPC sector for a while and
> benchmarked the patch for a customer about 1.5 years ago. The
> CTR-multi threading patch is actually *slower* than upstream OpenSSH
> with AES in CTR mode. GCM being, of course, the fastest mode on
> AESNI platforms.

We never imported the AES bits as they were broken and AESNI was
available.

> The NULL mode is a security concern as some have noted, I can only
> imagine that the window-scaling patch is of such importance?

Both NULL and window-scaling were merged because both are useful in
some environments.

-- Brooks