• SynchTERM / NR + keepalives

    From Avon@21:1/101 to g00r00 on Wednesday, January 30, 2019 20:33:23
    Just posting some info here that came in from Nu in fsx_bbs that mentions
    stuff you may be interested in and may not otherwise see.

    [snip]

    From: NuSkooler
    To: All
    Subj: SyncTERM / NR + keepalives
    Date: 01/29/19 20:55
    Base: BBS Support/Dev

    A while back I posted about some issues found with SyncTERM and NetRunner (alpha) getting disconnected from ENiGMA 1/2 systems when connected over SSH. I'm hoping this report will find its way to the right authors:

    It appears the issue is indeed with keepalives: When an OpenSSH style keep-alive "ping" is sent, both clients in question respond with an error packet. The keep-alive is simply a "keepalive@openssh.com" global request which expects a reply. It has the following bytes:

    // global request
    80
    // "keepalive@openssh.com"
    0, 0, 0, 21,
    107, 101, 101, 112, 97, 108, 105, 118, 101, 64, 111, 112, 101, 110, 115,
    115, 104, 46, 99, 111, 109,
    // Request a reply
    1

    As both clients share that they use Cryptlib and I have not seen this with clients that are based on other libraries, I'm tempted to believe it's a Cryptlib issue or perhaps one must enable/handle the pings manually with cryptlib?

    For now, I have disabled the keep-alives, but this has drawbacks as well: Various ISPs love to disconnect connections that are "idle", i.e. they do not respect lower-level TCP/IP flags, and pings usually help with this.

    --- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)


    [snip]

    Best, Paul

    --- E:avon@bbs.nz ------ W:bbs.nz ---
    --- K:keybase.io/avon --------------

    --- Mystic BBS v1.12 A42 2018/12/30 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
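    Added example (not code from either post or from any of the projects named): the SSH_MSG_GLOBAL_REQUEST layout the byte listing above follows, per RFC 4254 section 4, plus what a conforming peer should send back. The names are mine; OpenSSH counts either REQUEST_SUCCESS (81) or REQUEST_FAILURE (82) as the "pong".

```python
import struct
from typing import Optional, Tuple

# Message numbers from RFC 4254, section 4.
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82

# The exact bytes quoted in the post above (unencrypted payload, before packetization).
POSTED_KEEPALIVE = bytes([
    80,
    0, 0, 0, 21,
    107, 101, 101, 112, 97, 108, 105, 118, 101, 64, 111, 112, 101, 110, 115,
    115, 104, 46, 99, 111, 109,
    1,
])


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def build_global_request(name: str, want_reply: bool = True) -> bytes:
    """byte 80, string request-name, boolean want_reply (helper name is mine)."""
    return bytes([SSH_MSG_GLOBAL_REQUEST]) + ssh_string(name.encode("ascii")) + bytes([int(want_reply)])


def parse_global_request(payload: bytes) -> Tuple[str, bool]:
    """Decode a global request; raise ValueError rather than trust the length field."""
    if len(payload) < 6 or payload[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not an SSH_MSG_GLOBAL_REQUEST payload")
    (n,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + n + 1:
        raise ValueError("string length does not match payload size")
    name = payload[5:5 + n].decode("ascii")
    flag = payload[5 + n]
    if flag not in (0, 1):
        raise ValueError("want_reply is not a valid boolean")
    return name, bool(flag)


def reply_for(payload: bytes) -> Optional[bytes]:
    """A peer that does not recognise the request must still answer when want_reply
    is set: RFC 4254 says to send REQUEST_FAILURE. For keepalive@openssh.com that
    failure *is* the expected keepalive reply, so no error/disconnect is warranted."""
    _name, want_reply = parse_global_request(payload)
    return bytes([SSH_MSG_REQUEST_FAILURE]) if want_reply else None
```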
  • From g00r00@21:1/108 to Avon on Wednesday, January 30, 2019 12:21:16
    It appears the issue is indeed with keepalives: When an OpenSSH style keep-alive "ping" is sent, both clients in question respond with an error packet. The keep-alive is simply a "keepalive@openssh.com" global request which expects a reply. It has the following bytes:

    This would be something he'd need to take up with the author of Cryptlib I would think? I'll make a note to look into it a bit more but I don't know
    when I'll get around to it.

    I believe keep alive should be done at the TCP layer on the server, not the software/SSH layer. Although in the case of NetRunner it does do a telnet NOOP when using telnet, Mystic doesn't do any software-based keep alive.

    I could be wrong about this but I think I read years ago about an exploit with OpenSSL related to keep alive? Just a faint memory and it could be completely false.

    --- Mystic BBS v1.12 A42 2019/01/25 (Windows/32)
    * Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)
  • From Avon@21:1/101 to g00r00 on Thursday, January 31, 2019 13:41:43
    On 30 Jan 2019, g00r00 pondered and said...

    This would be something he'd need to take up with the author of Cryptlib
    I would think? I'll make a note to look into it a bit more but I don't know when I'll get around to it.

    Yep all good, thanks for the reply and noting it.

    Best, Paul

    --- E:avon@bbs.nz ------ W:bbs.nz ---
    --- K:keybase.io/avon --------------

    --- Mystic BBS v1.12 A42 2018/12/30 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
  • From NuSkooler@21:1/121 to g00r00 on Wednesday, January 30, 2019 20:33:23
    (not sure if g00r00 will see this, but...)

    On Wednesday, January 30th g00r00 was heard saying...
    This would be something he'd need to take up with the author of Cryptlib I would think? I'll make a note to look into it a bit more but I don't know when I'll get around to it.

    I downloaded cryptlib's docs, and source and poked around a bit. It appears it's left up to the consumer as cryptlib is mostly a foundation framework.

    On Wednesday, January 30th g00r00 said...
    I believe keep alive should be done at the TCP layer on the server, not the software/SSH layer. Although in the case of NetRunner it does do a telnet NOOP when using telnet, Mystic doesn't do any software-based keep alive.

    The reason OpenSSH et al. utilize application layer keep-alives is many ISPs simply ignore TCP keep alive and shut down connections. A keep-alive over encrypted traffic looks like any other encrypted traffic and thus does a better job keeping it alive.

    g00r00 around Wednesday, January 30th...
    I could be wrong about this but I think I read years ago about an exploit with OpenSSL related to keep alive? Just a faint memory and it could be completely false.

    Not that I'm aware of. OpenSSL simply provides SSL/TLS, and connections that use it do their own thing (i.e. HTTP keep-alive). OpenSSH has the previously mentioned keep-alives via the Server/ClientInterval and Server/ClientCountMax settings (i.e. in ~/.ssh/config).

    --- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)