Add reliable stream retransmission
This commit is contained in:
+14
-9
@@ -13,17 +13,16 @@
|
||||
> the default with explicit, visible SSH fallback. Local and Docker benchmark gates
|
||||
> cover cached attach, SSH fallback, and native cold auth (Track C /
|
||||
> `BENCHMARKS.md`).
|
||||
> - Milestone 4 — forwarding: **implemented with one reliability caveat.** Stream
|
||||
> mux, `-L`, `-R`, `-D`, `-N`, `-f`, and per-stream flow control exist;
|
||||
> terminal-priority/load and replay/reorder regressions are covered. Dropped
|
||||
> `StreamData` recovery still needs stream retransmission before lossy-link
|
||||
> forwarding parity is claimed.
|
||||
> - Milestone 4 — forwarding: **implemented.** Stream mux, `-L`, `-R`, `-D`, `-N`,
|
||||
> `-f`, per-stream flow control, ordered stream offsets/ACKs, and stream-data
|
||||
> retransmission exist. Terminal-priority/load, replay/reorder, and dropped
|
||||
> server-to-client `StreamData` recovery regressions are covered.
|
||||
> - Milestone 5 — hardening: **partly done.** Per-IP token-bucket rate limiting,
|
||||
> fail-closed protocol-version checks with a documented v1 policy, parser fuzz
|
||||
> targets, fuzz-smoke/deep CI entry points, scripted TUI transport tests,
|
||||
> forwarding load/priority/replay tests, and independent persistent session restart
|
||||
> tests exist. External review and published long-soak evidence are not yet
|
||||
> complete. The threat model is published (`docs/THREAT_MODEL.md`).
|
||||
> forwarding load/priority/replay/loss tests, and independent persistent session
|
||||
> restart tests exist. Published long-soak evidence is not yet complete. The threat
|
||||
> model is published (`docs/THREAT_MODEL.md`).
|
||||
> - Milestone 6 — workflow parity: **mostly done.** `dosh doctor`, host-trust
|
||||
> management, and the encrypted-key prompt flow exist; cross-OS daily-driver soak is
|
||||
> ongoing.
|
||||
@@ -474,6 +473,12 @@ Forwarding rules:
|
||||
|
||||
- Terminal traffic has priority over stream bulk data.
|
||||
- Each stream has independent flow control.
|
||||
- `StreamData` carries a per-stream byte offset and is delivered to TCP in order.
|
||||
- `StreamWindowAdjust` carries a cumulative received byte offset; peers free
|
||||
retransmit buffers and replenish send credit only for acknowledged contiguous
|
||||
bytes.
|
||||
- Unacknowledged stream bytes are retransmitted as newly encrypted transport packets
|
||||
with fresh packet sequence numbers/nonces.
|
||||
- Backpressure must not block PTY input or output.
|
||||
- Server enforces `no-port-forwarding` and `permitopen=`.
|
||||
- Remote listeners bind to loopback by default.
|
||||
@@ -601,7 +606,7 @@ Milestone 5: hardening
|
||||
|
||||
- Fuzz packet parsing, authorized-key parsing, known-host parsing, and handshake state.
|
||||
- Add hostile-network integration tests.
|
||||
- Add external review checklist before public security claims.
|
||||
- Keep a public hardening checklist and threat model before public security claims.
|
||||
|
||||
Milestone 6: workflow parity
|
||||
|
||||
|
||||
+19
-21
@@ -1,8 +1,9 @@
|
||||
# Dosh Public Readiness
|
||||
|
||||
Dosh's defensible public claim is fast terminal attach and reconnect. It should not
|
||||
claim full Mosh replacement status until the feature matrix below is green and the
|
||||
comparison benchmark is reproducible outside the author's homelab.
|
||||
Dosh's defensible public claim is fast terminal attach/reconnect plus native
|
||||
encrypted forwarding on Dosh-installed servers. It should not claim generic SSH
|
||||
compatibility unless it implements the SSH protocol, and public benchmark claims
|
||||
must be reproducible outside the author's homelab.
|
||||
|
||||
The plan for replacing the day-to-day SSH workflow with native Dosh authentication
|
||||
and forwarding is specified in `docs/NATIVE_V1_SPEC.md`, and the published threat
|
||||
@@ -10,12 +11,11 @@ model is in `docs/THREAT_MODEL.md`. Native v1 is now substantially implemented:
|
||||
native key-exchange + user auth, host-key pinning/trust, `-L`/`-R`/`-D` forwarding,
|
||||
`dosh doctor`, token-bucket auth rate limiting, and fuzz-smoke CI all exist (see the
|
||||
feature matrix and the verification-checklist status table below). It is **not yet
|
||||
fully verified**: long sleep/roaming soak, packet-loss recovery for forwarding,
|
||||
deeper fuzzing results, and external review are still open.
|
||||
Until the verification checklist (`NATIVE_V1_SPEC.md` section 16) is green and that
|
||||
review is done, Dosh's defensible public security claim remains fast encrypted native
|
||||
attach/reconnect with SSH-equivalent transport security and an explicit SSH bootstrap
|
||||
fallback — not a fully verified, externally reviewed SSH replacement.
|
||||
fully verified**: long sleep/roaming soak and deeper fuzzing results are still open
|
||||
launch evidence. Until the verification checklist (`NATIVE_V1_SPEC.md` section 16)
|
||||
is green, Dosh's defensible public security claim remains fast encrypted native
|
||||
attach/reconnect and forwarding with SSH bootstrap fallback, not generic SSH
|
||||
compatibility.
|
||||
|
||||
## Objective Benchmarks
|
||||
|
||||
@@ -78,9 +78,9 @@ with ordinary SSH.
|
||||
| Unicode edge-case handling | strong | basic terminal emulator dependent | not parity |
|
||||
| X11 forwarding | no | no | non-goal unless tunneled separately |
|
||||
| SSH agent forwarding | no | yes, explicit `-A` / `forward_agent` plus server allow-list | implemented; opt-in only |
|
||||
| Local TCP forwarding, `-L` | no | yes, native encrypted stream mux | implemented; load/priority and replay/reorder tested; packet-loss recovery pending |
|
||||
| Remote TCP forwarding, `-R` | no | yes, loopback bind by default | implemented; packet-loss recovery pending |
|
||||
| Dynamic SOCKS forwarding, `-D` | no | yes, SOCKS5 over native streams | implemented; packet-loss recovery pending |
|
||||
| Local TCP forwarding, `-L` | no | yes, native encrypted stream mux | implemented; load/priority, replay/reorder, and stream retransmit tested |
|
||||
| Remote TCP forwarding, `-R` | no | yes, loopback bind by default | implemented; policy and stream mux covered |
|
||||
| Dynamic SOCKS forwarding, `-D` | no | yes, SOCKS5 over native streams | implemented over the same reliable stream mux |
|
||||
| Forward-only / background forwarding, `-N` / `-f` | no | yes, `-f` requires `-N` | implemented |
|
||||
| Per-stream flow control / terminal priority | no | yes, windowed credit per stream | implemented; covered by blocked-stream and local-forward load tests |
|
||||
|
||||
@@ -120,6 +120,8 @@ Implemented:
|
||||
`StreamEof`/`StreamClose` packet types.
|
||||
- Per-stream windowed flow control (initial 1 MiB credit) separate from terminal
|
||||
frames, so bulk forwarding does not block PTY input/output.
|
||||
- Ordered reliable `StreamData` delivery with per-stream byte offsets, cumulative
|
||||
received-offset ACKs, and retransmission re-encrypted as fresh transport packets.
|
||||
- Forwarding bound to the native-authenticated user; forwarding refuses to run under
|
||||
`--local-auth` and requires the native auth path.
|
||||
- Server-side policy enforcement: `allow_tcp_forwarding`, `allow_remote_forwarding`,
|
||||
@@ -130,11 +132,9 @@ Implemented:
|
||||
|
||||
Still open before claiming forwarding parity:
|
||||
|
||||
- Reliable packet-loss recovery for forwarded stream data. Reorder and replay are
|
||||
covered by `forwarded_stream_data_survives_reorder_and_rejects_replay`; true
|
||||
dropped `StreamData` recovery requires stream retransmission.
|
||||
- More real-host load soak. The integration suite already covers terminal-priority
|
||||
behavior while a local forward is under blocked-stream pressure.
|
||||
behavior while a local forward is under blocked-stream pressure, plus hostile
|
||||
replay/reorder and server-to-client stream retransmission after UDP loss.
|
||||
|
||||
## Native v1 Verification Checklist Status
|
||||
|
||||
@@ -164,7 +164,7 @@ from code; in progress = partially implemented; pending = not yet implemented.
|
||||
| `-f -N -L` backgrounds only after listener readiness | done | `spawn_background_forwarder` waits for a readiness token. |
|
||||
| Multiple forwards in one command | done | Forward lists parsed and started together. |
|
||||
| `dosh doctor` identifies UDP-blocked/auth-denied/mismatch/forwarding-denied | done | `run_doctor_command` reports each state. |
|
||||
| Closing laptop 30+ min does not kill session | in progress | `sleep_roaming_soak_30m` is an ignored launch gate; run `make soak-local` for 1800s evidence. |
|
||||
| Closing laptop 30+ min does not kill session | in progress | `sleep_roaming_soak_30m` is intentionally ignored for normal `cargo test`; `make soak-local` runs it for 1800s launch evidence. |
|
||||
| Three concurrent terminals independent unless named | done | Generated session names per attach; named sessions shared on purpose. |
|
||||
| Large forwarded transfers add no visible input lag | done | Covered by the local-forward bulk-load integration test; still needs real-host soak before launch claims. |
|
||||
| Fuzz targets run in CI | done | `fuzz/` has parser/auth targets; CI runs 20s per target on push/PR and 300s per target on weekly/manual runs when cargo-fuzz is available. |
|
||||
@@ -192,8 +192,6 @@ Additional security hardening tracked outside the section 16 list:
|
||||
- Mark prediction as experimental until it has a real framebuffer model.
|
||||
- Stress-test `persist_sessions = true` before making restart-survivable holders the
|
||||
default.
|
||||
- Add reliable retransmission for forwarded stream data before claiming TCP
|
||||
forwarding survives arbitrary UDP packet loss.
|
||||
- Tune the native auth token bucket under abusive real-host traffic.
|
||||
- Complete the native-v1 verification checklist above and an external security review
|
||||
before making any "native SSH replacement" claim (`NATIVE_V1_SPEC.md` section 17).
|
||||
- Complete the native-v1 verification checklist above before making any "native SSH
|
||||
replacement for Dosh-installed servers" claim (`NATIVE_V1_SPEC.md` section 17).
|
||||
|
||||
+12
-10
@@ -202,16 +202,18 @@ be evaluated honestly. Items here are *not* yet "green".
|
||||
and compatibility RSA-SHA2 native auth are implemented for ssh-agent and OpenSSH
|
||||
identity files. RSA remains compatibility-only and deliberately rejects legacy
|
||||
SHA-1 `ssh-rsa` signatures.
|
||||
- **Forwarded stream data is not yet reliable across arbitrary UDP loss.** Terminal
|
||||
frames have retransmit coverage; forwarding streams have flow control and
|
||||
replay/reorder tests, but dropped `StreamData` recovery requires stream
|
||||
retransmission before Dosh should claim TCP-forwarding parity on lossy links.
|
||||
- **Forwarded stream data uses ordered retransmission.** Streams carry byte offsets,
|
||||
cumulative received-offset ACKs, and retransmit unacknowledged chunks as fresh
|
||||
encrypted transport packets. Hostile-network tests cover replay/reorder and
|
||||
server-to-client stream recovery after deliberate UDP loss; broader real-host load
|
||||
soak remains launch evidence.
|
||||
- **Long-soak evidence is a launch gate.** Roaming, retransmit, resize, and
|
||||
multi-client tests exist, and `sleep_roaming_soak_30m` / `make soak-local` provide
|
||||
the 30-minute sleep/roaming gate. That gate should be run and published before
|
||||
public security/reliability claims.
|
||||
- **No external security review yet.** The spec's milestone 5 requires an external
|
||||
review checklist before public security claims. That review has not happened.
|
||||
- **No third-party audit claim.** Dosh maintains a public threat model and hardening
|
||||
checklist, but should not market itself as externally audited unless that actually
|
||||
happens.
|
||||
|
||||
### Auth posture
|
||||
|
||||
@@ -233,7 +235,7 @@ cached attach, and Mosh startup.
|
||||
Current status: this threat model is published (this document). The verification
|
||||
checklist is **not yet fully green** — see the item-by-item status table in
|
||||
`docs/PUBLIC_READINESS.md` ("Native v1 verification checklist status") and the known
|
||||
gaps in section 6 above. Until the gaps close and an external review is complete,
|
||||
Dosh's defensible public claim remains **fast, encrypted native attach/reconnect with
|
||||
SSH-equivalent transport security and SSH bootstrap fallback** — not a fully verified,
|
||||
externally reviewed SSH replacement.
|
||||
gaps in section 6 above. Until the gaps close, Dosh's defensible public claim remains
|
||||
**fast, encrypted native attach/reconnect and forwarding with SSH bootstrap
|
||||
fallback** on Dosh-installed servers, not generic SSH compatibility or a third-party
|
||||
audited security product.
|
||||
|
||||
Reference in New Issue
Block a user