Internet-Draft                                                  D. Bider
Expires: June 3, 2016                                    Bitvise Limited
                                                        December 3, 2015


               Extension Negotiation in Secure Shell (SSH)
                        draft-ssh-ext-info-04.txt


Abstract

  This memo defines a mechanism for SSH clients and servers to exchange
  information about supported protocol extensions confidentially after
  completed key exchange.

Status

  This Internet-Draft is submitted in full conformance with the
  provisions of BCP 78 and BCP 79.

  Internet-Drafts are working documents of the Internet Engineering Task
  Force (IETF), its areas, and its working groups.  Note that other
  groups may also distribute working documents as Internet-Drafts.

  Internet-Drafts are draft documents valid for a maximum of six months
  and may be updated, replaced, or obsoleted by other documents at any
  time. It is inappropriate to use Internet-Drafts as reference material
  or to cite them other than as "work in progress."

  The list of current Internet-Drafts can be accessed at
  http://www.ietf.org/1id-abstracts.html

  The list of Internet-Draft Shadow Directories can be accessed at
  http://www.ietf.org/shadow.html

Copyright

  Copyright (c) 2015 IETF Trust and the persons identified as the
  document authors.  All rights reserved.

  This document is subject to BCP 78 and the IETF Trust's Legal
  Provisions Relating to IETF Documents
  (http://trustee.ietf.org/license-info) in effect on the date of
  publication of this document.  Please review these documents
  carefully, as they describe your rights and restrictions with respect
  to this document.  Code Components extracted from this document must
  include Simplified BSD License text as described in Section 4.e of
  the Trust Legal Provisions and are provided without warranty as
  described in the Simplified BSD License.





Bider                                                           [Page 1]


Internet-Draft        Extension Negotiation in SSH         December 2015


1.  Overview and Rationale

  Secure Shell (SSH) is a common protocol for secure communication on
  the Internet. The original design of the SSH transport layer [RFC4253]
  lacks proper extension negotiation. Meanwhile, diverse implementations
  take steps to ensure that known message types contain no unrecognized
  information. This makes it difficult for implementations to signal
  capabilities and negotiate extensions without risking disconnection.

  This obstacle has been recognized in relationship with [SSH-RSA-SHA2],
  where the need arises for a client to efficiently discover signature
  algorithms a server accepts, to avoid round-trips of trial and error.

1.1.  Requirements Terminology

  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
  document are to be interpreted as described in [RFC2119].


2.  Extension Negotiation Mechanism

2.1.  Signaling of Extension Negotiation in KEXINIT

  Applications implementing this mechanism MUST add to the field
  "kex_algorithms", in their KEXINIT packet sent for the first key
  exchange, one of the following indicator names:

  - When acting as server: "ext-info-s"
  - When acting as client: "ext-info-c"

  The indicator name is added without quotes, and MAY be added at any
  position in the name-list, subject to proper separation from other
  names as per name-list conventions.

  The names are added to the "kex_algorithms" field because this is one
  of two name-list fields in KEXINIT that do not have a separate copy
  for each data direction.

  The indicator names inserted by the client and server are different to
  ensure that these names will not produce a match, and will be neutral
  with respect to key exchange algorithm negotiation.

  The inclusion of textual indicator names is intended to provide a clue
  for implementers to discover this mechanism.

2.2.  Enabling Criteria

  If a client or server offers "ext-info-c" or "ext-info-s"
  respectively, it must be prepared to accept a SSH_MSG_EXT_INFO message
  from the peer.


Bider                                                           [Page 2]


Internet-Draft        Extension Negotiation in SSH         December 2015


  Thus a server only needs to send "ext-info-s" if it intends to process
  SSH_MSG_EXT_INFO from the client.

  If a server receives an "ext-info-c", it MAY send an SSH_MSG_EXT_INFO
  message, but is not required to do so.

  If a SSH_MSG_EXT_INFO message is sent, then it MUST be the first
  message after the initial SSH_MSG_NEWKEYS.

  Implementations MUST NOT send an incorrect indicator name for their
  role. Implementations MAY disconnect if the counter-party sends an
  incorrect indicator. If "ext-info-c" or "ext-info-s" ends up being
  negotiated as a key exchange method, the parties MUST disconnect.

2.3.  SSH_MSG_EXT_INFO Message

 A party that received the "ext-info-c" or "ext-info-s" indicator
 can send the the following message:

    byte       SSH_MSG_EXT_INFO (value 7)
    uint32     nr-extensions
    repeat "nr-extensions" times:
      string   extension-name
      string   extension-value

  This message is sent without delay, and immediately after
  SSH_MSG_NEWKEYS.

2.4.  Server's Secondary SSH_MSG_EXT_INFO

  If the client sent "ext-info-c", the server MAY send, but is not
  obligated to, send an SSH_MSG_EXT_INFO message immediately before
  SSH_MSG_USERAUTH_SUCCESS, as defined in [RFC4252]. The server MAY send
  this message whether or not it sent EXT_INFO after SSH_MSG_NEWKEYS.

  This allows a server to reveal support for additional extensions that
  it was unwilling to reveal to an unauthenticated client. If a server
  sends a subsequent SSH_MSG_EXT_INFO, this replaces any previous ones,
  and both the client and the server re-evaluate extensions in effect.
  The server's last EXT_INFO is matched against the client's original.

2.5.  Interpretation of Extension Names and Values

  Each extension is identified by its extension-name, and defines the
  conditions under which the extension is considered to be in effect.
  Applications MUST ignore unrecognized extension-names.

  In general, if an extension requires both the client and the server
  to include it in order for the extension to take effect, the relative
  position of the extension-name in each EXT_INFO message is irrelevant.



Bider                                                           [Page 3]


Internet-Draft        Extension Negotiation in SSH         December 2015


  Extension-value fields are interpreted as defined by their respective
  extension. An extension-value field MAY be empty if so permitted by
  the extension. Applications that do not implement or recognize a
  particular extension MUST ignore the associated extension-value field,
  regardless of its size or content.

  The cumulative size of an SSH_MSG_EXT_INFO message is limited only by
  the maximum packet length that an implementation may apply in
  accordance with [RFC4253]. Implementations MUST accept well-formed
  SSH_MSG_EXT_INFO messages up to the maximum packet length they accept.


3. Initially Defined Extensions

3.1. "server-sig-algs"

  This extension is sent with the following extension name and value:

    string      "server-sig-algs"
    name-list   signature-algorithms-accepted

  Note that the name-list type is a strict subset of the string type,
  and is thus permissible as an extension-value.

  This extension is sent by the server only, and contains a list of
  signature algorithms that the server is able to process as part of a
  "publickey" request.

  A client that wishes to proceed with public key authentication MAY
  wait for the server's SSH_MSG_EXT_INFO so it can send a "publickey"
  authentication request with an appropriate signature algorithm, rather
  than resorting to trial and error.

  Servers that implement public key authentication SHOULD implement this
  extension.

  If a server does not send this extension, a client SHALL NOT make any
  assumptions about the server's signature algorithm support, and MAY
  proceed with authentication request trial and error.

3.2.  "no-flow-control"

  This extension is sent with the following extension name and value:

    string      "no-flow-control"
    string      (empty)

  This extension MUST be sent by both parties in order to take effect.

  If included by both parties, the effect of this extension is that the
  "initial window size" fields in the messages SSH_MSG_CHANNEL_OPEN and


Bider                                                           [Page 4]


Internet-Draft        Extension Negotiation in SSH         December 2015


  SSH_MSG_CHANNEL_OPEN_CONFIRMATION, as defined in [RFC4254], become
  meaningless. The values of these fields MUST be ignored, and a channel
  behaves as if the window size in either direction is infinite. Neither
  side is required to send any SSH_MSG_CHANNEL_WINDOW_ADJUST messages,
  and if received, such messages MUST be ignored.

  This extension is intended, but not limited to, use by file transfer
  applications that are only going to use one channel, and for which the
  flow control provided by SSH is an impediment, rather than a feature.

  Implementations MUST refuse to open more than one simultaneous channel
  when this extension is in effect. Nevertheless, server implementations
  SHOULD support clients opening more than one non-simultaneous channel.

3.3.  "accept-channels"

  This extension is sent with the following extension name and value:

    string      "accept-channels"
    name-list   channel-types-accepted

  An implementation MAY use this extension to signal to the other party
  a list of channel types it might accept. A server that adapts the list
  of available channel types based on authentication MAY defer sending
  this extension until a subsequent EXT_INFO, just before sending the
  message USERAUTH_SUCCESS.

  An implementation is not obligated to unconditionally accept open
  requests for channel types advertised in this extension. An open
  request for a listed channel type MAY still fail for another reason.























Bider                                                           [Page 5]


Internet-Draft        Extension Negotiation in SSH         December 2015


4.  IANA Considerations

4.1.  Additions to existing tables

  IANA is requested to insert the following entry into the table Message
  Numbers under Secure Shell (SSH) Protocol Parameters [RFC4250]:

    Value    Message ID          Reference
    7        SSH_MSG_EXT_INFO    [this document]

  IANA is requested to insert the following entries into the table Key
  Exchange Method Names:

    Method Name     Reference          Note
    ext-info-s      [this document]    Section 2.2
    ext-info-c      [this document]    Section 2.2

4.2.  New table: Extension Names

  Also under Secure Shell (SSH) Protocol Parameters, IANA is requested
  to create a new table, Extension Names, with initial content:

    Extension Name     Reference          Note
    server-sig-algs    [this document]    Section 3.1
    no-flow-control    [this document]    Section 3.2
    accept-channels    [this document]    Section 3.3

4.2.1.  Future Assignments to Extension Names

  Names in the Extension Names table MUST follow the Conventions for
  Names defined in [RFC4250], Section 4.6.1.

  Requests for assignments of new non-local names in the Extension Names
  table (i.e. names not including the '@' character) MUST be done
  through the IETF CONSENSUS method, as described in [RFC5226].


















Bider                                                           [Page 6]


Internet-Draft        Extension Negotiation in SSH         December 2015


6.  References

6.1.  Normative References

  [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

  [RFC4250]   Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Protocol Assigned Numbers", RFC 4250, January 2006.

  [RFC4252]   Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Authentication Protocol", RFC 4252, January 2006.

  [RFC4253]   Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, January 2006.

  [RFC4254]   Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Connection Protocol", RFC 4254, January 2006.

  [RFC5226]   Narten, T. and Alvestrand, H., "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

6.2.  Informative References

  [SSH-RSA-SHA2]
              Bider, D., "Use of RSA Keys with SHA-2 256 and 512 in
              Secure Shell (SSH)", draft-rsa-dsa-sha2-256-02,
              November 2015,
              <https://tools.ietf.org/html/draft-rsa-dsa-sha2-256-02>.























Bider                                                           [Page 7]


Internet-Draft        Extension Negotiation in SSH         December 2015


Author's Address

  Denis Bider
  Bitvise Limited
  Suites 41/42, Victoria House
  26 Main Street
  GI

  Phone: +506 8315 6519
  EMail: ietf-ssh3@denisbider.com
  URI:   https://www.bitvise.com/


Acknowledgments

  Thanks to Markus Friedl and Damien Miller for comments and initial
  implementation.






































Bider                                                           [Page 8]