Network Working Group S. Tatham Internet-Draft PuTTY Intended status: Standards Track D. Miller Expires: November 4, 2016 OpenSSH May 3, 2016 Clarification to the channel closure procedure in Secure Shell (SSH) draft-sgtatham-secsh-closure-race-02 Abstract This memo identifies an ambiguity in the Secure Shell (SSH) connection protocol defined by RFC 4254 regarding the handling of channel closure in combination with channel requests requiring a reply, and issues a clarification specifying the correct interpretation of the ambiguous point. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on November 4, 2016. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Tatham & Miller Expires November 4, 2016 [Page 1] Internet-Draft Clarification to channel closure in SSH May 2016 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions Used in this Document . . . . . . . . . . . . . . 3 3. Ambiguity . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Resolution . . . . . . . . . . . . . . . . . . . . . . . . . 3 5. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 4 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 8.2. Informative References . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction The Secure Shell (SSH) connection protocol [RFC4254] multiplexes many bidirectional communications ('channels') over a single data stream. In addition to sending data in both directions as a stream of bytes, these channels also permit the sending of assorted types of 'channel request' in both directions. Channel request messages have a flag called 'want reply' which, if set, requires the recipient of the request to respond with a success or failure message (or some other specific response message if the request type defines one). Because channel requests have no identifying number, the only way that a request sender can identify which response goes with which request is by their ordering. As a result, it is important that a request receiver reply to a request if and only if it has the "want reply" flag set, as required by [RFC4254] section 5.4. (Implementations have been known to make mistakes on this in the past.) Channels may be closed at any time, by sending and receiving the SSH_MSG_CHANNEL_CLOSE message. After a party has both sent and received a close message for a channel, that channel is closed from the point of view of that party, and it may reuse the channel's identifying number. The question therefore arises: if a party has initiated channel closure by sending its close message, and then it receives a channel request with "want reply" set, should it reply? Tatham & Miller Expires November 4, 2016 [Page 2] Internet-Draft Clarification to channel closure in SSH May 2016 2. Conventions Used in this Document The key phrase "MUST NOT" in this document is to be interpreted as described in [RFC2119]. 3. Ambiguity The wording of [RFC4254] fails to unambiguously specify what should be done in this situation. Section 5.4 states that channel requests must be replied to if they have "want reply" set, and does not make any exception for channels in the process of being closed. This suggests that if the request- recipient does not respond to the request, it is in violation of section 5.4. However, suppose the request sender now sends its own channel close message, having received the close message from the request recipient. Now the request sender has both sent and received SSH_MSG_CHANNEL_CLOSE, and according to section 5.3, it is permitted to reuse the channel number immediately. So if the request receiver's response now arrives, a sender which has indeed reused the channel number will not be expecting it. This suggests if the request recipient does respond to the request, it is potentially in violation of section 5.3. In other words, a request recipient placed in this situation has no viable response which does not violate, or risk violating, one or other term of [RFC4254]. The specification is thus self- contradictory, and needs clarification. 4. Resolution This memo resolves the ambiguity by specifying the correct one of the above interpretations. The resolution is as follows: a request recipient MUST NOT send any response to a channel request if it has already sent SSH_MSG_CHANNEL_CLOSE on the same channel. This introduces an exception to section 5.4 of [RFC4254], and preserves the invariant intended by section 5.3. Specifically, users of [RFC4254] should replace the first sentence of the third paragraph of section 5.4: If 'want reply' is FALSE, no response will be sent to the request. with the text: Tatham & Miller Expires November 4, 2016 [Page 3] Internet-Draft Clarification to channel closure in SSH May 2016 If 'want reply' is FALSE, or if the sender has already sent SSH_MSG_CHANNEL_CLOSE for the channel, then the sender MUST NOT send a reply. 5. Rationale The choice of resolution is based on consensus among SSH implementors, following a discussion in which several points were made in favour of this decision: o If the channel is already in the process of closing, it is likely that any resources associated with the channel have already been deleted by the request receiver, so it would be unlikely to be able to successfully handle any request. Hence, responses to requests in this situation would almost certainly be SSH_MSG_REQUEST_FAILURE, and therefore this should simply be inferred. o To make the other decision (i.e. requiring recipients to respond to requests even after channel closure) adds complexity on the side of the request sender, which now requires an additional state in its channel state machine for the situation in which SSH_MSG_CHANNEL_CLOSE has been both sent and received but one or more "want reply" channel requests are still outstanding. o The apparent intent of section 5.3 (though not explicitly stated) is for SSH_MSG_CHANNEL_CLOSE to be the final message sent by each party in regard to each channel, and the clarification suggested here preserves that simple property. The protocol change is believed to eliminate the race condition, because it bases the decision of whether to send a response on information both sides can agree on, namely the ordering of two messages going in the same direction. The request recipient sends a response to a channel request (which has 'want reply' set) if and only if it has not sent SSH_MSG_CHANNEL_CLOSE first; therefore, the request sender knows that it should expect to receive a response if and only if it does not receive SSH_MSG_CHANNEL_CLOSE first (or rather, it should wait for either SSH_MSG_CHANNEL_CLOSE or a request response, whichever comes first). Hence, neither party needs to make a decision based on the relative ordering of messages sent in opposite directions (which would risk reintroducing a race, because the two parties would not necessarily observe those messages in the same order). Tatham & Miller Expires November 4, 2016 [Page 4] Internet-Draft Clarification to channel closure in SSH May 2016 6. Security Considerations No security issues are believed to be introduced by this change. The SSH connection protocol is intended to run inside the SSH transport protocol [RFC4253], which protects the content of the connection protocol stream against eavesdropping and active modification by malicious third parties. As a result, changes within the connection protocol itself need not consider questions of external interference with the sequence of messages. One attack still available to a malicious third party able to modify TCP packets on the way past is to delay one or both directions of the connection. It is therefore worth asking whether any race conditions are introduced by this change which such an attacker might deliberately induce to deny service. However, it is believed not: as discussed in the previous section, the request sender's decision about whether or not to expect a response message is based on the ordering of messages within a single direction of the connection, so no adjustment of the relative timing of the two directions will affect that ordering. (This is not an argument in favour of this particular choice of resolution to the ambiguity, since a similar and equally good argument against race conditions would have applied if this memo had specified the opposite resolution.) Another threat model worth considering is the one in which the client and server do not trust one another. No additional security hazards are believed to be introduced by this clarification in that situation either: the only possible security effect of altering the legality of sending a message in a particular stage of the protocol is to enable or disable one party to confuse the other by sending an illegal message on purpose - but many other illegal messages still exist (e.g. referring to a channel number that has never existed) so neither party's ability to do this has changed. 7. Acknowledgements The authors are indebted to Matt Johnston, Denis Bider and Niels Moller for discussion of this question. This document was written using the xml2rfc tool described in [RFC2629]. Tatham & Miller Expires November 4, 2016 [Page 5] Internet-Draft Clarification to channel closure in SSH May 2016 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4254] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Connection Protocol", RFC 4254, DOI 10.17487/RFC4254, January 2006, . 8.2. Informative References [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, DOI 10.17487/RFC2629, June 1999, . [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, January 2006, . Authors' Addresses Simon Tatham PuTTY Email: anakin@pobox.com Damien Miller OpenSSH Email: djm@openssh.com Tatham & Miller Expires November 4, 2016 [Page 6]