diff options
Diffstat (limited to 'doc/draft-ietf-secsh-transport-16.txt')
-rw-r--r-- | doc/draft-ietf-secsh-transport-16.txt | 1624 |
1 files changed, 0 insertions, 1624 deletions
diff --git a/doc/draft-ietf-secsh-transport-16.txt b/doc/draft-ietf-secsh-transport-16.txt deleted file mode 100644 index b4564f17..00000000 --- a/doc/draft-ietf-secsh-transport-16.txt +++ /dev/null @@ -1,1624 +0,0 @@ - - -Network Working Group T. Ylonen -Internet-Draft T. Kivinen -Expires: January 12, 2004 SSH Communications Security Corp - M. Saarinen - University of Jyvaskyla - T. Rinne - S. Lehtinen - SSH Communications Security Corp - July 14, 2003 - - - SSH Transport Layer Protocol - draft-ietf-secsh-transport-16.txt - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as "work in - progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on January 12, 2004. - -Copyright Notice - - Copyright (C) The Internet Society (2003). All Rights Reserved. - -Abstract - - SSH is a protocol for secure remote login and other secure network - services over an insecure network. - - This document describes the SSH transport layer protocol which - typically runs on top of TCP/IP. The protocol can be used as a - - - -Ylonen, et. al. Expires January 12, 2004 [Page 1] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - basis for a number of secure network services. It provides strong - encryption, server authentication, and integrity protection. It - may also provide compression. - - Key exchange method, public key algorithm, symmetric encryption - algorithm, message authentication algorithm, and hash algorithm - are all negotiated. - - This document also describes the Diffie-Hellman key exchange - method and the minimal set of algorithms that are needed to - implement the SSH transport layer protocol. - -Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 2. Conventions Used in This Document . . . . . . . . . . . . . . 4 - 3. Connection Setup . . . . . . . . . . . . . . . . . . . . . . . 4 - 3.1 Use over TCP/IP . . . . . . . . . . . . . . . . . . . . . . . 4 - 3.2 Protocol Version Exchange . . . . . . . . . . . . . . . . . . 4 - 3.3 Compatibility With Old SSH Versions . . . . . . . . . . . . . 5 - 3.4 Old Client, New Server . . . . . . . . . . . . . . . . . . . . 5 - 3.5 New Client, Old Server . . . . . . . . . . . . . . . . . . . . 6 - 4. Binary Packet Protocol . . . . . . . . . . . . . . . . . . . . 6 - 4.1 Maximum Packet Length . . . . . . . . . . . . . . . . . . . . 7 - 4.2 Compression . . . . . . . . . . . . . . . . . . . . . . . . . 7 - 4.3 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 8 - 4.4 Data Integrity . . . . . . . . . . . . . . . . . . . . . . . . 10 - 4.5 Key Exchange Methods . . . . . . . . . . . . . . . . . . . . . 11 - 4.6 Public Key Algorithms . . . . . . . . . . . . . . . . . . . . 11 - 5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . 14 - 5.1 Algorithm Negotiation . . . . . . . . . . . . . . . . . . . . 14 - 5.2 Output from Key Exchange . . . . . . . . . . . . . . . . . . . 17 - 5.3 Taking Keys Into Use . . . . . . . . . . . . . . . . . . . . . 18 - 6. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 19 - 6.1 diffie-hellman-group1-sha1 . . . . . . . . . . . . . . . . . . 20 - 7. Key Re-Exchange . . . . . . . . . . . . . . . . . . . . . . . 21 - 8. Service Request . . . . . . . . . . . . . . . . . . . . . . . 22 - 9. Additional Messages . . . . . . . . . . . . . . . . . . . . . 22 - 9.1 Disconnection Message . . . . . . . . . . . . . . . . . . . . 23 - 9.2 Ignored Data Message . . . . . . . . . . . . . . . . . . . . . 23 - 9.3 Debug Message . . . . . . . . . . . . . . . . . . . . . . . . 24 - 9.4 Reserved Messages . . . . . . . . . . . . . . . . . . . . . . 24 - 10. Summary of Message Numbers . . . . . . . . . . . . . . . . . . 24 - 11. Security Considerations . . . . . . . . . . . . . . . . . . . 25 - 12. Intellectual Property . . . . . . . . . . . . . . . . . . . . 25 - 13. Additional Information . . . . . . . . . . . . . . . . . . . . 25 - References . . . . . . . . . . . . . . . . . . . . . . . . . . 26 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 27 - - - -Ylonen, et. al. Expires January 12, 2004 [Page 2] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - Full Copyright Statement . . . . . . . . . . . . . . . . . . . 29 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 3] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - 1. Introduction - - The SSH transport layer is a secure low level transport protocol. - It provides strong encryption, cryptographic host authentication, - and integrity protection. - - Authentication in this protocol level is host-based; this protocol - does not perform user authentication. A higher level protocol for - user authentication can be designed on top of this protocol. - - The protocol has been designed to be simple, flexible, to allow - parameter negotiation, and to minimize the number of round-trips. - Key exchange method, public key algorithm, symmetric encryption - algorithm, message authentication algorithm, and hash algorithm - are all negotiated. It is expected that in most environments, - only 2 round-trips will be needed for full key exchange, server - authentication, service request, and acceptance notification of - service request. The worst case is 3 round-trips. - - 2. Conventions Used in This Document - - The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD - NOT", and "MAY" that appear in this document are to be interpreted - as described in [RFC2119] - - The used data types and terminology are specified in the - architecture document [SSH-ARCH] - - The architecture document also discusses the algorithm naming - conventions that MUST be used with the SSH protocols. - - 3. Connection Setup - - SSH works over any 8-bit clean, binary-transparent transport. The - underlying transport SHOULD protect against transmission errors as - such errors cause the SSH connection to terminate. - - The client initiates the connection. - - 3.1 Use over TCP/IP - - When used over TCP/IP, the server normally listens for connections - on port 22. This port number has been registered with the IANA, - and has been officially assigned for SSH. - - 3.2 Protocol Version Exchange - - When the connection has been established, both sides MUST send an - - - -Ylonen, et. al. Expires January 12, 2004 [Page 4] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - identification string of the form "SSH-protoversion- - softwareversion comments", followed by carriage return and newline - characters (ASCII 13 and 10, respectively). Both sides MUST be - able to process identification strings without carriage return - character. No null character is sent. The maximum length of the - string is 255 characters, including the carriage return and - newline. - - The part of the identification string preceding carriage return - and newline is used in the Diffie-Hellman key exchange (see - Section Section 6). - - The server MAY send other lines of data before sending the version - string. Each line SHOULD be terminated by a carriage return and - newline. Such lines MUST NOT begin with "SSH-", and SHOULD be - encoded in ISO-10646 UTF-8 [RFC2279] (language is not specified). - Clients MUST be able to process such lines; they MAY be silently - ignored, or MAY be displayed to the client user; if they are - displayed, control character filtering discussed in [SSH-ARCH] - SHOULD be used. The primary use of this feature is to allow TCP- - wrappers to display an error message before disconnecting. - - Version strings MUST consist of printable US-ASCII characters, not - including whitespaces or a minus sign (-). The version string is - primarily used to trigger compatibility extensions and to indicate - the capabilities of an implementation. The comment string should - contain additional information that might be useful in solving - user problems. - - The protocol version described in this document is 2.0. - - Key exchange will begin immediately after sending this identifier. - All packets following the identification string SHALL use the - binary packet protocol, to be described below. - - 3.3 Compatibility With Old SSH Versions - - During the transition period, it is important to be able to work - in a way that is compatible with the installed SSH clients and - servers that use an older version of the protocol. Information in - this section is only relevant for implementations supporting - compatibility with SSH versions 1.x. - - 3.4 Old Client, New Server - - Server implementations MAY support a configurable "compatibility" - flag that enables compatibility with old versions. When this flag - is on, the server SHOULD identify its protocol version as "1.99". - - - -Ylonen, et. al. Expires January 12, 2004 [Page 5] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - Clients using protocol 2.0 MUST be able to identify this as - identical to "2.0". In this mode the server SHOULD NOT send the - carriage return character (ASCII 13) after the version - identification string. - - In the compatibility mode the server SHOULD NOT send any further - data after its initialization string until it has received an - identification string from the client. The server can then - determine whether the client is using an old protocol, and can - revert to the old protocol if required. In the compatibility - mode, the server MUST NOT send additional data before the version - string. - - When compatibility with old clients is not needed, the server MAY - send its initial key exchange data immediately after the - identification string. - - 3.5 New Client, Old Server - - Since the new client MAY immediately send additional data after - its identification string (before receiving server's - identification), the old protocol may already have been corrupted - when the client learns that the server is old. When this happens, - the client SHOULD close the connection to the server, and - reconnect using the old protocol. - - 4. Binary Packet Protocol - - Each packet is in the following format: - - uint32 packet_length - byte padding_length - byte[n1] payload; n1 = packet_length - padding_length - 1 - byte[n2] random padding; n2 = padding_length - byte[m] mac (message authentication code); m = mac_length - - packet_length - The length of the packet (bytes), not including MAC or the - packet_length field itself. - - padding_length - Length of padding (bytes). - - payload - The useful contents of the packet. If compression has been - negotiated, this field is compressed. Initially, - compression MUST be "none". - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 6] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - random padding - Arbitrary-length padding, such that the total length of - (packet_length || padding_length || payload || padding) is a - multiple of the cipher block size or 8, whichever is larger. - There MUST be at least four bytes of padding. The padding - SHOULD consist of random bytes. The maximum amount of - padding is 255 bytes. - - mac - Message authentication code. If message authentication has - been negotiated, this field contains the MAC bytes. - Initially, the MAC algorithm MUST be "none". - - - Note that length of the concatenation of packet length, padding - length, payload, and padding MUST be a multiple of the cipher - block size or 8, whichever is larger. This constraint MUST be - enforced even when using stream ciphers. Note that the packet - length field is also encrypted, and processing it requires special - care when sending or receiving packets. - - The minimum size of a packet is 16 (or the cipher block size, - whichever is larger) bytes (plus MAC); implementations SHOULD - decrypt the length after receiving the first 8 (or cipher block - size, whichever is larger) bytes of a packet. - - 4.1 Maximum Packet Length - - All implementations MUST be able to process packets with - uncompressed payload length of 32768 bytes or less and total - packet size of 35000 bytes or less (including length, padding - length, payload, padding, and MAC.). The maximum of 35000 bytes - is an arbitrary chosen value larger than uncompressed size. - Implementations SHOULD support longer packets, where they might be - needed, e.g. if an implementation wants to send a very large - number of certificates. Such packets MAY be sent if the version - string indicates that the other party is able to process them. - However, implementations SHOULD check that the packet length is - reasonable for the implementation to avoid denial-of-service - and/or buffer overflow attacks. - - 4.2 Compression - - If compression has been negotiated, the payload field (and only - it) will be compressed using the negotiated algorithm. The length - field and MAC will be computed from the compressed payload. - Encryption will be done after compression. - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 7] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - Compression MAY be stateful, depending on the method. Compression - MUST be independent for each direction, and implementations MUST - allow independently choosing the algorithm for each direction. - - The following compression methods are currently defined: - - none REQUIRED no compression - zlib OPTIONAL ZLIB (LZ77) compression - - The "zlib" compression is described in [RFC1950] and in [RFC1951]. - The compression context is initialized after each key exchange, - and is passed from one packet to the next with only a partial - flush being performed at the end of each packet. A partial flush - means that the current compressed block is ended and all data will - be output. If the current block is not a stored block, one or - more empty blocks are added after the current block to ensure that - there are at least 8 bits counting from the start of the end-of- - block code of the current block to the end of the packet payload. - - Additional methods may be defined as specified in [SSH-ARCH]. - - 4.3 Encryption - - An encryption algorithm and a key will be negotiated during the - key exchange. When encryption is in effect, the packet length, - padding length, payload and padding fields of each packet MUST be - encrypted with the given algorithm. - - The encrypted data in all packets sent in one direction SHOULD be - considered a single data stream. For example, initialization - vectors SHOULD be passed from the end of one packet to the - beginning of the next packet. All ciphers SHOULD use keys with an - effective key length of 128 bits or more. - - The ciphers in each direction MUST run independently of each - other, and implementations MUST allow independently choosing the - algorithm for each direction (if multiple algorithms are allowed - by local policy). - - The following ciphers are currently defined: - - 3des-cbc REQUIRED three-key 3DES in CBC mode - blowfish-cbc RECOMMENDED Blowfish in CBC mode - twofish256-cbc OPTIONAL Twofish in CBC mode, - with 256-bit key - twofish-cbc OPTIONAL alias for "twofish256-cbc" (this - is being retained for - historical reasons) - - - -Ylonen, et. al. Expires January 12, 2004 [Page 8] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - twofish192-cbc OPTIONAL Twofish with 192-bit key - twofish128-cbc RECOMMENDED Twofish with 128-bit key - aes256-cbc OPTIONAL AES (Rijndael) in CBC mode, - with 256-bit key - aes192-cbc OPTIONAL AES with 192-bit key - aes128-cbc RECOMMENDED AES with 128-bit key - serpent256-cbc OPTIONAL Serpent in CBC mode, with - 256-bit key - serpent192-cbc OPTIONAL Serpent with 192-bit key - serpent128-cbc OPTIONAL Serpent with 128-bit key - arcfour OPTIONAL the ARCFOUR stream cipher - idea-cbc OPTIONAL IDEA in CBC mode - cast128-cbc OPTIONAL CAST-128 in CBC mode - none OPTIONAL no encryption; NOT RECOMMENDED - - The "3des-cbc" cipher is three-key triple-DES (encrypt-decrypt- - encrypt), where the first 8 bytes of the key are used for the - first encryption, the next 8 bytes for the decryption, and the - following 8 bytes for the final encryption. This requires 24 - bytes of key data (of which 168 bits are actually used). To - implement CBC mode, outer chaining MUST be used (i.e., there is - only one initialization vector). This is a block cipher with 8 - byte blocks. This algorithm is defined in [SCHNEIER] - - The "blowfish-cbc" cipher is Blowfish in CBC mode, with 128 bit - keys [SCHNEIER]. This is a block cipher with 8 byte blocks. - - The "twofish-cbc" or "twofish256-cbc" cipher is Twofish in CBC - mode, with 256 bit keys as described [TWOFISH]. This is a block - cipher with 16 byte blocks. - - The "twofish192-cbc" cipher. Same as above but with 192-bit key. - - The "twofish128-cbc" cipher. Same as above but with 128-bit key. - - The "aes256-cbc" cipher is AES (Advanced Encryption Standard), - formerly Rijndael, in CBC mode. This version uses 256-bit key. - - The "aes192-cbc" cipher. Same as above but with 192-bit key. - - The "aes128-cbc" cipher. Same as above but with 128-bit key. - - The "serpent256-cbc" cipher in CBC mode, with 256-bit key as - described in the Serpent AES submission. - - The "serpent192-cbc" cipher. Same as above but with 192-bit key. - - The "serpent128-cbc" cipher. Same as above but with 128-bit key. - - - -Ylonen, et. al. Expires January 12, 2004 [Page 9] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - The "arcfour" is the Arcfour stream cipher with 128 bit keys. The - Arcfour cipher is believed to be compatible with the RC4 cipher - [SCHNEIER]. RC4 is a registered trademark of RSA Data Security - Inc. Arcfour (and RC4) has problems with weak keys, and should be - used with caution. - - The "idea-cbc" cipher is the IDEA cipher in CBC mode [SCHNEIER]. - IDEA is patented by Ascom AG. - - The "cast128-cbc" cipher is the CAST-128 cipher in CBC mode - [RFC2144]. - - The "none" algorithm specifies that no encryption is to be done. - Note that this method provides no confidentiality protection, and - it is not recommended. Some functionality (e.g. password - authentication) may be disabled for security reasons if this - cipher is chosen. - - Additional methods may be defined as specified in [SSH-ARCH]. - - 4.4 Data Integrity - - Data integrity is protected by including with each packet a - message authentication code (MAC) that is computed from a shared - secret, packet sequence number, and the contents of the packet. - - The message authentication algorithm and key are negotiated during - key exchange. Initially, no MAC will be in effect, and its length - MUST be zero. After key exchange, the selected MAC will be - computed before encryption from the concatenation of packet data: - - mac = MAC(key, sequence_number || unencrypted_packet) - - where unencrypted_packet is the entire packet without MAC (the - length fields, payload and padding), and sequence_number is an - implicit packet sequence number represented as uint32. The - sequence number is initialized to zero for the first packet, and - is incremented after every packet (regardless of whether - encryption or MAC is in use). It is never reset, even if - keys/algorithms are renegotiated later. It wraps around to zero - after every 2^32 packets. The packet sequence number itself is - not included in the packet sent over the wire. - - The MAC algorithms for each direction MUST run independently, and - implementations MUST allow choosing the algorithm independently - for both directions. - - The MAC bytes resulting from the MAC algorithm MUST be transmitted - - - -Ylonen, et. al. Expires January 12, 2004 [Page 10] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - without encryption as the last part of the packet. The number of - MAC bytes depends on the algorithm chosen. - - The following MAC algorithms are currently defined: - - hmac-sha1 REQUIRED HMAC-SHA1 (digest length = key - length = 20) - hmac-sha1-96 RECOMMENDED first 96 bits of HMAC-SHA1 (digest - length = 12, key length = 20) - hmac-md5 OPTIONAL HMAC-MD5 (digest length = key - length = 16) - hmac-md5-96 OPTIONAL first 96 bits of HMAC-MD5 (digest - length = 12, key length = 16) - none OPTIONAL no MAC; NOT RECOMMENDED - - The "hmac-*" algorithms are described in [RFC2104] The "*-n" MACs - use only the first n bits of the resulting value. - - The hash algorithms are described in [SCHNEIER]. - - Additional methods may be defined as specified in [SSH-ARCH]. - - 4.5 Key Exchange Methods - - The key exchange method specifies how one-time session keys are - generated for encryption and for authentication, and how the - server authentication is done. - - Only one REQUIRED key exchange method has been defined: - - diffie-hellman-group1-sha1 REQUIRED - - This method is described later in this document. - - Additional methods may be defined as specified in [SSH-ARCH]. - - 4.6 Public Key Algorithms - - This protocol has been designed to be able to operate with almost - any public key format, encoding, and algorithm (signature and/or - encryption). - - There are several aspects that define a public key type: - o Key format: how is the key encoded and how are certificates - represented. The key blobs in this protocol MAY contain - certificates in addition to keys. - o Signature and/or encryption algorithms. Some key types may not - support both signing and encryption. Key usage may also be - - - -Ylonen, et. al. Expires January 12, 2004 [Page 11] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - restricted by policy statements in e.g. certificates. In this - case, different key types SHOULD be defined for the different - policy alternatives. - o Encoding of signatures and/or encrypted data. This includes - but is not limited to padding, byte order, and data formats. - - The following public key and/or certificate formats are currently defined: - - ssh-dss REQUIRED sign Simple DSS - ssh-rsa RECOMMENDED sign Simple RSA - x509v3-sign-rsa OPTIONAL sign X.509 certificates (RSA key) - x509v3-sign-dss OPTIONAL sign X.509 certificates (DSS key) - spki-sign-rsa OPTIONAL sign SPKI certificates (RSA key) - spki-sign-dss OPTIONAL sign SPKI certificates (DSS key) - pgp-sign-rsa OPTIONAL sign OpenPGP certificates (RSA key) - pgp-sign-dss OPTIONAL sign OpenPGP certificates (DSS key) - - Additional key types may be defined as specified in [SSH-ARCH]. - - The key type MUST always be explicitly known (from algorithm - negotiation or some other source). It is not normally included in - the key blob. - - Certificates and public keys are encoded as follows: - - string certificate or public key format identifier - byte[n] key/certificate data - - The certificate part may have be a zero length string, but a - public key is required. This is the public key that will be used - for authentication; the certificate sequence contained in the - certificate blob can be used to provide authorization. - - Public key / certifcate formats that do not explicitly specify a - signature format identifier MUST use the public key / certificate - format identifier as the signature identifier. - - Signatures are encoded as follows: - string signature format identifier (as specified by the - public key / cert format) - byte[n] signature blob in format specific encoding. - - - The "ssh-dss" key format has the following specific encoding: - - string "ssh-dss" - mpint p - mpint q - - - -Ylonen, et. al. Expires January 12, 2004 [Page 12] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - mpint g - mpint y - - Here the p, q, g, and y parameters form the signature key blob. - - Signing and verifying using this key format is done according to - the Digital Signature Standard [FIPS-186] using the SHA-1 hash. A - description can also be found in [SCHNEIER]. - - The resulting signature is encoded as follows: - - string "ssh-dss" - string dss_signature_blob - - dss_signature_blob is encoded as a string containing r followed by - s (which are 160 bits long integers, without lengths or padding, - unsigned and in network byte order). - - The "ssh-rsa" key format has the following specific encoding: - - string "ssh-rsa" - mpint e - mpint n - - Here the e and n parameters form the signature key blob. - - Signing and verifying using this key format is done according to - [SCHNEIER] and [PKCS1] using the SHA-1 hash. - - The resulting signature is encoded as follows: - - string "ssh-rsa" - string rsa_signature_blob - - rsa_signature_blob is encoded as a string containing s (which is - an integer, without lengths or padding, unsigned and in network - byte order). - - The "spki-sign-rsa" method indicates that the certificate blob - contains a sequence of SPKI certificates. The format of SPKI - certificates is described in [RFC2693]. This method indicates - that the key (or one of the keys in the certificate) is an RSA- - key. - - The "spki-sign-dss". As above, but indicates that the key (or one - of the keys in the certificate) is a DSS-key. - - The "pgp-sign-rsa" method indicates the certificates, the public - - - -Ylonen, et. al. Expires January 12, 2004 [Page 13] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - key, and the signature are in OpenPGP compatible binary format - ([RFC2440]). This method indicates that the key is an RSA-key. - - The "pgp-sign-dss". As above, but indicates that the key is a - DSS-key. - - 5. Key Exchange - - Key exchange begins by each side sending lists of supported - algorithms. Each side has a preferred algorithm in each category, - and it is assumed that most implementations at any given time will - use the same preferred algorithm. Each side MAY guess which - algorithm the other side is using, and MAY send an initial key - exchange packet according to the algorithm if appropriate for the - preferred method. - - Guess is considered wrong, if: - o the kex algorithm and/or the host key algorithm is guessed - wrong (server and client have different preferred algorithm), - or - o if any of the other algorithms cannot be agreed upon (the - procedure is defined below in Section Section 5.1). - - Otherwise, the guess is considered to be right and the - optimistically sent packet MUST be handled as the first key - exchange packet. - - However, if the guess was wrong, and a packet was optimistically - sent by one or both parties, such packets MUST be ignored (even if - the error in the guess would not affect the contents of the - initial packet(s)), and the appropriate side MUST send the correct - initial packet. - - Server authentication in the key exchange MAY be implicit. After - a key exchange with implicit server authentication, the client - MUST wait for response to its service request message before - sending any further data. - - 5.1 Algorithm Negotiation - - Key exchange begins by each side sending the following packet: - - byte SSH_MSG_KEXINIT - byte[16] cookie (random bytes) - string kex_algorithms - string server_host_key_algorithms - string encryption_algorithms_client_to_server - string encryption_algorithms_server_to_client - - - -Ylonen, et. al. Expires January 12, 2004 [Page 14] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - string mac_algorithms_client_to_server - string mac_algorithms_server_to_client - string compression_algorithms_client_to_server - string compression_algorithms_server_to_client - string languages_client_to_server - string languages_server_to_client - boolean first_kex_packet_follows - uint32 0 (reserved for future extension) - - Each of the algorithm strings MUST be a comma-separated list of - algorithm names (see ''Algorithm Naming'' in [SSH-ARCH]). Each - supported (allowed) algorithm MUST be listed in order of - preference. - - The first algorithm in each list MUST be the preferred (guessed) - algorithm. Each string MUST contain at least one algorithm name. - - - cookie - The cookie MUST be a random value generated by the sender. - Its purpose is to make it impossible for either side to - fully determine the keys and the session identifier. - - kex_algorithms - Key exchange algorithms were defined above. The first - algorithm MUST be the preferred (and guessed) algorithm. If - both sides make the same guess, that algorithm MUST be used. - Otherwise, the following algorithm MUST be used to choose a - key exchange method: iterate over client's kex algorithms, - one at a time. Choose the first algorithm that satisfies - the following conditions: - + the server also supports the algorithm, - + if the algorithm requires an encryption-capable host key, - there is an encryption-capable algorithm on the server's - server_host_key_algorithms that is also supported by the - client, and - + if the algorithm requires a signature-capable host key, - there is a signature-capable algorithm on the server's - server_host_key_algorithms that is also supported by the - client. - + If no algorithm satisfying all these conditions can be - found, the connection fails, and both sides MUST - disconnect. - - server_host_key_algorithms - List of the algorithms supported for the server host key. - The server lists the algorithms for which it has host keys; - the client lists the algorithms that it is willing to - - - -Ylonen, et. al. Expires January 12, 2004 [Page 15] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - accept. (There MAY be multiple host keys for a host, - possibly with different algorithms.) - - Some host keys may not support both signatures and - encryption (this can be determined from the algorithm), and - thus not all host keys are valid for all key exchange - methods. - - Algorithm selection depends on whether the chosen key - exchange algorithm requires a signature or encryption - capable host key. It MUST be possible to determine this - from the public key algorithm name. The first algorithm on - the client's list that satisfies the requirements and is - also supported by the server MUST be chosen. If there is no - such algorithm, both sides MUST disconnect. - - encryption_algorithms - Lists the acceptable symmetric encryption algorithms in - order of preference. The chosen encryption algorithm to - each direction MUST be the first algorithm on the client's - list that is also on the server's list. If there is no such - algorithm, both sides MUST disconnect. - - Note that "none" must be explicitly listed if it is to be - acceptable. The defined algorithm names are listed in - Section Section 4.3. - - mac_algorithms - Lists the acceptable MAC algorithms in order of preference. - The chosen MAC algorithm MUST be the first algorithm on the - client's list that is also on the server's list. If there - is no such algorithm, both sides MUST disconnect. - - Note that "none" must be explicitly listed if it is to be - acceptable. The MAC algorithm names are listed in Section - Figure 1. - - compression_algorithms - Lists the acceptable compression algorithms in order of - preference. The chosen compression algorithm MUST be the - first algorithm on the client's list that is also on the - server's list. If there is no such algorithm, both sides - MUST disconnect. - - Note that "none" must be explicitly listed if it is to be - acceptable. The compression algorithm names are listed in - Section Section 4.2. - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 16] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - languages - This is a comma-separated list of language tags in order of - preference [RFC1766]. Both parties MAY ignore this list. - If there are no language preferences, this list SHOULD be - empty. - - first_kex_packet_follows - Indicates whether a guessed key exchange packet follows. If - a guessed packet will be sent, this MUST be TRUE. If no - guessed packet will be sent, this MUST be FALSE. - - After receiving the SSH_MSG_KEXINIT packet from the other - side, each party will know whether their guess was right. - If the other party's guess was wrong, and this field was - TRUE, the next packet MUST be silently ignored, and both - sides MUST then act as determined by the negotiated key - exchange method. If the guess was right, key exchange MUST - continue using the guessed packet. - - After the KEXINIT packet exchange, the key exchange algorithm is - run. It may involve several packet exchanges, as specified by the - key exchange method. - - 5.2 Output from Key Exchange - - The key exchange produces two values: a shared secret K, and an - exchange hash H. Encryption and authentication keys are derived - from these. The exchange hash H from the first key exchange is - additionally used as the session identifier, which is a unique - identifier for this connection. It is used by authentication - methods as a part of the data that is signed as a proof of - possession of a private key. Once computed, the session - identifier is not changed, even if keys are later re-exchanged. - - - Each key exchange method specifies a hash function that is used in - the key exchange. The same hash algorithm MUST be used in key - derivation. Here, we'll call it HASH. - - - Encryption keys MUST be computed as HASH of a known value and K as - follows: - o Initial IV client to server: HASH(K || H || "A" || session_id) - (Here K is encoded as mpint and "A" as byte and session_id as - raw data."A" means the single character A, ASCII 65). - o Initial IV server to client: HASH(K || H || "B" || session_id) - o Encryption key client to server: HASH(K || H || "C" || - session_id) - - - -Ylonen, et. al. Expires January 12, 2004 [Page 17] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - o Encryption key server to client: HASH(K || H || "D" || - session_id) - o Integrity key client to server: HASH(K || H || "E" || - session_id) - o Integrity key server to client: HASH(K || H || "F" || - session_id) - - Key data MUST be taken from the beginning of the hash output. 128 - bits (16 bytes) SHOULD be used for algorithms with variable-length - keys. For other algorithms, as many bytes as are needed are taken - from the beginning of the hash value. If the key length in longer - than the output of the HASH, the key is extended by computing HASH - of the concatenation of K and H and the entire key so far, and - appending the resulting bytes (as many as HASH generates) to the - key. This process is repeated until enough key material is - available; the key is taken from the beginning of this value. In - other words: - - K1 = HASH(K || H || X || session_id) (X is e.g. "A") - K2 = HASH(K || H || K1) - K3 = HASH(K || H || K1 || K2) - ... - key = K1 || K2 || K3 || ... - - This process will lose entropy if the amount of entropy in K is - larger than the internal state size of HASH. - - 5.3 Taking Keys Into Use - - Key exchange ends by each side sending an SSH_MSG_NEWKEYS message. - This message is sent with the old keys and algorithms. All - messages sent after this message MUST use the new keys and - algorithms. - - - When this message is received, the new keys and algorithms MUST be - taken into use for receiving. - - - This message is the only valid message after key exchange, in - addition to SSH_MSG_DEBUG, SSH_MSG_DISCONNECT and SSH_MSG_IGNORE - messages. The purpose of this message is to ensure that a party - is able to respond with a disconnect message that the other party - can understand if something goes wrong with the key exchange. - Implementations MUST NOT accept any other messages after key - exchange before receiving SSH_MSG_NEWKEYS. - - byte SSH_MSG_NEWKEYS - - - -Ylonen, et. al. Expires January 12, 2004 [Page 18] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - 6. Diffie-Hellman Key Exchange - - The Diffie-Hellman key exchange provides a shared secret that can - not be determined by either party alone. The key exchange is - combined with a signature with the host key to provide host - authentication. - - - In the following description (C is the client, S is the server; p - is a large safe prime, g is a generator for a subgroup of GF(p), - and q is the order of the subgroup; V_S is S's version string; V_C - is C's version string; K_S is S's public host key; I_C is C's - KEXINIT message and I_S S's KEXINIT message which have been - exchanged before this part begins): - - - 1. C generates a random number x (1 < x < q) and computes e = g^x - mod p. C sends "e" to S. - - 2. S generates a random number y (0 < y < q) and computes f = g^y - mod p. S receives "e". It computes K = e^y mod p, H = - hash(V_C || V_S || I_C || I_S || K_S || e || f || K) (these - elements are encoded according to their types; see below), and - signature s on H with its private host key. S sends "K_S || f - || s" to C. The signing operation may involve a second - hashing operation. - - 3. C verifies that K_S really is the host key for S (e.g. using - certificates or a local database). C is also allowed to - accept the key without verification; however, doing so will - render the protocol insecure against active attacks (but may - be desirable for practical reasons in the short term in many - environments). C then computes K = f^x mod p, H = hash(V_C || - V_S || I_C || I_S || K_S || e || f || K), and verifies the - signature s on H. - - Either side MUST NOT send or accept e or f values that are not in - the range [1, p-1]. If this condition is violated, the key - exchange fails. - - - This is implemented with the following messages. The hash - algorithm for computing the exchange hash is defined by the method - name, and is called HASH. The public key algorithm for signing is - negotiated with the KEXINIT messages. - - First, the client sends the following: - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 19] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - byte SSH_MSG_KEXDH_INIT - mpint e - - - The server responds with the following: - - byte SSH_MSG_KEXDH_REPLY - string server public host key and certificates (K_S) - mpint f - string signature of H - - The hash H is computed as the HASH hash of the concatenation of - the following: - - string V_C, the client's version string (CR and NL excluded) - string V_S, the server's version string (CR and NL excluded) - string I_C, the payload of the client's SSH_MSG_KEXINIT - string I_S, the payload of the server's SSH_MSG_KEXINIT - string K_S, the host key - mpint e, exchange value sent by the client - mpint f, exchange value sent by the server - mpint K, the shared secret - - This value is called the exchange hash, and it is used to - authenticate the key exchange. The exchange hash SHOULD be kept - secret. - - - The signature algorithm MUST be applied over H, not the original - data. Most signature algorithms include hashing and additional - padding. For example, "ssh-dss" specifies SHA-1 hashing; in that - case, the data is first hashed with HASH to compute H, and H is - then hashed with SHA-1 as part of the signing operation. - - 6.1 diffie-hellman-group1-sha1 - - The "diffie-hellman-group1-sha1" method specifies Diffie-Hellman - key exchange with SHA-1 as HASH, and the following group: - - The prime p is equal to 2^1024 - 2^960 - 1 + 2^64 * floor( 2^894 - Pi + 129093 ). Its hexadecimal value is: - - FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 - 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD - EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 - E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED - EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 - FFFFFFFF FFFFFFFF. - - - -Ylonen, et. al. Expires January 12, 2004 [Page 20] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - In decimal, this value is: - - 179769313486231590770839156793787453197860296048756011706444 - 423684197180216158519368947833795864925541502180565485980503 - 646440548199239100050792877003355816639229553136239076508735 - 759914822574862575007425302077447712589550957937778424442426 - 617334727629299387668709205606050270810842907692932019128194 - 467627007. - - The generator used with this prime is g = 2. The group order q is - (p - 1) / 2. - - This group was taken from the ISAKMP/Oakley specification, and was - originally generated by Richard Schroeppel at the University of - Arizona. Properties of this prime are described in [Orm96]. - - 7. Key Re-Exchange - - Key re-exchange is started by sending an SSH_MSG_KEXINIT packet - when not already doing a key exchange (as described in Section - Section 5.1). When this message is received, a party MUST respond - with its own SSH_MSG_KEXINIT message except when the received - SSH_MSG_KEXINIT already was a reply. Either party MAY initiate - the re-exchange, but roles MUST NOT be changed (i.e., the server - remains the server, and the client remains the client). - - - Key re-exchange is performed using whatever encryption was in - effect when the exchange was started. Encryption, compression, - and MAC methods are not changed before a new SSH_MSG_NEWKEYS is - sent after the key exchange (as in the initial key exchange). Re- - exchange is processed identically to the initial key exchange, - except for the session identifier that will remain unchanged. It - is permissible to change some or all of the algorithms during the - re-exchange. Host keys can also change. All keys and - initialization vectors are recomputed after the exchange. - Compression and encryption contexts are reset. - - - It is recommended that the keys are changed after each gigabyte of - transmitted data or after each hour of connection time, whichever - comes sooner. However, since the re-exchange is a public key - operation, it requires a fair amount of processing power and - should not be performed too often. - - - More application data may be sent after the SSH_MSG_NEWKEYS packet - has been sent; key exchange does not affect the protocols that lie - - - -Ylonen, et. al. Expires January 12, 2004 [Page 21] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - above the SSH transport layer. - - 8. Service Request - - After the key exchange, the client requests a service. The - service is identified by a name. The format of names and - procedures for defining new names are defined in [SSH-ARCH]. - - - Currently, the following names have been reserved: - - ssh-userauth - ssh-connection - - Similar local naming policy is applied to the service names, as is - applied to the algorithm names; a local service should use the - "servicename@domain" syntax. - - byte SSH_MSG_SERVICE_REQUEST - string service name - - If the server rejects the service request, it SHOULD send an - appropriate SSH_MSG_DISCONNECT message and MUST disconnect. - - - When the service starts, it may have access to the session - identifier generated during the key exchange. - - - If the server supports the service (and permits the client to use - it), it MUST respond with the following: - - byte SSH_MSG_SERVICE_ACCEPT - string service name - - Message numbers used by services should be in the area reserved - for them (see Section 6 in [SSH-ARCH]). The transport level will - continue to process its own messages. - - - Note that after a key exchange with implicit server - authentication, the client MUST wait for response to its service - request message before sending any further data. - - 9. Additional Messages - - Either party may send any of the following messages at any time. - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 22] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - 9.1 Disconnection Message - - byte SSH_MSG_DISCONNECT - uint32 reason code - string description [RFC2279] - string language tag [RFC1766] - - This message causes immediate termination of the connection. All - implementations MUST be able to process this message; they SHOULD - be able to send this message. - - The sender MUST NOT send or receive any data after this message, - and the recipient MUST NOT accept any data after receiving this - message. The description field gives a more specific explanation - in a human-readable form. The error code gives the reason in a - more machine-readable format (suitable for localization), and can - have the following values: - - #define SSH_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 - #define SSH_DISCONNECT_PROTOCOL_ERROR 2 - #define SSH_DISCONNECT_KEY_EXCHANGE_FAILED 3 - #define SSH_DISCONNECT_RESERVED 4 - #define SSH_DISCONNECT_MAC_ERROR 5 - #define SSH_DISCONNECT_COMPRESSION_ERROR 6 - #define SSH_DISCONNECT_SERVICE_NOT_AVAILABLE 7 - #define SSH_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 - #define SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 - #define SSH_DISCONNECT_CONNECTION_LOST 10 - #define SSH_DISCONNECT_BY_APPLICATION 11 - #define SSH_DISCONNECT_TOO_MANY_CONNECTIONS 12 - #define SSH_DISCONNECT_AUTH_CANCELLED_BY_USER 13 - #define SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 - #define SSH_DISCONNECT_ILLEGAL_USER_NAME 15 - - If the description string is displayed, control character - filtering discussed in [SSH-ARCH] should be used to avoid attacks - by sending terminal control characters. - - 9.2 Ignored Data Message - - byte SSH_MSG_IGNORE - string data - - All implementations MUST understand (and ignore) this message at - any time (after receiving the protocol version). No - implementation is required to send them. This message can be used - as an additional protection measure against advanced traffic - analysis techniques. - - - -Ylonen, et. al. Expires January 12, 2004 [Page 23] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - 9.3 Debug Message - - byte SSH_MSG_DEBUG - boolean always_display - string message [RFC2279] - string language tag [RFC1766] - - All implementations MUST understand this message, but they are - allowed to ignore it. This message is used to pass the other side - information that may help debugging. If always_display is TRUE, - the message SHOULD be displayed. Otherwise, it SHOULD NOT be - displayed unless debugging information has been explicitly - requested by the user. - - - The message doesn't need to contain a newline. It is, however, - allowed to consist of multiple lines separated by CRLF (Carriage - Return - Line Feed) pairs. - - - If the message string is displayed, terminal control character - filtering discussed in [SSH-ARCH] should be used to avoid attacks - by sending terminal control characters. - - 9.4 Reserved Messages - - An implementation MUST respond to all unrecognized messages with - an SSH_MSG_UNIMPLEMENTED message in the order in which the - messages were received. Such messages MUST be otherwise ignored. - Later protocol versions may define other meanings for these - message types. - - byte SSH_MSG_UNIMPLEMENTED - uint32 packet sequence number of rejected message - - - 10. Summary of Message Numbers - - The following message numbers have been defined in this protocol: - - #define SSH_MSG_DISCONNECT 1 - #define SSH_MSG_IGNORE 2 - #define SSH_MSG_UNIMPLEMENTED 3 - #define SSH_MSG_DEBUG 4 - #define SSH_MSG_SERVICE_REQUEST 5 - #define SSH_MSG_SERVICE_ACCEPT 6 - - #define SSH_MSG_KEXINIT 20 - - - -Ylonen, et. al. Expires January 12, 2004 [Page 24] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - #define SSH_MSG_NEWKEYS 21 - - /* Numbers 30-49 used for kex packets. - Different kex methods may reuse message numbers in - this range. */ - - #define SSH_MSG_KEXDH_INIT 30 - #define SSH_MSG_KEXDH_REPLY 31 - - - 11. Security Considerations - - This protocol provides a secure encrypted channel over an insecure - network. It performs server host authentication, key exchange, - encryption, and integrity protection. It also derives a unique - session id that may be used by higher-level protocols. - - Full security considerations for this protocol are provided in - Section 8 of [SSH-ARCH] - - 12. Intellectual Property - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described - in this document or the extent to which any license under such - rights might or might not be available; neither does it represent - that it has made any effort to identify any such rights. - Information on the IETF's procedures with respect to rights in - standards-track and standards-related documentation can be found - in BCP-11. Copies of claims of rights made available for - publication and any assurances of licenses to be made available, - or the result of an attempt made to obtain a general license or - permission for the use of such proprietary rights by implementers - or users of this specification can be obtained from the IETF - Secretariat. - - The IETF has been notified of intellectual property rights claimed - in regard to some or all of the specification contained in this - document. For more information consult the online list of claimed - rights. - - 13. Additional Information - - The current document editor is: Darren.Moffat@Sun.COM. Comments - on this internet draft should be sent to the IETF SECSH working - group, details at: http://ietf.org/html.charters/secsh- - charter.html - - - -Ylonen, et. al. Expires January 12, 2004 [Page 25] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - -References - - [FIPS-186] Federal Information Processing Standards - Publication, ., "FIPS PUB 186, Digital Signature - Standard", May 1994. - - [Orm96] Orman, H., "The Okaley Key Determination Protcol - version1, TR97-92", 1996. - - [RFC2459] Housley, R., Ford, W., Polk, W. and D. Solo, - "Internet X.509 Public Key Infrastructure - Certificate and CRL Profile", RFC 2459, January - 1999. - - [RFC1034] Mockapetris, P., "Domain names - concepts and - facilities", STD 13, RFC 1034, Nov 1987. - - [RFC1766] Alvestrand, H., "Tags for the Identification of - Languages", RFC 1766, March 1995. - - [RFC1950] Deutsch, P. and J-L. Gailly, "ZLIB Compressed Data - Format Specification version 3.3", RFC 1950, May - 1996. - - [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format - Specification version 1.3", RFC 1951, May 1996. - - [RFC2279] Yergeau, F., "UTF-8, a transformation format of - ISO 10646", RFC 2279, January 1998. - - [RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: - Keyed-Hashing for Message Authentication", RFC - 2104, February 1997. - - [RFC2119] Bradner, S., "Key words for use in RFCs to - Indicate Requirement Levels", BCP 14, RFC 2119, - March 1997. - - [RFC2144] Adams, C., "The CAST-128 Encryption Algorithm", - RFC 2144, May 1997. - - [RFC2440] Callas, J., Donnerhacke, L., Finney, H. and R. - Thayer, "OpenPGP Message Format", RFC 2440, - November 1998. - - [RFC2693] Ellison, C., Frantz, B., Lampson, B., Rivest, R., - Thomas, B. and T. Ylonen, "SPKI Certificate - Theory", RFC 2693, September 1999. - - - -Ylonen, et. al. Expires January 12, 2004 [Page 26] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - [SCHNEIER] Schneier, B., "Applied Cryptography Second - Edition: protocols algorithms and source in code - in C", 1996. - - [TWOFISH] Schneier, B., "The Twofish Encryptions Algorithm: - A 128-Bit Block Cipher, 1st Edition", March 1999. - - [SSH-ARCH] Ylonen, T., "SSH Protocol Architecture", I-D - draft-ietf-architecture-14.txt, July 2003. - - [SSH-TRANS] Ylonen, T., "SSH Transport Layer Protocol", I-D - draft-ietf-transport-16.txt, July 2003. - - [SSH-USERAUTH] Ylonen, T., "SSH Authentication Protocol", I-D - draft-ietf-userauth-17.txt, July 2003. - - [SSH-CONNECT] Ylonen, T., "SSH Connection Protocol", I-D draft- - ietf-connect-17.txt, July 2003. - - [SSH-NUMBERS] Lehtinen, S. and D. Moffat, "SSH Protocol Assigned - Numbers", I-D draft-ietf-secsh-assignednumbers- - 03.txt, July 2003. - - -Authors' Addresses - - Tatu Ylonen - SSH Communications Security Corp - Fredrikinkatu 42 - HELSINKI FIN-00100 - Finland - - EMail: ylo@ssh.com - - - Tero Kivinen - SSH Communications Security Corp - Fredrikinkatu 42 - HELSINKI FIN-00100 - Finland - - EMail: kivinen@ssh.com - - - Markku-Juhani O. Saarinen - University of Jyvaskyla - - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 27] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - - Timo J. Rinne - SSH Communications Security Corp - Fredrikinkatu 42 - HELSINKI FIN-00100 - Finland - - EMail: tri@ssh.com - - - Sami Lehtinen - SSH Communications Security Corp - Fredrikinkatu 42 - HELSINKI FIN-00100 - Finland - - EMail: sjl@ssh.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 28] - -Internet-Draft SSH Transport Layer Protocol July 2003 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2003). All Rights Reserved. - - This document and translations of it may be copied and furnished - to others, and derivative works that comment on or otherwise - explain it or assist in its implementation may be prepared, - copied, published and distributed, in whole or in part, without - restriction of any kind, provided that the above copyright notice - and this paragraph are included on all such copies and derivative - works. However, this document itself may not be modified in any - way, such as by removing the copyright notice or references to the - Internet Society or other Internet organizations, except as needed - for the purpose of developing Internet standards in which case the - procedures for copyrights defined in the Internet Standards - process must be followed, or as required to translate it into - languages other than English. - - The limited permissions granted above are perpetual and will not - be revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on - an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET - ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF - THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 29] - |