One document matched: draft-agl-tls-nextprotoneg-01.xml

<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd"[
 <!ENTITY RFC2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
 <!ENTITY RFC2616 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2616.xml'>
 <!ENTITY RFC5077 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5077.xml'>
 <!ENTITY RFC5246 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml'>
]>

<?rfc toc="yes" symrefs="yes"?>

<rfc ipr="trust200902" docName="draft-agl-tls-nextprotoneg-01">
  <front>
    <title abbrev="TLS Next Protocol Negotiation">Transport Layer Security (TLS) Next Protocol Negotiation Extension</title>
    <author initials="A." surname="Langley" fullname="Adam Langley">
      <organization>Google Inc</organization>
      <address>
        <email>agl@google.com</email>
      </address>
    </author>
    <date month="August" year="2010" />
    <area>Security</area>
    <abstract>
      <t>
        This document describes a Transport Layer Security (TLS) extension for
        application layer protocol negotiation. This allows the application
        layer to negotiate which protocol should be performed over the secure
        connection.
      </t>
    </abstract>
  </front>

  <middle>
    <section anchor="intro" title="Introduction">
      <t>
        As the Internet has evolved, it has become commonplace for hosts to initiate connections
        based on untrusted and possibly hostile data. <xref target="RFC2616">HTTP</xref> clients
        are currently the most widespread example of this as they will fetch URLs based on the
        contents of untrusted webpages.
      </t>

      <t>
        Any time that a connection is initiated based on untrusted data there is the possibility of
        a cross-protocol attack. If the attacker can control the contents of the connection in any
        way (for example, the requested URL in an HTTP connection) they may be able to encode a
        valid message in another protocol. The connecting host believes that it is speaking one
        protocol but the server understands it to be another. The application of Postel's
        Law exacerbates the issue as many servers will permit gross violations of the expected
        protocol in order to achieve maximum compatibility with clients.
      </t>

      <t>
        The <xref target="websockets">WebSockets</xref> protocol seeks to allow low-latency,
        full-duplex communication between browsers and HTTP servers. However, it also permits an
        unprecedented amount of attacker control over the contents of the connection. In order to
        prevent cross-protocol attacks, a mechanism to assure that both client and server are
        speaking the same protocol is required. To this end, Next Protocol Negotiation extends the
        <xref target="RFC5246">TLS</xref> handshake to permit both parties to agree on their
        intended protocol.
      </t>
    </section>

    <section title="Requirements Notation">
      <t>
        The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
        "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
        document are to be interpreted as described in <xref
          target="RFC2119">RFC 2119</xref>.
      </t>
    </section>

    <section title="Next Protocol Negotiation Extension">
      <t>
        A new extension type (<spanx
          style="verb">next_protocol_negotiation(TBD)</spanx>) is defined and
        MAY be included by the client in its <spanx style="verb">ClientHello</spanx> message. If,
        and only if, the server sees this extension in the <spanx style="verb">ClientHello</spanx>,
        it MAY choose to include the extension in its <spanx style="verb">ServerHello</spanx>.
      </t>

      <figure>
        <artwork>
enum {
  next_protocol_negotiation(TBD), (65535)
} ExtensionType;
        </artwork>
      </figure>

      <t>
        A new handshake message type (<spanx style="verb">next_protocol(TBD)</spanx>) is
        defined.  If, and only if, the server included a <spanx
          style="verb">next_protocol_negotiation</spanx> extension in its ServerHello message, the
        client MUST send a <spanx style="verb">NextProtocol</spanx> message after its
        <spanx style="verb">ChangeCipherSpec</spanx> and before its <spanx
          style="verb">Finished</spanx> message.  </t>

      <figure>
        <artwork>
struct {
  opaque selected_protocol<0..255>;
  opaque padding<0..255>;
} NextProtocol;
        </artwork>
      </figure>

      <t>The <spanx style="verb">extension_data</spanx> field of a <spanx style="verb">next_protocol_negotiation</spanx> in a <spanx style="verb">ClientHello</spanx> MUST be empty.</t>

      <t>
        The <spanx style="verb">extension_data</spanx> field in a <spanx
          style="verb">ServerHello</spanx> and the <spanx style="verb">NextProtocol</spanx> message
        contain opaque bytes to be used by the application layer to negotiate the
        application layer protocol. The format of this data is not specified in this draft.
      </t>

      <t>
        Unlike many other TLS extensions, this extension does not establish properties of the
        session, only of the connection. When session resumption or <xref target="RFC5077">session
        tickets</xref> are used, the previous contents of this extension are irrelevent and only the
        values in the new handshake messages are considered.
      </t>

      <t>
	For the same reasons, after a handshake has been performed for a given connection,
        renegotiations on the same connection MUST NOT include the <spanx
        style="verb">next_protocol_negotiation</spanx> extension.
      </t>
    </section>

    <section title="Security considerations">
      <t>
        The server's list of supported protocols is still advertised in the clear with this extension.
        This may be undesirable for certain protocols (such as <xref target="tor">Tor</xref>) where
        one could imagine that hostile networks would terminate any TLS connection with a server
        that advertised such a capability. In this case, clients may wish to opportunistically
        select a protocol that wasn't advertised by the server. However, the workings of such a
        scheme are outside the scope of this document.
      </t>
    </section>

    <section title="IANA Considerations">
      <t>
        This document requires IANA to update its registry of TLS extensions
        to assign an entry, referred herein as <spanx style="verb">next_protocol_negotiation</spanx>.
      </t>
      <t>
        This document also requires IANA to update its registry of TLS handshake types
        to assign an entry, referred herein as <spanx style="verb">next_protocol</spanx>.
      </t>
    </section>
    <section title="Acknowledgements">
      <t>
        This document benefitted specifically from discussions with Wan-Teh
        Chang and Nagendra Modadugu.
      </t>
    </section>
  </middle>

  <back>
    <references title="Normative References">

      &RFC2119;
      &RFC2616;
      &RFC5077;
      &RFC5246;

    </references>
    <references title="Informative References">
      <reference anchor="websockets">
        <front>
          <title>The Web Socket protocol</title>
          <author initials="I." surname="Hickson"> <organization/> </author>
          <date month="Internet Draft (work in progress), October" year="2009"/>
        </front>
      </reference>

      <reference anchor="tor">
        <front>
          <title>Tor: The Second-Generation Onion Router</title>
          <author initials="R." surname="Dingledine"> <organization/> </author>
          <author initials="N." surname="Matthewson"> <organization/> </author>
          <author initials="P." surname="Syverson"> <organization/> </author>
          <date month="August" year="2004"/>
        </front>
      </reference>
    </references>

    <section title="Changes">
      <t>To be removed by RFC Editor before publication</t>
    </section>
  </back>
</rfc>