draft-ietf-tsvwg-sctp-auth-00.txt   draft-ietf-tsvwg-sctp-auth-01.txt 
Network Working Group M. Tuexen Network Working Group M. Tuexen
Internet-Draft Muenster Univ. of Applied Sciences Internet-Draft Muenster Univ. of Applied Sciences
Expires: December 14, 2005 R. Stewart Expires: April 18, 2006 R. Stewart
P. Lei P. Lei
Cisco Systems, Inc. Cisco Systems, Inc.
E. Rescorla E. Rescorla
RTFM, Inc. RTFM, Inc.
June 12, 2005 October 15, 2005
Authenticated Chunks for Stream Control Transmission Protocol (SCTP) Authenticated Chunks for Stream Control Transmission Protocol (SCTP)
draft-ietf-tsvwg-sctp-auth-00.txt draft-ietf-tsvwg-sctp-auth-01.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 14, 2005. This Internet-Draft will expire on April 18, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
This document describes a new chunk type, several parameters and This document describes a new chunk type, several parameters and
procedures for SCTP. This new chunk type can be used to authenticate procedures for SCTP. This new chunk type can be used to authenticate
SCTP chunks by using a shared key between the sender and receiver. SCTP chunks by using shared keys between the sender and receiver.
The new parameters are used to establish the shared key. The new parameters are used to establish the shared keys.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. New Parameter Types . . . . . . . . . . . . . . . . . . . . 3 3. New Parameter Types . . . . . . . . . . . . . . . . . . . . . 3
3.1 Random Parameter (RANDOM) . . . . . . . . . . . . . . . . 4 3.1. Random Parameter (RANDOM) . . . . . . . . . . . . . . . . 4
3.2 Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . 4 3.2. Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . 4
3.3 Requested HMAC Algorithm Parameter (HMAC-ALGO) . . . . . . 5 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) . . . . . . 5
4. New Error Cause . . . . . . . . . . . . . . . . . . . . . . 6 4. New Error Cause . . . . . . . . . . . . . . . . . . . . . . . 7
4.1 Unsupported HMAC Identifier error cause . . . . . . . . . 7 4.1. Unsupported HMAC Identifier error cause . . . . . . . . . 7
5. New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . 7 5. New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1 Authentication Chunk (AUTH) . . . . . . . . . . . . . . . 8 5.1. Authentication Chunk (AUTH) . . . . . . . . . . . . . . . 8
6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . 8 6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1 Establishment of an association shared key . . . . . . . . 8 6.1. Establishment of an association shared key . . . . . . . . 9
6.2 Sending authenticated chunks . . . . . . . . . . . . . . . 9 6.2. Sending authenticated chunks . . . . . . . . . . . . . . . 10
6.3 Receiving authenticated chunks . . . . . . . . . . . . . . 10 6.3. Receiving authenticated chunks . . . . . . . . . . . . . . 10
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . 11 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
9. Security Considerations . . . . . . . . . . . . . . . . . . 11 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 12 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 11. Normative References . . . . . . . . . . . . . . . . . . . . . 13
11.1 Normative References . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
11.2 Informative References . . . . . . . . . . . . . . . . . 13 Intellectual Property and Copyright Statements . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 13
Intellectual Property and Copyright Statements . . . . . . . 14
1. Introduction 1. Introduction
SCTP uses 32 bit verification tags to protect itself against blind SCTP uses 32 bit verification tags to protect itself against blind
attackers. These values are not changed during the lifetime of an attackers. These values are not changed during the lifetime of an
SCTP association. SCTP association.
Looking at new SCTP extensions there is the need to have a method of Looking at new SCTP extensions there is the need to have a method of
proving that an SCTP chunk(s) was really sent by the original peer proving that an SCTP chunk(s) was really sent by the original peer
that started the association and not by a malicious attacker. that started the association and not by a malicious attacker.
Using TLS as defined in RFC3436 [6] does not help here because it Using TLS as defined in RFC3436 [5] does not help here because it
only secures SCTP user data. only secures SCTP user data.
Therefore an SCTP extension is presented in this document which Therefore an SCTP extension is presented in this document which
allows an SCTP sender to sign chunks using a shared key between the allows an SCTP sender to sign chunks using shared keys between the
sender and receiver. The receiver can then verify, that the chunks sender and receiver. The receiver can then verify that the chunks
are sent from the sender and not from a malicious attacker. are sent from the sender and not from a malicious attacker.
This extension also provides a mechanism for deriving a shared key This extension also provides a mechanism for deriving a shared key
for each association. This association shared key is derived from a for each association. This association shared key is derived from
endpoint pair shared key, which is preconfigured and might be empty. endpoint pair shared keys, which are preconfigured and might be
empty.
2. Conventions 2. Conventions
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, NOT RECOMMENDED, MAY, and OPTIONAL, when SHOULD NOT, RECOMMENDED, NOT RECOMMENDED, MAY, and OPTIONAL, when
they appear in this document, are to be interpreted as described in they appear in this document, are to be interpreted as described in
RFC2119 [4]. RFC2119 [3].
3. New Parameter Types 3. New Parameter Types
This section defines the new parameter types that will be used to This section defines the new parameter types that will be used to
negotiate the authentication during association setup. Figure 1 negotiate the authentication during association setup. Table 1
illustrates the new parameter types. illustrates the new parameter types.
Parameter Type Parameter Name +----------------+------------------------------------------------+
-------------------------------------------------------------- | Parameter Type | Parameter Name |
0x8002 Random Parameter (RANDOM) +----------------+------------------------------------------------+
0x8003 Chunk List Parameter (CHUNKS) | 0x8002 | Random Parameter (RANDOM) |
0x8004 Requested HMAC Algorithm Parameter (HMAC-ALGO) | 0x8003 | Chunk List Parameter (CHUNKS) |
| 0x8004 | Requested HMAC Algorithm Parameter (HMAC-ALGO) |
Figure 1 +----------------+------------------------------------------------+
Table 1
It should be noted that the parameter format requires the receiver to It should be noted that the parameter format requires the receiver to
ignore the parameter and continue processing if it is not understood. ignore the parameter and continue processing if it is not understood.
This is accomplished as described in RFC2960 [5] section 3.2.1. by This is accomplished as described in RFC2960 [4] section 3.2.1. by
the use of the upper bit of the parameter type. the use of the upper bit of the parameter type.
3.1 Random Parameter (RANDOM) 3.1. Random Parameter (RANDOM)
This parameter is used to carry an arbitrary length random number. This parameter is used to carry an arbitrary length random number.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8002 | Parameter Length | | Parameter Type = 0x8002 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
\ Random Number / \ Random Number /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2 Figure 1
Parameter Type: 2 bytes (unsigned integer) This value MUST be set to Parameter Type: 2 bytes (unsigned integer)
0x8002. This value MUST be set to 0x8002.
Parameter Length: 2 bytes (unsigned integer) This value is the length Parameter Length: 2 bytes (unsigned integer)
of the Random Number plus 4. This value is the length of the Random Number plus 4.
Random Number: n bytes (unsigned integer) This value represents an Random Number: n bytes (unsigned integer)
arbitrary Random Number in network byte order. This value represents an arbitrary Random Number in network byte
order.
The RANDOM parameter MUST be included once in the INIT or INIT-ACK The RANDOM parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks. chunk if the sender wants to send or receive authenticated chunks.
3.2 Chunk List Parameter (CHUNKS) 3.2. Chunk List Parameter (CHUNKS)
This parameter is used to specify which chunk types are required to This parameter is used to specify which chunk types are required to
be sent authenticated by the peer. be sent authenticated by the peer.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8003 | Parameter Length | | Parameter Type = 0x8003 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type 1 | Chunk Type 2 | Chunk Type 4 | Chunk Type 4 | | Chunk Type 1 | Chunk Type 2 | Chunk Type 3 | Chunk Type 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ / / /
\ ... \ \ ... \
/ / / /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type n | Padding | | Chunk Type n | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3 Figure 2
Parameter Type: 2 bytes (unsigned integer) This value MUST be set to Parameter Type: 2 bytes (unsigned integer)
0x8003. This value MUST be set to 0x8003.
Parameter Length: 2 bytes (unsigned integer) This value is the number Parameter Length: 2 bytes (unsigned integer)
of listed Chunk Types plus 4. This value is the number of listed Chunk Types plus 4.
Chunk Type n: 1 byte (unsigned integer) Each Chunk Type listed is Chunk Type n: 1 byte (unsigned integer)
required to be authenticated when sent by the peer. Each Chunk Type listed is required to be authenticated when sent
by the peer.
The CHUNKS parameter MUST be included once in the INIT or INIT-ACK The CHUNKS parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to receive authenticated chunks. Its chunk if the sender wants to receive authenticated chunks. Its
maximum length is 260 bytes. maximum length is 260 bytes.
The chunk types for INIT, INIT-ACK, COOKIE-ECHO, COOKIE-ACK, The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE and AUTH chunks
SHUTDOWN-COMPLETE and AUTH chunks MUST not be listed in the CHUNKS MUST not be listed in the CHUNKS parameter. However, if a CHUNKS
parameter. However, if a CHUNKS parameter is received then the types parameter is received then the types for INIT, INIT-ACK, SHUTDOWN-
for INIT, INIT-ACK, COOKIE-ECHO, COOKIE-ACK, SHUTDOWN-COMPLETE and COMPLETE and AUTH chunks MUST be ignored.
AUTH chunks MUST be ignored.
3.3 Requested HMAC Algorithm Parameter (HMAC-ALGO) 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO)
This parameter is used to list the HMAC identifiers the peer has to This parameter is used to list the HMAC identifiers the peer has to
use. use.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8004 | Parameter Length | | Parameter Type = 0x8004 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier 1 | | HMAC Identifier 1 | HMAC Identifier 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ / / /
\ ... \ \ ... \
/ / / /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier n | | HMAC Identifier n | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4 Figure 3
Parameter Type: 2 bytes (unsigned integer) This value MUST be set to Parameter Type: 2 bytes (unsigned integer)
0x8004. This value MUST be set to 0x8004.
Parameter Length: 2 bytes (unsigned integer) This value is the length Parameter Length: 2 bytes (unsigned integer)
of the number of HMAC identifiers times 4 plus 4. This value is the length of the number of HMAC identifiers times 2
plus 4.
HMAC Identifier n: 4 bytes (unsigned integer) The values is a a HMAC Identifier n: 2 bytes (unsigned integer)
requested HMAC Identifier. The values is an HMAC Identifier which should be used. The values
are listed by priority. Highest priority first.
The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks. chunk if the sender wants to send or receive authenticated chunks.
The following Figure 5 shows the currently defined values for HMAC The following Table 2 shows the currently defined values for HMAC
identifiers. identifiers.
HMAC Identifier Message Digest Algorithm +-----------------+--------------------------+
--------------------------------------------------------------- | HMAC Identifier | Message Digest Algorithm |
0 Reserved +-----------------+--------------------------+
1 SHA-1 defined in [10] | 0 | Reserved |
2 MD-5 defined in [1] | 1 | SHA-1 defined in [7] |
| 2 | MD-5 defined in [1] |
+-----------------+--------------------------+
Figure 5 Table 2
Every endpoint supporting SCTP chunk authentication MUST support the Every endpoint supporting SCTP chunk authentication MUST support the
HMAC based on the SHA-1 algorithm. HMAC based on the SHA-1 algorithm.
4. New Error Cause 4. New Error Cause
This section defines a new error cause that will be sent if an AUTH This section defines a new error cause that will be sent if an AUTH
chunk is received with an unsupported HMAC identifier. Figure 6 chunk is received with an unsupported HMAC identifier. Table 3
illustrates the new error cause. illustrates the new error cause.
Cause Code Error Cause Name +------------+-----------------------------+
-------------------------------------------------------------- | Cause Code | Error Cause Name |
0x0105 Unsupported HMAC Identifier +------------+-----------------------------+
| 0x0105 | Unsupported HMAC Identifier |
+------------+-----------------------------+
Figure 6 Table 3
4.1 Unsupported HMAC Identifier error cause 4.1. Unsupported HMAC Identifier error cause
This error cause is used to indicate that an AUTH chunk was received This error cause is used to indicate that an AUTH chunk was received
with an unsupported HMAC Identifier. with an unsupported HMAC Identifier.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x0105 | Cause Length = 8 | | Cause Code = 0x0105 | Cause Length = 6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier | | HMAC Identifier | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7 Figure 4
Cause Code: 2 bytes (unsigned integer) This value MUST be set to Cause Code: 2 bytes (unsigned integer)
0x0105. This value MUST be set to 0x0105.
Cause Length: 2 bytes (unsigned integer) This value MUST be set to 8. Cause Length: 2 bytes (unsigned integer)
This value MUST be set to 6.
HMAC Identifier: 4 bytes (unsigned integer) This value is the HMAC HMAC Identifier: 4 bytes (unsigned integer)
Identifier which is not supported. This value is the HMAC Identifier which is not supported.
5. New Chunk Type 5. New Chunk Type
This section defines the new chunk type that will be used to This section defines the new chunk type that will be used to
authenticate chunks. Figure 8 illustrates the new chunk type. authenticate chunks. Table 4 illustrates the new chunk type.
Chunk Type Chunk Name +------------+-----------------------------+
-------------------------------------------------------------- | Chunk Type | Chunk Name |
0x83 Authentication Chunk (AUTH) +------------+-----------------------------+
| 0x83 | Authentication Chunk (AUTH) |
+------------+-----------------------------+
Figure 8 Table 4
It should be noted that the AUTH-chunk format requires the receiver It should be noted that the AUTH-chunk format requires the receiver
to ignore the chunk if it is not understood and silently discard all to ignore the chunk if it is not understood and silently discard all
chunks that follow. This is accomplished as described in RFC2960 [5] chunks that follow. This is accomplished as described in RFC2960 [4]
section 3.2. by the use of the upper bit of the chunk type. section 3.2. by the use of the upper bit of the chunk type.
5.1 Authentication Chunk (AUTH) 5.1. Authentication Chunk (AUTH)
This chunk is used to hold the result of the HMAC calculation. This chunk is used to hold the result of the HMAC calculation.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x83 | Flags=0 | Length | | Type = 0x83 | Flags=0 | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier | | Shared Key Identifier | HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
\ HMAC / \ HMAC /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9 Figure 5
Type: 1 byte (unsigned integer) This value MUST be set to 0x83 for Type: 1 byte (unsigned integer)
all AUTH-chunks. This value MUST be set to 0x83 for all AUTH-chunks.
Flags: 1 byte (unsigned integer) Set to zero on transmit and ignored Flags: 1 byte (unsigned integer)
on receipt. Set to zero on transmit and ignored on receipt.
Length: 2 bytes (unsigned integer) This value holds the length of the Length: 2 bytes (unsigned integer)
HMAC plus 8. This value holds the length of the HMAC plus 8.
HMAC Identifier: 4 bytes (unsigned integer) This value describes Shared Key Identifier: 2 bytes (unsigned integer)
which message digest is being used. Figure 5 shows the currently This value describes which endpoint pair shared key is used.
defined values.
HMAC: n bytes (unsigned integer) This hold the result of the HMAC HMAC Identifier: 2 bytes (unsigned integer)
calculation. This value describes which message digest is being used. Table 2
shows the currently defined values.
HMAC: n bytes (unsigned integer)
This hold the result of the HMAC calculation.
The control chunk AUTH can appear at most once in an SCTP packet. The control chunk AUTH can appear at most once in an SCTP packet.
All control and data chunks which are placed after the AUTH chunk in All control and data chunks which are placed after the AUTH chunk in
the packet are sent in an authenticated way. Those chunks placed in the packet are sent in an authenticated way. Those chunks placed in
a packet before the AUTH chunk are not authenticated. a packet before the AUTH chunk are not authenticated. Please note
that DATA chunks can not appear before control chunks in an SCTP
packet.
6. Procedures 6. Procedures
6.1 Establishment of an association shared key 6.1. Establishment of an association shared key
An SCTP endpoint willing to receive or send authenticated chunks has An SCTP endpoint willing to receive or send authenticated chunks MUST
to send one RANDOM parameter in its INIT or INIT-ACK chunk. The send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM
RANDOM parameter SHOULD contain a 32 byte random number. This random parameter SHOULD contain a 32 byte random number. In case of INIT
number is handled like the verification tag in case of INIT collision, the rules governing the handling of this random number
collisions. Therefore each endpoint knows its own random number and follow the same pattern as those for the Verification Tag, as
the peers random number after the association has been established. explained in section 5.2.4 of RFC2960 [4]. Therefore each endpoint
knows its own random number and the peer's random number after the
association has been established.
An SCTP endpoint has a list of chunks it only accepts if they are An SCTP endpoint has a list of chunks it only accepts if they are
received in an authenticated way. This list is included in the INIT received in an authenticated way. This list is included in the INIT
and INIT-ACK and MAY be omitted if it is empty. Since this list is and INIT-ACK and MAY be omitted if it is empty. Since this list does
for an endpoint there is no problem in case of INIT collision. not change during the lifetime of there is no problem in case of INIT
collision.
Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO
parameter containing a list of HMAC Identifiers it requests the peer parameter containing a list of HMAC Identifiers it requests the peer
to use. The receiver of a HMAC-ALGO parameter SHOULD use the first to use. The receiver of a HMAC-ALGO parameter SHOULD use the first
listed algorithm it supports. The HMAC algorithm based on SHA-1 MUST listed algorithm it supports. The HMAC algorithm based on SHA-1 MUST
be supported and included in the HMAC-ALGO parameter. An SCTP be supported and included in the HMAC-ALGO parameter. An SCTP
endpoint MUST not change the parameters listed in the HMAC-ALGO endpoint MUST not change the parameters listed in the HMAC-ALGO
parameter during the lifetime of the endpoint. parameter during the lifetime of the endpoint.
Both enpoints of an association have an endpoint pair shared key Both endpoints of an association MAY have endpoint pair shared keys
which is a byte vector and preconfigured or established by another which are byte vectors and preconfigured or established by another
mechanism. If it is not preconfigured or established by another mechanism. They are identified by the shared key identifier. If no
mechanism it is set to the empty byte vector. endpoint pair shared keys are preconfigured or established by another
mechanism an empty byte vector is used.
From this endpoint pair shared key the association shared key is From these endpoint pair shared keys the association shared keys are
computed by concatenating the endpoint pair shared key with the computed by concatenating the endpoint pair shared key with the
random numbers exchanged in the INIT and INIT-ACK. This is performed random numbers exchanged in the INIT and INIT-ACK. This is performed
by selecting the smaller random number and concatenating it to the by selecting the smaller random number and concatenating it to the
endpoint pair shared key. Then concatenating the larger of the endpoint pair shared key. Then concatenating the larger of the
random numbers to that. If both random numbers are equal they may be random numbers to that. If both random numbers are equal they may be
concatenated to the endpoint pair key in any order. The concatenated to the endpoint pair key in any order. The
concatenation is performed on byte vectors representing all numbers concatenation is performed on byte vectors representing all numbers
in network byte order. The result is the association shared key. in network byte order. The result is the association shared key.
6.2 Sending authenticated chunks 6.2. Sending authenticated chunks
Chunks can only be authenticated when the SCTP association is in the Both endpoints MUST send all those chunks authenticated where this
ESTABLISHED state. Both endpoints MUST send all those chunks has been requested by the peer. The other chunks MAY be sent
authenticated where this has been requested by the peer. The other authenticated or not. If endpoint pair shared keys are used one of
chunks MAY be sent authenticated. them has to be selected for authentication.
To send chunks in an authenticated way, the sender has to include To send chunks in an authenticated way, the sender has to include
these chunks after an AUTH chunk. This means that a sender MUST these chunks after an AUTH chunk. This means that a sender MUST
bundle chunks in order to authenticate them. bundle chunks in order to authenticate them.
The sender MUST calculate the MAC using the hash function H as The sender MUST calculate the MAC using the hash function H as
described by the MAC Identifier and the shared association key K. The described by the MAC Identifier and the shared association key K
'data' used for the computation of the AUTH-chunk is given by based on the endpoint pair shared key described by the shared key
Figure 10 and all chunks that are placed after the AUTH chunk in the identifier. The 'data' used for the computation of the AUTH-chunk is
SCTP packet. RFC2104 [3] can be used as a guideline for generating given by Figure 6 and all chunks that are placed after the AUTH chunk
the MAC. in the SCTP packet. RFC2104 [2] can be used as a guideline for
generating the MAC.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x83 | Flags=0 | Chunk Length | | Type = 0x83 | Flags=0 | Chunk Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier | | Shared Key Identifier | HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
\ 0 / \ 0 /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10 Figure 6
Please note that all fields are in network byte order and that the Please note that all fields are in network byte order and that the
field which will contain the complete HMAC is filled with zeroes. field which will contain the complete HMAC is filled with zeroes.
The length of the field shown as 0 is the length of the HMAC The length of the field shown as 0 is the length of the HMAC
described by the HMAC Identifier. described by the HMAC Identifier. The padding of all chunks being
authenticated has to be included in the HMAC computation.
The sender fills the HMAC into the HMAC field and sends the packet. The sender fills the HMAC into the HMAC field and sends the packet.
6.3 Receiving authenticated chunks 6.3. Receiving authenticated chunks
The receiver has a list of chunk types which it expects to be The receiver has a list of chunk types which it expects to be
received only after an AUTH-chunk. This list has been sent to the received only after an AUTH-chunk. This list has been sent to the
peer during the association setup. It MUST silently discard these peer during the association setup. It MUST silently discard these
chunks if they are not placed after an AUTH chunk in the packet. chunks if they are not placed after an AUTH chunk in the packet.
The receiver MUST use the HMAC algorithm indicated in the HMAC The receiver MUST use the HMAC algorithm indicated in the HMAC
Identifier field. If this algorithm is not known the AUTH chunk and Identifier field. If this algorithm is not known the AUTH chunk and
all chunks after it MUST be discarded and an ERROR chunk SHOULD be all chunks after it MUST be discarded and an ERROR chunk SHOULD be
sent with the error cause defined in Section 4.1. sent with the error cause defined in Section 4.1.
If the endpoints has no endpoint pair shared key for the peer it MUST
us an empty endpoint pair shared key regardless which Shared Key
Identifier is present in the AUTH chunk. If the endpoint has at
least one endpoint pair shared key for the peer it MUST use the key
specified by the Shared Key Identifier if a key has been configured
for that Shared Key Identifier. If no endpoint pair shared key has
been configured for that Shared Key Identifier all authenticated
chunks MUST be silently discarded.
The receiver now performs the same calculation as described for the The receiver now performs the same calculation as described for the
sender based on Figure 10. If the result of the calculation is the sender based on Figure 6. If the result of the calculation is the
same as given in the HMAC field, all chunks following the AUTH chunk same as given in the HMAC field, all chunks following the AUTH chunk
are processed. If the field does not match the result of the are processed. If the field does not match the result of the
calculation all these chunks MUST be silently discarded. calculation all these chunks MUST be silently discarded.
It should be noted that if the receiver wants to tear down an It should be noted that if the receiver wants to tear down an
association in an authenticated way only, the handling of malformed association in an authenticated way only, the handling of malformed
packets should be in tune with this. packets should be in tune with this.
It should also be noted that if an endpoints accepts ABORT chunks
only in an authenticated way it may take longer to detect that the
peer is no longer available. If an endpoint accepts COOKIE chunks
only in an authenticated way the restart procedure does not work.
7. Examples 7. Examples
This section gives examples of message exchanges for association This section gives examples of message exchanges for association
setup. setup.
The simplest way of using the extension described in this document is The simplest way of using the extension described in this document is
given by the following message exchange. given by the following message exchange.
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
skipping to change at page 12, line 23 skipping to change at page 13, line 16
Because SCTP has already a mechanism built-in that handles the Because SCTP has already a mechanism built-in that handles the
reception of duplicated chunks the presented solution makes use of reception of duplicated chunks the presented solution makes use of
this functionality and does not provide a method to avoid replay this functionality and does not provide a method to avoid replay
attacks by itself. Of course, this only works within each SCTP attacks by itself. Of course, this only works within each SCTP
association. Therefore a separate shared key is used for each SCTP association. Therefore a separate shared key is used for each SCTP
association to handle replay attacks covering multiple SCTP association to handle replay attacks covering multiple SCTP
associations. associations.
10. Acknowledgments 10. Acknowledgments
The authors wish to thank Sascha Grau for his invaluable comments. The authors wish to thank Sascha Grau, Ivan Arias Rodriguez, for his
invaluable comments.
11. References
11.1 Normative References 11. Normative References
[1] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [1] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992. April 1992.
[2] Bradner, S., "The Internet Standards Process -- Revision 3", [2] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
BCP 9, RFC 2026, October 1996.
[3] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
for Message Authentication", RFC 2104, February 1997. for Message Authentication", RFC 2104, February 1997.
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[5] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer, [4] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer,
H., Taylor, T., Rytina, I., Kalla, M., Zhang, L., and V. Paxson, H., Taylor, T., Rytina, I., Kalla, M., Zhang, L., and V. Paxson,
"Stream Control Transmission Protocol", RFC 2960, October 2000. "Stream Control Transmission Protocol", RFC 2960, October 2000.
[6] Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport Layer [5] Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport Layer
Security over Stream Control Transmission Protocol", RFC 3436, Security over Stream Control Transmission Protocol", RFC 3436,
December 2002. December 2002.
[7] National Institute of Standards and Technology, "Secure Hash [6] National Institute of Standards and Technology, "Secure Hash
Standard", FIPS PUB 180-1, April 1995, Standard", FIPS PUB 180-1, April 1995,
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>. <http://www.itl.nist.gov/fipspubs/fip180-1.htm>.
11.2 Informative References
[8] Stewart, R., "Stream Control Transmission Protocol (SCTP)
Dynamic Address Reconfiguration",
draft-ietf-tsvwg-addip-sctp-12 (work in progress), June 2005.
Authors' Addresses Authors' Addresses
Michael Tuexen Michael Tuexen
Muenster Univ. of Applied Sciences Muenster Univ. of Applied Sciences
Stegerwaldstr. 39 Stegerwaldstr. 39
48565 Steinfurt 48565 Steinfurt
Germany Germany
Email: tuexen@fh-muenster.de Email: tuexen@fh-muenster.de
 End of changes. 82 change blocks. 
167 lines changed or deleted 190 lines changed or added

This html diff was produced by rfcdiff 1.27, available from http://www.levkowetz.com/ietf/tools/rfcdiff/