draft-ietf-tsvwg-sctp-auth-04.txt   draft-ietf-tsvwg-sctp-auth-05.txt 
Network Working Group M. Tuexen Network Working Group M. Tuexen
Internet-Draft Muenster Univ. of Applied Sciences Internet-Draft Muenster Univ. of Applied Sciences
Intended status: Standards Track R. Stewart Intended status: Standards Track R. Stewart
Expires: March 7, 2007 P. Lei Expires: April 26, 2007 P. Lei
Cisco Systems, Inc. Cisco Systems, Inc.
E. Rescorla E. Rescorla
RTFM, Inc. RTFM, Inc.
September 3, 2006 October 23, 2006
Authenticated Chunks for Stream Control Transmission Protocol (SCTP) Authenticated Chunks for Stream Control Transmission Protocol (SCTP)
draft-ietf-tsvwg-sctp-auth-04.txt draft-ietf-tsvwg-sctp-auth-05.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 7, 2007. This Internet-Draft will expire on April 26, 2007.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document describes a new chunk type, several parameters and This document describes a new chunk type, several parameters and
procedures for SCTP. This new chunk type can be used to authenticate procedures for SCTP. This new chunk type can be used to authenticate
SCTP chunks by using shared keys between the sender and receiver. SCTP chunks by using shared keys between the sender and receiver.
skipping to change at page 2, line 27 skipping to change at page 2, line 27
6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 9 6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1. Establishment of an association shared key . . . . . . . . 9 6.1. Establishment of an association shared key . . . . . . . . 9
6.2. Sending authenticated chunks . . . . . . . . . . . . . . . 10 6.2. Sending authenticated chunks . . . . . . . . . . . . . . . 10
6.3. Receiving authenticated chunks . . . . . . . . . . . . . . 11 6.3. Receiving authenticated chunks . . . . . . . . . . . . . . 11
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
8.1. A New Chunk Type . . . . . . . . . . . . . . . . . . . . . 13 8.1. A New Chunk Type . . . . . . . . . . . . . . . . . . . . . 13
8.2. Three New Parameter Types . . . . . . . . . . . . . . . . 14 8.2. Three New Parameter Types . . . . . . . . . . . . . . . . 14
8.3. A New Error Cause . . . . . . . . . . . . . . . . . . . . 14 8.3. A New Error Cause . . . . . . . . . . . . . . . . . . . . 14
8.4. A New Table For HMAC Identifiers . . . . . . . . . . . . . 14 8.4. A New Table For HMAC Identifiers . . . . . . . . . . . . . 14
9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 9. Security Considerations . . . . . . . . . . . . . . . . . . . 15
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16
11. Normative References . . . . . . . . . . . . . . . . . . . . . 15 11. Normative References . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
Intellectual Property and Copyright Statements . . . . . . . . . . 17 Intellectual Property and Copyright Statements . . . . . . . . . . 18
1. Introduction 1. Introduction
SCTP uses 32 bit verification tags to protect itself against blind SCTP uses 32 bit verification tags to protect itself against blind
attackers. These values are not changed during the lifetime of an attackers. These values are not changed during the lifetime of an
SCTP association. SCTP association.
Looking at new SCTP extensions there is the need to have a method of Looking at new SCTP extensions there is the need to have a method of
proving that an SCTP chunk(s) was really sent by the original peer proving that an SCTP chunk(s) was really sent by the original peer
that started the association and not by a malicious attacker. that started the association and not by a malicious attacker.
Using TLS as defined in RFC3436 [5] does not help here because it Using TLS as defined in RFC3436 [5] does not help here because it
only secures SCTP user data. only secures SCTP user data.
Therefore an SCTP extension is presented in this document which Therefore an SCTP extension is presented which provides a mechanism
allows an SCTP sender to sign chunks using shared keys between the for deriving shared keys for each association. These association
sender and receiver. The receiver can then verify that the chunks shared keys are derived from endpoint pair shared keys, which are
are sent from the sender and not from a malicious attacker. configured and might be empty, and data which is exchanged during the
SCTP association setup.
This extension also provides a mechanism for deriving a shared key The extension presented in this document allows an SCTP sender to
for each association. This association shared key is derived from sign chunks using shared keys between the sender and receiver. The
endpoint pair shared keys, which are preconfigured and might be receiver can then verify that the chunks are sent from the sender and
empty. not from a malicious attacker as long as the attacker does not know
an association shared key.
2. Conventions 2. Conventions
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL", when they appear in this document, are to be interpreted "OPTIONAL", when they appear in this document, are to be interpreted
as described in RFC2119 [3]. as described in RFC2119 [3].
3. New Parameter Types 3. New Parameter Types
skipping to change at page 4, line 29 skipping to change at page 4, line 31
\ Random Number / \ Random Number /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1 Figure 1
Parameter Type: 2 bytes (unsigned integer) Parameter Type: 2 bytes (unsigned integer)
This value MUST be set to 0x8002. This value MUST be set to 0x8002.
Parameter Length: 2 bytes (unsigned integer) Parameter Length: 2 bytes (unsigned integer)
This value is the length of the Random Number plus 4. This value is the length of the Random Number in bytes plus 4.
Random Number: n bytes (unsigned integer) Random Number: n bytes (unsigned integer)
This value represents an arbitrary Random Number in network byte This value represents an arbitrary Random Number in network byte
order. order.
The RANDOM parameter MUST be included once in the INIT or INIT-ACK The RANDOM parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks. chunk if the sender wants to send or receive authenticated chunks.
3.2. Chunk List Parameter (CHUNKS) 3.2. Chunk List Parameter (CHUNKS)
skipping to change at page 6, line 25 skipping to change at page 6, line 25
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier n | Padding | | HMAC Identifier n | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3 Figure 3
Parameter Type: 2 bytes (unsigned integer) Parameter Type: 2 bytes (unsigned integer)
This value MUST be set to 0x8004. This value MUST be set to 0x8004.
Parameter Length: 2 bytes (unsigned integer) Parameter Length: 2 bytes (unsigned integer)
This value is the length of the number of HMAC identifiers This value is the number of HMAC identifiers multiplied by 2 plus
multiplied by 2 plus 4. 4.
HMAC Identifier n: 2 bytes (unsigned integer) HMAC Identifier n: 2 bytes (unsigned integer)
The values is an HMAC Identifier which should be used. The values The values expressed are a list of HMAC identifiers that may be
are listed by priority. Highest priority first. used by the peer. The values are listed by preference, with
respect to the sender, where the first HMAC identifier listed is
the one most preferable to the sender.
The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks. chunk if the sender wants to send or receive authenticated chunks.
The following Table 2 shows the currently defined values for HMAC The following Table 2 shows the currently defined values for HMAC
identifiers. identifiers.
+-----------------+--------------------------+ +-----------------+--------------------------+
| HMAC Identifier | Message Digest Algorithm | | HMAC Identifier | Message Digest Algorithm |
+-----------------+--------------------------+ +-----------------+--------------------------+
| 0 | Reserved | | 0 | Reserved |
| 1 | SHA-1 defined in [6] | | 1 | SHA-1 defined in [6] |
| 2 | MD-5 defined in [1] | | 3 | SHA-256 defined in [6] |
+-----------------+--------------------------+ +-----------------+--------------------------+
Table 2 Table 2
Every endpoint supporting SCTP chunk authentication MUST support the Every endpoint supporting SCTP chunk authentication MUST support the
HMAC based on the SHA-1 algorithm. HMAC based on the SHA-1 algorithm.
4. New Error Cause 4. New Error Cause
This section defines a new error cause that will be sent if an AUTH This section defines a new error cause that will be sent if an AUTH
skipping to change at page 8, line 40 skipping to change at page 8, line 40
\ HMAC / \ HMAC /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5 Figure 5
Type: 1 byte (unsigned integer) Type: 1 byte (unsigned integer)
This value MUST be set to 0x0F for all AUTH-chunks. This value MUST be set to 0x0F for all AUTH-chunks.
Flags: 1 byte (unsigned integer) Flags: 1 byte (unsigned integer)
Set to zero on transmit and ignored on receipt. SHOULD be set to zero on transmit and MUST be ignored on receipt.
Length: 2 bytes (unsigned integer) Length: 2 bytes (unsigned integer)
This value holds the length of the HMAC plus 8. This value holds the length of the HMAC in bytes plus 8.
Shared Key Identifier: 2 bytes (unsigned integer) Shared Key Identifier: 2 bytes (unsigned integer)
This value describes which endpoint pair shared key is used. This value describes which endpoint pair shared key is used.
HMAC Identifier: 2 bytes (unsigned integer) HMAC Identifier: 2 bytes (unsigned integer)
This value describes which message digest is being used. Table 2 This value describes which message digest is being used. Table 2
shows the currently defined values. shows the currently defined values.
HMAC: n bytes (unsigned integer) HMAC: n bytes (unsigned integer)
This hold the result of the HMAC calculation. This hold the result of the HMAC calculation.
skipping to change at page 9, line 21 skipping to change at page 9, line 21
placed in a packet before the AUTH chunk are not authenticated. placed in a packet before the AUTH chunk are not authenticated.
Please note that DATA chunks can not appear before control chunks in Please note that DATA chunks can not appear before control chunks in
an SCTP packet. an SCTP packet.
6. Procedures 6. Procedures
6.1. Establishment of an association shared key 6.1. Establishment of an association shared key
An SCTP endpoint willing to receive or send authenticated chunks MUST An SCTP endpoint willing to receive or send authenticated chunks MUST
send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM
parameter SHOULD contain a 32 byte random number. In case of INIT parameter MUST contain a 32 byte random number. If the random number
is not 32 byte long the association MUST be aborted. The ABORT chunk
SHOULD contain the error cause 'Protocol Violation'. In case of INIT
collision, the rules governing the handling of this random number collision, the rules governing the handling of this random number
follow the same pattern as those for the Verification Tag, as follow the same pattern as those for the Verification Tag, as
explained in section 5.2.4 of RFC2960 [4]. Therefore each endpoint explained in section 5.2.4 of RFC2960 [4]. Therefore each endpoint
knows its own random number and the peer's random number after the knows its own random number and the peer's random number after the
association has been established. association has been established.
An SCTP endpoint has a list of chunks it only accepts if they are An SCTP endpoint has a list of chunks it only accepts if they are
received in an authenticated way. This list is included in the INIT received in an authenticated way. This list is included in the INIT
and INIT-ACK and MAY be omitted if it is empty. Since this list does and INIT-ACK and MAY be omitted if it is empty. Since this list does
not change during the lifetime of there is no problem in case of INIT not change during the lifetime of there is no problem in case of INIT
skipping to change at page 9, line 43 skipping to change at page 9, line 45
Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO
parameter containing a list of HMAC Identifiers it requests the peer parameter containing a list of HMAC Identifiers it requests the peer
to use. The receiver of a HMAC-ALGO parameter SHOULD use the first to use. The receiver of a HMAC-ALGO parameter SHOULD use the first
listed algorithm it supports. The HMAC algorithm based on SHA-1 MUST listed algorithm it supports. The HMAC algorithm based on SHA-1 MUST
be supported and included in the HMAC-ALGO parameter. An SCTP be supported and included in the HMAC-ALGO parameter. An SCTP
endpoint MUST NOT change the parameters listed in the HMAC-ALGO endpoint MUST NOT change the parameters listed in the HMAC-ALGO
parameter during the lifetime of the endpoint. parameter during the lifetime of the endpoint.
Both endpoints of an association MAY have endpoint pair shared keys Both endpoints of an association MAY have endpoint pair shared keys
which are byte vectors and preconfigured or established by another which are byte vectors and pre-configured or established by another
mechanism. They are identified by the shared key identifier. If no mechanism. They are identified by the shared key identifier. If no
endpoint pair shared keys are preconfigured or established by another endpoint pair shared keys are preconfigured or established by another
mechanism an empty byte vector is used. mechanism an empty byte vector is used.
From these endpoint pair shared keys the association shared keys are The random number value, the list of chunks and the list of HMAC
computed by concatenating the endpoint pair shared key with the identifiers in network byte order sent by each endpoint are
random numbers exchanged in the INIT and INIT-ACK. This is performed concatenated as byte vectors. The resulting two vectors are called
by selecting the smaller random number value and concatenating it to the two key numbers.
the endpoint pair shared key, and then concatenating the larger of
the random number values to that. If both random numbers are equal, From the endpoint pair shared keys and the key numbers the
then the concatenation order is the random number with the shorter association shared keys are computed. This is performed by selecting
length, followed by the endpoint shared key, followed by the random the smaller key number and concatenating it to the endpoint pair
number with the longer length. If the random number lengths are the shared key, and then concatenating the larger of the key numbers to
same, then they may be concatenated to the endpoint pair key in any that. If both key numbers are equal, then the concatenation order is
order. The concatenation is performed on byte vectors representing the endpoint shared key, followed by the key number with the shorter
all numbers in network byte order. The result is the association length, followed by the key number with the longer length. If the
shared key. key number lengths are the same, then they may be concatenated to the
endpoint pair key in any order. The concatenation is performed on
byte vectors representing all numbers in network byte order. The
result is the association shared key.
6.2. Sending authenticated chunks 6.2. Sending authenticated chunks
Endpoints MUST send all requested chunks authenticated where this has Endpoints MUST send all requested chunks authenticated where this has
been requested by the peer. The other chunks MAY be sent been requested by the peer. The other chunks MAY be sent
authenticated or not. If endpoint pair shared keys are used, one of authenticated or not. If endpoint pair shared keys are used, one of
them MUST be selected for authentication. them MUST be selected for authentication.
To send chunks in an authenticated way, the sender MUST include these To send chunks in an authenticated way, the sender MUST include these
chunks after an AUTH chunk. This means that a sender MUST bundle chunks after an AUTH chunk. This means that a sender MUST bundle
chunks in order to authenticate them. chunks in order to authenticate them.
If the endpoint has no endpoint shared key for the peer, it MUST use If the endpoint has no endpoint shared key for the peer, it MUST use
Shared Key Identifier 0 with an empty endpoint pair shared key. Shared Key Identifier 0 with an empty endpoint pair shared key.
The sender MUST calculate the MAC using the hash function H as The sender MUST calculate the MAC as described in RFC2104 [2] using
described by the MAC Identifier and the shared association key K the hash function H as described by the MAC Identifier and the shared
based on the endpoint pair shared key described by the shared key association key K based on the endpoint pair shared key described by
identifier. The 'data' used for the computation of the AUTH-chunk is the shared key identifier. The 'data' used for the computation of
given by Figure 6 and all chunks that are placed after the AUTH chunk the AUTH-chunk is given by Figure 6 and all chunks that are placed
in the SCTP packet. RFC2104 [2] can be used as a guideline for after the AUTH chunk in the SCTP packet.
generating the MAC.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x0F | Flags=0 | Chunk Length | | Type = 0x0F | Flags=0 | Chunk Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Shared Key Identifier | HMAC Identifier | | Shared Key Identifier | HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
\ 0 / \ 0 /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 11, line 41 skipping to change at page 11, line 45
sender based on Figure 6. If the result of the calculation is the sender based on Figure 6. If the result of the calculation is the
same as given in the HMAC field, all chunks following the AUTH chunk same as given in the HMAC field, all chunks following the AUTH chunk
are processed. If the field does not match the result of the are processed. If the field does not match the result of the
calculation, all the chunks following the AUTH chunk MUST be silently calculation, all the chunks following the AUTH chunk MUST be silently
discarded. discarded.
It should be noted that if the receiver wants to tear down an It should be noted that if the receiver wants to tear down an
association in an authenticated way only, the handling of malformed association in an authenticated way only, the handling of malformed
packets should be in tune with this. packets should be in tune with this.
If the receiver does not find a TCB for a packet containing an AUTH An SCTP implementation has to maintain state for each SCTP
association. In the following we call this data structure the SCTP
transmission control block (STCB).
If the receiver does not find a STCB for a packet containing an AUTH
chunk as a first chunk and a COOKIE-ECHO chunk as the second chunk chunk as a first chunk and a COOKIE-ECHO chunk as the second chunk
and possibly more chunks after them, the receiver MUST authenticate and possibly more chunks after them, the receiver MUST authenticate
the chunks by using the random numbers included in the COOKIE-ECHO, the chunks by using the random numbers included in the COOKIE-ECHO,
and possibly the local shared secret. If authentication fails then and possibly the local shared secret. If authentication fails then
the packet discarded. If the authentication is successful the the packet discarded. If the authentication is successful the
COOKIE-ECHO and all chunks after the COOKIE-ECHO MUST be processed. COOKIE-ECHO and all chunks after the COOKIE-ECHO MUST be processed.
If the receiver has a TCB, it MUST process the AUTH chunk as If the receiver has a STCB, it MUST process the AUTH chunk as
described above using the TCB from the existing association to described above using the STCB from the existing association to
authenticate the COOKIE-ECHO chunk and all chunks after it. authenticate the COOKIE-ECHO chunk and all chunks after it.
If the receiver does not find an association for a packet containing If the receiver does not find a STCB for a packet containing an AUTH
an AUTH chunk as the first chunk and not a COOKIE-ECHO chunk as the chunk as the first chunk and not a COOKIE-ECHO chunk as the second
second chunk, it MUST use the chunks after the AUTH chunk to look up chunk, it MUST use the chunks after the AUTH chunk to look up an
an existing association. If no association is found, the packet MUST existing association. If no association is found, the packet MUST be
be considered as out of the blue. The out of the blue handling MUST considered as out of the blue. The out of the blue handling MUST be
be based on the packet without taking the AUTH chunk into account. based on the packet without taking the AUTH chunk into account. If
If an association is found, it MUST process the AUTH chunk using the an association is found, it MUST process the AUTH chunk using the
TCB from the existing association as described earlier. STCB from the existing association as described earlier.
If the receiver of the packet does not have a TCB when it needs to If the receiver of the packet does not have a STCB when it needs to
process the AUTH chunk, it MUST ignore the AUTH chunk. This applies process the AUTH chunk, it MUST ignore the AUTH chunk. This applies
to a packet containing an AUTH chunk as a first chunk and an COOKIE- to a packet containing an AUTH chunk as a first chunk and an COOKIE-
ECHO chunk as the second chunk received in the CLOSED state. If the ECHO chunk as the second chunk received in the CLOSED state. If the
receiver has a TCB, it MUST process the AUTH chunk as described receiver has a STCB, it MUST process the AUTH chunk as described
above. above.
It should also be noted that if an endpoint accepts ABORT chunks only Requiring ABORT chunks and COOKIE-ECHO chunks to be authenticated
in an authenticated way, it may take longer to detect that the peer makes it impossible for an attacker to bring down or restart an
is no longer available. If an endpoint accepts COOKIE chunks only in association as long as the attacker does not know an association
an authenticated way, the restart procedure does not work. shared key. But it should also be noted that if an endpoint accepts
ABORT chunks only in an authenticated way, it may take longer to
detect that the peer is no longer available. If an endpoint accepts
COOKIE-ECHO chunks only in an authenticated way, the restart
procedure does not work.
Furthermore it is important that the cookie contained in an INIT-ACK Furthermore it is important that the cookie contained in an INIT-ACK
chunk and in a COOKIE_ECHO chunk MUST NOT contain the end-point pair chunk and in a COOKIE-ECHO chunk MUST NOT contain the end-point pair
shared key. shared key.
7. Examples 7. Examples
This section gives examples of message exchanges for association This section gives examples of message exchanges for association
setup. setup.
The simplest way of using the extension described in this document is The simplest way of using the extension described in this document is
given by the following message exchange. given by the following message exchange.
skipping to change at page 13, line 12 skipping to change at page 13, line 27
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
--------------- COOKIE-ECHO; AUTH; DATA -------------> --------------- COOKIE-ECHO; AUTH; DATA ------------->
<----------------- COOKIE-ACK; SACK ------------------ <----------------- COOKIE-ACK; SACK ------------------
Please note that if the endpoint pair shared key depends on the Please note that if the endpoint pair shared key depends on the
client and the server and that it is only known by the upper layer client and the server and that it is only known by the upper layer
this message exchange requires an upper layer intervention between this message exchange requires an upper layer intervention between
the processing of the COOKIE-ECHO chunk (COMMUNICATION-UP the processing of the COOKIE-ECHO chunk (COMMUNICATION-UP
notification followed by the presentation of the endpoint pair shared notification followed by the presentation of the endpoint pair shared
key by the upper layer to the SCTP stack) and the processing of the key by the upper layer to the SCTP stack) and the processing of the
AUTH and DATA chunk. If this intervention is not possible due to AUTH and DATA chunk at the server side. If this intervention is not
limitations of the API the server might discard the AUTH and DATA possible due to limitations of the API (for example the socket API)
chunk making a retransmission of the DATA chunk necessary. If the the server might discard the AUTH and DATA chunk making a
same endpoint pair shared key is used for multiple endpoints and does retransmission of the DATA chunk necessary. If the same endpoint
not depend on the client this intervention might not be necessary. pair shared key is used for multiple endpoints and does not depend on
the client this intervention might not be necessary.
8. IANA Considerations 8. IANA Considerations
[NOTE to RFC-Editor: [NOTE to RFC-Editor:
"RFCXXXX" is to be replaced by the RFC number you assign this "RFCXXXX" is to be replaced by the RFC number you assign this
document. document.
The reference to sctp-parameters [7] should be removed from the
"Normative References" section after the IANA section has been
removed.
] ]
This document (RFCXXX) is the reference for all registrations This document (RFCXXX) is the reference for all registrations
described in this section. All registrations need to be listed in described in this section. All registrations need to be listed in
the document available at sctp-parameters [7]. The suggested changes the document available at sctp-parameters [7]. The suggested changes
are described below. are described below.
8.1. A New Chunk Type 8.1. A New Chunk Type
A chunk type for the AUTH chunk has to be assigned by IANA. It is A chunk type for the AUTH chunk has to be assigned by IANA. It is
skipping to change at page 14, line 44 skipping to change at page 14, line 51
8.4. A New Table For HMAC Identifiers 8.4. A New Table For HMAC Identifiers
HMAC Identifiers have to be maintained by IANA. Three initial values HMAC Identifiers have to be maintained by IANA. Three initial values
should be assigned by IANA as described in Table 2. This requires a should be assigned by IANA as described in Table 2. This requires a
new table "HMAC IDENTIFIERS" in sctp-parameters [7]: new table "HMAC IDENTIFIERS" in sctp-parameters [7]:
HMAC Identifier Message Digest Algorithm REFERENCE HMAC Identifier Message Digest Algorithm REFERENCE
--------------- ------------------------ --------- --------------- ------------------------ ---------
0 Reserved RFCXXXX 0 Reserved RFCXXXX
1 SHA-1 RFCXXXX 1 SHA-1 RFCXXXX
2 MD-5 RFCXXXX 3 SHA-256 RFCXXXX
For registering at IANA a new HMAC Identifier in this table a request
has to be made to assign such a number. This number must be unique
and a message digest algorithm usable with the HMAC defined in
RFC2104 [2] MUST be specified.
9. Security Considerations 9. Security Considerations
Without using endpoint shared keys this extensions only provides a Without using endpoint shared keys this extension only protects
way of making sure that chunks being authenticated are received from against modification or injection of authenticated chunks by
the same peer the association was established with. If an attacker attackers who did not capture the initial handshake setting up the
captures the association setup he can insert arbitrary packets in an SCTP association.
authenticated way. But if the attacker does not capture the
association setup he can not inject packets.
If an endpoint pair shared key is used even a true man in the middle If an endpoint pair shared key is used even a true man in the middle
cannot inject chunks which are required to be authenticated even if cannot inject chunks which are required to be authenticated even if
he intercepts the initial message exchange. The endpoint also knows he intercepts the initial message exchange. The endpoint also knows
that it is accepting authenticated chunks from a peer who knows the that it is accepting authenticated chunks from a peer who knows the
endpoint pair shared key. endpoint pair shared key.
The establishment of endpoint pair shared keys is out of scope of The establishment of endpoint pair shared keys is out of scope of
this document. Other mechanisms can be used like using TLS or manual this document. Other mechanisms can be used like using TLS or manual
configuration. configuration.
Because SCTP has already a mechanism built-in that handles the Because SCTP has already a mechanism built-in that handles the
reception of duplicated chunks, the presented solution makes use of reception of duplicated chunks, the presented solution makes use of
this functionality and does not provide a method to avoid replay this functionality and does not provide a method to avoid replay
attacks by itself. Of course, this only works within each SCTP attacks by itself. Of course, this only works within each SCTP
association. Therefore a separate shared key is used for each SCTP association. Therefore a separate shared key is used for each SCTP
association to handle replay attacks covering multiple SCTP association to handle replay attacks covering multiple SCTP
associations. associations.
Each endpoint presenting a list of more than one element in the HMAC-
ALGO parameter must be prepared that the peer uses the weakest
algorithm listed.
If an endpoint requests the authentication of some chunks using the
CHUNKS parameter and an attacker intercepts the handshake used to
setup the association and modifies or removes this CHUNKS parameter
this endpoint will not accept chunks which are authenticated or needs
to be authenticated and are not. This might result in the failure of
the association.
When an endpoint pair uses non-NULL endpoint pair shared keys and one
of the endpoints still accepts a NULL key an attacker who captured
the initial handshake can still inject or modify authenticated chunks
by using the NULL key.
10. Acknowledgments 10. Acknowledgments
The authors wish to thank Sascha Grau, Ivan Arias Rodriguez, and The authors wish to thank Sascha Grau, Ivan Arias Rodriguez, Irene
Irene Ruengeler for their invaluable comments. Ruengeler, and Magnus Westerlund for their invaluable comments.
11. Normative References 11. Normative References
[1] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [1] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992. April 1992.
[2] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing [2] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
for Message Authentication", RFC 2104, February 1997. for Message Authentication", RFC 2104, February 1997.
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
skipping to change at page 16, line 4 skipping to change at page 16, line 30
[4] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer, [4] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer,
H., Taylor, T., Rytina, I., Kalla, M., Zhang, L., and V. Paxson, H., Taylor, T., Rytina, I., Kalla, M., Zhang, L., and V. Paxson,
"Stream Control Transmission Protocol", RFC 2960, October 2000. "Stream Control Transmission Protocol", RFC 2960, October 2000.
[5] Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport Layer [5] Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport Layer
Security over Stream Control Transmission Protocol", RFC 3436, Security over Stream Control Transmission Protocol", RFC 3436,
December 2002. December 2002.
[6] National Institute of Standards and Technology, "Secure Hash [6] National Institute of Standards and Technology, "Secure Hash
Standard", FIPS PUB 180-1, April 1995, Standard", FIPS PUB 180-2, August 2002,
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>. <http://csrc.nist.gov/publications/fips/fips180-2/
fips180-2.pdf>.
[7] <http://www.iana.org/assignments/sctp-parameters> [7] <http://www.iana.org/assignments/sctp-parameters>
Authors' Addresses Authors' Addresses
Michael Tuexen Michael Tuexen
Muenster Univ. of Applied Sciences Muenster Univ. of Applied Sciences
Stegerwaldstr. 39 Stegerwaldstr. 39
48565 Steinfurt 48565 Steinfurt
Germany Germany
 End of changes. 32 change blocks. 
84 lines changed or deleted 116 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/