draft-ietf-tsvwg-sctp-auth-08.txt   rfc4895.txt 
Network Working Group M. Tuexen Network Working Group M. Tuexen
Internet-Draft Muenster Univ. of Applied Sciences Request for Comments: 4895 Muenster Univ. of Applied Sciences
Intended status: Standards Track R. Stewart Category: Standards Track R. Stewart
Expires: August 30, 2007 P. Lei P. Lei
Cisco Systems, Inc. Cisco Systems, Inc.
E. Rescorla E. Rescorla
RTFM, Inc. RTFM, Inc.
February 26, 2007 August 2007
Authenticated Chunks for Stream Control Transmission Protocol (SCTP)
draft-ietf-tsvwg-sctp-auth-08.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 30, 2007. Authenticated Chunks for
the Stream Control Transmission Protocol (SCTP)
Copyright Notice Status of This Memo
Copyright (C) The IETF Trust (2007). This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract Abstract
This document describes a new chunk type, several parameters and This document describes a new chunk type, several parameters, and
procedures for SCTP. This new chunk type can be used to authenticate procedures for the Stream Control Transmission Protocol (SCTP). This
SCTP chunks by using shared keys between the sender and receiver. new chunk type can be used to authenticate SCTP chunks by using
The new parameters are used to establish the shared keys. shared keys between the sender and receiver. The new parameters are
used to establish the shared keys.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. New Parameter Types . . . . . . . . . . . . . . . . . . . . . 4 3. New Parameter Types . . . . . . . . . . . . . . . . . . . . . 4
3.1. Random Parameter (RANDOM) . . . . . . . . . . . . . . . . 4 3.1. Random Parameter (RANDOM) . . . . . . . . . . . . . . . . 4
3.2. Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . 5 3.2. Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . 5
3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) . . . . . . 6 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) . . . . . . 6
4. New Error Cause . . . . . . . . . . . . . . . . . . . . . . . 7 4. New Error Cause . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Unsupported HMAC Identifier error cause . . . . . . . . . 7 4.1. Unsupported HMAC Identifier Error Cause . . . . . . . . . 7
5. New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . . 8 5. New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . . 8
5.1. Authentication Chunk (AUTH) . . . . . . . . . . . . . . . 8 5.1. Authentication Chunk (AUTH) . . . . . . . . . . . . . . . 8
6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 10 6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.1. Establishment of an association shared key . . . . . . . . 10 6.1. Establishment of an Association Shared Key . . . . . . . . 10
6.2. Sending authenticated chunks . . . . . . . . . . . . . . . 11 6.2. Sending Authenticated Chunks . . . . . . . . . . . . . . . 11
6.3. Receiving authenticated chunks . . . . . . . . . . . . . . 12 6.3. Receiving Authenticated Chunks . . . . . . . . . . . . . . 12
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
8.1. A New Chunk Type . . . . . . . . . . . . . . . . . . . . . 15 8.1. A New Chunk Type . . . . . . . . . . . . . . . . . . . . . 15
8.2. Three New Parameter Types . . . . . . . . . . . . . . . . 15 8.2. Three New Parameter Types . . . . . . . . . . . . . . . . 15
8.3. A New Error Cause . . . . . . . . . . . . . . . . . . . . 15 8.3. A New Error Cause . . . . . . . . . . . . . . . . . . . . 15
8.4. A New Table For HMAC Identifiers . . . . . . . . . . . . . 16 8.4. A New Table for HMAC Identifiers . . . . . . . . . . . . . 16
9. Security Considerations . . . . . . . . . . . . . . . . . . . 16 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
11. Normative References . . . . . . . . . . . . . . . . . . . . . 17 11. Normative References . . . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18
Intellectual Property and Copyright Statements . . . . . . . . . . 20
1. Introduction 1. Introduction
SCTP uses 32 bit verification tags to protect itself against blind SCTP uses 32-bit verification tags to protect itself against blind
attackers. These values are not changed during the lifetime of an attackers. These values are not changed during the lifetime of an
SCTP association. SCTP association.
Looking at new SCTP extensions there is the need to have a method of Looking at new SCTP extensions, there is the need to have a method of
proving that an SCTP chunk(s) was really sent by the original peer proving that an SCTP chunk(s) was really sent by the original peer
that started the association and not by a malicious attacker. that started the association and not by a malicious attacker.
Using TLS as defined in RFC3436 [6] does not help here because it Using Transport Layer Security (TLS), as defined in RFC 3436 [6],
only secures SCTP user data. does not help because it only secures SCTP user data.
Therefore an SCTP extension is presented which provides a mechanism Therefore, an SCTP extension that provides a mechanism for deriving
for deriving shared keys for each association. These association shared keys for each association is presented. These association
shared keys are derived from endpoint pair shared keys, which are shared keys are derived from endpoint pair shared keys, which are
configured and might be empty, and data which is exchanged during the configured and might be empty, and data that is exchanged during the
SCTP association setup. SCTP association setup.
The extension presented in this document allows an SCTP sender to The extension presented in this document allows an SCTP sender to
authenticate chunks using shared keys between the sender and authenticate chunks using shared keys between the sender and
receiver. The receiver can then verify that the chunks are sent from receiver. The receiver can then verify that the chunks are sent from
the sender and not from a malicious attacker as long as the attacker the sender and not from a malicious attacker (as long as the attacker
does not know an association shared key. does not know an association shared key).
The extension described in this document puts the result of an HMAC The extension described in this document places the result of a
computation before the data covered by that computation. Putting it Hashed Message Authentication Code (HMAC) computation before the data
at the end of the packet would have required putting a control chunk covered by that computation. Placing it at the end of the packet
after DATA chunks in case of authenticating DATA chunks. This would would have required placing a control chunk after DATA chunks in case
break the rule that control chunks occur before DATA chunks in SCTP of authenticating DATA chunks. This would break the rule that
packets. It should also be noted that putting the result of the HMAC control chunks occur before DATA chunks in SCTP packets. It should
computation after the data being covered would not allow sending the also be noted that putting the result of the HMAC computation after
packet during the computation of the HMAC because the result of the the data being covered would not allow sending the packet during the
HMAC computation is needed to compute the CRC32C checksum of the SCTP computation of the HMAC because the result of the HMAC computation is
packet which is placed in the common header of the SCTP packet. needed to compute the CRC32C checksum of the SCTP packet, which is
placed in the common header of the SCTP packet.
The SCTP extension for Dynamic Address Reconfiguration (ADD-IP) The SCTP extension for Dynamic Address Reconfiguration (ADD-IP)
requires the usage of the extension described in this document. The requires the usage of the extension described in this document. The
SCTP Partial Reliability Extension (PR-SCTP) can be used in SCTP Partial Reliability Extension (PR-SCTP) can be used in
conjunction with the extension described in this document. conjunction with the extension described in this document.
2. Conventions 2. Conventions
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
skipping to change at page 4, line 21 skipping to change at page 4, line 21
+----------------+------------------------------------------------+ +----------------+------------------------------------------------+
| Parameter Type | Parameter Name | | Parameter Type | Parameter Name |
+----------------+------------------------------------------------+ +----------------+------------------------------------------------+
| 0x8002 | Random Parameter (RANDOM) | | 0x8002 | Random Parameter (RANDOM) |
| 0x8003 | Chunk List Parameter (CHUNKS) | | 0x8003 | Chunk List Parameter (CHUNKS) |
| 0x8004 | Requested HMAC Algorithm Parameter (HMAC-ALGO) | | 0x8004 | Requested HMAC Algorithm Parameter (HMAC-ALGO) |
+----------------+------------------------------------------------+ +----------------+------------------------------------------------+
Table 1 Table 1
It should be noted that the parameter format requires the receiver to Note that the parameter format requires the receiver to ignore the
ignore the parameter and continue processing if it is not understood. parameter and continue processing if the parameter is not understood.
This is accomplished as described in RFC2960 [5] section 3.2.1. by This is accomplished (as described in RFC 2960 [5], Section 3.2.1.)
the use of the upper bits of the parameter type. by the use of the upper bits of the parameter type.
3.1. Random Parameter (RANDOM) 3.1. Random Parameter (RANDOM)
This parameter is used to carry an arbitrary length random number. This parameter is used to carry a random number of an arbitrary
length.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8002 | Parameter Length | | Parameter Type = 0x8002 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
\ Random Number / \ Random Number /
/ +-------------------------------\ / +-------------------------------\
| | Padding | | | Padding |
skipping to change at page 5, line 6 skipping to change at page 5, line 10
This value MUST be set to 0x8002. This value MUST be set to 0x8002.
Parameter Length: 2 bytes (unsigned integer) Parameter Length: 2 bytes (unsigned integer)
This value is the length of the Random Number in bytes plus 4. This value is the length of the Random Number in bytes plus 4.
Random Number: n bytes (unsigned integer) Random Number: n bytes (unsigned integer)
This value represents an arbitrary Random Number in network byte This value represents an arbitrary Random Number in network byte
order. order.
Padding: 0, 1, 2, or 3 bytes (unsigned integer) Padding: 0, 1, 2, or 3 bytes (unsigned integer)
If the length of the random number is not a multiple of 4 bytes, If the length of the Random Number is not a multiple of 4 bytes,
the sender MUST pad the parameter with all zero bytes to make the the sender MUST pad the parameter with all zero bytes to make the
parameter 32-bit aligned. The Padding MUST NOT be longer than 3 parameter 32-bit aligned. The Padding MUST NOT be longer than 3
bytes and it MUST be ignored by the receiver. bytes and it MUST be ignored by the receiver.
The RANDOM parameter MUST be included once in the INIT or INIT-ACK The RANDOM parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks to chunk, if the sender wants to send or receive authenticated chunks,
provide a 32 byte Random Number. For 32 byte Random Numbers the to provide a 32-byte Random Number. For 32-byte Random Numbers, the
Padding is empty. Padding is empty.
3.2. Chunk List Parameter (CHUNKS) 3.2. Chunk List Parameter (CHUNKS)
This parameter is used to specify which chunk types are required to This parameter is used to specify which chunk types are required to
be sent authenticated by the peer. be authenticated before being sent by the peer.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8003 | Parameter Length | | Parameter Type = 0x8003 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type 1 | Chunk Type 2 | Chunk Type 3 | Chunk Type 4 | | Chunk Type 1 | Chunk Type 2 | Chunk Type 3 | Chunk Type 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ / / /
\ ... \ \ ... \
skipping to change at page 6, line 9 skipping to change at page 6, line 15
Padding: 0, 1, 2, or 3 bytes (unsigned integer) Padding: 0, 1, 2, or 3 bytes (unsigned integer)
If the number of Chunk Types is not a multiple of 4, the sender If the number of Chunk Types is not a multiple of 4, the sender
MUST pad the parameter with all zero bytes to make the parameter MUST pad the parameter with all zero bytes to make the parameter
32-bit aligned. The Padding MUST NOT be longer than 3 bytes and 32-bit aligned. The Padding MUST NOT be longer than 3 bytes and
it MUST be ignored by the receiver. it MUST be ignored by the receiver.
The CHUNKS parameter MUST be included once in the INIT or INIT-ACK The CHUNKS parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to receive authenticated chunks. Its chunk if the sender wants to receive authenticated chunks. Its
maximum length is 260 bytes. maximum length is 260 bytes.
The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE and AUTH chunks The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE, and AUTH
MUST NOT be listed in the CHUNKS parameter. However, if a CHUNKS chunks MUST NOT be listed in the CHUNKS parameter. However, if a
parameter is received then the types for INIT, INIT-ACK, SHUTDOWN- CHUNKS parameter is received then the types for INIT, INIT-ACK,
COMPLETE and AUTH chunks MUST be ignored. SHUTDOWN-COMPLETE, and AUTH chunks MUST be ignored.
3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO)
This parameter is used to list the HMAC identifiers the peer MUST This parameter is used to list the HMAC Identifiers the peer MUST
use. use.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8004 | Parameter Length | | Parameter Type = 0x8004 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier 1 | HMAC Identifier 2 | | HMAC Identifier 1 | HMAC Identifier 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ / / /
skipping to change at page 6, line 39 skipping to change at page 6, line 45
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier n | Padding | | HMAC Identifier n | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3 Figure 3
Parameter Type: 2 bytes (unsigned integer) Parameter Type: 2 bytes (unsigned integer)
This value MUST be set to 0x8004. This value MUST be set to 0x8004.
Parameter Length: 2 bytes (unsigned integer) Parameter Length: 2 bytes (unsigned integer)
This value is the number of HMAC identifiers multiplied by 2 plus This value is the number of HMAC Identifiers multiplied by 2, plus
4. 4.
HMAC Identifier n: 2 bytes (unsigned integer) HMAC Identifier n: 2 bytes (unsigned integer)
The values expressed are a list of HMAC identifiers that may be The values expressed are a list of HMAC Identifiers that may be
used by the peer. The values are listed by preference, with used by the peer. The values are listed by preference, with
respect to the sender, where the first HMAC identifier listed is respect to the sender, where the first HMAC Identifier listed is
the one most preferable to the sender. the one most preferable to the sender.
Padding: 0 or 2 bytes (unsigned integer) Padding: 0 or 2 bytes (unsigned integer)
If the number of HMAC Identifiers is not even, the sender MUST pad If the number of HMAC Identifiers is not even, the sender MUST pad
the parameter with all zero bytes to make the parameter 32-bit the parameter with all zero bytes to make the parameter 32-bit
aligned. The Padding MUST be 0 or 2 bytes long and it MUST be aligned. The Padding MUST be 0 or 2 bytes long and it MUST be
ignored by the receiver. ignored by the receiver.
The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks. chunk if the sender wants to send or receive authenticated chunks.
The following Table 2 shows the currently defined values for HMAC Table 2 shows the currently defined values for HMAC Identifiers.
identifiers.
+-----------------+--------------------------+ +-----------------+--------------------------+
| HMAC Identifier | Message Digest Algorithm | | HMAC Identifier | Message Digest Algorithm |
+-----------------+--------------------------+ +-----------------+--------------------------+
| 0 | Reserved | | 0 | Reserved |
| 1 | SHA-1 defined in [8] | | 1 | SHA-1 defined in [8] |
| 2 | Reserved | | 2 | Reserved |
| 3 | SHA-256 defined in [8] | | 3 | SHA-256 defined in [8] |
+-----------------+--------------------------+ +-----------------+--------------------------+
Table 2 Table 2
Every endpoint supporting SCTP chunk authentication MUST support the Every endpoint supporting SCTP chunk authentication MUST support the
HMAC based on the SHA-1 algorithm. HMAC based on the SHA-1 algorithm.
4. New Error Cause 4. New Error Cause
This section defines a new error cause that will be sent if an AUTH This section defines a new error cause that will be sent if an AUTH
chunk is received with an unsupported HMAC identifier. Table 3 chunk is received with an unsupported HMAC Identifier. Table 3
illustrates the new error cause. illustrates the new error cause.
+------------+-----------------------------+ +------------+-----------------------------+
| Cause Code | Error Cause Name | | Cause Code | Error Cause Name |
+------------+-----------------------------+ +------------+-----------------------------+
| 0x0105 | Unsupported HMAC Identifier | | 0x0105 | Unsupported HMAC Identifier |
+------------+-----------------------------+ +------------+-----------------------------+
Table 3 Table 3
4.1. Unsupported HMAC Identifier error cause 4.1. Unsupported HMAC Identifier Error Cause
This error cause is used to indicate that an AUTH chunk was received This error cause is used to indicate that an AUTH chunk has been
with an unsupported HMAC Identifier. received with an unsupported HMAC Identifier.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x0105 | Cause Length = 6 | | Cause Code = 0x0105 | Cause Length = 6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier | Padding | | HMAC Identifier | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4 Figure 4
Cause Code: 2 bytes (unsigned integer) Cause Code: 2 bytes (unsigned integer)
This value MUST be set to 0x0105. This value MUST be set to 0x0105.
Cause Length: 2 bytes (unsigned integer) Cause Length: 2 bytes (unsigned integer)
This value MUST be set to 6. This value MUST be set to 6.
HMAC Identifier: 2 bytes (unsigned integer) HMAC Identifier: 2 bytes (unsigned integer)
This value is the HMAC Identifier which is not supported. This value is the HMAC Identifier which is not supported.
skipping to change at page 8, line 35 skipping to change at page 8, line 44
+------------+-----------------------------+ +------------+-----------------------------+
| Chunk Type | Chunk Name | | Chunk Type | Chunk Name |
+------------+-----------------------------+ +------------+-----------------------------+
| 0x0F | Authentication Chunk (AUTH) | | 0x0F | Authentication Chunk (AUTH) |
+------------+-----------------------------+ +------------+-----------------------------+
Table 4 Table 4
It should be noted that the AUTH-chunk format requires the receiver It should be noted that the AUTH-chunk format requires the receiver
to ignore the chunk if it is not understood and silently discard all to ignore the chunk if it is not understood and silently discard all
chunks that follow. This is accomplished as described in RFC2960 [5] chunks that follow. This is accomplished (as described in RFC 2960
section 3.2. by the use of the upper bits of the chunk type. [5], Section 3.2.) by the use of the upper bits of the chunk type.
5.1. Authentication Chunk (AUTH) 5.1. Authentication Chunk (AUTH)
This chunk is used to hold the result of the HMAC calculation. This chunk is used to hold the result of the HMAC calculation.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x0F | Flags=0 | Length | | Type = 0x0F | Flags=0 | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 9, line 38 skipping to change at page 9, line 38
This value holds the length of the HMAC in bytes plus 8. This value holds the length of the HMAC in bytes plus 8.
Shared Key Identifier: 2 bytes (unsigned integer) Shared Key Identifier: 2 bytes (unsigned integer)
This value describes which endpoint pair shared key is used. This value describes which endpoint pair shared key is used.
HMAC Identifier: 2 bytes (unsigned integer) HMAC Identifier: 2 bytes (unsigned integer)
This value describes which message digest is being used. Table 2 This value describes which message digest is being used. Table 2
shows the currently defined values. shows the currently defined values.
HMAC: n bytes (unsigned integer) HMAC: n bytes (unsigned integer)
This hold the result of the HMAC calculation. This holds the result of the HMAC calculation.
Padding: 0, 1, 2, or 3 bytes (unsigned integer) Padding: 0, 1, 2, or 3 bytes (unsigned integer)
If the length of the HMAC is not a multiple of 4 bytes, the sender If the length of the HMAC is not a multiple of 4 bytes, the sender
MUST pad the chunk with all zero bytes to make the chunk 32-bit MUST pad the chunk with all zero bytes to make the chunk 32-bit
aligned. The Padding MUST NOT be longer than 3 bytes and it MUST aligned. The Padding MUST NOT be longer than 3 bytes and it MUST
be ignored by the receiver. be ignored by the receiver.
The control chunk AUTH MUST NOT appear more than once in an SCTP The control chunk AUTH MUST NOT appear more than once in an SCTP
packet. All control and data chunks which are placed after the AUTH packet. All control and data chunks that are placed after the AUTH
chunk in the packet are sent in an authenticated way. Those chunks chunk in the packet are sent in an authenticated way. Those chunks
placed in a packet before the AUTH chunk are not authenticated. placed in a packet before the AUTH chunk are not authenticated.
Please note that DATA chunks can not appear before control chunks in Please note that DATA chunks can not appear before control chunks in
an SCTP packet. an SCTP packet.
6. Procedures 6. Procedures
6.1. Establishment of an association shared key 6.1. Establishment of an Association Shared Key
An SCTP endpoint willing to receive or send authenticated chunks MUST An SCTP endpoint willing to receive or send authenticated chunks MUST
send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM
parameter MUST contain a 32 byte random number. The random number parameter MUST contain a 32-byte Random Number. The Random Number
should be generated in accordance with RFC4086 [7]. If the random should be generated in accordance with RFC 4086 [7]. If the Random
number is not 32 byte long the association MUST be aborted. The Number is not 32 bytes, the association MUST be aborted. The ABORT
ABORT chunk SHOULD contain the error cause 'Protocol Violation'. In chunk SHOULD contain the error cause 'Protocol Violation'. In case
case of INIT collision, the rules governing the handling of this of INIT collision, the rules governing the handling of this Random
random number follow the same pattern as those for the Verification Number follow the same pattern as those for the Verification Tag, as
Tag, as explained in section 5.2.4 of RFC2960 [5]. Therefore each explained in Section 5.2.4 of RFC 2960 [5]. Therefore, each endpoint
endpoint knows its own random number and the peer's random number knows its own Random Number and the peer's Random Number after the
after the association has been established. association has been established.
An SCTP endpoint has a list of chunks it only accepts if they are An SCTP endpoint has a list of chunks it only accepts if they are
received in an authenticated way. This list is included in the INIT received in an authenticated way. This list is included in the INIT
and INIT-ACK and MAY be omitted if it is empty. Since this list does and INIT-ACK, and MAY be omitted if it is empty. Since this list
not change during the lifetime of there is no problem in case of INIT does not change during the lifetime of the SCTP endpoint there is no
collision. problem in case of INIT collision.
Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO
parameter containing a list of HMAC Identifiers it requests the peer parameter containing a list of HMAC Identifiers it requests the peer
to use. The receiver of a HMAC-ALGO parameter SHOULD use the first to use. The receiver of an HMAC-ALGO parameter SHOULD use the first
listed algorithm it supports. The HMAC algorithm based on SHA-1 MUST listed algorithm it supports. The HMAC algorithm based on SHA-1 MUST
be supported and included in the HMAC-ALGO parameter. An SCTP be supported and included in the HMAC-ALGO parameter. An SCTP
endpoint MUST NOT change the parameters listed in the HMAC-ALGO endpoint MUST NOT change the parameters listed in the HMAC-ALGO
parameter during the lifetime of the endpoint. parameter during the lifetime of the endpoint.
Both endpoints of an association MAY have endpoint pair shared keys Both endpoints of an association MAY have endpoint pair shared keys
which are byte vectors and pre-configured or established by another that are byte vectors and pre-configured or established by another
mechanism. They are identified by the shared key identifier. For mechanism. They are identified by the Shared Key Identifier. For
each endpoint pair shared key an association shared key is computed. each endpoint pair shared key, an association shared key is computed.
If there is no endpoint pair shared key only one association shared If there is no endpoint pair shared key, only one association shared
key is computed by using an empty byte vector as the endpoint pair key is computed by using an empty byte vector as the endpoint pair
shared key. shared key.
The RANDOM parameter, the CHUNKS parameter and the HMAC-ALGO The RANDOM parameter, the CHUNKS parameter, and the HMAC-ALGO
parameter sent by each endpoint are concatenated as byte vectors. parameter sent by each endpoint are concatenated as byte vectors.
These parameters include the parameter type, parameter length, and These parameters include the parameter type, parameter length, and
the parameter value, but padding is omitted; all padding MUST be the parameter value, but padding is omitted; all padding MUST be
removed from this concatenation before proceeding with further removed from this concatenation before proceeding with further
computation of keys. Parameters which were not sent are simply computation of keys. Parameters that were not sent are simply
omitted from the concatenation process. The resulting two vectors omitted from the concatenation process. The resulting two vectors
are called the two key vectors. are called the two key vectors.
From the endpoint pair shared keys and the key vectors the From the endpoint pair shared keys and the key vectors, the
association shared keys are computed. This is performed by selecting association shared keys are computed. This is performed by selecting
the numerically smaller key vector and concatenating it to the the numerically smaller key vector and concatenating it to the
endpoint pair shared key, and then concatenating the numerically endpoint pair shared key, and then concatenating the numerically
larger key vector to that. If the key vectors are equal as numbers larger key vector to that. If the key vectors are equal as numbers
but differ in length, then the concatenation order is the endpoint but differ in length, then the concatenation order is the endpoint
shared key, followed by the shorter key vector, followed by the shared key, followed by the shorter key vector, followed by the
longer key vector. Otherwise, the key vectors are identical, and may longer key vector. Otherwise, the key vectors are identical, and may
be concatenated to the endpoint pair key in any order. The be concatenated to the endpoint pair key in any order. The
concatenation is performed on byte vectors, and all numerical concatenation is performed on byte vectors, and all numerical
comparisons use network byte order to convert the key vectors to a comparisons use network byte order to convert the key vectors to a
number. The result of the concatenation is the association shared number. The result of the concatenation is the association shared
key. key.
6.2. Sending authenticated chunks 6.2. Sending Authenticated Chunks
Endpoints MUST send all requested chunks authenticated where this has Endpoints MUST send all requested chunks that have been authenticated
been requested by the peer. The other chunks MAY be sent where this has been requested by the peer. The other chunks MAY be
authenticated or not. If endpoint pair shared keys are used, one of sent whether or not they have been authenticated. If endpoint pair
them MUST be selected for authentication. shared keys are used, one of them MUST be selected for
authentication.
To send chunks in an authenticated way, the sender MUST include these To send chunks in an authenticated way, the sender MUST include these
chunks after an AUTH chunk. This means that a sender MUST bundle chunks after an AUTH chunk. This means that a sender MUST bundle
chunks in order to authenticate them. chunks in order to authenticate them.
If the endpoint has no endpoint pair shared key for the peer, it MUST If the endpoint has no endpoint pair shared key for the peer, it MUST
use Shared Key Identifier 0 with an empty endpoint pair shared key. use Shared Key Identifier zero with an empty endpoint pair shared
If there are multiple endpoint shared keys the sender selects one and key. If there are multiple endpoint shared keys the sender selects
uses the corresponding Shared Key Identifier. one and uses the corresponding Shared Key Identifier.
The sender MUST calculate the MAC as described in RFC2104 [2] using The sender MUST calculate the Message Authentication Code (MAC) (as
the hash function H as described by the MAC Identifier and the shared described in RFC 2104 [2]) using the hash function H as described by
association key K based on the endpoint pair shared key described by the HMAC Identifier and the shared association key K based on the
the shared key identifier. The 'data' used for the computation of endpoint pair shared key described by the Shared Key Identifier. The
the AUTH-chunk is given by the AUTH chunk with its HMAC field set to 'data' used for the computation of the AUTH-chunk is given by the
zero (as shown in Figure 6) followed by all chunks that are placed AUTH chunk with its HMAC field set to zero (as shown in Figure 6)
after the AUTH chunk in the SCTP packet. followed by all the chunks that are placed after the AUTH chunk in
the SCTP packet.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x0F | Flags=0 | Chunk Length | | Type = 0x0F | Flags=0 | Chunk Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Shared Key Identifier | HMAC Identifier | | Shared Key Identifier | HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
\ 0 / \ 0 /
/ +-------------------------------\ / +-------------------------------\
| | Padding | | | Padding |
skipping to change at page 12, line 4 skipping to change at page 12, line 15
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x0F | Flags=0 | Chunk Length | | Type = 0x0F | Flags=0 | Chunk Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Shared Key Identifier | HMAC Identifier | | Shared Key Identifier | HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
\ 0 / \ 0 /
/ +-------------------------------\ / +-------------------------------\
| | Padding | | | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6 Figure 6
Please note that all fields are in network byte order and that the Please note that all fields are in network byte order and that the
field which will contain the complete HMAC is filled with zeroes. field that will contain the complete HMAC is filled with zeroes. The
The length of the field shown as 0 is the length of the HMAC length of the field shown as zero is the length of the HMAC described
described by the HMAC Identifier. The padding of all chunks being by the HMAC Identifier. The padding of all chunks being
authenticated MUST be included in the HMAC computation. authenticated MUST be included in the HMAC computation.
The sender fills the HMAC into the HMAC field and sends the packet. The sender fills the HMAC into the HMAC field and sends the packet.
6.3. Receiving authenticated chunks 6.3. Receiving Authenticated Chunks
The receiver has a list of chunk types which it expects to be The receiver has a list of chunk types that it expects to be received
received only after an AUTH-chunk. This list has been sent to the only after an AUTH-chunk. This list has been sent to the peer during
peer during the association setup. It MUST silently discard these the association setup. It MUST silently discard these chunks if they
chunks if they are not placed after an AUTH chunk in the packet. are not placed after an AUTH chunk in the packet.
The receiver MUST use the HMAC algorithm indicated in the HMAC The receiver MUST use the HMAC algorithm indicated in the HMAC
Identifier field. If this algorithm was not specified by the Identifier field. If this algorithm was not specified by the
receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
during association setup, the AUTH chunk and all chunks after it MUST during association setup, the AUTH chunk and all the chunks after it
be discarded and an ERROR chunk SHOULD be sent with the error cause MUST be discarded and an ERROR chunk SHOULD be sent with the error
defined in Section 4.1. cause defined in Section 4.1.
If an endpoint with no shared key receives a Shared Key Identifier If an endpoint with no shared key receives a Shared Key Identifier
other than 0, it MUST silently discard all authenticated chunks. If other than 0, it MUST silently discard all authenticated chunks. If
the endpoint has at least one endpoint pair shared key for the peer, the endpoint has at least one endpoint pair shared key for the peer,
it MUST use the key specified by the Shared Key Identifier if a key it MUST use the key specified by the Shared Key Identifier if a key
has been configured for that Shared Key Identifier. If no endpoint has been configured for that Shared Key Identifier. If no endpoint
pair shared key has been configured for that Shared Key Identifier, pair shared key has been configured for that Shared Key Identifier,
all authenticated chunks MUST be silently discarded. all authenticated chunks MUST be silently discarded.
The receiver now performs the same calculation as described for the The receiver now performs the same calculation as described for the
sender based on Figure 6. If the result of the calculation is the sender based on Figure 6. If the result of the calculation is the
same as given in the HMAC field, all chunks following the AUTH chunk same as given in the HMAC field, all the chunks following the AUTH
are processed. If the field does not match the result of the chunk are processed. If the field does not match the result of the
calculation, all the chunks following the AUTH chunk MUST be silently calculation, all the chunks following the AUTH chunk MUST be silently
discarded. discarded.
It should be noted that if the receiver wants to tear down an It should be noted that if the receiver wants to tear down an
association in an authenticated way only, the handling of malformed association in an authenticated way only, the handling of malformed
packets should not result in tearing down the association. packets should not result in tearing down the association.
An SCTP implementation has to maintain state for each SCTP An SCTP implementation has to maintain state for each SCTP
association. In the following we call this data structure the SCTP association. In the following, we call this data structure the SCTP
transmission control block (STCB). transmission control block (STCB).
When an endpoint requires COOKIE-ECHO chunks to be authenticated some When an endpoint requires COOKIE-ECHO chunks to be authenticated,
special procedures have to be followed because the reception of an some special procedures have to be followed because the reception of
COOKIE-ECHO chunk might result in the creation of an SCTP a COOKIE-ECHO chunk might result in the creation of an SCTP
association. If a packet arrives containing an AUTH chunk as a first association. If a packet arrives containing an AUTH chunk as a first
chunk, a COOKIE-ECHO chunk as the second chunk and possibly more chunk, a COOKIE-ECHO chunk as the second chunk, and possibly more
chunks after them, and the receiver does not have an STCB for that chunks after them, and the receiver does not have an STCB for that
packet, then authentication is based on the contents of the COOKIE- packet, then authentication is based on the contents of the COOKIE-
ECHO chunk. In this situation, the receiver MUST authenticate the ECHO chunk. In this situation, the receiver MUST authenticate the
chunks in the packet by using the RANDOM parameters, CHUNKS chunks in the packet by using the RANDOM parameters, CHUNKS
parameters and HMAC_ALGO parameters obtained from the COOKIE-ECHO parameters and HMAC_ALGO parameters obtained from the COOKIE-ECHO
chunk, and possibly a local shared secret as inputs to the chunk, and possibly a local shared secret as inputs to the
authentication procedure specified in Section 6.3. If authentication authentication procedure specified in Section 6.3. If authentication
fails then the packet is discarded. If the authentication is fails, then the packet is discarded. If the authentication is
successful the COOKIE-ECHO and all chunks after the COOKIE-ECHO MUST successful, the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
be processed. If the receiver has a STCB, it MUST process the AUTH MUST be processed. If the receiver has an STCB, it MUST process the
chunk as described above using the STCB from the existing association AUTH chunk as described above using the STCB from the existing
to authenticate the COOKIE-ECHO chunk and all chunks after it. association to authenticate the COOKIE-ECHO chunk and all the chunks
after it.
If the receiver does not find a STCB for a packet containing an AUTH If the receiver does not find an STCB for a packet containing an AUTH
chunk as the first chunk and not a COOKIE-ECHO chunk as the second chunk as the first chunk and does not find a COOKIE-ECHO chunk as the
chunk, it MUST use the chunks after the AUTH chunk to look up an second chunk, it MUST use the chunks after the AUTH chunk to look up
existing association. If no association is found, the packet MUST be an existing association. If no association is found, the packet MUST
considered as out of the blue. The out of the blue handling MUST be be considered as out of the blue. The out of the blue handling MUST
based on the packet without taking the AUTH chunk into account. If be based on the packet without taking the AUTH chunk into account.
an association is found, it MUST process the AUTH chunk using the If an association is found, it MUST process the AUTH chunk using the
STCB from the existing association as described earlier. STCB from the existing association as described earlier.
Requiring ABORT chunks and COOKIE-ECHO chunks to be authenticated Requiring ABORT chunks and COOKIE-ECHO chunks to be authenticated
makes it impossible for an attacker to bring down or restart an makes it impossible for an attacker to bring down or restart an
association as long as the attacker does not know the association association as long as the attacker does not know the association
shared key. But it should also be noted that if an endpoint accepts shared key. But it should also be noted that if an endpoint accepts
ABORT chunks only in an authenticated way, it may take longer to ABORT chunks only in an authenticated way, it may take longer to
detect that the peer is no longer available. If an endpoint accepts detect that the peer is no longer available. If an endpoint accepts
COOKIE-ECHO chunks only in an authenticated way, the restart COOKIE-ECHO chunks only in an authenticated way, the restart
procedure does not work, because the restarting end-point most likely procedure does not work, because the restarting endpoint most likely
does not know the association shared key of the old association to be does not know the association shared key of the old association to be
restarted. However, if the restarting end-point does know the old restarted. However, if the restarting endpoint does know the old
association shared key he can send successfully the COOKIE-ECHO chunk association shared key, he can successfully send the COOKIE-ECHO
in a way that it is accepted by the peer by using this old chunk in a way that it is accepted by the peer by using this old
association shared key for the packet containing the AUTH chunk. association shared key for the packet containing the AUTH chunk.
After this operation both end-points have to use the new association After this operation, both endpoints have to use the new association
shared key. shared key.
If a server has an endpoint pair shared key with some clients it can If a server has an endpoint pair shared key with some clients, it can
request the COOKIE_ECHO chunk to be authenticated and can ensure that request the COOKIE_ECHO chunk to be authenticated and can ensure that
only associations from client with a correct endpoint pair shared key only associations from clients with a correct endpoint pair shared
are accepted. key are accepted.
Furthermore it is important that the cookie contained in an INIT-ACK Furthermore, it is important that the cookie contained in an INIT-ACK
chunk and in a COOKIE-ECHO chunk MUST NOT contain any end-point pair chunk and in a COOKIE-ECHO chunk MUST NOT contain any endpoint pair
shared keys. shared keys.
7. Examples 7. Examples
This section gives examples of message exchanges for association This section gives examples of message exchanges for association
setup. setup.
The simplest way of using the extension described in this document is The simplest way of using the extension described in this document is
given by the following message exchange. given by the following message exchange.
skipping to change at page 14, line 32 skipping to change at page 14, line 47
If the server wants to receive DATA chunks in an authenticated way, If the server wants to receive DATA chunks in an authenticated way,
the following message exchange is possible: the following message exchange is possible:
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
--------------- COOKIE-ECHO; AUTH; DATA -------------> --------------- COOKIE-ECHO; AUTH; DATA ------------->
<----------------- COOKIE-ACK; SACK ------------------ <----------------- COOKIE-ACK; SACK ------------------
Please note that if the endpoint pair shared key depends on the Please note that if the endpoint pair shared key depends on the
client and the server and that it is only known by the upper layer client and the server, and is only known by the upper layer, this
this message exchange requires an upper layer intervention between message exchange requires an upper layer intervention between the
the processing of the COOKIE-ECHO chunk and the processing of the processing of the COOKIE-ECHO chunk and the processing of the AUTH
AUTH and DATA chunk at the server side. This intervention may be and DATA chunk at the server side. This intervention may be realized
realized by a COMMUNICATION-UP notification followed by the by a COMMUNICATION-UP notification followed by the presentation of
presentation of the endpoint pair shared key by the upper layer to the endpoint pair shared key by the upper layer to the SCTP stack,
the SCTP stack, see for example section 10 of RFC2960 [5]. If this see for example Section 10 of RFC 2960 [5]. If this intervention is
intervention is not possible due to limitations of the API (for not possible due to limitations of the API (for example, the socket
example the socket API) the server might discard the AUTH and DATA API), the server might discard the AUTH and DATA chunk, making a
chunk making a retransmission of the DATA chunk necessary. If the retransmission of the DATA chunk necessary. If the same endpoint
same endpoint pair shared key is used for multiple endpoints and does pair shared key is used for multiple endpoints and does not depend on
not depend on the client this intervention might not be necessary. the client, this intervention might not be necessary.
8. IANA Considerations 8. IANA Considerations
[NOTE to RFC-Editor: This document (RFC 4895) is the reference for all registrations
"RFCXXXX" is to be replaced by the RFC number you assign this
document.
]
This document (RFCXXX) is the reference for all registrations
described in this section. All registrations need to be listed in described in this section. All registrations need to be listed in
the document available at sctp-parameters [9]. The suggested changes the document available at SCTP-parameters [9]. The changes are
are described below. described below.
8.1. A New Chunk Type 8.1. A New Chunk Type
A chunk type for the AUTH chunk has to be assigned by IANA. It is A chunk type for the AUTH chunk has been assigned by IANA. IANA has
suggested to use the value given in Table 4. This requires an assigned the value (15), as given in Table 4. An additional line has
additional line in the "CHUNK TYPES" table of sctp-parameters [9]: been added in the "CHUNK TYPES" table of SCTP-parameters [9]:
CHUNK TYPES CHUNK TYPES
ID Value Chunk Type Reference ID Value Chunk Type Reference
----- ---------- --------- ----- ---------- ---------
15 Authentication Chunk (AUTH) [RFCXXXX] 15 Authentication Chunk (AUTH) [RFC4895]
8.2. Three New Parameter Types 8.2. Three New Parameter Types
Parameter types have to be assigned for the RANDOM, CHUNKS, and HMAC- Parameter types have been assigned for the RANDOM, CHUNKS, and HMAC-
ALGO parameter by IANA. It is suggested to use the values given in ALGO parameter by IANA. The values are as given in Table 1. This
Table 1. This requires two modifications of the "CHUNK PARAMETER required two modifications to the "CHUNK PARAMETER TYPES" tables in
TPYES" tables in sctp-parameters [9]: The first change is the SCTP-parameters [9]: the first is the addition of three new lines to
addition of three new lines to the "INIT Chunk Parameter Types" the "INIT Chunk Parameter Types" table:
table:
Chunk Parameter Type Value Chunk Parameter Type Value
-------------------- ----- -------------------- -----
Random 32770 (0x8002) Random 32770 (0x8002)
Chunk List 32771 (0x8003) Chunk List 32771 (0x8003)
Requested HMAC Algorithm Parameter 32772 (0x8004) Requested HMAC Algorithm Parameter 32772 (0x8004)
The second required change is the addition of the same three lines to The second required change is the addition of the same three lines to
the to the "INIT ACK Chunk Parameter Types" table. the to the "INIT ACK Chunk Parameter Types" table.
8.3. A New Error Cause 8.3. A New Error Cause
An error cause for the Unsupported HMAC Identifier error cause has to An error cause for the Unsupported HMAC Identifier error cause has
be assigned. It is suggested to use the value given in Table 3. been assigned. The value (261) has been assigned as in Table 3.
This requires an additional line of the "CAUSE CODES" table in sctp-
This requires an additional line of the "CAUSE CODES" table in SCTP-
parameters [9]: parameters [9]:
VALUE CAUSE CODE REFERENCE VALUE CAUSE CODE REFERENCE
----- ---------------- --------- ----- ---------------- ---------
261 (0x0105) Unsupported HMAC Identifier RFCXXXX 261 (0x0105) Unsupported HMAC Identifier [RFC4895]
8.4. A New Table For HMAC Identifiers 8.4. A New Table for HMAC Identifiers
HMAC Identifiers have to be maintained by IANA. Four initial values HMAC Identifiers have to be maintained by IANA. Four initial values
should be assigned by IANA as described in Table 2. This requires a have been assigned by IANA as described in Table 2. This required a
new table "HMAC IDENTIFIERS" in sctp-parameters [9]: new table "HMAC IDENTIFIERS" in SCTP-parameters [9]:
HMAC Identifier Message Digest Algorithm REFERENCE HMAC Identifier Message Digest Algorithm REFERENCE
--------------- ------------------------ --------- --------------- ------------------------ ---------
0 Reserved RFCXXXX 0 Reserved [RFC4895]
1 SHA-1 RFCXXXX 1 SHA-1 [RFC4895]
2 Reserved RFCXXXX 2 Reserved [RFC4895]
3 SHA-256 RFCXXXX 3 SHA-256 [RFC4895]
For registering at IANA a new HMAC Identifier in this table a request For registering a new HMAC Identifier with IANA, in this table, a
has to be made to assign such a number. This number must be unique request has to be made to assign such a number. This number must be
and a message digest algorithm usable with the HMAC defined in unique and a message digest algorithm usable with the HMAC defined in
RFC2104 [2] MUST be specified. The "Specification Required" policy RFC2104 [2] MUST be specified. The "Specification Required" policy
of RFC2434 [4] MUST be applied. of RFC2434 [4] MUST be applied.
9. Security Considerations 9. Security Considerations
Without using endpoint shared keys this extension only protects Without using endpoint shared keys, this extension only protects
against modification or injection of authenticated chunks by against modification or injection of authenticated chunks by
attackers who did not capture the initial handshake setting up the attackers who did not capture the initial handshake setting up the
SCTP association. SCTP association.
If an endpoint pair shared key is used even a true man in the middle If an endpoint pair shared key is used, even a true man in the middle
cannot inject chunks which are required to be authenticated even if cannot inject chunks, which are required to be authenticated, even if
he intercepts the initial message exchange. The endpoint also knows he intercepts the initial message exchange. The endpoint also knows
that it is accepting authenticated chunks from a peer who knows the that it is accepting authenticated chunks from a peer who knows the
endpoint pair shared key. endpoint pair shared key.
The establishment of endpoint pair shared keys is out of scope of The establishment of endpoint pair shared keys is out of the scope of
this document. Other mechanisms can be used like using TLS or manual this document. Other mechanisms can be used, like using TLS or
configuration. manual configuration.
When an endpoint accepts COOKIE-ECHO chunks only in an authenticated When an endpoint accepts COOKIE-ECHO chunks only in an authenticated
way the restart procedure does not work. Neither an attacker nor a way the restart procedure does not work. Neither an attacker nor a
restarted end-point not knowing the association shared key can restarted endpoint not knowing the association shared key can perform
perform an restart. However, if the association shared key is known, an restart. However, if the association shared key is known, it is
it is possible to restart the association. possible to restart the association.
Because SCTP has already a mechanism built-in that handles the Because SCTP already has a built-in mechanism that handles the
reception of duplicated chunks, the presented solution makes use of reception of duplicated chunks, the presented solution makes use of
this functionality and does not provide a method to avoid replay this functionality and does not provide a method to avoid replay
attacks by itself. Of course, this only works within each SCTP attacks by itself. Of course, this only works within each SCTP
association. Therefore a separate shared key is used for each SCTP association. Therefore, a separate shared key is used for each SCTP
association to handle replay attacks covering multiple SCTP association to handle replay attacks covering multiple SCTP
associations. associations.
Each endpoint presenting a list of more than one element in the HMAC- Each endpoint presenting a list of more than one element in the HMAC-
ALGO parameter must be prepared that the peer uses the weakest ALGO parameter must be prepared for the peer using the weakest
algorithm listed. algorithm listed.
When an endpoint pair uses non-NULL endpoint pair shared keys and one When an endpoint pair uses non-NULL endpoint pair shared keys and one
of the endpoints still accepts a NULL key an attacker who captured of the endpoints still accepts a NULL key, an attacker who captured
the initial handshake can still inject or modify authenticated chunks the initial handshake can still inject or modify authenticated chunks
by using the NULL key. by using the NULL key.
10. Acknowledgments 10. Acknowledgments
The authors wish to thank David Black, Sascha Grau, Russ Housley, The authors wish to thank David Black, Sascha Grau, Russ Housley,
Ivan Arias Rodriguez, Irene Ruengeler, and Magnus Westerlund for Ivan Arias Rodriguez, Irene Ruengeler, and Magnus Westerlund for
their invaluable comments. their invaluable comments.
11. Normative References 11. Normative References
skipping to change at page 18, line 20 skipping to change at page 18, line 20
[9] <http://www.iana.org/assignments/sctp-parameters> [9] <http://www.iana.org/assignments/sctp-parameters>
Authors' Addresses Authors' Addresses
Michael Tuexen Michael Tuexen
Muenster Univ. of Applied Sciences Muenster Univ. of Applied Sciences
Stegerwaldstr. 39 Stegerwaldstr. 39
48565 Steinfurt 48565 Steinfurt
Germany Germany
Email: tuexen@fh-muenster.de EMail: tuexen@fh-muenster.de
Randall R. Stewart Randall R. Stewart
Cisco Systems, Inc. Cisco Systems, Inc.
4875 Forest Drive 4875 Forest Drive
Suite 200 Suite 200
Columbia, SC 29206 Columbia, SC 29206
USA USA
Email: rrs@cisco.com EMail: rrs@cisco.com
Peter Lei Peter Lei
Cisco Systems, Inc. Cisco Systems, Inc.
8735 West Higgins Road 8735 West Higgins Road
Suite 300 Suite 300
Chicago, IL 60631 Chicago, IL 60631
USA USA
Phone: Phone:
Email: peterlei@cisco.com EMail: peterlei@cisco.com
Eric Rescorla Eric Rescorla
RTFM, Inc. RTFM, Inc.
2064 Edgewood Drive 2064 Edgewood Drive
Palo Alto, CA 94303 Palo Alto, CA 94303
USA USA
Phone: +1 650-320-8549 Phone: +1 650-320-8549
Email: ekr@rtfm.com EMail: ekr@rtfm.com
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
skipping to change at page 20, line 44 skipping to change at line 841
attempt made to obtain a general license or permission for the use of attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
 End of changes. 90 change blocks. 
230 lines changed or deleted 208 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/