Network Working Group M. Tuexen
Internet-Draft Muenster Univ. of Appl. Sciences
Updates: 6951 (if approved) R. Stewart
Intended status: Standards Track Netflix, Inc.
Expires: May 2, 2017 October 29, 2016
Additional Considerations for UDP Encapsulation of Stream Control
Transmission Protocol (SCTP) Packets
draft-tuexen-tsvwg-sctp-udp-encaps-cons-01.txt
Abstract
RFC 6951 specifies the UDP encapsulation of SCTP packets. The
described handling of received packets requires the check of the
verification tag. However, RFC 6951 misses a specification for the
handling of received packets for which this check is not possible.
This document updates RFC 6951 by specifying the handling of received
packets where the verification tag can not be checked.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 2, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Tuexen & Stewart Expires May 2, 2017 [Page 1]
Internet-Draft Additional Considerations for SCTP over UDP October 2016
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Handling of Out of the Blue Packets . . . . . . . . . . . . . 2
4. Handling of SCTP Packets Containing an INIT Chunk Matching an
Existing Association . . . . . . . . . . . . . . . . . . . . 3
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6
8. Normative References . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
[RFC6951] specifies the UDP encapsulation of SCTP packets. To be
able to adopt automatically to changes of the remote UDP
encapsulation port number, it is updated automatically when
processing received packets. This includes automatic enabling and
disabling of UDP encapsulation.
Section 5.4 of [RFC6951] describes the processing of received packets
and requires the check of the verification tag before updating the
remote UDP encapsulation port and the possible enabling or disabling
of UDP encapsulation.
[RFC6951] basically misses a description for the handling of received
packets where this verification tag check is not possible. This
includes packets for which no association can be found and packets
containing an INIT chunk, since the verification tag for these
packets must be 0.
2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Handling of Out of the Blue Packets
If the processing of an out of the blue packet requires the sending
of a packet in response according to the rules specified in
Section 8.4 of [RFC4960], the following rules apply:
Tuexen & Stewart Expires May 2, 2017 [Page 2]
Internet-Draft Additional Considerations for SCTP over UDP October 2016
1. If the received packet was encapsulated in UDP, the response
packets MUST also be encapsulated in UDP. The UDP source port
and UDP destination port used for sending the response packet are
the UDP destination port and UDP source port of the received
packet.
2. If the receive packet was not encapsulated in UDP, the response
packet MUST NOT be encapsulated in UDP.
Please not that in these cases a check of the of the verification tag
is not possible.
4. Handling of SCTP Packets Containing an INIT Chunk Matching an
Existing Association
SCTP packets containing an INIT chunk have the verification tag 0 in
the common header. Therefore the verification can't be checked.
The following rules apply when processing the received packet:
1. The remote UDP encapsulation port for the source address of the
received SCTP packet MUST NOT be updated if the encapsulation of
outgoing packets is enabled and the received SCTP packet is
encapsulated.
2. The UDP encapsulation for outgoing packets towards the source
address of the received SCTP packet MUST NOT be enabled, if it is
disabled and the received SCTP packet is encapsulated.
3. The UDP encapsulation for outgoing packets towards the source
address of the received SCTP packet MUST NOT be disabled, if it
is enabled and the received SCTP packet is not encapsulated.
4. If the UDP encapsulation for outgoing packets towards the source
address of the received SCTP packet is disabled and the received
SCTP packet is encapsulated, an SCTP packet containing an ABORT
chunk MUST be sent. The ABORT chunk MAY include the error cause
defined below indicating an "Restart of an Association with New
Encapsulation Port". This packet containing the ABORT chunk MUST
be encapsulated in UDP. The UDP source port and UDP destination
port used for sending the packet containing the ABORT chunk are
the UDP destination port and UDP source port of the received
packet containing the INIT chunk.
5. If the UDP encapsulation for outgoing packets towards the source
address of the received SCTP packet is disabled and the received
SCTP packet is not encapsulated, the processing defined in
Tuexen & Stewart Expires May 2, 2017 [Page 3]
Internet-Draft Additional Considerations for SCTP over UDP October 2016
[RFC4960] MUST be performed. If a packet is sent in response, it
MUST NOT be encapsulated.
6. If the UDP encapsulation for outgoing packets towards the source
address of the received SCTP packet is enabled and the received
SCTP packet is not encapsulated, an SCTP packet containing an
ABORT chunk MUST be sent. The ABORT chunk MAY include the error
cause defined below indicating an "Restart of an Association with
New Encapsulation Port". This packet containing the ABORT chunk
MUST NOT be encapsulated in UDP.
7. If the UDP encapsulation for outgoing packets towards the source
address of the received SCTP packet is enabled and the received
SCTP packet is encapsulated, but the UDP source port of the
received SCTP packet is not equal to the remote UDP encapsulation
port for the source address of the received SCTP packet, an SCTP
packet containing an ABORT chunk MUST be sent. The ABORT chunk
MAY include the error cause defined below indicating an "Restart
of an Association with New Encapsulation Port". This packet
containing the ABORT chunk MUST be encapsulated in UDP. The UDP
source port and UDP destination port used for sending the packet
containing the ABORT chunk are the UDP destination port and UDP
source port of the received packet containing the INIT chunk.
8. If the UDP encapsulation for outgoing packets towards the source
address of the received SCTP packet is enabled and the received
SCTP packet is encapsulated and the UDP source port of the
received SCTP packet is equal to the remote UDP encapsulation
port for the source address of the received SCTP packet, the
processing defined in [RFC4960] MUST be performed. If a packet
is sent in response, it MUST be encapsulated. The UDP source
port and UDP destination port used for sending the packet
containing the ABORT chunk are the UDP destination port and UDP
source port of the received packet containing the INIT chunk.
The error cause indicating an "Restart of an Association with New
Encapsulation Port" is defined bytes the following figure.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 14 | Cause Length = 8 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Current Encapsulation Port | New Encapsulation Port |
+-------------------------------+-------------------------------+
Cause Code: 2 bytes (unsigned integer)
Tuexen & Stewart Expires May 2, 2017 [Page 4]
Internet-Draft Additional Considerations for SCTP over UDP October 2016
This field MUST hold the IANA defined error cause code for the
"Restart of an Association with New Encapsulation Port" error
cause. The suggested value of this field for IANA is 14.
Cause Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the error cause; the value
MUST be 8.
Current Encapsulation Port: 2 bytes (unsigned integer)
This field holds the remote encapsulation port currently being
used for the destination address the received packet containing
the INIT chunk was sent from. If the UDP encapsulation for
destination address is currently disabled, 0 is used.
New Encapsulation Port: 2 bytes (unsigned integer)
If the received SCTP packet containing the INIT chunk is
encapsulated in UDP, this field holds the UDP source port number
of the UDP packet. If the received SCTP packet is not
encapsulated in UDP, this field is 0.
All transported integer numbers are in "network byte order" a.k.a.,
Big Endian.
5. IANA Considerations
[NOTE to RFC-Editor:
"RFCXXXX" is to be replaced by the RFC number you assign this
document.
]
[NOTE to RFC-Editor:
The suggested value for the error cause code is tentative and to
be confirmed by IANA.
]
This document (RFCXXXX) is the reference for the registration
described in this section.
A new error cause code has to be assigned by IANA. This requires an
additional line in the "Error Cause Codes" registry for SCTP:
Tuexen & Stewart Expires May 2, 2017 [Page 5]
Internet-Draft Additional Considerations for SCTP over UDP October 2016
Error Cause Codes
Value Cause Code Reference
----- ---------- ---------
14 Restart of an Association with New Encapsulation Port [RFCXXXX]
6. Security Considerations
This document does not change the considerations given in [RFC6951].
However, not following the procedures given in this document might
allow an attacker to take over SCTP associations. The attacker needs
only to share the IP address of an existing SCTP association.
It should also be noted that if firewalls will be applied at the SCTP
association level they have to take the UDP encapsulation into
account.
7. Acknowledgments
The authors wish to thank Georgios Papastergiou for an initial
problem report.
The authors wish to thank Irene Ruengeler and Felix Weinrank for
their invaluable comments.
This work has received funding from the European Union's Horizon 2020
research and innovation programme under grant agreement No. 644334
(NEAT). The views expressed are solely those of the author(s).
8. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol",
RFC 4960, DOI 10.17487/RFC4960, September 2007,
<http://www.rfc-editor.org/info/rfc4960>.
[RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream
Control Transmission Protocol (SCTP) Packets for End-Host
to End-Host Communication", RFC 6951,
DOI 10.17487/RFC6951, May 2013,
<http://www.rfc-editor.org/info/rfc6951>.
Tuexen & Stewart Expires May 2, 2017 [Page 6]
Internet-Draft Additional Considerations for SCTP over UDP October 2016
Authors' Addresses
Michael Tuexen
Muenster University of Applied Sciences
Stegerwaldstrasse 39
48565 Steinfurt
Germany
Email: tuexen@fh-muenster.de
Randall R. Stewart
Netflix, Inc.
Chapin, SC 29036
United States
Email: randall@lakerest.net
Tuexen & Stewart Expires May 2, 2017 [Page 7]