draft-ietf-tsvwg-sctp-auth-06.txt   draft-ietf-tsvwg-sctp-auth-07.txt 
Network Working Group M. Tuexen Network Working Group M. Tuexen
Internet-Draft Muenster Univ. of Applied Sciences Internet-Draft Muenster Univ. of Applied Sciences
Intended status: Standards Track R. Stewart Intended status: Standards Track R. Stewart
Expires: May 28, 2007 P. Lei Expires: July 26, 2007 P. Lei
Cisco Systems, Inc. Cisco Systems, Inc.
E. Rescorla E. Rescorla
RTFM, Inc. RTFM, Inc.
November 24, 2006 January 22, 2007
Authenticated Chunks for Stream Control Transmission Protocol (SCTP) Authenticated Chunks for Stream Control Transmission Protocol (SCTP)
draft-ietf-tsvwg-sctp-auth-06.txt draft-ietf-tsvwg-sctp-auth-07.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 28, 2007. This Internet-Draft will expire on July 26, 2007.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The IETF Trust (2007).
Abstract Abstract
This document describes a new chunk type, several parameters and This document describes a new chunk type, several parameters and
procedures for SCTP. This new chunk type can be used to authenticate procedures for SCTP. This new chunk type can be used to authenticate
SCTP chunks by using shared keys between the sender and receiver. SCTP chunks by using shared keys between the sender and receiver.
The new parameters are used to establish the shared keys. The new parameters are used to establish the shared keys.
Table of Contents Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3 New Parameter Types . . . . . . . . . . . . . . . . . . . . . . 3 3. New Parameter Types . . . . . . . . . . . . . . . . . . . . . 3
3.1 Random Parameter (RANDOM) . . . . . . . . . . . . . . . . . 4 3.1. Random Parameter (RANDOM) . . . . . . . . . . . . . . . . 4
3.2 Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . . 4 3.2. Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . 4
3.3 Requested HMAC Algorithm Parameter (HMAC-ALGO) . . . . . . 5 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) . . . . . . 5
4 New Error Cause . . . . . . . . . . . . . . . . . . . . . . . . 7 4. New Error Cause . . . . . . . . . . . . . . . . . . . . . . . 7
4.1 Unsupported HMAC Identifier error cause . . . . . . . . . . 7 4.1. Unsupported HMAC Identifier error cause . . . . . . . . . 7
5 New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . . 7 5. New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1 Authentication Chunk (AUTH) . . . . . . . . . . . . . . . . 8 5.1. Authentication Chunk (AUTH) . . . . . . . . . . . . . . . 8
6 Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 9 6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1 Establishment of an association shared key . . . . . . . . 9 6.1. Establishment of an association shared key . . . . . . . . 9
6.2 Sending authenticated chunks . . . . . . . . . . . . . . . 10 6.2. Sending authenticated chunks . . . . . . . . . . . . . . . 10
6.3 Receiving authenticated chunks . . . . . . . . . . . . . . 11 6.3. Receiving authenticated chunks . . . . . . . . . . . . . . 11
7 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
8 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 13 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
8.1 A New Chunk Type . . . . . . . . . . . . . . . . . . . . . 13 8.1. A New Chunk Type . . . . . . . . . . . . . . . . . . . . . 14
8.2 Three New Parameter Types . . . . . . . . . . . . . . . . . 14 8.2. Three New Parameter Types . . . . . . . . . . . . . . . . 14
8.3 A New Error Cause . . . . . . . . . . . . . . . . . . . . . 14 8.3. A New Error Cause . . . . . . . . . . . . . . . . . . . . 14
8.4 A New Table For HMAC Identifiers . . . . . . . . . . . . . 14 8.4. A New Table For HMAC Identifiers . . . . . . . . . . . . . 15
9 Security Considerations . . . . . . . . . . . . . . . . . . . . 15 9. Security Considerations . . . . . . . . . . . . . . . . . . . 15
10 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 16 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16
11 Normative References . . . . . . . . . . . . . . . . . . . . . 16 11. Normative References . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17
Intellectual Property and Copyright Statements . . . . . . . . . . 18 Intellectual Property and Copyright Statements . . . . . . . . . . 18
1 Introduction 1. Introduction
SCTP uses 32 bit verification tags to protect itself against blind SCTP uses 32 bit verification tags to protect itself against blind
attackers. These values are not changed during the lifetime of an attackers. These values are not changed during the lifetime of an
SCTP association. SCTP association.
Looking at new SCTP extensions there is the need to have a method of Looking at new SCTP extensions there is the need to have a method of
proving that an SCTP chunk(s) was really sent by the original peer proving that an SCTP chunk(s) was really sent by the original peer
that started the association and not by a malicious attacker. that started the association and not by a malicious attacker.
Using TLS as defined in RFC3436 [6] does not help here because it Using TLS as defined in RFC3436 [6] does not help here because it
skipping to change at page 3, line 30 skipping to change at page 3, line 30
shared keys are derived from endpoint pair shared keys, which are shared keys are derived from endpoint pair shared keys, which are
configured and might be empty, and data which is exchanged during the configured and might be empty, and data which is exchanged during the
SCTP association setup. SCTP association setup.
The extension presented in this document allows an SCTP sender to The extension presented in this document allows an SCTP sender to
sign chunks using shared keys between the sender and receiver. The sign chunks using shared keys between the sender and receiver. The
receiver can then verify that the chunks are sent from the sender and receiver can then verify that the chunks are sent from the sender and
not from a malicious attacker as long as the attacker does not know not from a malicious attacker as long as the attacker does not know
an association shared key. an association shared key.
2 Conventions 2. Conventions
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL", when they appear in this document, are to be interpreted "OPTIONAL", when they appear in this document, are to be interpreted
as described in RFC2119 [3]. as described in RFC2119 [3].
3 New Parameter Types 3. New Parameter Types
This section defines the new parameter types that will be used to This section defines the new parameter types that will be used to
negotiate the authentication during association setup. Table 1 negotiate the authentication during association setup. Table 1
illustrates the new parameter types. illustrates the new parameter types.
+----------------+------------------------------------------------+ +----------------+------------------------------------------------+
| Parameter Type | Parameter Name | | Parameter Type | Parameter Name |
+----------------+------------------------------------------------+ +----------------+------------------------------------------------+
| 0x8002 | Random Parameter (RANDOM) | | 0x8002 | Random Parameter (RANDOM) |
| 0x8003 | Chunk List Parameter (CHUNKS) | | 0x8003 | Chunk List Parameter (CHUNKS) |
| 0x8004 | Requested HMAC Algorithm Parameter (HMAC-ALGO) | | 0x8004 | Requested HMAC Algorithm Parameter (HMAC-ALGO) |
+----------------+------------------------------------------------+ +----------------+------------------------------------------------+
Table 1 Table 1
It should be noted that the parameter format requires the receiver to It should be noted that the parameter format requires the receiver to
ignore the parameter and continue processing if it is not understood. ignore the parameter and continue processing if it is not understood.
This is accomplished as described in RFC2960 [5] section 3.2.1. by This is accomplished as described in RFC2960 [5] section 3.2.1. by
the use of the upper bits of the parameter type. the use of the upper bits of the parameter type.
3.1 Random Parameter (RANDOM) 3.1. Random Parameter (RANDOM)
This parameter is used to carry an arbitrary length random number. This parameter is used to carry an arbitrary length random number.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8002 | Parameter Length | | Parameter Type = 0x8002 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
\ Random Number / \ Random Number /
skipping to change at page 4, line 40 skipping to change at page 4, line 40
Parameter Length: 2 bytes (unsigned integer) Parameter Length: 2 bytes (unsigned integer)
This value is the length of the Random Number in bytes plus 4. This value is the length of the Random Number in bytes plus 4.
Random Number: n bytes (unsigned integer) Random Number: n bytes (unsigned integer)
This value represents an arbitrary Random Number in network byte This value represents an arbitrary Random Number in network byte
order. order.
The RANDOM parameter MUST be included once in the INIT or INIT-ACK The RANDOM parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks. chunk if the sender wants to send or receive authenticated chunks.
3.2 Chunk List Parameter (CHUNKS) 3.2. Chunk List Parameter (CHUNKS)
This parameter is used to specify which chunk types are required to This parameter is used to specify which chunk types are required to
be sent authenticated by the peer. be sent authenticated by the peer.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8003 | Parameter Length | | Parameter Type = 0x8003 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type 1 | Chunk Type 2 | Chunk Type 3 | Chunk Type 4 | | Chunk Type 1 | Chunk Type 2 | Chunk Type 3 | Chunk Type 4 |
skipping to change at page 5, line 40 skipping to change at page 5, line 40
The CHUNKS parameter MUST be included once in the INIT or INIT-ACK The CHUNKS parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to receive authenticated chunks. Its chunk if the sender wants to receive authenticated chunks. Its
maximum length is 260 bytes. maximum length is 260 bytes.
The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE and AUTH chunks The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE and AUTH chunks
MUST NOT be listed in the CHUNKS parameter. However, if a CHUNKS MUST NOT be listed in the CHUNKS parameter. However, if a CHUNKS
parameter is received then the types for INIT, INIT-ACK, SHUTDOWN- parameter is received then the types for INIT, INIT-ACK, SHUTDOWN-
COMPLETE and AUTH chunks MUST be ignored. COMPLETE and AUTH chunks MUST be ignored.
3.3 Requested HMAC Algorithm Parameter (HMAC-ALGO) 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO)
This parameter is used to list the HMAC identifiers the peer MUST This parameter is used to list the HMAC identifiers the peer MUST
use. use.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8004 | Parameter Length | | Parameter Type = 0x8004 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier 1 | HMAC Identifier 2 | | HMAC Identifier 1 | HMAC Identifier 2 |
skipping to change at page 7, line 5 skipping to change at page 7, line 5
| 0 | Reserved | | 0 | Reserved |
| 1 | SHA-1 defined in [6] | | 1 | SHA-1 defined in [6] |
| 3 | SHA-256 defined in [6] | | 3 | SHA-256 defined in [6] |
+-----------------+--------------------------+ +-----------------+--------------------------+
Table 2 Table 2
Every endpoint supporting SCTP chunk authentication MUST support the Every endpoint supporting SCTP chunk authentication MUST support the
HMAC based on the SHA-1 algorithm. HMAC based on the SHA-1 algorithm.
4 New Error Cause 4. New Error Cause
This section defines a new error cause that will be sent if an AUTH This section defines a new error cause that will be sent if an AUTH
chunk is received with an unsupported HMAC identifier. Table 3 chunk is received with an unsupported HMAC identifier. Table 3
illustrates the new error cause. illustrates the new error cause.
+------------+-----------------------------+ +------------+-----------------------------+
| Cause Code | Error Cause Name | | Cause Code | Error Cause Name |
+------------+-----------------------------+ +------------+-----------------------------+
| 0x0105 | Unsupported HMAC Identifier | | 0x0105 | Unsupported HMAC Identifier |
+------------+-----------------------------+ +------------+-----------------------------+
Table 3 Table 3
4.1 Unsupported HMAC Identifier error cause 4.1. Unsupported HMAC Identifier error cause
This error cause is used to indicate that an AUTH chunk was received This error cause is used to indicate that an AUTH chunk was received
with an unsupported HMAC Identifier. with an unsupported HMAC Identifier.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x0105 | Cause Length = 6 | | Cause Code = 0x0105 | Cause Length = 6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier | Padding | | HMAC Identifier | Padding |
skipping to change at page 7, line 43 skipping to change at page 7, line 43
Cause Code: 2 bytes (unsigned integer) Cause Code: 2 bytes (unsigned integer)
This value MUST be set to 0x0105. This value MUST be set to 0x0105.
Cause Length: 2 bytes (unsigned integer) Cause Length: 2 bytes (unsigned integer)
This value MUST be set to 6. This value MUST be set to 6.
HMAC Identifier: 2 bytes (unsigned integer) HMAC Identifier: 2 bytes (unsigned integer)
This value is the HMAC Identifier which is not supported. This value is the HMAC Identifier which is not supported.
5 New Chunk Type 5. New Chunk Type
This section defines the new chunk type that will be used to This section defines the new chunk type that will be used to
authenticate chunks. Table 4 illustrates the new chunk type. authenticate chunks. Table 4 illustrates the new chunk type.
+------------+-----------------------------+ +------------+-----------------------------+
| Chunk Type | Chunk Name | | Chunk Type | Chunk Name |
+------------+-----------------------------+ +------------+-----------------------------+
| 0x0F | Authentication Chunk (AUTH) | | 0x0F | Authentication Chunk (AUTH) |
+------------+-----------------------------+ +------------+-----------------------------+
Table 4 Table 4
It should be noted that the AUTH-chunk format requires the receiver It should be noted that the AUTH-chunk format requires the receiver
to ignore the chunk if it is not understood and silently discard all to ignore the chunk if it is not understood and silently discard all
chunks that follow. This is accomplished as described in RFC2960 [5] chunks that follow. This is accomplished as described in RFC2960 [5]
section 3.2. by the use of the upper bits of the chunk type. section 3.2. by the use of the upper bits of the chunk type.
5.1 Authentication Chunk (AUTH) 5.1. Authentication Chunk (AUTH)
This chunk is used to hold the result of the HMAC calculation. This chunk is used to hold the result of the HMAC calculation.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x0F | Flags=0 | Length | | Type = 0x0F | Flags=0 | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Shared Key Identifier | HMAC Identifier | | Shared Key Identifier | HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 9, line 15 skipping to change at page 9, line 15
HMAC: n bytes (unsigned integer) HMAC: n bytes (unsigned integer)
This hold the result of the HMAC calculation. This hold the result of the HMAC calculation.
The control chunk AUTH MUST NOT appear more than once in an SCTP The control chunk AUTH MUST NOT appear more than once in an SCTP
packet. All control and data chunks which are placed after the AUTH packet. All control and data chunks which are placed after the AUTH
chunk in the packet are sent in an authenticated way. Those chunks chunk in the packet are sent in an authenticated way. Those chunks
placed in a packet before the AUTH chunk are not authenticated. placed in a packet before the AUTH chunk are not authenticated.
Please note that DATA chunks can not appear before control chunks in Please note that DATA chunks can not appear before control chunks in
an SCTP packet. an SCTP packet.
6 Procedures 6. Procedures
6.1 Establishment of an association shared key 6.1. Establishment of an association shared key
An SCTP endpoint willing to receive or send authenticated chunks MUST An SCTP endpoint willing to receive or send authenticated chunks MUST
send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM
parameter MUST contain a 32 byte random number. If the random number parameter MUST contain a 32 byte random number. If the random number
is not 32 byte long the association MUST be aborted. The ABORT chunk is not 32 byte long the association MUST be aborted. The ABORT chunk
SHOULD contain the error cause 'Protocol Violation'. In case of INIT SHOULD contain the error cause 'Protocol Violation'. In case of INIT
collision, the rules governing the handling of this random number collision, the rules governing the handling of this random number
follow the same pattern as those for the Verification Tag, as follow the same pattern as those for the Verification Tag, as
explained in section 5.2.4 of RFC2960 [5]. Therefore each endpoint explained in section 5.2.4 of RFC2960 [5]. Therefore each endpoint
knows its own random number and the peer's random number after the knows its own random number and the peer's random number after the
skipping to change at page 9, line 50 skipping to change at page 9, line 50
be supported and included in the HMAC-ALGO parameter. An SCTP be supported and included in the HMAC-ALGO parameter. An SCTP
endpoint MUST NOT change the parameters listed in the HMAC-ALGO endpoint MUST NOT change the parameters listed in the HMAC-ALGO
parameter during the lifetime of the endpoint. parameter during the lifetime of the endpoint.
Both endpoints of an association MAY have endpoint pair shared keys Both endpoints of an association MAY have endpoint pair shared keys
which are byte vectors and pre-configured or established by another which are byte vectors and pre-configured or established by another
mechanism. They are identified by the shared key identifier. If no mechanism. They are identified by the shared key identifier. If no
endpoint pair shared keys are preconfigured or established by another endpoint pair shared keys are preconfigured or established by another
mechanism an empty byte vector is used. mechanism an empty byte vector is used.
The random number value, the list of chunks and the list of HMAC The RANDOM parameter, the CHUNKS parameter and the HMAC-ALGO
identifiers in network byte order sent by each endpoint are parameter sent by each endpoint are concatenated as byte vectors.
concatenated as byte vectors. The resulting two vectors are called
the two key numbers. Parameters which were not sent are simply omitted from the
concatenation process. The resulting two vectors are called the two
key numbers.
From the endpoint pair shared keys and the key numbers the From the endpoint pair shared keys and the key numbers the
association shared keys are computed. This is performed by selecting association shared keys are computed. This is performed by selecting
the smaller key number and concatenating it to the endpoint pair the smaller key number and concatenating it to the endpoint pair
shared key, and then concatenating the larger of the key numbers to shared key, and then concatenating the larger of the key numbers to
that. If both key numbers are equal, then the concatenation order is that. If both key numbers are equal, then the concatenation order is
the endpoint shared key, followed by the key number with the shorter the endpoint shared key, followed by the key number with the shorter
length, followed by the key number with the longer length. If the length, followed by the key number with the longer length. If the
key number lengths are the same, then they may be concatenated to the key number lengths are the same, then they may be concatenated to the
endpoint pair key in any order. The concatenation is performed on endpoint pair key in any order. The concatenation is performed on
byte vectors representing all numbers in network byte order. The byte vectors representing all numbers in network byte order. The
result is the association shared key. result is the association shared key.
6.2 Sending authenticated chunks 6.2. Sending authenticated chunks
Endpoints MUST send all requested chunks authenticated where this has Endpoints MUST send all requested chunks authenticated where this has
been requested by the peer. The other chunks MAY be sent been requested by the peer. The other chunks MAY be sent
authenticated or not. If endpoint pair shared keys are used, one of authenticated or not. If endpoint pair shared keys are used, one of
them MUST be selected for authentication. them MUST be selected for authentication.
To send chunks in an authenticated way, the sender MUST include these To send chunks in an authenticated way, the sender MUST include these
chunks after an AUTH chunk. This means that a sender MUST bundle chunks after an AUTH chunk. This means that a sender MUST bundle
chunks in order to authenticate them. chunks in order to authenticate them.
skipping to change at page 11, line 12 skipping to change at page 11, line 12
Figure 6 Figure 6
Please note that all fields are in network byte order and that the Please note that all fields are in network byte order and that the
field which will contain the complete HMAC is filled with zeroes. field which will contain the complete HMAC is filled with zeroes.
The length of the field shown as 0 is the length of the HMAC The length of the field shown as 0 is the length of the HMAC
described by the HMAC Identifier. The padding of all chunks being described by the HMAC Identifier. The padding of all chunks being
authenticated MUST be included in the HMAC computation. authenticated MUST be included in the HMAC computation.
The sender fills the HMAC into the HMAC field and sends the packet. The sender fills the HMAC into the HMAC field and sends the packet.
6.3 Receiving authenticated chunks 6.3. Receiving authenticated chunks
The receiver has a list of chunk types which it expects to be The receiver has a list of chunk types which it expects to be
received only after an AUTH-chunk. This list has been sent to the received only after an AUTH-chunk. This list has been sent to the
peer during the association setup. It MUST silently discard these peer during the association setup. It MUST silently discard these
chunks if they are not placed after an AUTH chunk in the packet. chunks if they are not placed after an AUTH chunk in the packet.
The receiver MUST use the HMAC algorithm indicated in the HMAC The receiver MUST use the HMAC algorithm indicated in the HMAC
Identifier field. If this algorithm was not specified by the Identifier field. If this algorithm was not specified by the
receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
during association setup, the AUTH chunk and all chunks after it MUST during association setup, the AUTH chunk and all chunks after it MUST
skipping to change at page 11, line 49 skipping to change at page 11, line 49
discarded. discarded.
It should be noted that if the receiver wants to tear down an It should be noted that if the receiver wants to tear down an
association in an authenticated way only, the handling of malformed association in an authenticated way only, the handling of malformed
packets should be in tune with this. packets should be in tune with this.
An SCTP implementation has to maintain state for each SCTP An SCTP implementation has to maintain state for each SCTP
association. In the following we call this data structure the SCTP association. In the following we call this data structure the SCTP
transmission control block (STCB). transmission control block (STCB).
If the receiver does not find a STCB for a packet containing an AUTH When an endpoint requires COOKIE-ECHO chunks to be authenticated some
chunk as a first chunk and a COOKIE-ECHO chunk as the second chunk special procedures have to be followed because the reception of an
and possibly more chunks after them, the receiver MUST authenticate COOKIE-ECHO chunk might result in the creation of an SCTP
the chunks by using the random numbers included in the COOKIE-ECHO, association. If the receiver does not find a STCB for a packet
and possibly the local shared secret. If authentication fails then containing an AUTH chunk as a first chunk and a COOKIE-ECHO chunk as
the packet discarded. If the authentication is successful the the second chunk and possibly more chunks after them, the receiver
COOKIE-ECHO and all chunks after the COOKIE-ECHO MUST be processed. MUST authenticate the chunks by using the random numbers included in
If the receiver has a STCB, it MUST process the AUTH chunk as the COOKIE-ECHO, and possibly the local shared secret. If
described above using the STCB from the existing association to authentication fails then the packet is discarded. If the
authenticate the COOKIE-ECHO chunk and all chunks after it. authentication is successful the COOKIE-ECHO and all chunks after the
COOKIE-ECHO MUST be processed. If the receiver has a STCB, it MUST
process the AUTH chunk as described above using the STCB from the
existing association to authenticate the COOKIE-ECHO chunk and all
chunks after it.
If the receiver does not find a STCB for a packet containing an AUTH If the receiver does not find a STCB for a packet containing an AUTH
chunk as the first chunk and not a COOKIE-ECHO chunk as the second chunk as the first chunk and not a COOKIE-ECHO chunk as the second
chunk, it MUST use the chunks after the AUTH chunk to look up an chunk, it MUST use the chunks after the AUTH chunk to look up an
existing association. If no association is found, the packet MUST be existing association. If no association is found, the packet MUST be
considered as out of the blue. The out of the blue handling MUST be considered as out of the blue. The out of the blue handling MUST be
based on the packet without taking the AUTH chunk into account. If based on the packet without taking the AUTH chunk into account. If
an association is found, it MUST process the AUTH chunk using the an association is found, it MUST process the AUTH chunk using the
STCB from the existing association as described earlier. STCB from the existing association as described earlier.
If the receiver of the packet does not have a STCB when it needs to If the receiver of the packet does not have a STCB when it needs to
process the AUTH chunk, it MUST ignore the AUTH chunk. This applies process the AUTH chunk, it MUST ignore the AUTH chunk. This applies
to a packet containing an AUTH chunk as a first chunk and an COOKIE- to a packet containing an AUTH chunk as a first chunk and an COOKIE-
ECHO chunk as the second chunk received in the CLOSED state. If the ECHO chunk as the second chunk received in the CLOSED state. If the
receiver has a STCB, it MUST process the AUTH chunk as described receiver has a STCB, it MUST process the AUTH chunk as described
above. above.
Requiring ABORT chunks and COOKIE-ECHO chunks to be authenticated Requiring ABORT chunks and COOKIE-ECHO chunks to be authenticated
makes it impossible for an attacker to bring down or restart an makes it impossible for an attacker to bring down or restart an
association as long as the attacker does not know an association association as long as the attacker does not know the association
shared key. But it should also be noted that if an endpoint accepts shared key. But it should also be noted that if an endpoint accepts
ABORT chunks only in an authenticated way, it may take longer to ABORT chunks only in an authenticated way, it may take longer to
detect that the peer is no longer available. If an endpoint accepts detect that the peer is no longer available. If an endpoint accepts
COOKIE-ECHO chunks only in an authenticated way, the restart COOKIE-ECHO chunks only in an authenticated way, the restart
procedure does not work. procedure does not work, because the restarting end-point most likely
does not know the association shared key of the old association to be
restarted. However, if the restarting end-point does know the old
association shared key he can send successfully the COOKIE-ECHO chunk
in a way that it is accepted by the peer by using this old
association shared key for the packet containing the AUTH chunk.
After this operation both end-points have to use the new association
shared key.
If a server has an endpoint pair shared key with some clients it can
request the COOKIE_ECHO chunk to be authenticated and can ensure that
only associations from client with a correct endpoint pair shared key
are accepted.
Furthermore it is important that the cookie contained in an INIT-ACK Furthermore it is important that the cookie contained in an INIT-ACK
chunk and in a COOKIE-ECHO chunk MUST NOT contain the end-point pair chunk and in a COOKIE-ECHO chunk MUST NOT contain the end-point pair
shared key. shared key.
7 Examples 7. Examples
This section gives examples of message exchanges for association This section gives examples of message exchanges for association
setup. setup.
The simplest way of using the extension described in this document is The simplest way of using the extension described in this document is
given by the following message exchange. given by the following message exchange.
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
-------------------- COOKIE-ECHO --------------------> -------------------- COOKIE-ECHO -------------------->
skipping to change at page 13, line 34 skipping to change at page 13, line 46
the processing of the COOKIE-ECHO chunk (COMMUNICATION-UP the processing of the COOKIE-ECHO chunk (COMMUNICATION-UP
notification followed by the presentation of the endpoint pair shared notification followed by the presentation of the endpoint pair shared
key by the upper layer to the SCTP stack) and the processing of the key by the upper layer to the SCTP stack) and the processing of the
AUTH and DATA chunk at the server side. If this intervention is not AUTH and DATA chunk at the server side. If this intervention is not
possible due to limitations of the API (for example the socket API) possible due to limitations of the API (for example the socket API)
the server might discard the AUTH and DATA chunk making a the server might discard the AUTH and DATA chunk making a
retransmission of the DATA chunk necessary. If the same endpoint retransmission of the DATA chunk necessary. If the same endpoint
pair shared key is used for multiple endpoints and does not depend on pair shared key is used for multiple endpoints and does not depend on
the client this intervention might not be necessary. the client this intervention might not be necessary.
8 IANA Considerations 8. IANA Considerations
[NOTE to RFC-Editor: [NOTE to RFC-Editor:
"RFCXXXX" is to be replaced by the RFC number you assign this "RFCXXXX" is to be replaced by the RFC number you assign this
document. document.
] ]
This document (RFCXXX) is the reference for all registrations This document (RFCXXX) is the reference for all registrations
described in this section. All registrations need to be listed in described in this section. All registrations need to be listed in
the document available at sctp-parameters [8]. The suggested changes the document available at sctp-parameters [8]. The suggested changes
are described below. are described below.
8.1 A New Chunk Type 8.1. A New Chunk Type
A chunk type for the AUTH chunk has to be assigned by IANA. It is A chunk type for the AUTH chunk has to be assigned by IANA. It is
suggested to use the value given in Table 4. This requires an suggested to use the value given in Table 4. This requires an
additional line in the "CHUNK TYPES" table of sctp-parameters [8]: additional line in the "CHUNK TYPES" table of sctp-parameters [8]:
CHUNK TYPES CHUNK TYPES
ID Value Chunk Type Reference ID Value Chunk Type Reference
----- ---------- --------- ----- ---------- ---------
15 Authentication Chunk (AUTH) [RFCXXXX] 15 Authentication Chunk (AUTH) [RFCXXXX]
8.2 Three New Parameter Types 8.2. Three New Parameter Types
Parameter types have to be assigned for the RANDOM, CHUNKS, and HMAC- Parameter types have to be assigned for the RANDOM, CHUNKS, and HMAC-
ALGO parameter by IANA. It is suggested to use the values given in ALGO parameter by IANA. It is suggested to use the values given in
Table 1. This requires two modifications of the "CHUNK PARAMETER Table 1. This requires two modifications of the "CHUNK PARAMETER
TPYES" tables in sctp-parameters [8]: The first change is the TPYES" tables in sctp-parameters [8]: The first change is the
addition of three new lines to the "INIT Chunk Parameter Types" addition of three new lines to the "INIT Chunk Parameter Types"
table: table:
Chunk Parameter Type Value Chunk Parameter Type Value
-------------------- ----- -------------------- -----
Random 32770 (0x8002) Random 32770 (0x8002)
Chunk List 32771 (0x8003) Chunk List 32771 (0x8003)
Requested HMAC Algorithm Parameter 32772 (0x8004) Requested HMAC Algorithm Parameter 32772 (0x8004)
The second required change is the addition of the same three lines to The second required change is the addition of the same three lines to
the to the "INIT ACK Chunk Parameter Types" table. the to the "INIT ACK Chunk Parameter Types" table.
8.3 A New Error Cause 8.3. A New Error Cause
An error cause for the Unsupported HMAC Identifier error cause has to An error cause for the Unsupported HMAC Identifier error cause has to
be assigned. It is suggested to use the value given in Table 3. be assigned. It is suggested to use the value given in Table 3.
This requires an additional line of the "CAUSE CODES" table in sctp- This requires an additional line of the "CAUSE CODES" table in sctp-
parameters [8]: parameters [8]:
VALUE CAUSE CODE REFERENCE VALUE CAUSE CODE REFERENCE
----- ---------------- --------- ----- ---------------- ---------
261 (0x0105) Unsupported HMAC Identifier RFCXXXX 261 (0x0105) Unsupported HMAC Identifier RFCXXXX
8.4 A New Table For HMAC Identifiers 8.4. A New Table For HMAC Identifiers
HMAC Identifiers have to be maintained by IANA. Three initial values HMAC Identifiers have to be maintained by IANA. Three initial values
should be assigned by IANA as described in Table 2. This requires a should be assigned by IANA as described in Table 2. This requires a
new table "HMAC IDENTIFIERS" in sctp-parameters [8]: new table "HMAC IDENTIFIERS" in sctp-parameters [8]:
HMAC Identifier Message Digest Algorithm REFERENCE HMAC Identifier Message Digest Algorithm REFERENCE
--------------- ------------------------ --------- --------------- ------------------------ ---------
0 Reserved RFCXXXX 0 Reserved RFCXXXX
1 SHA-1 RFCXXXX 1 SHA-1 RFCXXXX
3 SHA-256 RFCXXXX 3 SHA-256 RFCXXXX
skipping to change at page 15, line 4 skipping to change at page 15, line 20
HMAC Identifiers have to be maintained by IANA. Three initial values HMAC Identifiers have to be maintained by IANA. Three initial values
should be assigned by IANA as described in Table 2. This requires a should be assigned by IANA as described in Table 2. This requires a
new table "HMAC IDENTIFIERS" in sctp-parameters [8]: new table "HMAC IDENTIFIERS" in sctp-parameters [8]:
HMAC Identifier Message Digest Algorithm REFERENCE HMAC Identifier Message Digest Algorithm REFERENCE
--------------- ------------------------ --------- --------------- ------------------------ ---------
0 Reserved RFCXXXX 0 Reserved RFCXXXX
1 SHA-1 RFCXXXX 1 SHA-1 RFCXXXX
3 SHA-256 RFCXXXX 3 SHA-256 RFCXXXX
For registering at IANA a new HMAC Identifier in this table a request For registering at IANA a new HMAC Identifier in this table a request
has to be made to assign such a number. This number must be unique has to be made to assign such a number. This number must be unique
and a message digest algorithm usable with the HMAC defined in and a message digest algorithm usable with the HMAC defined in
RFC2104 [2] MUST be specified. The "Specification Required" policy RFC2104 [2] MUST be specified. The "Specification Required" policy
of RFC2434 [4] MUST be applied. of RFC2434 [4] MUST be applied.
9 Security Considerations 9. Security Considerations
Without using endpoint shared keys this extension only protects Without using endpoint shared keys this extension only protects
against modification or injection of authenticated chunks by against modification or injection of authenticated chunks by
attackers who did not capture the initial handshake setting up the attackers who did not capture the initial handshake setting up the
SCTP association. SCTP association.
If an endpoint pair shared key is used even a true man in the middle If an endpoint pair shared key is used even a true man in the middle
cannot inject chunks which are required to be authenticated even if cannot inject chunks which are required to be authenticated even if
he intercepts the initial message exchange. The endpoint also knows he intercepts the initial message exchange. The endpoint also knows
that it is accepting authenticated chunks from a peer who knows the that it is accepting authenticated chunks from a peer who knows the
endpoint pair shared key. endpoint pair shared key.
The establishment of endpoint pair shared keys is out of scope of The establishment of endpoint pair shared keys is out of scope of
this document. Other mechanisms can be used like using TLS or manual this document. Other mechanisms can be used like using TLS or manual
configuration. configuration.
When an endpoint accepts COOKIE-ECHO chunks only in an authenticated
way the restart procedure does not work. Neither an attacker nor a
restarted end-point not knowing the association shared key can
perform an restart. However, if the association shared key is known,
it is possible to restart the association.
Because SCTP has already a mechanism built-in that handles the Because SCTP has already a mechanism built-in that handles the
reception of duplicated chunks, the presented solution makes use of reception of duplicated chunks, the presented solution makes use of
this functionality and does not provide a method to avoid replay this functionality and does not provide a method to avoid replay
attacks by itself. Of course, this only works within each SCTP attacks by itself. Of course, this only works within each SCTP
association. Therefore a separate shared key is used for each SCTP association. Therefore a separate shared key is used for each SCTP
association to handle replay attacks covering multiple SCTP association to handle replay attacks covering multiple SCTP
associations. associations.
Each endpoint presenting a list of more than one element in the HMAC- Each endpoint presenting a list of more than one element in the HMAC-
ALGO parameter must be prepared that the peer uses the weakest ALGO parameter must be prepared that the peer uses the weakest
algorithm listed. algorithm listed.
If an endpoint requests the authentication of some chunks using the
CHUNKS parameter and an attacker intercepts the handshake used to
setup the association and modifies or removes this CHUNKS parameter
this endpoint will not accept chunks which are authenticated or needs
to be authenticated and are not. This might result in the failure of
the association.
When an endpoint pair uses non-NULL endpoint pair shared keys and one When an endpoint pair uses non-NULL endpoint pair shared keys and one
of the endpoints still accepts a NULL key an attacker who captured of the endpoints still accepts a NULL key an attacker who captured
the initial handshake can still inject or modify authenticated chunks the initial handshake can still inject or modify authenticated chunks
by using the NULL key. by using the NULL key.
10 Acknowledgments 10. Acknowledgments
The authors wish to thank Sascha Grau, Ivan Arias Rodriguez, Irene The authors wish to thank Sascha Grau, Ivan Arias Rodriguez, Irene
Ruengeler, and Magnus Westerlund for their invaluable comments. Ruengeler, and Magnus Westerlund for their invaluable comments.
11. Normative References 11. Normative References
[1] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [1] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992. April 1992.
[2] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing [2] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
skipping to change at page 18, line 7 skipping to change at page 18, line 7
RTFM, Inc. RTFM, Inc.
2064 Edgewood Drive 2064 Edgewood Drive
Palo Alto, CA 94303 Palo Alto, CA 94303
USA USA
Phone: +1 650-320-8549 Phone: +1 650-320-8549
Email: ekr@rtfm.com Email: ekr@rtfm.com
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2006). Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
 End of changes. 37 change blocks. 
79 lines changed or deleted 97 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/