| draft-ietf-tsvwg-sctp-udp-encaps-06.txt | draft-ietf-tsvwg-sctp-udp-encaps-07.txt | |||
|---|---|---|---|---|
| Network Working Group M. Tuexen | Network Working Group M. Tuexen | |||
| Internet-Draft Muenster Univ. of Appl. Sciences | Internet-Draft Muenster Univ. of Appl. Sciences | |||
| Intended status: Standards Track R. Stewart | Intended status: Standards Track R. Stewart | |||
| Expires: April 23, 2013 Adara Networks | Expires: June 26, 2013 Adara Networks | |||
| October 20, 2012 | December 23, 2012 | |||
| UDP Encapsulation of SCTP Packets | UDP Encapsulation of SCTP Packets | |||
| draft-ietf-tsvwg-sctp-udp-encaps-06.txt | draft-ietf-tsvwg-sctp-udp-encaps-07.txt | |||
| Abstract | Abstract | |||
| This document describes a simple method of encapsulating SCTP Packets | This document describes a simple method of encapsulating SCTP Packets | |||
| into UDP packets and its limitations. This allows the usage of SCTP | into UDP packets and its limitations. This allows the usage of SCTP | |||
| in networks with legacy NAT not supporting SCTP. It can also be used | in networks with legacy NAT not supporting SCTP. It can also be used | |||
| to implement SCTP on hosts without directly accessing the IP-layer, | to implement SCTP on hosts without directly accessing the IP-layer, | |||
| for example implementing it as part of the application without | for example implementing it as part of the application without | |||
| requiring special privileges. | requiring special privileges. | |||
| skipping to change at page 1, line 36 | skipping to change at page 1, line 36 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 23, 2013. | This Internet-Draft will expire on June 26, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 28 | skipping to change at page 2, line 28 | |||
| 4.4. Decapsulation Procedure . . . . . . . . . . . . . . . . . 6 | 4.4. Decapsulation Procedure . . . . . . . . . . . . . . . . . 6 | |||
| 4.5. ICMP Considerations . . . . . . . . . . . . . . . . . . . 6 | 4.5. ICMP Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.6. Path MTU Considerations . . . . . . . . . . . . . . . . . 7 | 4.6. Path MTU Considerations . . . . . . . . . . . . . . . . . 7 | |||
| 4.7. Handling of Embedded IP-addresses . . . . . . . . . . . . 7 | 4.7. Handling of Embedded IP-addresses . . . . . . . . . . . . 7 | |||
| 4.8. ECN Considerations . . . . . . . . . . . . . . . . . . . . 7 | 4.8. ECN Considerations . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Socket API Considerations . . . . . . . . . . . . . . . . . . 7 | 5. Socket API Considerations . . . . . . . . . . . . . . . . . . 7 | |||
| 5.1. Get or Set the Remote UDP Encapsulation Port Number | 5.1. Get or Set the Remote UDP Encapsulation Port Number | |||
| (SCTP_REMOTE_UDP_ENCAPS_PORT) . . . . . . . . . . . . . . 8 | (SCTP_REMOTE_UDP_ENCAPS_PORT) . . . . . . . . . . . . . . 8 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 9 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 10 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 1. Introduction | 1. Introduction | |||
| This document describes a simple method of encapsulating SCTP packets | This document describes a simple method of encapsulating SCTP packets | |||
| into UDP packets. SCTP as defined in [RFC4960] runs directly over | into UDP packets. SCTP as defined in [RFC4960] runs directly over | |||
| IPv4 or IPv6. There are two main reasons for encapsulating SCTP | IPv4 or IPv6. There are two main reasons for encapsulating SCTP | |||
| packets: | packets: | |||
| o Allow SCTP traffic to pass legacy NATs, which do not provide | o Allow SCTP traffic to pass legacy NATs, which do not provide | |||
| skipping to change at page 4, line 29 | skipping to change at page 4, line 29 | |||
| 4. SCTP over UDP | 4. SCTP over UDP | |||
| 4.1. Architectural Considerations | 4.1. Architectural Considerations | |||
| An SCTP implementation supporting UDP encapsulation MUST store a | An SCTP implementation supporting UDP encapsulation MUST store a | |||
| remote UDP encapsulation port number per destination address for each | remote UDP encapsulation port number per destination address for each | |||
| SCTP association. | SCTP association. | |||
| Each SCTP stack uses a single local UDP encapsulation port number as | Each SCTP stack uses a single local UDP encapsulation port number as | |||
| the destination port for all its incoming SCTP packets. The IANA | the destination port for all its incoming SCTP packets. The IANA | |||
| assigned value of 9899 MAY be used as this port number. If there is | assigned value of 9899 (sctp-tunneling) MAY be used as this port | |||
| only a single SCTP implementation on a host (for example, a kernel | number. If there is only a single SCTP implementation on a host (for | |||
| implementation being part of the operating system), using a single | example, a kernel implementation being part of the operating system), | |||
| UDP encapsulation port number per host can be advantageous (e.g., | using a single UDP encapsulation port number per host can be | |||
| this reduces the number of mappings in firewalls and NATs, among | advantageous (e.g., this reduces the number of mappings in firewalls | |||
| other things). However, this is not possible if the SCTP stack is | and NATs, among other things). Using a single UDP encapsulation port | |||
| implemented as part of an application. | number per host is not possible if the SCTP stack is implemented as | |||
| part of an application. | ||||
| 4.2. Packet Format | 4.2. Packet Format | |||
| To encapsulate an SCTP packet, a UDP header as defined in [RFC0768] | To encapsulate an SCTP packet, a UDP header as defined in [RFC0768] | |||
| is inserted between the IP header as defined in [RFC0791] and the | is inserted between the IP header as defined in [RFC0791] and the | |||
| SCTP common header as defined in [RFC4960]. | SCTP common header as defined in [RFC4960]. | |||
| Figure 1 shows the packet format of an encapsulated SCTP packet when | Figure 1 shows the packet format of an encapsulated SCTP packet when | |||
| IPv4 is used. | IPv4 is used. | |||
| skipping to change at page 6, line 7 | skipping to change at page 6, line 7 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | ... | | | ... | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | SCTP Chunk #n | | | SCTP Chunk #n | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 2: An SCTP/UDP/IPv6 packet | Figure 2: An SCTP/UDP/IPv6 packet | |||
| 4.3. Encapsulation Procedure | 4.3. Encapsulation Procedure | |||
| When inserting the UDP header, the source port is the local UDP | When inserting the UDP header, the source port MUST be the local UDP | |||
| encapsulation port number of the SCTP stack, the destination port is | encapsulation port number of the SCTP stack, the destination port | |||
| the remote UDP encapsulation port number stored for the destination | MUST be the remote UDP encapsulation port number stored for the | |||
| address to which the packet is sent (see Section 4.1). | destination address to which the packet is sent (see Section 4.1). | |||
| The length of the UDP packet is the length of the SCTP packet plus | The length of the UDP packet MUST be the length of the SCTP packet | |||
| the size of the UDP header. | plus the size of the UDP header. | |||
| For IPv4, the UDP checksum SHOULD be computed and the SCTP checksum | For IPv4, the UDP checksum SHOULD be computed and the SCTP checksum | |||
| MUST be computed, whereas for IPv6, the UDP checksum and the SCTP | MUST be computed, whereas for IPv6, the UDP checksum and the SCTP | |||
| checksum MUST be computed. | checksum MUST be computed. | |||
| 4.4. Decapsulation Procedure | 4.4. Decapsulation Procedure | |||
| When an encapsulated packet is received, the UDP header is removed. | When an encapsulated packet is received, the UDP header is removed. | |||
| Then a lookup is performed to find the association for the received | Then a lookup is performed to find the association for the received | |||
| SCTP packet. The UDP source port is stored as the encapsulation port | SCTP packet. After finding the SCTP association (which includes | |||
| for the destination address the SCTP packet is received from (see | checking the verification tag), the UDP source port MUST be stored as | |||
| Section 4.1). | the encapsulation port for the destination address the SCTP packet is | |||
| received from (see Section 4.1). | ||||
| Please note that when a non-encapsulated SCTP packet is received, the | Please note that when a non-encapsulated SCTP packet is received, the | |||
| encapsulation of outgoing packets belonging to the same association | encapsulation of outgoing packets belonging to the same association | |||
| and the corresponding destination address is disabled. | and the corresponding destination address MUST be disabled. | |||
| 4.5. ICMP Considerations | 4.5. ICMP Considerations | |||
| When receiving ICMP or ICMPv6 response packets, there might not be | When receiving ICMP or ICMPv6 response packets, there might not be | |||
| enough bytes in the payload to identify the SCTP association which | enough bytes in the payload to identify the SCTP association which | |||
| the SCTP packet triggering the ICMP or ICMPv6 packet belongs to. If | the SCTP packet triggering the ICMP or ICMPv6 packet belongs to. If | |||
| a received ICMP or ICMPv6 packet can not be related to a specific | a received ICMP or ICMPv6 packet can not be related to a specific | |||
| SCTP association or the verification tag can't be verified, it MUST | SCTP association or the verification tag can't be verified, it MUST | |||
| be discarded silently. This means in particular that the SCTP stack | be discarded silently. This means in particular that the SCTP stack | |||
| MUST NOT rely on receiving ICMP or ICMPv6 messages. Implementation | MUST NOT rely on receiving ICMP or ICMPv6 messages. Implementation | |||
| skipping to change at page 8, line 43 | skipping to change at page 8, line 45 | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| This document does not require any actions from IANA. It refers to | This document does not require any actions from IANA. It refers to | |||
| the already assigned UDP port 9899 (sctp-tunneling). | the already assigned UDP port 9899 (sctp-tunneling). | |||
| 7. Security Considerations | 7. Security Considerations | |||
| Encapsulating SCTP into UDP does not add any additional security | Encapsulating SCTP into UDP does not add any additional security | |||
| considerations to the ones given in [RFC4960] and [RFC5061]. | considerations to the ones given in [RFC4960] and [RFC5061]. | |||
| An attacker might send a malicious UDP packet towards an SCTP end- | ||||
| point to change the encapsulation port for a single remote address of | ||||
| a particular SCTP association. However, as specified in Section 4.4, | ||||
| this requires the usage of one the two negotiated verification tags. | ||||
| This protects against blind attackers the same way as described in | ||||
| [RFC4960] for SCTP over IPv4 or IPv6. Non-blind attackers can affect | ||||
| SCTP association using the UDP encapsulation described in this | ||||
| document in the same way as SCTP associations not using the UDP | ||||
| encapsulation of SCTP described here. | ||||
| 8. Acknowledgments | 8. Acknowledgments | |||
| The authors wish to thank Gorry Fairhurst, Irene Ruengeler, and Dan | The authors wish to thank Gorry Fairhurst, Martin Stiemerling, Irene | |||
| Wing for their invaluable comments. | Ruengeler, and Dan Wing for their invaluable comments. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | |||
| August 1980. | August 1980. | |||
| [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, | [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, | |||
| September 1981. | September 1981. | |||
| [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, | [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, | |||
| RFC 792, September 1981. | RFC 792, September 1981. | |||
| skipping to change at page 10, line 11 | skipping to change at page 10, line 25 | |||
| [I-D.ietf-behave-sctpnat] | [I-D.ietf-behave-sctpnat] | |||
| Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control | Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control | |||
| Transmission Protocol (SCTP) Network Address Translation", | Transmission Protocol (SCTP) Network Address Translation", | |||
| draft-ietf-behave-sctpnat-07 (work in progress), | draft-ietf-behave-sctpnat-07 (work in progress), | |||
| October 2012. | October 2012. | |||
| [I-D.ietf-tsvwg-natsupp] | [I-D.ietf-tsvwg-natsupp] | |||
| Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control | Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control | |||
| Transmission Protocol (SCTP) Network Address Translation | Transmission Protocol (SCTP) Network Address Translation | |||
| for Endpoints", draft-ietf-tsvwg-natsupp-03 (work in | Support", draft-ietf-tsvwg-natsupp-04 (work in progress), | |||
| progress), October 2012. | October 2012. | |||
| Authors' Addresses | Authors' Addresses | |||
| Michael Tuexen | Michael Tuexen | |||
| Muenster University of Applied Sciences | Muenster University of Applied Sciences | |||
| Stegerwaldstrasse 39 | Stegerwaldstrasse 39 | |||
| 48565 Steinfurt | 48565 Steinfurt | |||
| DE | DE | |||
| Email: tuexen@fh-muenster.de | Email: tuexen@fh-muenster.de | |||
| End of changes. 14 change blocks. | ||||
| 27 lines changed or deleted | 40 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||