draft-ietf-tsvwg-tls-over-sctp-00.txt   rfc3436.txt 
Network Working Group A. Jungmaier Network Working Group A. Jungmaier
INTERNET DRAFT University of Essen Request for Comments: 3436 University of Essen
E. Rescorla Category: Standards Track E. Rescorla
RTFM Inc. RTFM Inc.
M. Tuexen (editor) M. Tuexen
Siemens AG Siemens AG
Expires May 14, 2002 November 14, 2001 December 2002
TLS over SCTP Transport Layer Security over
<draft-ietf-tsvwg-tls-over-sctp-00.txt> Stream Control Transmission Protocol
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with all This document specifies an Internet standards track protocol for the
provisions of Section 10 of [RFC2026]. Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Internet-Drafts are working documents of the Internet Engineering Task Official Protocol Standards" (STD 1) for the standardization state
Force (IETF), its areas, and its working groups. Note that other groups and status of this protocol. Distribution of this memo is unlimited.
may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet Drafts as reference material
or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at Copyright Notice
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at Copyright (C) The Internet Society (2002). All Rights Reserved.
http://www.ietf.org/shadow.html.
Abstract Abstract
This document describes the usage of the Transport Layer Security (TLS) This document describes the usage of the Transport Layer Security
protocol, as defined in [RFC2246], over the Stream Control Transmission (TLS) protocol, as defined in RFC 2246, over the Stream Control
Protocol (SCTP), as defined in [RFC2960]. Transmission Protocol (SCTP), as defined in RFC 2960 and RFC 3309.
The user of TLS can take advantage of the following features provided by
SCTP:
- Support of multiple streams to avoid head of line blocking.
- Support of multi-homing to provide network level fault The user of TLS can take advantage of the features provided by SCTP,
namely the support of multiple streams to avoid head of line blocking
and the support of multi-homing to provide network level fault
tolerance. tolerance.
Additionally currently being discussed extensions of SCTP are also
supported. This means especially: Additionally, discussions of extensions of SCTP are also supported,
meaning especially the support of dynamic reconfiguration of IP-
- Support of dynamic reconfiguration of IP-addresses. addresses.
1. Introduction 1. Introduction
1.1. Overview 1.1. Overview
This document describes the usage of the Transport Layer Security (TLS) This document describes the usage of the Transport Layer Security
protocol, as defined in [RFC2246], over the Stream Control Transmission (TLS) protocol, as defined in [RFC2246], over the Stream Control
Protocol (SCTP), as defined in [RFC2960]. Transmission Protocol (SCTP), as defined in [RFC2960] and [RFC3309].
TLS is designed to run on top of a byte-stream oriented transport TLS is designed to run on top of a byte-stream oriented transport
protocol providing a reliable, in-sequence delivery. Thus, TLS is protocol providing a reliable, in-sequence delivery. Thus, TLS is
currently mainly being used on top of the Transmission Control Protocol currently mainly being used on top of the Transmission Control
(TCP), as defined in [RFC793]. Protocol (TCP), as defined in [RFC793].
Comparing TCP and SCTP, the latter provides additional features and this Comparing TCP and SCTP, the latter provides additional features and
document shows how TLS should be used with SCTP to provide some of these this document shows how TLS should be used with SCTP to provide some
additional features to the TLS user. of these additional features to the TLS user.
This document defines This document defines:
- how to use the multiple streams feature of SCTP. - how to use the multiple streams feature of SCTP.
- how to handle the message oriented nature of SCTP. - how to handle the message oriented nature of SCTP.
It should be noted that the TLS user can take advantage of the multi- It should be noted that the TLS user can take advantage of the multi-
homing support of SCTP. The dynamic reconfiguration of IP-addresses as homing support of SCTP. The dynamic reconfiguration of IP-addresses,
currently being discussed can also be used with the described solution. as currently being discussed, can also be used with the described
solution.
The method described in this document does not require any changes of The method described in this document does not require any changes of
TLS or SCTP. It is only required that SCTP implementations support the TLS or SCTP. It is only required that SCTP implementations support
optional feature of fragmentation of SCTP user messages. the optional feature of fragmentation of SCTP user messages.
1.2. Terminology 1.2. Terminology
This document uses the following terms: This document uses the following terms:
Association: Association:
A SCTP association. An SCTP association.
Connection: Connection:
A TLS connection. A TLS connection.
Session: Session:
A TLS session. A TLS session.
Stream: Stream:
A unidirectional stream of a SCTP association. It is uniquely A unidirectional stream of an SCTP association. It is uniquely
identified by a stream identifier. identified by a stream identifier.
1.3. Abbreviations 1.3. Abbreviations
MTU: Maximum Transmission Unit MTU: Maximum Transmission Unit
SCTP: Stream Control Transmission Protocol SCTP: Stream Control Transmission Protocol
TCP: Transmission Control Protocol TCP: Transmission Control Protocol
TLS: Transport Layer Security TLS: Transport Layer Security
2. Conventions 2. Conventions
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD. SHOULD The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
NOT, RECOMMENDED, NOT RECOMMENDED, MAY, and OPTIONAL, when they appear "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
in this document, are to be interpreted as described in [RFC2119]. "OPTIONAL", in this document are to be interpreted as described in
BCP 14, RFC 2119 [RFC2119].
3. SCTP Requirements 3. SCTP Requirements
3.1. Number of Inbound and Outbound Streams 3.1. Number of Inbound and Outbound Streams
An association between the endpoints A and Z provides n streams from A An association between the endpoints A and Z provides n streams from
to Z and m streams from Z to A. A to Z and m streams from Z to A.
A pair consisting of two streams with the same stream identifier is A pair consisting of two streams with the same stream identifier is
considered and used as one bi-directional stream. considered and used as one bi-directional stream.
Thus an SCTP association can be considered as a set of min(n,m) bi- Thus an SCTP association can be considered as a set of min(n,m) bi-
directional streams and (max(n,m) - min(n,m)) uni-directional streams. directional streams and (max(n,m) - min(n,m)) uni-directional
streams.
3.2. Fragmentation of User Messages 3.2. Fragmentation of User Messages
To avoid the knowledge and handling of the MTU inside TLS, SCTP MUST To avoid the knowledge and handling of the MTU inside TLS, SCTP MUST
provide fragmentation of user messages, which is an optional feature of provide fragmentation of user messages, which is an optional feature
[RFC2960]. Since SCTP is a message oriented protocol, it must be able of [RFC2960]. Since SCTP is a message oriented protocol, it must be
to transmit all TLS records as SCTP user messages. Thus the supported able to transmit all TLS records as SCTP user messages. Thus the
maximum length of SCTP user messages MUST be at least 2^14 + 2048 + 5 = supported maximum length of SCTP user messages MUST be at least 2^14
18437 bytes, which is the maximum length of a TLSCiphertext, as defined + 2048 + 5 = 18437 bytes, which is the maximum length of a
in [RFC2246]. TLSCiphertext, as defined in [RFC2246].
Please note that an SCTP implementation might need to support the
partial delivery API to be able to support the transport of user
messages of this size.
Therefore, SCTP takes care of fragmenting and reassembling the TLS Therefore, SCTP takes care of fragmenting and reassembling the TLS
records in order to avoid IP-fragmentation. records in order to avoid IP-fragmentation.
4. Connections and Bi-directional Streams 4. TLS Requirements
4.1 Supported Ciphersuites
A TLS implementation for TLS over SCTP MUST support at least the
ciphersuite TLS_RSA_WITH_AES_128_CBC_SHA as defined in [RFC3268].
5. Connections and Bi-directional Streams
TLS makes use of a bi-directional stream by establishing a connection TLS makes use of a bi-directional stream by establishing a connection
over it. This means that the number of connections for an association over it. This means that the number of connections for an
is limited by the number of bi-directional streams. association is limited by the number of bi-directional streams.
The TLS handshake protocol is used on each bi-directional stream The TLS handshake protocol is used on each bi-directional stream
separately. Each handshake can be separately. Each handshake can be:
- a full handshake or - a full handshake or
- an abbreviated handshake that resumes a TLS session with a - an abbreviated handshake that resumes a TLS session with a session
session id from another connection (on the same or another id from another connection (on the same or another association).
association).
After completing the handshake for a connection, the bi-directional After completing the handshake for a connection, the bi-directional
stream can be used for TLS-based user data transmission. It should also stream can be used for TLS-based user data transmission. It should
be noted that the handshakes for the different connections are also be noted that the handshakes for the different connections are
independent and can be delayed until the bi-directional stream is used independent and can be delayed until the bi-directional stream is
for user data transmission. used for user data transmission.
5. Usage of bi-directional streams 6. Usage of bi-directional streams
It is not required that all bi-directional streams are used for TLS- It is not required that all bi-directional streams are used for TLS-
based user data transmission. If TLS is not used, it is called SCTP- based user data transmission. If TLS is not used, it is called SCTP-
based user data transmission. based user data transmission.
5.1. SCTP-based user data transmission 6.1. SCTP-based user data transmission
If a bi-directional stream is not used for TLS-based communication there If a bi-directional stream is not used for TLS-based communication
are no restrictions on the features provided by SCTP for SCTP-based user there are no restrictions on the features provided by SCTP for SCTP-
data transmission. based user data transmission.
5.2. TLS-based user data transmission 6.2. TLS-based user data transmission
In general, the bi-directional stream will be used for TLS-based user In general, the bi-directional stream will be used for TLS-based user
data transmission and it SHOULD NOT be used for SCTP-based user data data transmission and it SHOULD NOT be used for SCTP-based user data
transmission. The exception to this rule is protocols which contain transmission. The exception to this rule is for protocols which
upgrade-to-TLS mechanisms such as those of HTTP upgrade [RFC2817] and contain upgrade-to-TLS mechanisms, such as those of HTTP upgrade
SMTP over TLS [RFC2487]. [RFC2817] and SMTP over TLS [RFC3207].
TLS requires that the underlying transport delivers TLS records in TLS requires that the underlying transport delivers TLS records in
strict sequence. Thus, the 'unordered delivery' feature of SCTP MUST NOT strict sequence. Thus, the 'unordered delivery' feature of SCTP MUST
be used on streams which are used for TLS based user data transmission. NOT be used on streams which are used for TLS based user data
For the same reason, TLS records delivered to SCTP for transmission MUST transmission. For the same reason, TLS records delivered to SCTP for
NOT have limited lifetimes. transmission MUST NOT have limited lifetimes.
6. Usage of uni-directional streams 7. Usage of uni-directional streams
The uni-directional streams can not be used for TLS-based user data The uni-directional streams can not be used for TLS-based user data
transmission. Nevertheless they can be used without any restrictions for transmission. Nevertheless, they can be used without any
SCTP-based communication. restrictions for SCTP-based communication.
7. Examples 8. Examples
In these examples we consider the case of an association with two bi- In these examples we consider the case of an association with two
directional streams. bi-directional streams.
7.1. Two Bi-directional Streams with Full Handshake 8.1. Two Bi-directional Streams with Full Handshake
Just after the association has been established the client sends two Just after the association has been established, the client sends two
ClientHello messages on the bi-directional streams 0 and 1. After a ClientHello messages on the bi-directional streams 0 and 1. After a
full handshake has been completed on each bi-directional stream, TLS- full handshake has been completed on each bi-directional stream,
based user data transmission can take place on that stream. It is TLS-based user data transmission can take place on that stream. It
possible that on the bi-directional stream 0 the handshake has been is possible that on the bi-directional stream 0, the handshake has
completed, and user data transmission is ongoing, while on the bi- been completed, and user data transmission is ongoing, while on the
directional stream 1 the handshake has not been completed, or vice bi-directional stream 1, the handshake has not been completed, or
versa. vice versa.
7.2. Two Bi-directional Streams with an Abbreviated Handshake
After establishing the association, the client starts a full handshake 8.2. Two Bi-directional Streams with an Abbreviated Handshake
on the bi-directional stream 0. The server provides a session
identifier which allows session resumption. After the full handshake
has been completed, the client initiates an abbreviated handshake on the
bi-directional stream 1 using the session identifier from the handshake
on the bi-directional stream 0. User data can be transmitted on the bi-
directional stream 0, but not on the bi-directional stream stream 1 in
that state. After completion of the abbreviated handshake on the bi-
directional stream 1, user data can be transmitted on both streams.
Whether or not to use abbreviated handshakes during the setup phase of a After establishing the association, the client starts a full
TLS connection over an SCTP association depends on several factors: handshake on the bi-directional stream 0. The server provides a
session identifier which allows session resumption. After the full
handshake has been completed, the client initiates an abbreviated
handshake on the bi-directional stream 1, using the session
identifier from the handshake on the bi-directional stream 0. User
data can be transmitted on the bi-directional stream 0, but not on
the bi-directional stream stream 1 in that state. After completion
of the abbreviated handshake on the bi-directional stream 1, user
data can be transmitted on both streams.
- the complexity and duration of the initial handshake Whether or not to use abbreviated handshakes during the setup phase
processing (also determined by the number of connections), of a TLS connection over an SCTP association depends on several
factors:
- the complexity and duration of the initial handshake processing
(also determined by the number of connections),
- the network performance (round-trip times, bandwidth). - the network performance (round-trip times, bandwidth).
Abbreviated handshakes can reduce computational complexity of the Abbreviated handshakes can reduce computational complexity of the
handshake considerably, in case that this is a limiting resource. If a handshake considerably, in case this is a limiting resource. If a
large number of connections need to be established, it may be of large number of connections need to be established, it may be
advantage to use the TLS session resumption feature. On the other hand, advantageous to use the TLS session resumption feature. On the other
before an abbreviated handshakes can take place, a full handshake needs hand, before an abbreviated handshake can take place, a full
to have completed. In networks with large round-trip time delays, it may handshake needs to have been completed. In networks with large
round-trip time delays, it may be favorable to perform a number of
be favorable to perform a number of full handshakes in parallel. full handshakes in parallel. Therefore, both possibilities are
Therefore, both possibilities are allowed. allowed.
7.3. Two Bi-directional Streams with a Delayed Abbreviated Handshake 8.3. Two Bi-directional Streams with a Delayed Abbreviated Handshake
This example resembles the last one, but after the completion of the This example resembles the last one, but after the completion of the
full handshake on the bi-directional stream 0, the abbreviated handshake full handshake on the bi-directional stream 0, the abbreviated
on the bi-directional stream 1 is not started immediately. The bi- handshake on the bi-directional stream 1 is not started immediately.
directional stream 0 can be used for user data transmission. It is only The bi-directional stream 0 can be used for user data transmission.
when the user also wants to transmit data on the bi-directional stream 1 It is only when the user also wants to transmit data on the bi-
that the abbreviated handshake for the bi-directional stream 1 is directional stream 1 that the abbreviated handshake for the bi-
initiated. directional stream 1 is initiated.
This allows the user of TLS to request a large number of bi-directional This allows the user of TLS to request a large number of bi-
streams without having to provide all the resources at association directional streams without having to provide all the resources at
start-up if not all bi-directional streams are used right from the association start-up if not all bi-directional streams are used right
beginning. from the beginning.
7.4. Two Bi-directional Streams without Full Handshakes 8.4. Two Bi-directional Streams without Full Handshakes
This example is like the second or third one, but an abbreviated This example is like the second and third one, but an abbreviated
handshake is used for both bi-directional streams. This requires the handshake is used for both bi-directional streams. This requires the
existence of a valid session identifier from connections handled by existence of a valid session identifier from connections handled by
another association. another association.
8. Security Considerations 9. Security Considerations
Using TLS on top of SCTP does not provide any new security issues beside Using TLS on top of SCTP does not provide any new security issues
the ones discussed in [RFC2246] and [RFC2960]. beside the ones discussed in [RFC2246] and [RFC2960].
It is possible to authenticate TLS endpoints based on IP-addresses in It is possible to authenticate TLS endpoints based on IP-addresses in
certificates. Unlike TCP, SCTP associations can use multiple addresses certificates. Unlike TCP, SCTP associations can use multiple
per SCTP endpoint and therefore it is possible that TLS records will be addresses per SCTP endpoint. Therefore it is possible that TLS
sent from a different IP-address from that originally authenticated. records will be sent from a different IP-address than that originally
This is not a problem provided that no security decisions are made based authenticated. This is not a problem provided that no security
on that IP-address. This is a special case of a general rule: all decisions are made based on that IP-address. This is a special case
decisions should be based on the peer's authenticated identity, not on of a general rule: all decisions should be based on the peer's
its transport layer identity. authenticated identity, not on its transport layer identity.
9. Acknowledgements 10. Acknowledgements
The authors would like to thank P. Calhoun, J. Wood and many others for The authors would like to thank P. Calhoun, J. Wood, and many others
their invaluable comments and suggestions. for their invaluable comments and suggestions.
10. References 11. References
[RFC793] J. Postel (ed.), "Transmission Control Protocol", STP 7, RFC 11.1. Normative References
793, September 1981.
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2026] S. Bradner, "The Internet Standards Process -- Revision 3", [RFC2246] Diercks, T. and C. Allen, "The TLS Protocol Version
RFC 2026, October 1996. 1.0", RFC 2246, January 1999.
[RFC2246] T. Diercks, C. Allen, "The TLS Protocol Version 1.0", RFC [RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C.,
2246, January 1999. Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M.,
Zhang, L. and V. Paxon, "Stream Control Transmission
Protocol", RFC 2960, October 2000.
[RFC2487] P. Hoffman, "SMTP Service Extension for Secure SMTP over [RFC3268] Chown, P., "Advanced Encryption Standard (AES)
TLS", RFC 2487, January 1999. Ciphersuites for Transport Layer Security (TLS)", RFC
3268, June 2002.
[RFC2817] R. Khare and S. Lawrence, "Upgrading to TLS Within [RFC3309] Stone, J., Stewart, R., Otis, D., "Stream Control
Transmission Protocol (SCTP) Checksum Change", RFC 3309,
September 2002.
11.2. Informative References
[RFC793] Postel, J. (ed.), "Transmission Control Protocol", STD 7,
RFC 793, September 1981.
[RFC2026] Bradner, S., "The Internet Standards Process -- Revision
3", BCP 9, RFC 2026, October 1996.
[RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within
HTTP/1.1", RFC 2817, May 2000. HTTP/1.1", RFC 2817, May 2000.
[RFC2960] R. R. Stewart et al., "Stream Control Transmission [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over
Protocol", RFC 2960, November 2000. TLS", RFC 3207, February 2002.
11. Authors' Addresses 12. Authors' Addresses
Andreas Jungmaier Tel.: +49 201 1837636 Andreas Jungmaier
University of Essen e-mail: ajung@exp-math.uni-essen.de University of Essen
Networking Technology Group at the IEM Networking Technology Group at the IEM
Ellernstrasse 29 Ellernstrasse 29
D-45326 Essen D-45326 Essen
Germany Germany
Eric Rescorla Tel.: +1 650-320-8549 Phone: +49 201 1837667
RTFM, Inc. e-mail: ekr@rtfm.com EMail: ajung@exp-math.uni-essen.de
Eric Rescorla
RTFM, Inc.
2064 Edgewood Drive 2064 Edgewood Drive
Palo Alto, CA 94303 Palo Alto, CA 94303
USA USA
Michael Tuexen Tel.: +49 89 722 47210 Phone: +1 650-320-8549
Siemens AG e-mail: Michael.Tuexen@icn.siemens.de EMail: ekr@rtfm.com
ICN WN CS SE 5
Michael Tuexen
Siemens AG
D-81359 Munich D-81359 Munich
Germany Germany
This Internet Draft expires May 14, 2002.
Phone: +49 89 722 47210
EMail: Michael.Tuexen@siemens.com
13. Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
 End of changes. 

This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/