One document matched: draft-ietf-tsvwg-sctp-auth-04.txt
Differences from draft-ietf-tsvwg-sctp-auth-03.txt
Network Working Group M. Tuexen
Internet-Draft Muenster Univ. of Applied Sciences
Intended status: Standards Track R. Stewart
Expires: March 7, 2007 P. Lei
Cisco Systems, Inc.
E. Rescorla
RTFM, Inc.
September 3, 2006
Authenticated Chunks for Stream Control Transmission Protocol (SCTP)
draft-ietf-tsvwg-sctp-auth-04.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 7, 2007.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes a new chunk type, several parameters and
procedures for SCTP. This new chunk type can be used to authenticate
SCTP chunks by using shared keys between the sender and receiver.
The new parameters are used to establish the shared keys.
Tuexen, et al. Expires March 7, 2007 [Page 1]
Internet-Draft SCTP authentication chunk September 2006
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. New Parameter Types . . . . . . . . . . . . . . . . . . . . . 3
3.1. Random Parameter (RANDOM) . . . . . . . . . . . . . . . . 4
3.2. Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . 4
3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) . . . . . . 5
4. New Error Cause . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Unsupported HMAC Identifier error cause . . . . . . . . . 7
5. New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Authentication Chunk (AUTH) . . . . . . . . . . . . . . . 8
6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1. Establishment of an association shared key . . . . . . . . 9
6.2. Sending authenticated chunks . . . . . . . . . . . . . . . 10
6.3. Receiving authenticated chunks . . . . . . . . . . . . . . 11
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
8.1. A New Chunk Type . . . . . . . . . . . . . . . . . . . . . 13
8.2. Three New Parameter Types . . . . . . . . . . . . . . . . 14
8.3. A New Error Cause . . . . . . . . . . . . . . . . . . . . 14
8.4. A New Table For HMAC Identifiers . . . . . . . . . . . . . 14
9. Security Considerations . . . . . . . . . . . . . . . . . . . 14
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15
11. Normative References . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
Intellectual Property and Copyright Statements . . . . . . . . . . 17
Tuexen, et al. Expires March 7, 2007 [Page 2]
Internet-Draft SCTP authentication chunk September 2006
1. Introduction
SCTP uses 32 bit verification tags to protect itself against blind
attackers. These values are not changed during the lifetime of an
SCTP association.
Looking at new SCTP extensions there is the need to have a method of
proving that an SCTP chunk(s) was really sent by the original peer
that started the association and not by a malicious attacker.
Using TLS as defined in RFC3436 [5] does not help here because it
only secures SCTP user data.
Therefore an SCTP extension is presented in this document which
allows an SCTP sender to sign chunks using shared keys between the
sender and receiver. The receiver can then verify that the chunks
are sent from the sender and not from a malicious attacker.
This extension also provides a mechanism for deriving a shared key
for each association. This association shared key is derived from
endpoint pair shared keys, which are preconfigured and might be
empty.
2. Conventions
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL", when they appear in this document, are to be interpreted
as described in RFC2119 [3].
3. New Parameter Types
This section defines the new parameter types that will be used to
negotiate the authentication during association setup. Table 1
illustrates the new parameter types.
+----------------+------------------------------------------------+
| Parameter Type | Parameter Name |
+----------------+------------------------------------------------+
| 0x8002 | Random Parameter (RANDOM) |
| 0x8003 | Chunk List Parameter (CHUNKS) |
| 0x8004 | Requested HMAC Algorithm Parameter (HMAC-ALGO) |
+----------------+------------------------------------------------+
Table 1
Tuexen, et al. Expires March 7, 2007 [Page 3]
Internet-Draft SCTP authentication chunk September 2006
It should be noted that the parameter format requires the receiver to
ignore the parameter and continue processing if it is not understood.
This is accomplished as described in RFC2960 [4] section 3.2.1. by
the use of the upper bits of the parameter type.
3.1. Random Parameter (RANDOM)
This parameter is used to carry an arbitrary length random number.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8002 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
\ Random Number /
/ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1
Parameter Type: 2 bytes (unsigned integer)
This value MUST be set to 0x8002.
Parameter Length: 2 bytes (unsigned integer)
This value is the length of the Random Number plus 4.
Random Number: n bytes (unsigned integer)
This value represents an arbitrary Random Number in network byte
order.
The RANDOM parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks.
3.2. Chunk List Parameter (CHUNKS)
This parameter is used to specify which chunk types are required to
be sent authenticated by the peer.
Tuexen, et al. Expires March 7, 2007 [Page 4]
Internet-Draft SCTP authentication chunk September 2006
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8003 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type 1 | Chunk Type 2 | Chunk Type 3 | Chunk Type 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
\ ... \
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type n | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2
Parameter Type: 2 bytes (unsigned integer)
This value MUST be set to 0x8003.
Parameter Length: 2 bytes (unsigned integer)
This value is the number of listed Chunk Types plus 4.
Chunk Type n: 1 byte (unsigned integer)
Each Chunk Type listed is required to be authenticated when sent
by the peer.
The CHUNKS parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to receive authenticated chunks. Its
maximum length is 260 bytes.
The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE and AUTH chunks
MUST NOT be listed in the CHUNKS parameter. However, if a CHUNKS
parameter is received then the types for INIT, INIT-ACK, SHUTDOWN-
COMPLETE and AUTH chunks MUST be ignored.
3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO)
This parameter is used to list the HMAC identifiers the peer MUST
use.
Tuexen, et al. Expires March 7, 2007 [Page 5]
Internet-Draft SCTP authentication chunk September 2006
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8004 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier 1 | HMAC Identifier 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
\ ... \
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier n | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3
Parameter Type: 2 bytes (unsigned integer)
This value MUST be set to 0x8004.
Parameter Length: 2 bytes (unsigned integer)
This value is the length of the number of HMAC identifiers
multiplied by 2 plus 4.
HMAC Identifier n: 2 bytes (unsigned integer)
The values is an HMAC Identifier which should be used. The values
are listed by priority. Highest priority first.
The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks.
The following Table 2 shows the currently defined values for HMAC
identifiers.
+-----------------+--------------------------+
| HMAC Identifier | Message Digest Algorithm |
+-----------------+--------------------------+
| 0 | Reserved |
| 1 | SHA-1 defined in [6] |
| 2 | MD-5 defined in [1] |
+-----------------+--------------------------+
Table 2
Every endpoint supporting SCTP chunk authentication MUST support the
HMAC based on the SHA-1 algorithm.
Tuexen, et al. Expires March 7, 2007 [Page 6]
Internet-Draft SCTP authentication chunk September 2006
4. New Error Cause
This section defines a new error cause that will be sent if an AUTH
chunk is received with an unsupported HMAC identifier. Table 3
illustrates the new error cause.
+------------+-----------------------------+
| Cause Code | Error Cause Name |
+------------+-----------------------------+
| 0x0105 | Unsupported HMAC Identifier |
+------------+-----------------------------+
Table 3
4.1. Unsupported HMAC Identifier error cause
This error cause is used to indicate that an AUTH chunk was received
with an unsupported HMAC Identifier.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x0105 | Cause Length = 6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4
Cause Code: 2 bytes (unsigned integer)
This value MUST be set to 0x0105.
Cause Length: 2 bytes (unsigned integer)
This value MUST be set to 6.
HMAC Identifier: 2 bytes (unsigned integer)
This value is the HMAC Identifier which is not supported.
5. New Chunk Type
This section defines the new chunk type that will be used to
authenticate chunks. Table 4 illustrates the new chunk type.
Tuexen, et al. Expires March 7, 2007 [Page 7]
Internet-Draft SCTP authentication chunk September 2006
+------------+-----------------------------+
| Chunk Type | Chunk Name |
+------------+-----------------------------+
| 0x0F | Authentication Chunk (AUTH) |
+------------+-----------------------------+
Table 4
It should be noted that the AUTH-chunk format requires the receiver
to ignore the chunk if it is not understood and silently discard all
chunks that follow. This is accomplished as described in RFC2960 [4]
section 3.2. by the use of the upper bits of the chunk type.
5.1. Authentication Chunk (AUTH)
This chunk is used to hold the result of the HMAC calculation.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x0F | Flags=0 | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Shared Key Identifier | HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
\ HMAC /
/ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5
Type: 1 byte (unsigned integer)
This value MUST be set to 0x0F for all AUTH-chunks.
Flags: 1 byte (unsigned integer)
Set to zero on transmit and ignored on receipt.
Length: 2 bytes (unsigned integer)
This value holds the length of the HMAC plus 8.
Shared Key Identifier: 2 bytes (unsigned integer)
This value describes which endpoint pair shared key is used.
HMAC Identifier: 2 bytes (unsigned integer)
This value describes which message digest is being used. Table 2
shows the currently defined values.
Tuexen, et al. Expires March 7, 2007 [Page 8]
Internet-Draft SCTP authentication chunk September 2006
HMAC: n bytes (unsigned integer)
This hold the result of the HMAC calculation.
The control chunk AUTH MUST NOT appear more than once in an SCTP
packet. All control and data chunks which are placed after the AUTH
chunk in the packet are sent in an authenticated way. Those chunks
placed in a packet before the AUTH chunk are not authenticated.
Please note that DATA chunks can not appear before control chunks in
an SCTP packet.
6. Procedures
6.1. Establishment of an association shared key
An SCTP endpoint willing to receive or send authenticated chunks MUST
send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM
parameter SHOULD contain a 32 byte random number. In case of INIT
collision, the rules governing the handling of this random number
follow the same pattern as those for the Verification Tag, as
explained in section 5.2.4 of RFC2960 [4]. Therefore each endpoint
knows its own random number and the peer's random number after the
association has been established.
An SCTP endpoint has a list of chunks it only accepts if they are
received in an authenticated way. This list is included in the INIT
and INIT-ACK and MAY be omitted if it is empty. Since this list does
not change during the lifetime of there is no problem in case of INIT
collision.
Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO
parameter containing a list of HMAC Identifiers it requests the peer
to use. The receiver of a HMAC-ALGO parameter SHOULD use the first
listed algorithm it supports. The HMAC algorithm based on SHA-1 MUST
be supported and included in the HMAC-ALGO parameter. An SCTP
endpoint MUST NOT change the parameters listed in the HMAC-ALGO
parameter during the lifetime of the endpoint.
Both endpoints of an association MAY have endpoint pair shared keys
which are byte vectors and preconfigured or established by another
mechanism. They are identified by the shared key identifier. If no
endpoint pair shared keys are preconfigured or established by another
mechanism an empty byte vector is used.
From these endpoint pair shared keys the association shared keys are
computed by concatenating the endpoint pair shared key with the
random numbers exchanged in the INIT and INIT-ACK. This is performed
by selecting the smaller random number value and concatenating it to
Tuexen, et al. Expires March 7, 2007 [Page 9]
Internet-Draft SCTP authentication chunk September 2006
the endpoint pair shared key, and then concatenating the larger of
the random number values to that. If both random numbers are equal,
then the concatenation order is the random number with the shorter
length, followed by the endpoint shared key, followed by the random
number with the longer length. If the random number lengths are the
same, then they may be concatenated to the endpoint pair key in any
order. The concatenation is performed on byte vectors representing
all numbers in network byte order. The result is the association
shared key.
6.2. Sending authenticated chunks
Endpoints MUST send all requested chunks authenticated where this has
been requested by the peer. The other chunks MAY be sent
authenticated or not. If endpoint pair shared keys are used, one of
them MUST be selected for authentication.
To send chunks in an authenticated way, the sender MUST include these
chunks after an AUTH chunk. This means that a sender MUST bundle
chunks in order to authenticate them.
If the endpoint has no endpoint shared key for the peer, it MUST use
Shared Key Identifier 0 with an empty endpoint pair shared key.
The sender MUST calculate the MAC using the hash function H as
described by the MAC Identifier and the shared association key K
based on the endpoint pair shared key described by the shared key
identifier. The 'data' used for the computation of the AUTH-chunk is
given by Figure 6 and all chunks that are placed after the AUTH chunk
in the SCTP packet. RFC2104 [2] can be used as a guideline for
generating the MAC.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x0F | Flags=0 | Chunk Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Shared Key Identifier | HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
\ 0 /
/ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6
Please note that all fields are in network byte order and that the
field which will contain the complete HMAC is filled with zeroes.
The length of the field shown as 0 is the length of the HMAC
described by the HMAC Identifier. The padding of all chunks being
Tuexen, et al. Expires March 7, 2007 [Page 10]
Internet-Draft SCTP authentication chunk September 2006
authenticated MUST be included in the HMAC computation.
The sender fills the HMAC into the HMAC field and sends the packet.
6.3. Receiving authenticated chunks
The receiver has a list of chunk types which it expects to be
received only after an AUTH-chunk. This list has been sent to the
peer during the association setup. It MUST silently discard these
chunks if they are not placed after an AUTH chunk in the packet.
The receiver MUST use the HMAC algorithm indicated in the HMAC
Identifier field. If this algorithm was not specified by the
receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
during association setup, the AUTH chunk and all chunks after it MUST
be discarded and an ERROR chunk SHOULD be sent with the error cause
defined in Section 4.1.
If an endpoint with no shared key receives a Shared Key Identifier
other than 0, it MUST silently discard all authenticated chunks. If
the endpoint has at least one endpoint pair shared key for the peer,
it MUST use the key specified by the Shared Key Identifier if a key
has been configured for that Shared Key Identifier. If no endpoint
pair shared key has been configured for that Shared Key Identifier,
all authenticated chunks MUST be silently discarded.
The receiver now performs the same calculation as described for the
sender based on Figure 6. If the result of the calculation is the
same as given in the HMAC field, all chunks following the AUTH chunk
are processed. If the field does not match the result of the
calculation, all the chunks following the AUTH chunk MUST be silently
discarded.
It should be noted that if the receiver wants to tear down an
association in an authenticated way only, the handling of malformed
packets should be in tune with this.
If the receiver does not find a TCB for a packet containing an AUTH
chunk as a first chunk and a COOKIE-ECHO chunk as the second chunk
and possibly more chunks after them, the receiver MUST authenticate
the chunks by using the random numbers included in the COOKIE-ECHO,
and possibly the local shared secret. If authentication fails then
the packet discarded. If the authentication is successful the
COOKIE-ECHO and all chunks after the COOKIE-ECHO MUST be processed.
If the receiver has a TCB, it MUST process the AUTH chunk as
described above using the TCB from the existing association to
authenticate the COOKIE-ECHO chunk and all chunks after it.
Tuexen, et al. Expires March 7, 2007 [Page 11]
Internet-Draft SCTP authentication chunk September 2006
If the receiver does not find an association for a packet containing
an AUTH chunk as the first chunk and not a COOKIE-ECHO chunk as the
second chunk, it MUST use the chunks after the AUTH chunk to look up
an existing association. If no association is found, the packet MUST
be considered as out of the blue. The out of the blue handling MUST
be based on the packet without taking the AUTH chunk into account.
If an association is found, it MUST process the AUTH chunk using the
TCB from the existing association as described earlier.
If the receiver of the packet does not have a TCB when it needs to
process the AUTH chunk, it MUST ignore the AUTH chunk. This applies
to a packet containing an AUTH chunk as a first chunk and an COOKIE-
ECHO chunk as the second chunk received in the CLOSED state. If the
receiver has a TCB, it MUST process the AUTH chunk as described
above.
It should also be noted that if an endpoint accepts ABORT chunks only
in an authenticated way, it may take longer to detect that the peer
is no longer available. If an endpoint accepts COOKIE chunks only in
an authenticated way, the restart procedure does not work.
Furthermore it is important that the cookie contained in an INIT-ACK
chunk and in a COOKIE_ECHO chunk MUST NOT contain the end-point pair
shared key.
7. Examples
This section gives examples of message exchanges for association
setup.
The simplest way of using the extension described in this document is
given by the following message exchange.
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
Please note that the CHUNKS parameter is optional in the INIT and
INIT-ACK.
If the server wants to receive DATA chunks in an authenticated way,
the following message exchange is possible:
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
--------------- COOKIE-ECHO; AUTH; DATA ------------->
Tuexen, et al. Expires March 7, 2007 [Page 12]
Internet-Draft SCTP authentication chunk September 2006
<----------------- COOKIE-ACK; SACK ------------------
Please note that if the endpoint pair shared key depends on the
client and the server and that it is only known by the upper layer
this message exchange requires an upper layer intervention between
the processing of the COOKIE-ECHO chunk (COMMUNICATION-UP
notification followed by the presentation of the endpoint pair shared
key by the upper layer to the SCTP stack) and the processing of the
AUTH and DATA chunk. If this intervention is not possible due to
limitations of the API the server might discard the AUTH and DATA
chunk making a retransmission of the DATA chunk necessary. If the
same endpoint pair shared key is used for multiple endpoints and does
not depend on the client this intervention might not be necessary.
8. IANA Considerations
[NOTE to RFC-Editor:
"RFCXXXX" is to be replaced by the RFC number you assign this
document.
The reference to sctp-parameters [7] should be removed from the
"Normative References" section after the IANA section has been
removed.
]
This document (RFCXXX) is the reference for all registrations
described in this section. All registrations need to be listed in
the document available at sctp-parameters [7]. The suggested changes
are described below.
8.1. A New Chunk Type
A chunk type for the AUTH chunk has to be assigned by IANA. It is
suggested to use the value given in Table 4. This requires an
additional line in the "CHUNK TYPES" table of sctp-parameters [7]:
CHUNK TYPES
ID Value Chunk Type Reference
----- ---------- ---------
15 Authentication Chunk (AUTH) [RFCXXXX]
Tuexen, et al. Expires March 7, 2007 [Page 13]
Internet-Draft SCTP authentication chunk September 2006
8.2. Three New Parameter Types
Parameter types have to be assigned for the RANDOM, CHUNKS, and HMAC-
ALGO parameter by IANA. It is suggested to use the values given in
Table 1. This requires two modifications of the "CHUNK PARAMETER
TPYES" tables in sctp-parameters [7]: The first change is the
addition of three new lines to the "INIT Chunk Parameter Types"
table:
Chunk Parameter Type Value
-------------------- -----
Random 32770 (0x8002)
Chunk List 32771 (0x8003)
Requested HMAC Algorithm Parameter 32772 (0x8004)
The second required change is the addition of the same three lines to
the to the "INIT ACK Chunk Parameter Types" table.
8.3. A New Error Cause
An error cause for the Unsupported HMAC Identifier error cause has to
be assigned. It is suggested to use the value given in Table 3.
This requires an additional line of the "CAUSE CODES" table in sctp-
parameters [7]:
VALUE CAUSE CODE REFERENCE
----- ---------------- ---------
261 (0x0105) Unsupported HMAC Identifier RFCXXXX
8.4. A New Table For HMAC Identifiers
HMAC Identifiers have to be maintained by IANA. Three initial values
should be assigned by IANA as described in Table 2. This requires a
new table "HMAC IDENTIFIERS" in sctp-parameters [7]:
HMAC Identifier Message Digest Algorithm REFERENCE
--------------- ------------------------ ---------
0 Reserved RFCXXXX
1 SHA-1 RFCXXXX
2 MD-5 RFCXXXX
9. Security Considerations
Without using endpoint shared keys this extensions only provides a
way of making sure that chunks being authenticated are received from
the same peer the association was established with. If an attacker
captures the association setup he can insert arbitrary packets in an
Tuexen, et al. Expires March 7, 2007 [Page 14]
Internet-Draft SCTP authentication chunk September 2006
authenticated way. But if the attacker does not capture the
association setup he can not inject packets.
If an endpoint pair shared key is used even a true man in the middle
cannot inject chunks which are required to be authenticated even if
he intercepts the initial message exchange. The endpoint also knows
that it is accepting authenticated chunks from a peer who knows the
endpoint pair shared key.
The establishment of endpoint pair shared keys is out of scope of
this document. Other mechanisms can be used like using TLS or manual
configuration.
Because SCTP has already a mechanism built-in that handles the
reception of duplicated chunks, the presented solution makes use of
this functionality and does not provide a method to avoid replay
attacks by itself. Of course, this only works within each SCTP
association. Therefore a separate shared key is used for each SCTP
association to handle replay attacks covering multiple SCTP
associations.
10. Acknowledgments
The authors wish to thank Sascha Grau, Ivan Arias Rodriguez, and
Irene Ruengeler for their invaluable comments.
11. Normative References
[1] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992.
[2] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
for Message Authentication", RFC 2104, February 1997.
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[4] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer,
H., Taylor, T., Rytina, I., Kalla, M., Zhang, L., and V. Paxson,
"Stream Control Transmission Protocol", RFC 2960, October 2000.
[5] Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport Layer
Security over Stream Control Transmission Protocol", RFC 3436,
December 2002.
[6] National Institute of Standards and Technology, "Secure Hash
Tuexen, et al. Expires March 7, 2007 [Page 15]
Internet-Draft SCTP authentication chunk September 2006
Standard", FIPS PUB 180-1, April 1995,
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>.
[7] <http://www.iana.org/assignments/sctp-parameters>
Authors' Addresses
Michael Tuexen
Muenster Univ. of Applied Sciences
Stegerwaldstr. 39
48565 Steinfurt
Germany
Email: tuexen@fh-muenster.de
Randall R. Stewart
Cisco Systems, Inc.
4875 Forest Drive
Suite 200
Columbia, SC 29206
USA
Email: rrs@cisco.com
Peter Lei
Cisco Systems, Inc.
8735 West Higgins Road
Suite 300
Chicago, IL 60631
USA
Phone:
Email: peterlei@cisco.com
Eric Rescorla
RTFM, Inc.
2064 Edgewood Drive
Palo Alto, CA 94303
USA
Phone: +1 650-320-8549
Email: ekr@rtfm.com
Tuexen, et al. Expires March 7, 2007 [Page 16]
Internet-Draft SCTP authentication chunk September 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Tuexen, et al. Expires March 7, 2007 [Page 17]
| PAFTECH AB 2003-2026 | 2026-04-23 11:27:24 |