One document matched: draft-tuexen-sctp-auth-chunk-01.txt
Differences from draft-tuexen-sctp-auth-chunk-00.txt
Network Working Group M. Tuexen
Internet-Draft Univ. of Applied Sciences Muenster
Expires: January 15, 2005 R. Stewart
P. Lei
Cisco Systems, Inc.
July 17, 2004
Authenticated Chunks for Stream Control Transmission Protocol (SCTP)
draft-tuexen-sctp-auth-chunk-01.txt
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 15, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document describes a new chunk type, several parameters and
procedures for SCTP. This new chunk type can be used to authenticate
SCTP chunks by using a secret shared between the sender and receiver.
The new parameters can be used to establish a shared secret if one is
not pre-known between the two peers.
Tuexen, et al. Expires January 15, 2005 [Page 1]
Internet-Draft SCTP authentication chunk July 2004
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. New Parameter Types . . . . . . . . . . . . . . . . . . . . . 3
3.1 Random Parameter (RANDOM) . . . . . . . . . . . . . . . . 4
3.2 Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . 4
3.3 Diffie-Hellman Public Key Parameter (PUBKEY) . . . . . . . 5
4. New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1 Authentication Chunk (AUTH) . . . . . . . . . . . . . . . 6
5. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1 Establishment of an association secret . . . . . . . . . . 7
5.2 Sending authenticated chunks . . . . . . . . . . . . . . . 8
5.3 Receiving authenticated chunks . . . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.1 Normative References . . . . . . . . . . . . . . . . . . . . 10
8.2 Informative References . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 11
Intellectual Property and Copyright Statements . . . . . . . . 13
Tuexen, et al. Expires January 15, 2005 [Page 2]
Internet-Draft SCTP authentication chunk July 2004
1. Introduction
SCTP uses 32 bit verification tags to protect itself against blind
attackers. These values are not changed during the lifetime of an
SCTP association.
Looking at new SCTP extensions there is the need to have a method of
proving that an SCTP chunk(s) was really sent by the original peer
that started the association and not by a malicious attacker.
Using TLS as defined in RFC3436 [8] does not help here because it
only secures SCTP user data.
Therefore an SCTP extension is presented in this document which
allows an SCTP sender to sign chunks using a shared secret between
the sender and receiver. The receiver can then verify, that the
chunks are sent from the sender and not from a malicious attacker.
This extension also provides a mechanism for deriving a shared secret
for each association. This association secret will be derived from a
endpoint pair secret, which is either preconfigured or calculated by
using the Diffie-Hellman key agreement algorithm.
2. Conventions
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, NOT RECOMMENDED, MAY, and OPTIONAL, when
they appear in this document, are to be interpreted as described in
RFC2119 [4].
3. New Parameter Types
This section defines the new parameter types that will be used to
negotiate the authentication during association setup. Figure 1
illustrates the new parameter types.
Parameter Type Parameter Name
--------------------------------------------------------------
0x8002 Random Parameter (RANDOM)
0x8003 Chunk List Parameter (CHUNKS)
0x8004 Diffie-Hellman Public Key Parameter (PUBKEY)
Figure 1
It should be noted that the parameter format requires the receiver to
ignore the parameter and continue processing if it is not understood.
This is accomplished as described in RFC2960 [7] section 3.2.1. by
the use of the upper bit of the parameter type.
Tuexen, et al. Expires January 15, 2005 [Page 3]
Internet-Draft SCTP authentication chunk July 2004
3.1 Random Parameter (RANDOM)
This parameter is used to carry an arbitrary length random number.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8002 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
\ Random Number /
/ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2
Parameter Type: 2 bytes (unsigned integer) This value MUST be set to
0x8002.
Parameter Length: 2 bytes (unsigned integer) This value is the length
of the Random Number plus 4.
Random Number: n bytes (unsigned integer) This value represents an
arbitrary Random Number in network byte order.
The RANDOM parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks.
3.2 Chunk List Parameter (CHUNKS)
This parameter is used to specify which chunk types are required to
be sent authenticated by the peer.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8003 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type 1 | Chunk Type 2 | Chunk Type 4 | Chunk Type 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
\ ... \
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type n | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Tuexen, et al. Expires January 15, 2005 [Page 4]
Internet-Draft SCTP authentication chunk July 2004
Figure 3
Parameter Type: 2 bytes (unsigned integer) This value MUST be set to
0x8003.
Parameter Length: 2 bytes (unsigned integer) This value is the number
of listed Chunk Types plus 4.
Chunk Type n: 1 byte (unsigned integer) Each Chunk Type listed is
required to be authenticated when sent by the peer.
The CHUNKS parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to receive authenticated chunks. Its
maximum length is 260 bytes.
3.3 Diffie-Hellman Public Key Parameter (PUBKEY)
This parameter specifies the public key of the sender and the
Diffie-Hellman group.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8004 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Diffie-Hellman Group Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
\ Public Key /
/ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4
Parameter Type: 2 bytes (unsigned integer) This value MUST be set to
0x8004.
Parameter Length: 2 bytes (unsigned integer) This value is the length
of the public key plus 8.
Diffie-Hellman Group Identifier: 4 bytes (unsigned integer) This
value identifies the Diffie-Hellman Group where the Public Key
belongs to. The following table shows the currently defined
Diffie-Hellman Group identifiers.
Tuexen, et al. Expires January 15, 2005 [Page 5]
Internet-Draft SCTP authentication chunk July 2004
DH Group ID DH Group
----------------------------------------------------------
1 Group 1 defined in section 6.1 of RFC 2409
2 Group 2 defined in section 6.2 of RFC 2409
5 Group 5 defined in chapter 2 of RFC 3526
14 Group 14 defined in chapter 3 of RFC 3526
15 Group 15 defined in chapter 4 of RFC 3526
16 Group 16 defined in chapter 5 of RFC 3526
17 Group 17 defined in chapter 6 of RFC 3526
18 Group 18 defined in chapter 7 of RFC 3526
Figure 5
Public Key: n bytes (unsigned integer) This value is the Public Key,
an unsigned integer in network byte order.
The PUBKEY parameter MUST be included in the INIT and INIT-ACK if
there is no pre-configured shared secret for the two end-points. If
the sender of the INIT supports multiple groups the parameter can be
included multiple times with different Group IDs. The sender of the
INIT-ACK can include at most one PUBKEY parameter and chooses
therefore the DH-group to be used.
4. New Chunk Type
This section defines the new chunk type that will be used to
authenticate chunks. Figure 6 illustrates the new chunk type.
Chunk Type Chunk Name
--------------------------------------------------------------
0x10 Authentication Chunk (AUTH)
Figure 6
It should be noted that the AUTH-chunk format requires the receiver
to ignore the chunk if it is not understood and silently discard all
chunks that follow. This is accomplished as described in RFC2960 [7]
section 3.2. by the use of the upper bit of the chunk type.
4.1 Authentication Chunk (AUTH)
This chunk is used to hold the result of the HMAC calculation.
Tuexen, et al. Expires January 15, 2005 [Page 6]
Internet-Draft SCTP authentication chunk July 2004
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x10 | Flags=0 | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
\ HMAC /
/ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7
Type: 1 byte (unsigned integer) This value MUST be set to 0x83 for
all AUTH-chunks.
Flags: 1 byte (unsigned integer) Set to zero on transmit and ignored
on receipt.
Length: 2 bytes (unsigned integer) This value holds the length of the
HMAC plus 8.
HMAC Identifier: 4 bytes (unsigned integer) This value describes
which message digest is being used. The following Figure 8 shows
the currently defined values.
HMAC Identifier Message Digest Algorithm
---------------------------------------------------------------
0 MD-5 defined in [1]
1 SHA-1 defined in [10]
Figure 8
HMAC: n bytes (unsigned integer) This hold the result of the HMAC
calculation.
The control chunk AUTH can appear at most once in an SCTP packet.
All control and data chunks which are placed after the AUTH chunk in
the packet are sent in an authenticated way. Those chunks placed in
a packet before the AUTH chunk are not authenticated.
5. Procedures
5.1 Establishment of an association secret
An SCTP endpoint willing to receive or send authenticated chunks has
to send one RANDOM parameter in its INIT or INIT-ACK chunk. The
Tuexen, et al. Expires January 15, 2005 [Page 7]
Internet-Draft SCTP authentication chunk July 2004
RANDOM parameter MUST contain a 32 byte random number. This random
number is handled like the verification tag in case of INIT
collisions. Therefore each endpoint knows its own random number and
the peers random number after the association has been established.
An SCTP endpoint has a list of chunks it only accepts if they are
received in an authenticated way. This list is included in the INIT
and INIT-ACK and MAY be omitted if it is empty. Since this list is
for an endpoint there is no problem in case of INIT collision.
There are different ways of agreeing on an endpoint pair secret. The
first way is that this secret is simply pre-configured. The second
way is that both end points have pre-configured knowledge of the
public keys in one DH group of each other. Then the DH key agreement
procedure of RFC2631 [6] is used to compute an endpoint pair secret.
In case of no pre-configured data, the sender of the INIT chunk MAY
specify multiple DH groups and public keys by including multiple
PUBKEY parameters. The sender MUST NOT include multiple PUBKEY
parameters for the same DH group identifier. The sender specifies a
priority by the sequence. The first PUBKEY parameter is the one with
the highest priority. The receiver of the INIT chunk chooses a
PUBKEY parameter which is acceptable to it (i.e. it is supported)
and has the highest priority among the PUBKEY parameters in the INIT.
The INIT receiver then creates a PUBKEY parameter with its own public
key in the selected DH group and places that single PUBKEY parameter
within the INIT-ACK. This also will works in case of an INIT
collision since at the end of the exchange the highest priority DH
group will be selected that both sides support. After the exchange
of the PUBKEY parameters both end points can compute an endpoint pair
secret using the key agreement procedure of RFC2631 [6].
From this endpoint pair secret the association secret is computed by
concatenating the endpoint pair secret with the random numbers
exchanged in the INIT and INIT-ACK. This is performed by selecting
the smaller random number and concatenating it to the "endpoint pair
secret". Then concatenating the larger of the random numbers to
that. If both random numbers are equal they may be concatenated to
the "endpoint pair secret" in any order. The concatenation is
performed on byte vectors representing all numbers in network byte
order. The result is the association secret shared by the two
endpoints.
5.2 Sending authenticated chunks
Chunks can only be authenticated when the SCTP association is in the
ESTABLISHED state. Both endpoints MUST send all those chunks
authenticated where this has been requested by the peer. The other
chunks MAY be sent authenticated.
Tuexen, et al. Expires January 15, 2005 [Page 8]
Internet-Draft SCTP authentication chunk July 2004
To send chunks in an authenticated way, the sender has to include
these chunks after an AUTH chunk. This means that a sender MUST
bundle chunks in order to authenticate them.
The sender MUST calculate the HMAC as defined in RFC2104 [3] using
the hash function H as described by the HMAC Identifier and the
shared association secret K. The 'data' used for the computation is
the AUTH-chunk as given by Figure 9 and all chunks that are placed
after the AUTH chunk in the SCTP packet.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x10 | Flags=0 | Chunk Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
\ 0 /
/ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9
Please note that all fields are in network byte order.
The sender fills the HMAC then into the HMAC field and sends the
packet.
5.3 Receiving authenticated chunks
The receiver has a list of chunk types which it expects to be
received only after an AUTH-chunk. This list has been sent to the
peer during the association setup. It MUST silently discard these
chunks if they are not placed after an AUTH chunk in the packet.
The receiver MUST use the HMAC algorithm indicated in the HMAC
Identifier field. If this algorithm is not known the AUTH chunk and
all chunks after it MUST silently be discarded.
The receiver now performs the same calculation as described for the
sender based on Figure 9. If the result of the calculation is the
same as given in the HMAC field, all chunks following the AUTH chunk
are processed. If the field does not match the result of the
calculation all these chunks MUST be silently discarded.
6. IANA Considerations
A chunk type for the AUTH chunk has to be assigned by IANA. It is
suggested to use the value given above.
Tuexen, et al. Expires January 15, 2005 [Page 9]
Internet-Draft SCTP authentication chunk July 2004
Parameter types have to be assigned for the RANDOM, CHUNKS and PUBKEY
parameter by IANA. It is suggested to use the values given above.
The HMAC Identifier and the DH group identifier have to be handled by
IANA. Initially the values given above should be registered.
7. Security Considerations
This section is still incomplete and misses a lot of things.
If the Diffie Hellman key agreement procedure is used a true man in
the middle can attack the communication if he is a true man in the
middle during the association establishment and as long as he is a
true man in middle.
Because SCTP has already mechanism built-in that handles the
reception of outdated packets the presented solution makes use of
this functionality and does not provide a method to avoid replay
attacks by itself. Of course, this only applies to each SCTP
association. Therefore a separate shared secret is used for each
SCTP association to handle replay attacks covering multiple SCTP
associations.
8. References
8.1 Normative References
[1] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
1992.
[2] Bradner, S., "The Internet Standards Process -- Revision 3",
BCP 9, RFC 2026, October 1996.
[3] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing
for Message Authentication", RFC 2104, February 1997.
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[5] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.
[6] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631,
June 1999.
[7] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer,
H., Taylor, T., Rytina, I., Kalla, M., Zhang, L. and V. Paxson,
"Stream Control Transmission Protocol", RFC 2960, October 2000.
Tuexen, et al. Expires January 15, 2005 [Page 10]
Internet-Draft SCTP authentication chunk July 2004
[8] Jungmaier, A., Rescorla, E. and M. Tuexen, "Transport Layer
Security over Stream Control Transmission Protocol", RFC 3436,
December 2002.
[9] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE)", RFC
3526, May 2003.
[10] National Institute of Standards and Technology, "Secure Hash
Standard", FIPS PUB 180-1, April 1995, <http://
www.itl.nist.gov/fipspubs/fip180-1.htm>.
8.2 Informative References
[11] Stewart, R., "Stream Control Transmission Protocol (SCTP)
Dynamic Address Reconfiguration",
draft-ietf-tsvwg-addip-sctp-09 (work in progress), June 2004.
Authors' Addresses
Michael Tuexen
Univ. of Applied Sciences Muenster
Stegerwaldstr. 39
48565 Steinfurt
Germany
EMail: tuexen@fh-muenster.de
Randall R. Stewart
Cisco Systems, Inc.
4875 Forest Drive
Suite 200
Columbia, SC 29206
USA
EMail: rrs@cisco.com
Tuexen, et al. Expires January 15, 2005 [Page 11]
Internet-Draft SCTP authentication chunk July 2004
Peter Lei
Cisco Systems, Inc.
8735 West Higgins Road
Suite 300
Chicago, IL 60631
USA
Phone:
EMail: peterlei@cisco.com
Tuexen, et al. Expires January 15, 2005 [Page 12]
Internet-Draft SCTP authentication chunk July 2004
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Tuexen, et al. Expires January 15, 2005 [Page 13]
| PAFTECH AB 2003-2026 | 2026-04-24 02:51:54 |