Gitiles
Code Review Sign In
realtimeroboticsgroup.org / RealtimeRoboticsGroup / test / 8d0a285bc1fbcd994610cfa09617d06afced3234 / . / doc / rfc4895.txt
blob: e877f5addc1275fe43396f237f25a003c7cf3126 [file] [log] [blame]
Austin Schuh8d0a2852019-12-28 22:54:28 -0800[diff] [blame^]1
2
3
4
5
6
7Network Working Group M. Tuexen
8Request for Comments: 4895 Muenster Univ. of Applied Sciences
9Category: Standards Track R. Stewart
10 P. Lei
11 Cisco Systems, Inc.
12 E. Rescorla
13 RTFM, Inc.
14 August 2007
15
16
17 Authenticated Chunks for
18 the Stream Control Transmission Protocol (SCTP)
19
20Status of This Memo
21
22 This document specifies an Internet standards track protocol for the
23 Internet community, and requests discussion and suggestions for
24 improvements. Please refer to the current edition of the "Internet
25 Official Protocol Standards" (STD 1) for the standardization state
26 and status of this protocol. Distribution of this memo is unlimited.
27
28Abstract
29
30 This document describes a new chunk type, several parameters, and
31 procedures for the Stream Control Transmission Protocol (SCTP). This
32 new chunk type can be used to authenticate SCTP chunks by using
33 shared keys between the sender and receiver. The new parameters are
34 used to establish the shared keys.
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58Tuexen, et al. Standards Track [Page 1]
59
60RFC 4895 SCTP Authentication Chunk August 2007
61
62
63Table of Contents
64
65 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
66 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
67 3. New Parameter Types . . . . . . . . . . . . . . . . . . . . . 4
68 3.1. Random Parameter (RANDOM) . . . . . . . . . . . . . . . . 4
69 3.2. Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . 5
70 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) . . . . . . 6
71 4. New Error Cause . . . . . . . . . . . . . . . . . . . . . . . 7
72 4.1. Unsupported HMAC Identifier Error Cause . . . . . . . . . 7
73 5. New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . . 8
74 5.1. Authentication Chunk (AUTH) . . . . . . . . . . . . . . . 8
75 6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 10
76 6.1. Establishment of an Association Shared Key . . . . . . . . 10
77 6.2. Sending Authenticated Chunks . . . . . . . . . . . . . . . 11
78 6.3. Receiving Authenticated Chunks . . . . . . . . . . . . . . 12
79 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
80 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
81 8.1. A New Chunk Type . . . . . . . . . . . . . . . . . . . . . 15
82 8.2. Three New Parameter Types . . . . . . . . . . . . . . . . 15
83 8.3. A New Error Cause . . . . . . . . . . . . . . . . . . . . 15
84 8.4. A New Table for HMAC Identifiers . . . . . . . . . . . . . 16
85 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16
86 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
87 11. Normative References . . . . . . . . . . . . . . . . . . . . . 17
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114Tuexen, et al. Standards Track [Page 2]
115
116RFC 4895 SCTP Authentication Chunk August 2007
117
118
1191. Introduction
120
121 SCTP uses 32-bit verification tags to protect itself against blind
122 attackers. These values are not changed during the lifetime of an
123 SCTP association.
124
125 Looking at new SCTP extensions, there is the need to have a method of
126 proving that an SCTP chunk(s) was really sent by the original peer
127 that started the association and not by a malicious attacker.
128
129 Using Transport Layer Security (TLS), as defined in RFC 3436 [6],
130 does not help because it only secures SCTP user data.
131
132 Therefore, an SCTP extension that provides a mechanism for deriving
133 shared keys for each association is presented. These association
134 shared keys are derived from endpoint pair shared keys, which are
135 configured and might be empty, and data that is exchanged during the
136 SCTP association setup.
137
138 The extension presented in this document allows an SCTP sender to
139 authenticate chunks using shared keys between the sender and
140 receiver. The receiver can then verify that the chunks are sent from
141 the sender and not from a malicious attacker (as long as the attacker
142 does not know an association shared key).
143
144 The extension described in this document places the result of a
145 Hashed Message Authentication Code (HMAC) computation before the data
146 covered by that computation. Placing it at the end of the packet
147 would have required placing a control chunk after DATA chunks in case
148 of authenticating DATA chunks. This would break the rule that
149 control chunks occur before DATA chunks in SCTP packets. It should
150 also be noted that putting the result of the HMAC computation after
151 the data being covered would not allow sending the packet during the
152 computation of the HMAC because the result of the HMAC computation is
153 needed to compute the CRC32C checksum of the SCTP packet, which is
154 placed in the common header of the SCTP packet.
155
156 The SCTP extension for Dynamic Address Reconfiguration (ADD-IP)
157 requires the usage of the extension described in this document. The
158 SCTP Partial Reliability Extension (PR-SCTP) can be used in
159 conjunction with the extension described in this document.
160
1612. Conventions
162
163 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
164 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
165 "OPTIONAL", when they appear in this document, are to be interpreted
166 as described in RFC 2119 [3].
167
168
169
170Tuexen, et al. Standards Track [Page 3]
171
172RFC 4895 SCTP Authentication Chunk August 2007
173
174
1753. New Parameter Types
176
177 This section defines the new parameter types that will be used to
178 negotiate the authentication during association setup. Table 1
179 illustrates the new parameter types.
180
181 +----------------+------------------------------------------------+
182 | Parameter Type | Parameter Name |
183 +----------------+------------------------------------------------+
184 | 0x8002 | Random Parameter (RANDOM) |
185 | 0x8003 | Chunk List Parameter (CHUNKS) |
186 | 0x8004 | Requested HMAC Algorithm Parameter (HMAC-ALGO) |
187 +----------------+------------------------------------------------+
188
189 Table 1
190
191 Note that the parameter format requires the receiver to ignore the
192 parameter and continue processing if the parameter is not understood.
193 This is accomplished (as described in RFC 2960 [5], Section 3.2.1.)
194 by the use of the upper bits of the parameter type.
195
1963.1. Random Parameter (RANDOM)
197
198 This parameter is used to carry a random number of an arbitrary
199 length.
200
201 0 1 2 3
202 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
203 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
204 | Parameter Type = 0x8002 | Parameter Length |
205 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
206 | |
207 \ Random Number /
208 / +-------------------------------\
209 | | Padding |
210 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
211
212 Figure 1
213
214 Parameter Type: 2 bytes (unsigned integer)
215 This value MUST be set to 0x8002.
216
217 Parameter Length: 2 bytes (unsigned integer)
218 This value is the length of the Random Number in bytes plus 4.
219
220
221
222
223
224
225
226Tuexen, et al. Standards Track [Page 4]
227
228RFC 4895 SCTP Authentication Chunk August 2007
229
230
231 Random Number: n bytes (unsigned integer)
232 This value represents an arbitrary Random Number in network byte
233 order.
234
235 Padding: 0, 1, 2, or 3 bytes (unsigned integer)
236 If the length of the Random Number is not a multiple of 4 bytes,
237 the sender MUST pad the parameter with all zero bytes to make the
238 parameter 32-bit aligned. The Padding MUST NOT be longer than 3
239 bytes and it MUST be ignored by the receiver.
240
241 The RANDOM parameter MUST be included once in the INIT or INIT-ACK
242 chunk, if the sender wants to send or receive authenticated chunks,
243 to provide a 32-byte Random Number. For 32-byte Random Numbers, the
244 Padding is empty.
245
2463.2. Chunk List Parameter (CHUNKS)
247
248 This parameter is used to specify which chunk types are required to
249 be authenticated before being sent by the peer.
250
251 0 1 2 3
252 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
254 | Parameter Type = 0x8003 | Parameter Length |
255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
256 | Chunk Type 1 | Chunk Type 2 | Chunk Type 3 | Chunk Type 4 |
257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
258 / /
259 \ ... \
260 / /
261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
262 | Chunk Type n | Padding |
263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
264
265 Figure 2
266
267 Parameter Type: 2 bytes (unsigned integer)
268 This value MUST be set to 0x8003.
269
270 Parameter Length: 2 bytes (unsigned integer)
271 This value is the number of listed Chunk Types plus 4.
272
273 Chunk Type n: 1 byte (unsigned integer)
274 Each Chunk Type listed is required to be authenticated when sent
275 by the peer.
276
277
278
279
280
281
282Tuexen, et al. Standards Track [Page 5]
283
284RFC 4895 SCTP Authentication Chunk August 2007
285
286
287 Padding: 0, 1, 2, or 3 bytes (unsigned integer)
288 If the number of Chunk Types is not a multiple of 4, the sender
289 MUST pad the parameter with all zero bytes to make the parameter
290 32-bit aligned. The Padding MUST NOT be longer than 3 bytes and
291 it MUST be ignored by the receiver.
292
293 The CHUNKS parameter MUST be included once in the INIT or INIT-ACK
294 chunk if the sender wants to receive authenticated chunks. Its
295 maximum length is 260 bytes.
296
297 The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE, and AUTH
298 chunks MUST NOT be listed in the CHUNKS parameter. However, if a
299 CHUNKS parameter is received then the types for INIT, INIT-ACK,
300 SHUTDOWN-COMPLETE, and AUTH chunks MUST be ignored.
301
3023.3. Requested HMAC Algorithm Parameter (HMAC-ALGO)
303
304 This parameter is used to list the HMAC Identifiers the peer MUST
305 use.
306
307 0 1 2 3
308 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
309 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
310 | Parameter Type = 0x8004 | Parameter Length |
311 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
312 | HMAC Identifier 1 | HMAC Identifier 2 |
313 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
314 / /
315 \ ... \
316 / /
317 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
318 | HMAC Identifier n | Padding |
319 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
320
321 Figure 3
322
323 Parameter Type: 2 bytes (unsigned integer)
324 This value MUST be set to 0x8004.
325
326 Parameter Length: 2 bytes (unsigned integer)
327 This value is the number of HMAC Identifiers multiplied by 2, plus
328 4.
329
330 HMAC Identifier n: 2 bytes (unsigned integer)
331 The values expressed are a list of HMAC Identifiers that may be
332 used by the peer. The values are listed by preference, with
333 respect to the sender, where the first HMAC Identifier listed is
334 the one most preferable to the sender.
335
336
337
338Tuexen, et al. Standards Track [Page 6]
339
340RFC 4895 SCTP Authentication Chunk August 2007
341
342
343 Padding: 0 or 2 bytes (unsigned integer)
344 If the number of HMAC Identifiers is not even, the sender MUST pad
345 the parameter with all zero bytes to make the parameter 32-bit
346 aligned. The Padding MUST be 0 or 2 bytes long and it MUST be
347 ignored by the receiver.
348
349 The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK
350 chunk if the sender wants to send or receive authenticated chunks.
351
352 Table 2 shows the currently defined values for HMAC Identifiers.
353
354 +-----------------+--------------------------+
355 | HMAC Identifier | Message Digest Algorithm |
356 +-----------------+--------------------------+
357 | 0 | Reserved |
358 | 1 | SHA-1 defined in [8] |
359 | 2 | Reserved |
360 | 3 | SHA-256 defined in [8] |
361 +-----------------+--------------------------+
362
363 Table 2
364
365 Every endpoint supporting SCTP chunk authentication MUST support the
366 HMAC based on the SHA-1 algorithm.
367
3684. New Error Cause
369
370 This section defines a new error cause that will be sent if an AUTH
371 chunk is received with an unsupported HMAC Identifier. Table 3
372 illustrates the new error cause.
373
374 +------------+-----------------------------+
375 | Cause Code | Error Cause Name |
376 +------------+-----------------------------+
377 | 0x0105 | Unsupported HMAC Identifier |
378 +------------+-----------------------------+
379
380 Table 3
381
3824.1. Unsupported HMAC Identifier Error Cause
383
384 This error cause is used to indicate that an AUTH chunk has been
385 received with an unsupported HMAC Identifier.
386
387
388
389
390
391
392
393
394Tuexen, et al. Standards Track [Page 7]
395
396RFC 4895 SCTP Authentication Chunk August 2007
397
398
399 0 1 2 3
400 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
401 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
402 | Cause Code = 0x0105 | Cause Length = 6 |
403 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
404 | HMAC Identifier | Padding |
405 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
406
407 Figure 4
408
409 Cause Code: 2 bytes (unsigned integer)
410 This value MUST be set to 0x0105.
411
412 Cause Length: 2 bytes (unsigned integer)
413 This value MUST be set to 6.
414
415 HMAC Identifier: 2 bytes (unsigned integer)
416 This value is the HMAC Identifier which is not supported.
417
418 Padding: 2 bytes (unsigned integer)
419 The sender MUST pad the error cause with all zero bytes to make
420 the cause 32-bit aligned. The Padding MUST be 2 bytes long and it
421 MUST be ignored by the receiver.
422
4235. New Chunk Type
424
425 This section defines the new chunk type that will be used to
426 authenticate chunks. Table 4 illustrates the new chunk type.
427
428 +------------+-----------------------------+
429 | Chunk Type | Chunk Name |
430 +------------+-----------------------------+
431 | 0x0F | Authentication Chunk (AUTH) |
432 +------------+-----------------------------+
433
434 Table 4
435
436 It should be noted that the AUTH-chunk format requires the receiver
437 to ignore the chunk if it is not understood and silently discard all
438 chunks that follow. This is accomplished (as described in RFC 2960
439 [5], Section 3.2.) by the use of the upper bits of the chunk type.
440
4415.1. Authentication Chunk (AUTH)
442
443 This chunk is used to hold the result of the HMAC calculation.
444
445
446
447
448
449
450Tuexen, et al. Standards Track [Page 8]
451
452RFC 4895 SCTP Authentication Chunk August 2007
453
454
455 0 1 2 3
456 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
457 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
458 | Type = 0x0F | Flags=0 | Length |
459 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
460 | Shared Key Identifier | HMAC Identifier |
461 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
462 | |
463 \ HMAC /
464 / \
465 / +-------------------------------\
466 | | Padding |
467 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
468
469 Figure 5
470
471 Type: 1 byte (unsigned integer)
472 This value MUST be set to 0x0F for all AUTH-chunks.
473
474 Flags: 1 byte (unsigned integer)
475 SHOULD be set to zero on transmit and MUST be ignored on receipt.
476
477 Length: 2 bytes (unsigned integer)
478 This value holds the length of the HMAC in bytes plus 8.
479
480 Shared Key Identifier: 2 bytes (unsigned integer)
481 This value describes which endpoint pair shared key is used.
482
483 HMAC Identifier: 2 bytes (unsigned integer)
484 This value describes which message digest is being used. Table 2
485 shows the currently defined values.
486
487 HMAC: n bytes (unsigned integer)
488 This holds the result of the HMAC calculation.
489
490 Padding: 0, 1, 2, or 3 bytes (unsigned integer)
491 If the length of the HMAC is not a multiple of 4 bytes, the sender
492 MUST pad the chunk with all zero bytes to make the chunk 32-bit
493 aligned. The Padding MUST NOT be longer than 3 bytes and it MUST
494 be ignored by the receiver.
495
496 The control chunk AUTH MUST NOT appear more than once in an SCTP
497 packet. All control and data chunks that are placed after the AUTH
498 chunk in the packet are sent in an authenticated way. Those chunks
499 placed in a packet before the AUTH chunk are not authenticated.
500 Please note that DATA chunks can not appear before control chunks in
501 an SCTP packet.
502
503
504
505
506Tuexen, et al. Standards Track [Page 9]
507
508RFC 4895 SCTP Authentication Chunk August 2007
509
510
5116. Procedures
512
5136.1. Establishment of an Association Shared Key
514
515 An SCTP endpoint willing to receive or send authenticated chunks MUST
516 send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM
517 parameter MUST contain a 32-byte Random Number. The Random Number
518 should be generated in accordance with RFC 4086 [7]. If the Random
519 Number is not 32 bytes, the association MUST be aborted. The ABORT
520 chunk SHOULD contain the error cause 'Protocol Violation'. In case
521 of INIT collision, the rules governing the handling of this Random
522 Number follow the same pattern as those for the Verification Tag, as
523 explained in Section 5.2.4 of RFC 2960 [5]. Therefore, each endpoint
524 knows its own Random Number and the peer's Random Number after the
525 association has been established.
526
527 An SCTP endpoint has a list of chunks it only accepts if they are
528 received in an authenticated way. This list is included in the INIT
529 and INIT-ACK, and MAY be omitted if it is empty. Since this list
530 does not change during the lifetime of the SCTP endpoint there is no
531 problem in case of INIT collision.
532
533 Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO
534 parameter containing a list of HMAC Identifiers it requests the peer
535 to use. The receiver of an HMAC-ALGO parameter SHOULD use the first
536 listed algorithm it supports. The HMAC algorithm based on SHA-1 MUST
537 be supported and included in the HMAC-ALGO parameter. An SCTP
538 endpoint MUST NOT change the parameters listed in the HMAC-ALGO
539 parameter during the lifetime of the endpoint.
540
541 Both endpoints of an association MAY have endpoint pair shared keys
542 that are byte vectors and pre-configured or established by another
543 mechanism. They are identified by the Shared Key Identifier. For
544 each endpoint pair shared key, an association shared key is computed.
545 If there is no endpoint pair shared key, only one association shared
546 key is computed by using an empty byte vector as the endpoint pair
547 shared key.
548
549 The RANDOM parameter, the CHUNKS parameter, and the HMAC-ALGO
550 parameter sent by each endpoint are concatenated as byte vectors.
551 These parameters include the parameter type, parameter length, and
552 the parameter value, but padding is omitted; all padding MUST be
553 removed from this concatenation before proceeding with further
554 computation of keys. Parameters that were not sent are simply
555 omitted from the concatenation process. The resulting two vectors
556 are called the two key vectors.
557
558
559
560
561
562Tuexen, et al. Standards Track [Page 10]
563
564RFC 4895 SCTP Authentication Chunk August 2007
565
566
567 From the endpoint pair shared keys and the key vectors, the
568 association shared keys are computed. This is performed by selecting
569 the numerically smaller key vector and concatenating it to the
570 endpoint pair shared key, and then concatenating the numerically
571 larger key vector to that. If the key vectors are equal as numbers
572 but differ in length, then the concatenation order is the endpoint
573 shared key, followed by the shorter key vector, followed by the
574 longer key vector. Otherwise, the key vectors are identical, and may
575 be concatenated to the endpoint pair key in any order. The
576 concatenation is performed on byte vectors, and all numerical
577 comparisons use network byte order to convert the key vectors to a
578 number. The result of the concatenation is the association shared
579 key.
580
5816.2. Sending Authenticated Chunks
582
583 Endpoints MUST send all requested chunks that have been authenticated
584 where this has been requested by the peer. The other chunks MAY be
585 sent whether or not they have been authenticated. If endpoint pair
586 shared keys are used, one of them MUST be selected for
587 authentication.
588
589 To send chunks in an authenticated way, the sender MUST include these
590 chunks after an AUTH chunk. This means that a sender MUST bundle
591 chunks in order to authenticate them.
592
593 If the endpoint has no endpoint pair shared key for the peer, it MUST
594 use Shared Key Identifier zero with an empty endpoint pair shared
595 key. If there are multiple endpoint shared keys the sender selects
596 one and uses the corresponding Shared Key Identifier.
597
598 The sender MUST calculate the Message Authentication Code (MAC) (as
599 described in RFC 2104 [2]) using the hash function H as described by
600 the HMAC Identifier and the shared association key K based on the
601 endpoint pair shared key described by the Shared Key Identifier. The
602 'data' used for the computation of the AUTH-chunk is given by the
603 AUTH chunk with its HMAC field set to zero (as shown in Figure 6)
604 followed by all the chunks that are placed after the AUTH chunk in
605 the SCTP packet.
606
607
608
609
610
611
612
613
614
615
616
617
618Tuexen, et al. Standards Track [Page 11]
619
620RFC 4895 SCTP Authentication Chunk August 2007
621
622
623 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
624 | Type = 0x0F | Flags=0 | Chunk Length |
625 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
626 | Shared Key Identifier | HMAC Identifier |
627 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
628 | |
629 \ 0 /
630 / +-------------------------------\
631 | | Padding |
632 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
633
634 Figure 6
635
636 Please note that all fields are in network byte order and that the
637 field that will contain the complete HMAC is filled with zeroes. The
638 length of the field shown as zero is the length of the HMAC described
639 by the HMAC Identifier. The padding of all chunks being
640 authenticated MUST be included in the HMAC computation.
641
642 The sender fills the HMAC into the HMAC field and sends the packet.
643
6446.3. Receiving Authenticated Chunks
645
646 The receiver has a list of chunk types that it expects to be received
647 only after an AUTH-chunk. This list has been sent to the peer during
648 the association setup. It MUST silently discard these chunks if they
649 are not placed after an AUTH chunk in the packet.
650
651 The receiver MUST use the HMAC algorithm indicated in the HMAC
652 Identifier field. If this algorithm was not specified by the
653 receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
654 during association setup, the AUTH chunk and all the chunks after it
655 MUST be discarded and an ERROR chunk SHOULD be sent with the error
656 cause defined in Section 4.1.
657
658 If an endpoint with no shared key receives a Shared Key Identifier
659 other than 0, it MUST silently discard all authenticated chunks. If
660 the endpoint has at least one endpoint pair shared key for the peer,
661 it MUST use the key specified by the Shared Key Identifier if a key
662 has been configured for that Shared Key Identifier. If no endpoint
663 pair shared key has been configured for that Shared Key Identifier,
664 all authenticated chunks MUST be silently discarded.
665
666 The receiver now performs the same calculation as described for the
667 sender based on Figure 6. If the result of the calculation is the
668
669
670
671
672
673
674Tuexen, et al. Standards Track [Page 12]
675
676RFC 4895 SCTP Authentication Chunk August 2007
677
678
679 same as given in the HMAC field, all the chunks following the AUTH
680 chunk are processed. If the field does not match the result of the
681 calculation, all the chunks following the AUTH chunk MUST be silently
682 discarded.
683
684 It should be noted that if the receiver wants to tear down an
685 association in an authenticated way only, the handling of malformed
686 packets should not result in tearing down the association.
687
688 An SCTP implementation has to maintain state for each SCTP
689 association. In the following, we call this data structure the SCTP
690 transmission control block (STCB).
691
692 When an endpoint requires COOKIE-ECHO chunks to be authenticated,
693 some special procedures have to be followed because the reception of
694 a COOKIE-ECHO chunk might result in the creation of an SCTP
695 association. If a packet arrives containing an AUTH chunk as a first
696 chunk, a COOKIE-ECHO chunk as the second chunk, and possibly more
697 chunks after them, and the receiver does not have an STCB for that
698 packet, then authentication is based on the contents of the COOKIE-
699 ECHO chunk. In this situation, the receiver MUST authenticate the
700 chunks in the packet by using the RANDOM parameters, CHUNKS
701 parameters and HMAC_ALGO parameters obtained from the COOKIE-ECHO
702 chunk, and possibly a local shared secret as inputs to the
703 authentication procedure specified in Section 6.3. If authentication
704 fails, then the packet is discarded. If the authentication is
705 successful, the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
706 MUST be processed. If the receiver has an STCB, it MUST process the
707 AUTH chunk as described above using the STCB from the existing
708 association to authenticate the COOKIE-ECHO chunk and all the chunks
709 after it.
710
711 If the receiver does not find an STCB for a packet containing an AUTH
712 chunk as the first chunk and does not find a COOKIE-ECHO chunk as the
713 second chunk, it MUST use the chunks after the AUTH chunk to look up
714 an existing association. If no association is found, the packet MUST
715 be considered as out of the blue. The out of the blue handling MUST
716 be based on the packet without taking the AUTH chunk into account.
717 If an association is found, it MUST process the AUTH chunk using the
718 STCB from the existing association as described earlier.
719
720 Requiring ABORT chunks and COOKIE-ECHO chunks to be authenticated
721 makes it impossible for an attacker to bring down or restart an
722 association as long as the attacker does not know the association
723 shared key. But it should also be noted that if an endpoint accepts
724 ABORT chunks only in an authenticated way, it may take longer to
725 detect that the peer is no longer available. If an endpoint accepts
726 COOKIE-ECHO chunks only in an authenticated way, the restart
727
728
729
730Tuexen, et al. Standards Track [Page 13]
731
732RFC 4895 SCTP Authentication Chunk August 2007
733
734
735 procedure does not work, because the restarting endpoint most likely
736 does not know the association shared key of the old association to be
737 restarted. However, if the restarting endpoint does know the old
738 association shared key, he can successfully send the COOKIE-ECHO
739 chunk in a way that it is accepted by the peer by using this old
740 association shared key for the packet containing the AUTH chunk.
741 After this operation, both endpoints have to use the new association
742 shared key.
743
744 If a server has an endpoint pair shared key with some clients, it can
745 request the COOKIE_ECHO chunk to be authenticated and can ensure that
746 only associations from clients with a correct endpoint pair shared
747 key are accepted.
748
749 Furthermore, it is important that the cookie contained in an INIT-ACK
750 chunk and in a COOKIE-ECHO chunk MUST NOT contain any endpoint pair
751 shared keys.
752
7537. Examples
754
755 This section gives examples of message exchanges for association
756 setup.
757
758 The simplest way of using the extension described in this document is
759 given by the following message exchange.
760
761 ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
762 <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
763 -------------------- COOKIE-ECHO -------------------->
764 <-------------------- COOKIE-ACK ---------------------
765
766 Please note that the CHUNKS parameter is optional in the INIT and
767 INIT-ACK.
768
769 If the server wants to receive DATA chunks in an authenticated way,
770 the following message exchange is possible:
771
772 ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
773 <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
774 --------------- COOKIE-ECHO; AUTH; DATA ------------->
775 <----------------- COOKIE-ACK; SACK ------------------
776
777 Please note that if the endpoint pair shared key depends on the
778 client and the server, and is only known by the upper layer, this
779 message exchange requires an upper layer intervention between the
780 processing of the COOKIE-ECHO chunk and the processing of the AUTH
781 and DATA chunk at the server side. This intervention may be realized
782 by a COMMUNICATION-UP notification followed by the presentation of
783
784
785
786Tuexen, et al. Standards Track [Page 14]
787
788RFC 4895 SCTP Authentication Chunk August 2007
789
790
791 the endpoint pair shared key by the upper layer to the SCTP stack,
792 see for example Section 10 of RFC 2960 [5]. If this intervention is
793 not possible due to limitations of the API (for example, the socket
794 API), the server might discard the AUTH and DATA chunk, making a
795 retransmission of the DATA chunk necessary. If the same endpoint
796 pair shared key is used for multiple endpoints and does not depend on
797 the client, this intervention might not be necessary.
798
7998. IANA Considerations
800
801 This document (RFC 4895) is the reference for all registrations
802 described in this section. All registrations need to be listed in
803 the document available at SCTP-parameters [9]. The changes are
804 described below.
805
8068.1. A New Chunk Type
807
808 A chunk type for the AUTH chunk has been assigned by IANA. IANA has
809 assigned the value (15), as given in Table 4. An additional line has
810 been added in the "CHUNK TYPES" table of SCTP-parameters [9]:
811
812 CHUNK TYPES
813
814 ID Value Chunk Type Reference
815 ----- ---------- ---------
816 15 Authentication Chunk (AUTH) [RFC4895]
817
8188.2. Three New Parameter Types
819
820 Parameter types have been assigned for the RANDOM, CHUNKS, and HMAC-
821 ALGO parameter by IANA. The values are as given in Table 1. This
822 required two modifications to the "CHUNK PARAMETER TYPES" tables in
823 SCTP-parameters [9]: the first is the addition of three new lines to
824 the "INIT Chunk Parameter Types" table:
825
826 Chunk Parameter Type Value
827 -------------------- -----
828 Random 32770 (0x8002)
829 Chunk List 32771 (0x8003)
830 Requested HMAC Algorithm Parameter 32772 (0x8004)
831
832 The second required change is the addition of the same three lines to
833 the to the "INIT ACK Chunk Parameter Types" table.
834
8358.3. A New Error Cause
836
837 An error cause for the Unsupported HMAC Identifier error cause has
838 been assigned. The value (261) has been assigned as in Table 3.
839
840
841
842Tuexen, et al. Standards Track [Page 15]
843
844RFC 4895 SCTP Authentication Chunk August 2007
845
846
847 This requires an additional line of the "CAUSE CODES" table in SCTP-
848 parameters [9]:
849
850 VALUE CAUSE CODE REFERENCE
851 ----- ---------------- ---------
852 261 (0x0105) Unsupported HMAC Identifier [RFC4895]
853
8548.4. A New Table for HMAC Identifiers
855
856 HMAC Identifiers have to be maintained by IANA. Four initial values
857 have been assigned by IANA as described in Table 2. This required a
858 new table "HMAC IDENTIFIERS" in SCTP-parameters [9]:
859
860 HMAC Identifier Message Digest Algorithm REFERENCE
861 --------------- ------------------------ ---------
862 0 Reserved [RFC4895]
863 1 SHA-1 [RFC4895]
864 2 Reserved [RFC4895]
865 3 SHA-256 [RFC4895]
866
867 For registering a new HMAC Identifier with IANA, in this table, a
868 request has to be made to assign such a number. This number must be
869 unique and a message digest algorithm usable with the HMAC defined in
870 RFC 2104 [2] MUST be specified. The "Specification Required" policy
871 of RFC 2434 [4] MUST be applied.
872
8739. Security Considerations
874
875 Without using endpoint shared keys, this extension only protects
876 against modification or injection of authenticated chunks by
877 attackers who did not capture the initial handshake setting up the
878 SCTP association.
879
880 If an endpoint pair shared key is used, even a true man in the middle
881 cannot inject chunks, which are required to be authenticated, even if
882 he intercepts the initial message exchange. The endpoint also knows
883 that it is accepting authenticated chunks from a peer who knows the
884 endpoint pair shared key.
885
886 The establishment of endpoint pair shared keys is out of the scope of
887 this document. Other mechanisms can be used, like using TLS or
888 manual configuration.
889
890 When an endpoint accepts COOKIE-ECHO chunks only in an authenticated
891 way the restart procedure does not work. Neither an attacker nor a
892 restarted endpoint not knowing the association shared key can perform
893 an restart. However, if the association shared key is known, it is
894 possible to restart the association.
895
896
897
898Tuexen, et al. Standards Track [Page 16]
899
900RFC 4895 SCTP Authentication Chunk August 2007
901
902
903 Because SCTP already has a built-in mechanism that handles the
904 reception of duplicated chunks, the presented solution makes use of
905 this functionality and does not provide a method to avoid replay
906 attacks by itself. Of course, this only works within each SCTP
907 association. Therefore, a separate shared key is used for each SCTP
908 association to handle replay attacks covering multiple SCTP
909 associations.
910
911 Each endpoint presenting a list of more than one element in the HMAC-
912 ALGO parameter must be prepared for the peer using the weakest
913 algorithm listed.
914
915 When an endpoint pair uses non-NULL endpoint pair shared keys and one
916 of the endpoints still accepts a NULL key, an attacker who captured
917 the initial handshake can still inject or modify authenticated chunks
918 by using the NULL key.
919
92010. Acknowledgments
921
922 The authors wish to thank David Black, Sascha Grau, Russ Housley,
923 Ivan Arias Rodriguez, Irene Ruengeler, and Magnus Westerlund for
924 their invaluable comments.
925
92611. Normative References
927
928 [1] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
929 April 1992.
930
931 [2] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
932 for Message Authentication", RFC 2104, February 1997.
933
934 [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
935 Levels", BCP 14, RFC 2119, March 1997.
936
937 [4] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
938 Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
939
940 [5] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer,
941 H., Taylor, T., Rytina, I., Kalla, M., Zhang, L., and V. Paxson,
942 "Stream Control Transmission Protocol", RFC 2960, October 2000.
943
944 [6] Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport Layer
945 Security over Stream Control Transmission Protocol", RFC 3436,
946 December 2002.
947
948 [7] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
949 Requirements for Security", BCP 106, RFC 4086, June 2005.
950
951
952
953
954Tuexen, et al. Standards Track [Page 17]
955
956RFC 4895 SCTP Authentication Chunk August 2007
957
958
959 [8] National Institute of Standards and Technology, "Secure Hash
960 Standard", FIPS PUB 180-2, August 2002,
961 <http://csrc.nist.gov/publications/fips/fips180-2/
962 fips180-2.pdf>.
963
964 [9] <http://www.iana.org/assignments/sctp-parameters>
965
966Authors' Addresses
967
968 Michael Tuexen
969 Muenster Univ. of Applied Sciences
970 Stegerwaldstr. 39
971 48565 Steinfurt
972 Germany
973
974 EMail: tuexen@fh-muenster.de
975
976
977 Randall R. Stewart
978 Cisco Systems, Inc.
979 4875 Forest Drive
980 Suite 200
981 Columbia, SC 29206
982 USA
983
984 EMail: rrs@cisco.com
985
986
987 Peter Lei
988 Cisco Systems, Inc.
989 8735 West Higgins Road
990 Suite 300
991 Chicago, IL 60631
992 USA
993
994 Phone:
995 EMail: peterlei@cisco.com
996
997
998 Eric Rescorla
999 RTFM, Inc.
1000 2064 Edgewood Drive
1001 Palo Alto, CA 94303
1002 USA
1003
1004 Phone: +1 650-320-8549
1005 EMail: ekr@rtfm.com
1006
1007
1008
1009
1010Tuexen, et al. Standards Track [Page 18]
1011
1012RFC 4895 SCTP Authentication Chunk August 2007
1013
1014
1015Full Copyright Statement
1016
1017 Copyright (C) The IETF Trust (2007).
1018
1019 This document is subject to the rights, licenses and restrictions
1020 contained in BCP 78, and except as set forth therein, the authors
1021 retain all their rights.
1022
1023 This document and the information contained herein are provided on an
1024 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1025 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1026 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1027 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1028 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1029 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1030
1031Intellectual Property
1032
1033 The IETF takes no position regarding the validity or scope of any
1034 Intellectual Property Rights or other rights that might be claimed to
1035 pertain to the implementation or use of the technology described in
1036 this document or the extent to which any license under such rights
1037 might or might not be available; nor does it represent that it has
1038 made any independent effort to identify any such rights. Information
1039 on the procedures with respect to rights in RFC documents can be
1040 found in BCP 78 and BCP 79.
1041
1042 Copies of IPR disclosures made to the IETF Secretariat and any
1043 assurances of licenses to be made available, or the result of an
1044 attempt made to obtain a general license or permission for the use of
1045 such proprietary rights by implementers or users of this
1046 specification can be obtained from the IETF on-line IPR repository at
1047 http://www.ietf.org/ipr.
1048
1049 The IETF invites any interested party to bring to its attention any
1050 copyrights, patents or patent applications, or other proprietary
1051 rights that may cover technology that may be required to implement
1052 this standard. Please address the information to the IETF at
1053 ietf-ipr@ietf.org.
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066Tuexen, et al. Standards Track [Page 19]
1067