/
draft-tuexen-tsvwg-sctp-udp-encaps-cons.xml
293 lines (276 loc) · 12.4 KB
/
draft-tuexen-tsvwg-sctp-udp-encaps-cons.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
<?xml version='1.0' encoding='utf-8'?>
<?rfc toc='yes'?>
<?rfc compact='yes'?>
<?rfc subcompact='no'?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
xml:lang="en"
ipr="trust200902"
submissionType="IETF"
consensus="true"
category="std"
docName="draft-tuexen-tsvwg-sctp-udp-encaps-cons-10-to-be"
updates="6951"
version="3">
<front>
<title abbrev='Considerations for SCTP over UDP'>
Additional Considerations for UDP Encapsulation of Stream Control Transmission Protocol (SCTP) Packets
</title>
<seriesInfo name="Internet-Draft" value="draft-tuexen-tsvwg-sctp-udp-encaps-cons-10-to-be"/>
<!-- ************** MICHAEL TUEXEN *************** -->
<author initials="M." surname="Tüxen" fullname="Michael Tüxen">
<organization abbrev='Münster Univ. of Appl. Sciences'>
Münster University of Applied Sciences</organization>
<address>
<postal>
<street>Stegerwaldstrasse 39</street>
<city>48565 Steinfurt</city>
<country>Germany</country>
</postal>
<email>tuexen@fh-muenster.de</email>
</address>
</author>
<!-- *************** RANDALL STEWART *************** -->
<author initials="R. R." surname="Stewart" fullname="Randall R. Stewart">
<organization></organization>
<address>
<postal>
<street>15214 Pendio Drive</street>
<city>Bella Collina</city>
<region>FL</region>
<code>34756</code>
<country>United States of America</country>
</postal>
<email>randall@lakerest.net</email>
</address>
</author>
<date />
<abstract>
<t>RFC 6951 specifies the UDP encapsulation of SCTP packets.
The described handling of received packets requires the check of the
verification tag.
However, RFC 6951 misses a specification of the handling of received packets
for which this check is not possible.</t>
<t>This document updates RFC 6951 by specifying the handling of received
packets for which the verification tag can not be checked.</t>
</abstract>
</front>
<middle>
<section anchor='intro'>
<name>Introduction</name>
<t><xref target="RFC6951"/> specifies the UDP encapsulation of SCTP packets.
To be able to adopt automatically to changes of the remote UDP encapsulation
port number, it is updated when processing received packets.
This includes automatic enabling and disabling of UDP encapsulation.</t>
<t>Section 5.4 of <xref target="RFC6951"/> describes the processing of
received packets and requires the check of the verification tag before
updating the remote UDP encapsulation port and the possible enabling or
disabling of UDP encapsulation.</t>
<t><xref target="RFC6951"/> basically misses a description of the handling
of received packets where checking the verification tag is not possible.
This includes packets for which no association can be found and
packets containing an INIT chunk, since the verification tag of these
packets is 0.</t>
</section>
<section anchor='conventions'>
<name>Conventions</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
"<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when,
they appear in all capitals, as shown here.</t>
</section>
<section>
<name>Handling of Out of the Blue Packets</name>
<t>If the processing of an out of the blue packet requires the sending
of a packet in response according to the rules specified in Section 8.4 of
<xref target="RFC9260"/>, the following rules apply:</t>
<ol>
<li>
<t>If the received packet was encapsulated in UDP, the response packets
<bcp14>MUST</bcp14> also be encapsulated in UDP.
The UDP source port and UDP destination port used for sending the response
packet are the UDP destination port and UDP source port of the received
packet.</t>
</li>
<li>
<t>If the received packet was not encapsulated in UDP, the response packet
<bcp14>MUST NOT</bcp14> be encapsulated in UDP.</t>
</li>
</ol>
<t>Please note that in these cases a check of the verification tag is not
possible.</t>
</section>
<section>
<name>Handling of SCTP Packets Containing an INIT Chunk Matching an Existing Associations</name>
<t>SCTP packets containing an INIT chunk have the verification tag 0 in
the common header.
Therefore the verification tag can't be checked.</t>
<t>The following rules apply when processing the received packet:</t>
<ol>
<li><t>The remote UDP encapsulation port for the source address of the received
SCTP packet <bcp14>MUST NOT</bcp14> be updated if the encapsulation of outgoing
packets is enabled and the received SCTP packet is encapsulated.</t></li>
<li><t>The UDP encapsulation for outgoing packets towards the source address
of the received SCTP packet <bcp14>MUST NOT</bcp14> be enabled, if it is
disabled and the received SCTP packet is encapsulated.</t></li>
<li><t>The UDP encapsulation for outgoing packets towards the source address
of the received SCTP packet <bcp14>MUST NOT</bcp14> be disabled, if it is
enabled and the received SCTP packet is not encapsulated.</t></li>
<li><t>If the UDP encapsulation for outgoing packets towards the source address
of the received SCTP packet is disabled and the received SCTP packet is
encapsulated, an SCTP packet containing an ABORT chunk <bcp14>MUST</bcp14> be
sent.
The ABORT chunk <bcp14>MAY</bcp14> include the error cause defined below
indicating an "Restart of an Association with New Encapsulation Port".
This packet containing the ABORT chunk <bcp14>MUST</bcp14> be encapsulated in
UDP.
The UDP source port and UDP destination port used for sending the
packet containing the ABORT chunk are the UDP destination port and
UDP source port of the received packet containing the INIT chunk.</t></li>
<li><t>If the UDP encapsulation for outgoing packets towards the source address
of the received SCTP packet is disabled and the received SCTP packet is
not encapsulated, the processing defined in <xref target="RFC9260"/>
<bcp14>MUST</bcp14> be performed.
If a packet is sent in response, it <bcp14>MUST NOT</bcp14> be
encapsulated.</t></li>
<li><t>If the UDP encapsulation for outgoing packets towards the source address
of the received SCTP packet is enabled and the received SCTP packet is not
encapsulated, an SCTP packet containing an ABORT chunk <bcp14>MUST</bcp14> be
sent.
The ABORT chunk <bcp14>MAY</bcp14> include the error cause defined below
indicating an "Restart of an Association with New Encapsulation Port".
This packet containing the ABORT chunk <bcp14>MUST NOT</bcp14> be encapsulated
in UDP.</t></li>
<li><t>If the UDP encapsulation for outgoing packets towards the source address
of the received SCTP packet is enabled and the received SCTP packet is
encapsulated, but the UDP source port of the received SCTP packet is not
equal to the remote UDP encapsulation port for the source address of the
received SCTP packet, an SCTP packet containing an ABORT chunk
<bcp14>MUST</bcp14> be sent.
The ABORT chunk <bcp14>MAY</bcp14> include the error cause defined below
indicating an "Restart of an Association with New Encapsulation Port".
This packet containing the ABORT chunk <bcp14>MUST</bcp14> be encapsulated in
UDP.
The UDP source port and UDP destination port used for sending the
packet containing the ABORT chunk are the UDP destination port and
UDP source port of the received packet containing the INIT chunk.</t></li>
<li><t>If the UDP encapsulation for outgoing packets towards the source address
of the received SCTP packet is enabled and the received SCTP packet is
encapsulated and the UDP source port of the received SCTP packet is
equal to the remote UDP encapsulation port for the source address of the
received SCTP packet, the processing defined in <xref target="RFC9260"/>
<bcp14>MUST</bcp14> be performed.
If a packet is sent in response, it <bcp14>MUST</bcp14> be encapsulated.
The UDP source port and UDP destination port used for sending the
packet containing the ABORT chunk are the UDP destination port and
UDP source port of the received packet containing the INIT chunk.</t></li>
</ol>
<t>The error cause indicating an
"Restart of an Association with New Encapsulation Port" is defined by the
following figure.</t>
<figure>
<name>Restart of an Association with New Encapsulation Port Error Cause</name>
<artwork align="left">
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 14 (suggested) | Cause Length = 8 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Current Encapsulation Port | New Encapsulation Port |
+-------------------------------+-------------------------------+
</artwork>
</figure>
<dl newline="true">
<dt>Cause Code: 2 bytes (unsigned integer)</dt>
<dd>
<t>This field holds the IANA defined cause code for the
"Restart of an Association with New Encapsulation Port" error cause.
IANA is requested to assign the value 14 (suggested) for this cause code.</t>
</dd>
<dt>Cause Length: 2 bytes (unsigned integer)</dt>
<dd>
<t>This field holds the length in bytes of the error cause;
the value <bcp14>MUST</bcp14> be 8.</t>
</dd>
<dt>Current Encapsulation Port: 2 bytes (unsigned integer)</dt>
<dd>
<t>This field holds the remote encapsulation port currently being used
for the destination address the received packet containing the INIT chunk was
sent from.
If the UDP encapsulation for destination address is currently disabled,
0 is used.</t>
</dd>
<dt>New Encapsulation Port: 2 bytes (unsigned integer)</dt>
<dd>
<t>If the received SCTP packet containing the INIT chunk is encapsulated in UDP,
this field holds the UDP source port number of the UDP packet.
If the received SCTP packet is not encapsulated in UDP,
this field is 0.</t>
</dd>
</dl>
<t>All transported integer numbers are in "network byte order" a.k.a., Big Endian.</t>
</section>
<section>
<name>Middlebox Considerations</name>
<t>Middleboxes often use different timeouts for UDP based flows than
for other flows.
Therefore the HEARTBEAT.Interval parameter <bcp14>SHOULD</bcp14> be lowered to
15 seconds when UDP encapsulation is used.</t>
</section>
<section>
<name>IANA Considerations</name>
<t>[NOTE to RFC-Editor: "RFCXXXX" is to be replaced by the RFC number you
assign this document.]</t>
<t>[NOTE to RFC-Editor: The requested values for the cause code are tentative
and to be confirmed by IANA.]</t>
<t>This document (RFCXXXX) is the reference for the registration
described in this section.</t>
<t>A new error cause code has to be assigned by IANA.
This requires an additional line in the "Error Cause Codes" registry for
SCTP:</t>
<table>
<name>New entry in Error Cause Codes registry</name>
<thead>
<tr><th>Value</th> <th>Cause Code </th> <th>Reference</th></tr>
</thead>
<tbody>
<tr><td>14 (suggested) </td> <td>Restart of an Association with New Encapsulation Port</td> <td>[RFCXXXX]</td></tr>
</tbody>
</table>
</section>
<section>
<name>Security Considerations</name>
<t>This document does not change the considerations given in
<xref target="RFC6951"/>.</t>
<t>However, not following the procedures given in this document might allow
an attacker to take over SCTP associations.
The attacker needs only to share the IP address of an existing
SCTP association.</t>
<t>If firewalls will be applied at the SCTP association level, they have to
take the UDP encapsulation into account.</t>
</section>
</middle>
<back>
<references>
<name>Normative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6951.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9260.xml"/>
</references>
<section numbered='false'>
<name>Acknowledgments</name>
<t>The authors wish to thank <contact fullname="Georgios Papastergiou"/> for the initial
problem report.</t>
<t>The authors wish to thank
<contact fullname="Irene Rüngeler"/> and
<contact fullname="Felix Weinrank"/>
for their invaluable comments.</t>
<t>This work has received funding from the European Union's Horizon 2020
research and innovation programme under grant agreement No. 644334 (NEAT).
The views expressed are solely those of the author(s).</t>
</section>
</back>
</rfc>