Stream Control Transmission Protocol (SCTP)
Acknowledgements: Prof. Paul Amer, Randall Stewart, Philip Conrad, Janardhan Iyengar
CISC 856: TCP/IP and Upper Layer Protocols
Presented by: Nikhil Shirude, November 15, 2007
Overview
• Motivation for SCTP
• SCTP PDU and Chunk Format
• SCTP 4-Way Association
• SCTP Association Shutdown
• SCTP Multi-Homing
• Summary
SCTP Motivation
• Primary motivation: transportation of telephony signaling messages over IP networks
• Telephony signaling has rigid timing and reliability requirements
• TCP limitations:
  – head-of-line blocking
  – does not preserve application PDU (A-PDU) boundaries
  – no support for multi-homing
  – vulnerable to SYN flooding attacks
• SCTP features: 4-way handshake, multihoming, multistreaming, framing
SCTP Overview: services and features compared

Service / Feature                         SCTP              TCP           UDP
Connection-oriented                       yes               yes           no
Full duplex                               yes               yes           yes
Reliable data transfer                    yes               yes           no
Partial-reliable data transfer            proposed          no            no
Flow control                              yes               yes           no
TCP-friendly congestion control           yes               yes           no
ECN capable                               yes               yes           no
Ordered data delivery                     yes               yes           no
Unordered data delivery                   yes               no            yes
Uses selective ACKs                       yes               optional      no
Path MTU discovery                        yes               yes           no
Application PDU fragmentation             yes               yes           no
Application PDU bundling                  yes               yes           no
Preserves application PDU boundaries      yes               no            yes
Multistreaming                            yes               no            no
Multihoming                               yes               no            no
Protection against SYN flooding attack    yes               no            n/a
Allows half-closed connections            no                yes           n/a
Reachability check                        yes               yes           no
Pseudo-header for checksum                no (uses vtags)   yes           yes
Time wait state                           for vtags         for 4-tuple   n/a
SCTP PDU Format (figure: Common Header followed by chunks)
• Chunks are the building blocks of an SCTP PDU
• The Common Header occupies the first 12 bytes
• The header carries a CRC-32 checksum
• Chunks are of two types: control chunks and data chunks
SCTP Chunk Format
• Type: Data, Init, SACK, Cookie Echo, HeartBeat, …
• Flags: bit meanings depend on the chunk type
• Length: total size of the chunk including type, flags, length and data/parameters
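The PDU and chunk layout of the two slides above, walked by a small parser. This is an added example, not code from the deck or from any SCTP stack; the sample packet, the chunk-name table and the DATA-chunk field decoding are this example's own, and the header checksum is carried but not verified.

```python
"""SCTP packet walker: a 12-byte common header, then chunks of (type, flags,
length, value) where length excludes the padding that aligns each chunk to a
4-byte boundary. Sample packet below is constructed by hand for this example."""
import struct

CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT-ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT-ACK", 7: "SHUTDOWN", 8: "SHUTDOWN-ACK",
               10: "COOKIE-ECHO", 11: "COOKIE-ACK", 14: "SHUTDOWN-COMPLETE"}

def parse_sctp(pkt: bytes):
    """Return (common header dict, list of chunk dicts); ValueError on malformed input."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than the 12-byte common header")
    src, dst, vtag, cksum = struct.unpack("!HHII", pkt[:12])
    hdr = {"src_port": src, "dst_port": dst, "vtag": vtag, "checksum": cksum}
    chunks, off = [], 12
    while off < len(pkt):
        if len(pkt) - off < 4:
            raise ValueError(f"{len(pkt) - off} trailing bytes at {off}: no chunk header")
        ctype, flags, length = struct.unpack("!BBH", pkt[off:off + 4])
        # Length covers type, flags, length and value, but not the padding.
        if length < 4:
            raise ValueError(f"chunk at {off}: length {length} < 4 (would never advance)")
        if off + length > len(pkt):
            raise ValueError(f"chunk at {off}: claims {length} bytes, {len(pkt) - off} remain")
        value = pkt[off + 4:off + length]
        chunk = {"type": ctype, "name": CHUNK_NAMES.get(ctype, f"UNKNOWN({ctype})"),
                 "flags": flags, "value": value}
        if ctype == 0 and len(value) >= 12:
            # DATA chunk value: TSN, stream id, stream sequence, payload protocol id, user data
            tsn, sid, ssn, ppid = struct.unpack("!IHHI", value[:12])
            chunk.update(tsn=tsn, stream_id=sid, stream_seq=ssn, ppid=ppid, payload=value[12:])
        chunks.append(chunk)
        off += (length + 3) & ~3      # step over the padding to the next 4-byte boundary
    return hdr, chunks

def build_chunk(ctype: int, flags: int, value: bytes) -> bytes:
    """Encode one chunk with its length field and zero padding (used to build the sample)."""
    length = 4 + len(value)
    return struct.pack("!BBH", ctype, flags, length) + value + b"\x00" * (-length % 4)

# Constructed sample: ports 5000 -> 80, vtag 0xDEADBEEF, checksum left as 0, then a
# DATA chunk (B and E flags set) on stream 3 carrying "hello" (5 bytes, so 3 bytes of
# padding) bundled with a SACK chunk (cum TSN ack, a_rwnd, gap block count, dup count).
SAMPLE = (struct.pack("!HHII", 5000, 80, 0xDEADBEEF, 0)
          + build_chunk(0, 0x03, struct.pack("!IHHI", 1000, 3, 0, 0) + b"hello")
          + build_chunk(3, 0x00, struct.pack("!IIHH", 999, 65535, 0, 0)))
```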
SCTP Feature Summary
What TCP and SCTP both have:
• reliability (retransmissions)
• congestion control
• connection oriented
SCTP adds the following:
• 4-way handshake to reduce vulnerability to Denial of Service attacks
• multihoming: a set of IP addresses per endpoint instead of one IP address per endpoint
• framing: preserves message boundaries
• multistreaming: up to 64K independent ordered streams instead of one ordered stream
First, TCP Connection Establishment (figure: 3-way handshake)
• t=0: one side closed, the other in listen
• Client sends SYN and enters SYN sent
• Server receives the SYN, creates a TCB, enters SYN recd and replies SYN-ACK (1 RTT)
• Client sends ACK followed by data; both sides are established
Security: TCP Flooding Attack (figure)
• Attackers at 128.3.4.5, 192.10.2.8 and 221.3.5.10 send spoofed SYNs across the Internet to the victim, a TCP-based web server
• The victim's "process SYN" step allocates a TCB for every SYN it receives, including those with spoofed sources 130.2.4.15, 228.3.14.5 and 190.13.4.1
• The victim is flooded with half-open TCBs (TCB = Transport Control Block)
The SCTP Way: 4-way handshake limits the attack (figure)
• The same attackers (128.3.4.5, 192.10.2.8, 221.3.5.10) send spoofed INITs to an SCTP-based web server
• The server's "process INIT" step only answers each INIT with an INIT-ACK to the claimed source (130.2.4.15, 228.3.14.5, 190.13.4.1); no resources are reserved until the handshake completes
• No flooding
SCTP: Four-way Association Setup (V: verification tag, I: initiate tag)
• t=0: both sides closed
• Client sends INIT (V=0, I=TagA) and enters cookie wait
• Server replies INIT-ACK (V=TagA, I=TagB, StateCookie) and remains closed
• 1 RTT: client sends COOKIE-ECHO (V=TagB, StateCookie) and enters cookie echoed
• Server replies COOKIE-ACK (V=TagA) and is established
• 2 RTT: client is established and sends data (V=TagB)
What does a Cookie contain?
• Information from the original INIT
• Information from the current INIT-ACK
• Timestamp
• Life span of the cookie (Time to Live)
• Signature for authentication (MD5)
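How the cookie of the two slides above lets the listener stay stateless: it signs what it would otherwise have to store per INIT, and rebuilds the association only from a cookie that verifies and has not expired. Added example, not the deck's or any SCTP stack's code; the cookie layout, the 60-second lifetime and the use of HMAC-SHA256 in place of the MD5 signature the deck names are this example's assumptions.

```python
"""Stateless state-cookie for the SCTP 4-way association (added example).
make_cookie runs at INIT time, check_cookie at COOKIE-ECHO time; between the two
the listener keeps nothing, so spoofed INITs reserve no TCB. Layout, lifetime and
HMAC-SHA256 are assumptions of this example."""
import hashlib, hmac, os, struct, time

SECRET = os.urandom(32)   # listener-local signing key (a real stack rotates it)
COOKIE_LIFE = 60          # life span carried in the cookie, seconds (assumed value)
MAC_LEN = 32              # HMAC-SHA256 output

def make_cookie(peer_addr: str, peer_port: int, init_tag: int, local_tag: int,
                now: float = None) -> bytes:
    """Encode INIT facts (peer tag/address/port), INIT-ACK facts (our tag),
    timestamp and TTL, then append the signature over all of it."""
    ts = int(time.time() if now is None else now)
    body = (struct.pack("!IIIH", init_tag, local_tag, ts, COOKIE_LIFE)
            + struct.pack("!H", peer_port) + peer_addr.encode())
    return body + hmac.new(SECRET, body, hashlib.sha256).digest()

def check_cookie(cookie: bytes, peer_addr: str, peer_port: int, now: float = None):
    """Validate an echoed cookie; return (init_tag, local_tag) to rebuild the
    association, or None if it is forged, replayed from another peer, or stale."""
    if len(cookie) < 16 + MAC_LEN:
        return None
    body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(SECRET, body, hashlib.sha256).digest()):
        return None                                   # signature does not verify
    init_tag, local_tag, ts, life = struct.unpack("!IIIH", body[:14])
    port = struct.unpack("!H", body[14:16])[0]
    if (port, body[16:].decode()) != (peer_port, peer_addr):
        return None                                   # echoed from a different peer
    ts_now = int(time.time() if now is None else now)
    if ts_now - ts > life:
        return None                                   # past its Time to Live
    return init_tag, local_tag
```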
SCTP Association Graceful Shutdown (figure, two slides)
• Both endpoints are established and exchanging DATA and SACK
• The upper layer invokes SHUTDOWN: the endpoint enters shutdown_pending and stops accepting data from its application while its outstanding DATA is still being acknowledged
• It then sends SHUTDOWN and enters shutdown_sent
• The peer enters shutdown_received and stops accepting data; the figure shows the peer's remaining DATA answered with SHUTDOWN + SACK
• The peer sends SHUTDOWN_ACK and enters shutdown_ack_sent
• The initiator answers SHUTDOWN_COMPLETE and closes (deletes its TCB); on receiving it the peer also closes (deletes its TCB)
Multi-Homing (figure: Application with ports, SCTP (IANA number 132), IP with several IP addresses, Link, Physical)
• Multi-homing is a technique to improve the reachability of hosts that can be reached through more than one destination address (interface)
Traditional "Uni" homing (figure)
• Client A and web server B are joined by one transport connection across the Internet; the single interface at each end is a point of failure
Traditional "Multi" homing (TCP) (figure)
• Client has interfaces A1 and A2, the web server B1 and B2, but the transport connection still binds one interface at each end, so those remain points of failure
• In TCP, the hosts choose 1 of 4 possible combinations: (A1,B1) or (A1,B2) or (A2,B1) or (A2,B2)
SCTP Multihoming: innovative "Multi" homing in SCTP (figure)
• Hosts use one transport "association" ({A1,A2}, {B1,B2})
• New data is sent to one primary destination: let B1 be the web server's primary destination and A1 the client's primary destination
• Path status and destination reachability are constantly monitored
Multi-homing Association (figure)
• Host A is a single-homed SCTP endpoint: interface A1, IP=128.33.6.12, port 100, endpoint=[128.33.6.12 : 100]
• Host B is a multi-homed SCTP endpoint: interfaces B1, B2, B3 with IP1=160.15.82.20, IP2=161.10.8.221, IP3=10.1.61.11, port 200, endpoint=[160.15.82.20, 161.10.8.221, 10.1.61.11 : 200]
• SCTP association = { [128.33.6.12 : 100] : [160.15.82.20, 161.10.8.221, 10.1.61.11 : 200] }
Data transfer comparison (six animated figures; each tracks six application PDUs through: data sent by application, data to be sent, receive buffer, data delivered to application, between A1/A2 and B1/B2)
• TCP data transfer without loss: PDUs 1–6 flow over the single A1–B1 connection and are delivered in order
• TCP data transfer with loss: the lost segment is retransmitted on the same A1–B1 connection; delivery to the application waits for the retransmission (head-of-line blocking)
• TCP data transfer with single path failure: the A1–B1 path goes down and the connection fails, although A2–B2 is available
• SCTP data transfer without loss: PDUs 1–6 are delivered over the association
• SCTP data transfer with loss: the lost PDU is retransmitted and delivered
• SCTP data transfer with single path failure: after the A1–B1 path fails, retransmission continues over the alternate path A2–B2 and delivery completes
Multihoming Example (figure: client host and server host, both SCTP, each with an Ethernet interface (A1, B1) and an 802.11 interface (A2, B2))
• Laptop connected via Ethernet and wireless
• Both interfaces are reachable by the peer
• Ethernet gets disconnected; transmission of data fails
• Failure is detected; SCTP uses the wireless interface as the new transmission path
• HEARTBEAT is received
• Ethernet link is restored
SCTP Failure Detection
• Host A monitors reachability of the primary destination address of Host B (figure: Host A port 100 with A1; Host B port 200 with primary B1 and alternates B2, B3; DATA out, SACK back)
• Host A starts the retransmission timer
• If the timer expires:
  – increment error_count
  – if error_count > threshold, path = inactive
• If Host A receives a SACK before the timer expires: error_count = 0 and path = active
• error_count is a variable associated with each destination address of a host (initially zero)
• Host A monitors reachability of the idle destination addresses of Host B (figure: HEARTBEAT out, HEARTBEAT-ACK back)
• A HEARTBEAT is sent periodically to each idle address
• When a HEARTBEAT is sent:
  – increment error_count
  – if error_count > threshold, path = inactive
• If Host A receives a HEARTBEAT-ACK: error_count = 0 and path = active
• When the primary destination address is detected unreachable, the SCTP sender chooses a REACHABLE alternate destination address as the new primary
HEARTBEAT?
• HEARTBEAT is a chunk that an endpoint sends to its peer endpoint to probe the reachability of a particular destination transport address. In our case, the HEARTBEAT is sent to a destination address that has been idle for a long time to check its reachability.
• HEARTBEAT ACK is a chunk that an endpoint sends to its peer endpoint in response to a HEARTBEAT chunk.
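The failure-detection rules of the three slides above (per-destination error_count, timer expiry and HEARTBEAT both counting against it, SACK and HEARTBEAT-ACK resetting it, failover of the primary) as a small state machine. Added example, not code from the deck or any SCTP implementation; the threshold value of 5 and the policy of not switching the primary back after recovery are assumptions.

```python
"""Per-destination path monitoring as the deck describes it (added example).
Threshold and the no-switch-back policy are this example's assumptions."""

PATH_MAX_RETRANS = 5   # assumed threshold: path becomes inactive when error_count exceeds it

class PathMonitor:
    def __init__(self, destinations, primary):
        self.error_count = {d: 0 for d in destinations}   # one counter per destination
        self.active = {d: True for d in destinations}
        self.primary = primary

    def _count_failure(self, dest):
        """Shared by 'retransmission timer expired' and 'HEARTBEAT sent'."""
        self.error_count[dest] += 1
        if self.error_count[dest] > PATH_MAX_RETRANS:
            self.active[dest] = False
            if dest == self.primary:
                self._choose_new_primary()

    def _choose_new_primary(self):
        """Primary unreachable: pick a REACHABLE alternate (first active one)."""
        for dest, up in self.active.items():
            if up:
                self.primary = dest
                return
        # no active path left: primary is kept; the association itself is in trouble

    def timer_expired(self, dest):   # DATA sent to dest, no SACK before the timer ran out
        self._count_failure(dest)

    def heartbeat_sent(self, dest):  # periodic probe of an idle address
        self._count_failure(dest)

    def ack_received(self, dest):    # SACK or HEARTBEAT-ACK came back from dest
        self.error_count[dest] = 0
        self.active[dest] = True

def run_scenario():
    """B1 (primary) times out PATH_MAX_RETRANS + 1 times, so the sender fails over;
    a later HEARTBEAT-ACK from B1 marks it active again but the primary stays put."""
    m = PathMonitor(["B1", "B2", "B3"], primary="B1")
    for _ in range(PATH_MAX_RETRANS + 1):
        m.timer_expired("B1")
    after_failover = m.primary
    m.heartbeat_sent("B1")           # B1 is idle now, so it is probed
    m.ack_received("B1")             # link restored: HEARTBEAT-ACK arrives
    return {"after_failover": after_failover,
            "b1_active_after_ack": m.active["B1"],
            "primary_after_ack": m.primary}
```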
Summary of SCTP
• SCTP is used for applications that require data reliability and rigid timing
• SCTP provides security against DoS attacks by using cookies during association setup
• An SCTP association can bind multiple IP addresses at each endpoint
• SCTP provides multi-homing for applications that require a high degree of fault tolerance