draft-ietf-tsvwg-rfc4895-bis.xml

<?xml version='1.0' encoding='utf-8'?>

<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
     xml:lang="en"
     ipr="pre5378Trust200902"
     submissionType="IETF"
     consensus="true"
     category="std"
     docName="draft-ietf-tsvwg-rfc4895-bis-05-to-be"
     obsoletes="4895"
     version="3"
     tocDepth="4">

<!--
ToDo
  * Take https://www.rfc-editor.org/rfc/rfc7696 into account
-->

<front>
<title abbrev="SCTP Authentication Chunk">
Authenticated Chunks for the Stream Control Transmission Protocol (SCTP)
</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-tsvwg-rfc4895-bis-05-to-be"/>

<!-- ************** MICHAEL TUEXEN *************** -->
<author initials="M." surname="Tüxen" fullname="Michael Tüxen">
<organization>Münster Univ. of Applied Sciences</organization>
<address>
    <postal>
        <street>Stegerwaldstr. 39</street>
        <city>48565 Steinfurt</city>
        <country>Germany</country>
    </postal>
    <email>tuexen@fh-muenster.de</email>
</address>
</author>

<!-- ************** RANDALL STEWART ***************-->
<author initials="R." surname="Stewart" fullname="Randall R. Stewart">
<address>
    <postal>
        <street>15214 Pendio Drive</street>
        <city>Bella Collina</city>
        <region>FL</region>
        <code>34756</code>
        <country>United States of America</country>
    </postal>
    <email>randall@lakerest.net</email>
</address>
</author>

<!-- ************** PETER LEI ***************-->
<author initials="P." surname="Lei" fullname="Peter Lei">
<organization>Netflix, Inc.</organization>
<address>
    <postal>
        <street>8735 West Higgins Road</street>
        <street>Suite 300</street>
        <city>Chicago</city> <region>IL</region>
        <code>60631</code>
        <country>United States of America</country>
    </postal>
    <phone></phone>
    <email>peterlei@netflix.com</email>
</address>
</author>

<!-- ************** HANNES TSCHOFENIG *************** -->
<author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
<address>
    <email>hannes.tschofenig@gmx.net</email>
</address>
</author>

<date />

<keyword>Internet-Draft</keyword>

<abstract>
<t>This document describes a new chunk type, several parameters, and
procedures for the Stream Control Transmission Protocol (SCTP).
This new chunk type can be used to authenticate SCTP chunks by using
shared keys between the sender and receiver.
The new parameters are used to establish the shared keys.
This document obsoletes RFC 4895.
</t>
</abstract>

</front>

<middle>

<!-- ***** Introduction ******* -->
<section anchor="intro">
<name>Introduction</name>

<t>SCTP uses 32-bit verification tags to protect itself against blind attackers.
These values are not changed during the lifetime of an SCTP association.</t>

<t>Looking at new SCTP extensions, there is the need to
have a method of proving that an SCTP chunk(s) was really
sent by the original peer that started the association and not 
by a malicious attacker.</t>  

<t>Since it is required to protect SCTP control data, any solution only
protecting SCTP user data is not sufficient.</t>

<t>Therefore, an SCTP extension that provides a mechanism
for deriving shared keys for each association is presented.
These association shared keys are derived from endpoint pair shared keys,
which are configured and might be empty, and data that is exchanged
during the SCTP association setup.</t>

<t>The extension presented in this document allows an SCTP sender
to authenticate chunks using shared keys between the sender and receiver.
The receiver can then verify that the chunks are sent from the sender
and not from a malicious attacker (as long as the attacker does not know
an association shared key).</t>

<t>The extension described in this document places the result of a
Hashed Message Authentication Code (HMAC) computation before the data covered
by that computation.
Placing it at the end of the packet would have required placing a control chunk
after DATA chunks in case of authenticating DATA chunks.
This would break the rule that control chunks occur before DATA chunks in
SCTP packets.
It should also be noted that putting the result of the HMAC computation after
the data being covered would not allow sending the packet during the
computation of the HMAC because the result of the HMAC computation is needed
to compute the CRC32C checksum of the SCTP packet, which is placed in the
common header of the SCTP packet.</t>

<t>The protocol extension defined in this document can be used in combination
with any other currently defined SCTP extension.
Its usage is required by the SCTP extension for Dynamic Address Reconfiguration
as specified in <xref target="RFC5061"/>.</t>

</section>

<!-- ************** CONVENTIONS *************** -->
<section anchor="conventions">
<name>Conventions</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
"<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when,
they appear in all capitals, as shown here.</t>
</section>

<!-- **********Parameter types***************** -->
<section anchor="parametertypes">
<name>New Parameter Types</name>
<t>This section defines the new parameter types that will be used to
negotiate the authentication during association setup.
<xref target="parametertable"/> illustrates the new parameter types.</t>
<table anchor="parametertable">
<thead>
<tr><td>Parameter Type</td>    <td>Parameter Name</td></tr>
</thead>
<tbody>
<tr><td>0x8002</td>            <td>Random Parameter (RANDOM)</td></tr>
<tr><td>0x8003</td>            <td>Chunk List Parameter (CHUNKS)</td></tr>
<tr><td>0x8004</td>            <td>Requested HMAC Algorithm Parameter (HMAC ALGO)</td></tr>
<tr><td>0x8006 (suggested)</td><td>All Chunks Parameter (ALL CHUNKS)</td></tr>
</tbody>
</table>
<t>Note that the parameter format requires the
receiver to ignore the parameter and continue processing
if the parameter is not understood.
This is accomplished (as described  in <xref target="RFC9260"/>,
Section 3.2.1.) by the  use of the upper bits of the parameter type.</t>

<section anchor="random">
<name>Random Parameter (RANDOM)</name>
<t>This parameter is used to carry a random number of an arbitrary length.</t>
<artwork>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Parameter Type = 0x8002    |       Parameter Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
\                          Random Number                        /
/                               +-------------------------------\
|                               |            Padding            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
<dl newline="true">
<dt>Parameter Type: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value <bcp14>MUST</bcp14> be set to 0x8002.</t>
</dd>
<dt>Parameter Length: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value is the length of the Random Number in bytes plus 4.</t>
</dd>
<dt>Random Number: n bytes (unsigned integer)</dt>
<dd>
<t>This value represents an arbitrary Random Number in network byte order.</t>
</dd>
<dt>Padding: 0, 1, 2, or 3 bytes (unsigned integer)</dt>
<dd>
<t>If the length of the Random Number is not a multiple of 4 bytes,
the sender <bcp14>MUST</bcp14> pad the parameter with all zero bytes to make
the parameter 32-bit aligned.
The Padding <bcp14>MUST NOT</bcp14> be longer than 3 bytes and it MUST be
ignored by the receiver.</t>
</dd>
</dl>
<t>The RANDOM parameter <bcp14>MUST</bcp14> be included once in the INIT or
INIT ACK chunk, if the sender wants to send or receive authenticated chunks,
to provide a 32-byte Random Number.
For 32-byte Random Numbers, the Padding is empty.</t>
</section>

<section anchor="chunks">
<name>Chunk List Parameter (CHUNKS)</name>

<t>This parameter is used to specify which chunk types are
required to be authenticated before being sent by the peer.</t>
<artwork>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Parameter Type = 0x8003    |       Parameter Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type 1  | Chunk Type 2  | Chunk Type 3  | Chunk Type 4  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
\                              ...                              \
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type n  |                    Padding                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
<dl newline="true">
<dt>Parameter Type: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value <bcp14>MUST</bcp14> be set to 0x8003.</t>
</dd>
<dt>Parameter Length: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value is the number of listed Chunk Types plus 4.</t>
</dd>
<dt>Chunk Type n: 1 byte (unsigned integer)</dt>
<dd>
<t>Each Chunk Type listed is required to be authenticated when
sent by the peer.</t>
</dd>
<dt>Padding: 0, 1, 2, or 3 bytes (unsigned integer)</dt>
<dd>
<t>If the number of Chunk Types is not a multiple of 4,
the sender <bcp14>MUST</bcp14> pad the parameter with all zero bytes to make
the parameter 32-bit aligned.
The Padding <bcp14>MUST NOT</bcp14> be longer than 3 bytes and it MUST be
ignored by the receiver.</t>
</dd>
</dl>
<t>Either the CHUNKS parameter or the ALL CHUNKS parameter <bcp14>MUST</bcp14>
be included once in the INIT or INIT ACK chunk if the sender wants to receive
authenticated chunks.
Its maximum length is 260 bytes.</t>
<t>The chunk types for INIT, INIT ACK, SHUTDOWN COMPLETE, and
AUTH chunks <bcp14>MUST NOT</bcp14> be listed in the CHUNKS parameter.
However, if a CHUNKS parameter is received then the types
for INIT, INIT ACK, SHUTDOWN COMPLETE, and AUTH chunks <bcp14>MUST</bcp14>
be ignored.</t>
<t>A CHUNKS parameter <bcp14>MAY</bcp14> contain chunk types being unknown to
the receiver.</t>
</section>

<section anchor="allchunks">
<name>All Chunks Parameter (ALL CHUNKS)</name>

<t>This parameter is used to specify that all allowed chunk types are
required to be authenticated before being sent by the peer.</t>
<artwork>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Parameter Type = 0x8006    |     Parameter Length = 4      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
<dl newline="true">
<dt>Parameter Type: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value <bcp14>MUST</bcp14> be set to 0x8006 (suggested).</t>
</dd>
<dt>Parameter Length: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value <bcp14>MUST</bcp14> be set to 4.</t>
</dd>
</dl>
<t>Either the ALL CHUNKS parameter or the CHUNKS parameter <bcp14>MUST</bcp14>
be included once in the INIT or INIT ACK chunk if the sender wants to receive
authenticated chunks.</t>
<t>The ALL CHUNKS parameter <bcp14>MUST NOT</bcp14> be included in the INIT or
INIT ACK chunk, if the peer only supports <xref target="RFC4895"/>.</t>
</section>

<section anchor="hmacalgo">
<name>Requested HMAC Algorithm Parameter (HMAC ALGO)</name>

<t>This parameter is used to list the HMAC Identifiers the peer
<bcp14>MUST</bcp14> use.</t>
<artwork>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Parameter Type = 0x8004    |       Parameter Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       HMAC Identifier 1       |       HMAC Identifier 2       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
\                              ...                              \
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       HMAC Identifier n       |            Padding            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
<dl newline="true">
<dt>Parameter Type: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value <bcp14>MUST</bcp14> be set to 0x8004.</t>
</dd>
<dt>Parameter Length: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value is the number of HMAC Identifiers multiplied by 2, plus 4.</t>
</dd>
<dt>HMAC Identifier n: 2 bytes (unsigned integer)</dt>
<dd>
<t>The values expressed are a list of HMAC Identifiers that may be
used by the peer.
The values are listed by preference, with respect to the sender, where the
first HMAC Identifier listed is the one most preferable to the sender.
Any non-deprecated HMAC Identifier <bcp14>MUST</bcp14> be listed before any
deprecated HMAC Identifier.</t>
</dd>
<dt>Padding: 0 or 2 bytes (unsigned integer)</dt>
<dd>
<t>If the number of HMAC Identifiers is not even, the sender <bcp14>MUST</bcp14>
pad the parameter with all zero bytes to make the parameter 32-bit aligned.
The Padding <bcp14>MUST</bcp14> be 0 or 2 bytes long and it MUST be ignored by
the receiver.</t>
</dd>
</dl>
<t>The HMAC ALGO parameter <bcp14>MUST</bcp14> be included once in the INIT or
INIT ACK chunk if the sender wants to send or receive authenticated chunks.</t>

<t><xref target="Digesttable"/> shows the currently defined values for
HMAC Identifiers.</t>
<table anchor="Digesttable">
<thead>
<tr><td>HMAC Identifier</td><td>Message Digest Algorithm</td></tr>
</thead>
<tbody>
<tr><td>0</td>              <td>Reserved</td></tr>
<tr><td>1 (deprecated)</td> <td>SHA-1 defined in <xref target="NIST_FIPS_180_4"/></td></tr>
<tr><td>2</td>              <td>Reserved</td></tr>
<tr><td>3 (deprecated)</td> <td>SHA-256 defined in <xref target="NIST_FIPS_180_4"/></td></tr>
<tr><td>4 (suggested)</td>  <td>SHA-256 defined in <xref target="NIST_FIPS_180_4"/> with directional keys</td></tr>
</tbody>
</table>
<t>Every endpoint supporting SCTP chunk authentication <bcp14>MUST</bcp14>
support the HMAC based on the SHA-256 algorithm with directional keys.</t>
</section>
</section>

<section anchor="errorcauses">
<name>New Error Causes</name>
<t>This section defines two new error causes.
One that will be sent if there is a collision related to the RANDOM parameters,
and one that will be sent if an AUTH chunk is received with an unsupported
HMAC Identifier.
<xref target="causetable"/> illustrates the new error cause.</t>
<table anchor="causetable">
<thead>
<tr><td>Cause Code</td><td>Error Cause Name</td></tr>
</thead>
<tbody>
<tr><td>0x0100</td>    <td>RANDOM Collision</td></tr>
<tr><td>0x0105</td>    <td>Unsupported HMAC Identifier</td></tr>
</tbody>
</table>

<section anchor="randomcollision">
<name>RANDOM Collision Error Cause</name>
<t>This error cause is used to indicate a collision of Random Numbers
has happened.</t>
<artwork>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Cause Code = 0x0100 (suggested)|       Cause Length = 4        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
<dl newline="true">
<dt>Cause Code: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value <bcp14>MUST</bcp14> be set to the IANA assigned cause code
for the 'RANDOM Collision' error cause.
IANA is requested to assign the value 0x0100 (suggested) for this cause code</t>
</dd>
<dt>Cause Length: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value <bcp14>MUST</bcp14> be set to 4.</t>
</dd>
</dl>
</section>
<section anchor="unsupportedhmacid">
<name>Unsupported HMAC Identifier Error Cause</name>
<t>This error cause was used to indicate that an AUTH chunk has been received
with an unsupported HMAC Identifier as specified in <xref target="RFC4895"/>.
The use of this error cause is deprecated by this specification.</t>
<artwork>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Cause Code = 0x0105      |       Cause Length = 6        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        HMAC Identifier        |            Padding            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
<dl newline="true">
<dt>Cause Code: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value <bcp14>MUST</bcp14> be set to 0x0105.</t>
</dd>
<dt>Cause Length: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value <bcp14>MUST</bcp14> be set to 6.</t>
</dd>
<dt>HMAC Identifier: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value is the HMAC Identifier which is not supported.</t>
</dd>
<dt>Padding: 2 bytes (unsigned integer)</dt>
<dd>
<t>The sender <bcp14>MUST</bcp14> pad the error cause with all zero bytes
to make the cause 32-bit aligned.
The Padding <bcp14>MUST</bcp14> be 2 bytes long and it MUST be ignored by the
receiver.</t>
</dd>
</dl>
</section>
</section>

<!-- **********Chunk types***************** -->
<section anchor="chunktypes">
<name>New Chunk Type</name>
<t>
This section defines the new chunk type that will be used to
authenticate chunks.
<xref target="chunktable"/> illustrates the new chunk type.</t>
<table anchor="chunktable">
<thead>
<tr><td>Chunk Type</td><td>Chunk Name</td></tr>
</thead>
<tbody>
<tr><td>0x0F</td>      <td>Authentication Chunk (AUTH)</td></tr>
</tbody>
</table>
<t>It should be noted that the AUTH-chunk format requires the
receiver to ignore the chunk if it is not understood and silently
discard all chunks that follow.
This is accomplished (as described in <xref target="RFC9260"/>,
Section 3.2.) by the use of the upper bits of the chunk type.</t>

<section anchor="auth">
<name>Authentication Chunk (AUTH)</name>

<t>This chunk is used to hold the result of the HMAC calculation.</t>
<artwork>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Type = 0x0F  |   Flags = 0   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Shared Key Identifier     |        HMAC Identifier        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
\                             HMAC                              /
/                                                               \
/                               +-------------------------------\
|                               |            Padding            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
<dl newline="true">
<dt>Type: 1 byte (unsigned integer)</dt>
<dd>
<t>This value <bcp14>MUST</bcp14> be set to 0x0F for all AUTH-chunks.</t>
</dd>
<dt>Flags: 1 byte (unsigned integer)</dt>
<dd>
<t><bcp14>SHOULD</bcp14> be set to zero on transmit and <bcp14>MUST</bcp14> be
ignored on receipt.</t>
</dd>
<dt>Length: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value holds the length of the HMAC in bytes plus 8.</t>
</dd>
<dt>Shared Key Identifier: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value describes which endpoint pair shared key is used.</t>
</dd>
<dt>HMAC Identifier: 2 bytes (unsigned integer)</dt>
<dd>
<t>This value describes which message digest is being used.
<xref target="Digesttable"/> shows the currently defined values.</t>
</dd>
<dt>HMAC: n bytes (unsigned integer)</dt>
<dd>
<t>This holds the result of the HMAC calculation.</t>
</dd>
<dt>Padding: 0, 1, 2, or 3 bytes (unsigned integer)</dt>
<dd>
<t>If the length of the HMAC is not a multiple of 4 bytes,
the sender <bcp14>MUST</bcp14> pad the chunk with all zero bytes to make
the chunk 32-bit aligned.
The Padding <bcp14>MUST NOT</bcp14> be longer than 3 bytes and it
<bcp14>MUST</bcp14> be ignored by the receiver.</t>
</dd>
</dl>
<t>The control chunk AUTH <bcp14>MUST NOT</bcp14> appear more than once in an
SCTP packet.
All control and data chunks that are placed after the AUTH chunk in
the packet are sent in an authenticated way.
Those chunks placed in a packet before the AUTH chunk are not authenticated.
Please note that DATA chunks can not appear before control chunks in an
SCTP packet.</t>
</section>
</section>

<!-- **********PROCEDURES***************** -->
<section>
<name>Procedures</name>
<section anchor="establishproc">
<name>Association Shared Send and Receive Keys</name>
<section>
<name>Handling of RANDOM parameters</name>
<t>An SCTP endpoint willing to receive or send authenticated chunks
<bcp14>MUST</bcp14> send one RANDOM parameter in its INIT or INIT ACK chunk.
The RANDOM parameter <bcp14>MUST</bcp14> contain a 32-byte Random Number.
The Random Number should be generated in accordance with
<xref target="RFC4086"/>.</t>
<t>If the length of the received Random Number is not 32 bytes, the association
<bcp14>MUST</bcp14> be aborted.
The ABORT chunk <bcp14>SHOULD</bcp14> contain the error cause
'Protocol Violation'.</t>
<t>It is unlikely but possible that an endpoint receives a packet containing an
INIT chunk and all of the following three conditions are fulfilled:</t>
<ol>
<li><t>The endpoint is in the COOKIE_WAIT or COOKIE-ECHOED state.</t></li>
<li><t>The HMAC ALGO parameter contained in the INIT chunk lists at least one
non-deprecated HMAC algorithm.</t></li>
<li><t>The RANDOM parameter received in the INIT chunk is the same as the one
sent in the INIT chunk it sent earlier,
i.e. both Random parameter contain the same Random Number.</t></li>
</ol>
<t>In this case, the endpoint <bcp14>MUST</bcp14>
send a packet containing an ABORT chunk with the 'RANDOM Collision' error cause.
The endpoint <bcp14>SHOULD</bcp14> retry setting up an association by sending
packets with a new INIT chunk.</t>
<t>In any other case, an endpoint receiving a packet containing an
INIT chunk with a RANDOM parameter <bcp14>MUST</bcp14> select a Random Number
to be included in the INIT ACK it sends different from the Random Number
received.</t>
<t>These rules are similar to the one for the Verification Tag in case of
INIT collisions, as explained in Section 5.2.4 of
<xref target="RFC9260"/>.</t>
<t>If an endpoint lists at least one non-deprecated HMAC Identifier in the
HMAC ALGO parameter it sends in its INIT or INIT ACK chunk, it operates not
in legacy mode.
Only if all HMAC Identifiers listed are deprecated, the endpoint operates in
legacy mode.
Operating in legacy mode means supporting SCTP authentication as specified in
<xref target="RFC4895"/> and not as specified by this document.</t>
<t>After the association has been established, each endpoint knows its own
Random Number and the peer's Random Number and these two Random Numbers are
different if both endpoints are not operating in legacy mode.</t>
</section>

<section>
<name>Computation of the Local and Remote Key Vectors</name>
<t>An SCTP endpoint has a list of chunk types it only accepts if they are
received in an authenticated way.
If this list contains all chunk types except the ones for INIT, INIT ACK,
SHUTDOWN COMPLETE, and AUTH chunks and the peer does not operate in legacy mode,
the ALL CHUNKS parameter <bcp14>SHOULD</bcp14> be included in the INIT or
INIT ACK chunk.
If this is not the case, the chunk types are listed in the CHUNKS parameter,
which is included in the INIT or INIT ACK chunk.
The CHUNKS parameter <bcp14>MAY</bcp14> be omitted if it the list of chunk types
is empty.
Since this list does not change during the lifetime of the SCTP endpoint
there is no problem in case of an INIT collision.</t> 

<t>Each SCTP endpoint <bcp14>MUST</bcp14> include in the INIT and INIT ACK a
HMAC ALGO parameter containing a list of HMAC Identifiers it requests the peer
to use.
The receiver of an HMAC ALGO parameter <bcp14>SHOULD</bcp14> use the first
listed algorithm it supports.
The HMAC algorithm based on SHA-256 with directional keys <bcp14>MUST</bcp14>
be supported and included in the HMAC ALGO parameter.
An SCTP endpoint <bcp14>MUST NOT</bcp14> change the parameters listed in the
HMAC ALGO parameter during the lifetime of the endpoint.</t>

<t>The RANDOM parameter, the CHUNKS or ALL CHUNKS parameter, and the HMAC ALGO
parameter sent by each endpoint <bcp14>MUST</bcp14> be concatenated in this
sequence as byte vectors.
Parameters that were not sent <bcp14>MUST</bcp14> be omitted from the
concatenation process.
These parameters include the parameter type, parameter length,
and the parameter value, but padding is omitted; all padding
<bcp14>MUST</bcp14> be removed from this concatenation before proceeding with
further computation of keys.
The resulting vector based on the parameters sent by an endpoint are called
the local key vector and the resulting vector based on the parameters received
by an endpint are called the remote key vector.</t>
</section>

<section>
<name>Derivation of Association Send and Receive Keys</name>
<t>Both endpoints of an association <bcp14>MAY</bcp14> have endpoint pair
shared keys that are byte vectors and pre-configured or established by another
mechanism.
They are identified by the Shared Key Identifier.
For each endpoint pair shared key, an association shared send and receive key 
are computed.
If there are no endpoint pair shared keys configured, only one association
shared send key and one association receive key is computed by using an empty
byte vector as the endpoint pair shared key.</t>
<t>The way association shared send and receive keys are computed from the
endpoint pair shared keys depends on the peer operating in legacy mode or not.</t>
<t>If the peer operates in legacy mode, the association shared send key and
the association shared receive key are the same.
They are computed by selecting the numerically smaller key vector and
concatenating it to the endpoint pair shared key, and then concatenating the
numerically larger key vector to that.
If the key vectors are equal as numbers but differ in length, then the
concatenation order is the endpoint pair shared key, followed by the shorter
key vector, followed by the longer key vector.
Otherwise, the key vectors are identical, and may be concatenated to
the endpoint pair key in any order.
The concatenation is performed on byte vectors, and all numerical comparisons
use network byte order to convert the key vectors to a number.
The result of the concatenation is the association shared send key and the
association shared receive key.</t>
<t>If the peer does not operate in legacy mode, the send context is
defined as the concatenation of local key vector followed by the remote key
vector.
The receive context is defined as the concatenation of the remote key
vector followed by the local key vector.
For deriving the association shared send and receive keys, a method described
in Section 3.1 of <xref target="RFC5926"/> is used.
The association shared send key is the result of using HMAC-SHA512 as
the key derivation function with the endpoint pair shared key as the Master_Key,
the send context as the Context and 512 as the Output_Length. The association
shared receive key is computed the same way, just using the receive context
as the Context. In both cases "SCTP-AUTH" is used as the Label.</t>
</section>
</section>

<section anchor="senderproc">
<name>Sending Authenticated Chunks</name>

<t>All chunks, that have been requested by the peer to be sent authenticated,
<bcp14>MUST</bcp14> be sent authenticated.
The other chunks <bcp14>MAY</bcp14> be sent authenticated when possible.
If endpoint pair shared keys are configured, one of them <bcp14>MUST</bcp14> be
selected for authentication.</t>
<t>To send chunks in an authenticated way, the sender <bcp14>MUST</bcp14>
include these chunks after an AUTH chunk.
This means that a sender <bcp14>MUST</bcp14> bundle chunks in order to
authenticate them.</t>

<t>If the endpoint has no endpoint pair shared key for the peer, it
<bcp14>MUST</bcp14> use Shared Key Identifier zero with an empty endpoint pair
shared key.
If there are multiple endpoint pair shared keys the sender selects one and
uses the corresponding Shared Key Identifier.</t>

<t>The sender <bcp14>MUST</bcp14> calculate the Message Authentication Code (MAC)
(as described in <xref target="RFC2104"/>) using the hash
function H as described by the HMAC Identifier and the shared association send
key K based on the endpoint pair shared key described by the Shared Key
Identifier.
The 'data' used for the computation of the AUTH-chunk is given by the AUTH chunk
with its HMAC field set to zero (as depicted below) followed by all the chunks
that are placed after the AUTH chunk in the SCTP packet.</t>
<artwork>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Type = 0x0F  |   Flags = 0   |         Chunk Length          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Shared Key Identifier     |        HMAC Identifier        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
\                               0                               /
/                               +-------------------------------\
|                               |            Padding            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
<t>Please note that all fields are in network byte order and that
the field that will contain the complete HMAC is filled with zeroes.
The length of the field shown as zero is the length of the HMAC described
by the HMAC Identifier.
The padding of all chunks being authenticated <bcp14>MUST</bcp14> be included
in the HMAC computation.</t>

<t>The sender fills the HMAC into the HMAC field and sends the packet.</t>
</section>

<section anchor="recvproc">
<name>Receiving Authenticated Chunks</name>

<t>The receiver has a list of chunk types that
it expects to be received only after an AUTH-chunk.
This list has been sent to the peer during the association setup.
It <bcp14>MUST</bcp14> silently discard these chunks if they are not placed
after an AUTH chunk in the packet.</t>

<t>The receiver <bcp14>MUST</bcp14> use the HMAC algorithm indicated in
the HMAC Identifier field.
If this algorithm was not specified by the receiver in the HMAC ALGO parameter
in the INIT or INIT ACK chunk during association setup, the AUTH chunk and all
the chunks after it <bcp14>MUST</bcp14> be silently discarded.
Implementations compliant with <xref target="RFC4895"/> <bcp14>SHOULD</bcp14>
send an ERROR chunk with the error cause defined in
<xref target="unsupportedhmacid"/>.
An SCTP implementations following this specification <bcp14>MUST</bcp14>
silently discard ERROR chunks with the error cause defined in
<xref target="unsupportedhmacid"/>.</t>
<t>If an endpoint with no shared key receives a
Shared Key Identifier other than 0, it <bcp14>MUST</bcp14> silently discard
all authenticated chunks.
If the endpoint has at least one endpoint pair shared key for the
peer, it <bcp14>MUST</bcp14> use the key specified by the Shared Key Identifier
if a key has been configured for that Shared Key Identifier.
If no endpoint pair shared key has been configured for that
Shared Key Identifier, all authenticated chunks <bcp14>MUST</bcp14> be silently
discarded.</t>

<t>The receiver now performs the same calculation as described for the sender.
It uses the shared association receive key K based on the endpoint pair shared
key described by the Shared Key Identifier.
If the result of the calculation is the same as given in the
HMAC field, all the chunks following the AUTH chunk are processed.
If the field does not match the result of the calculation, all the
chunks following the AUTH chunk <bcp14>MUST</bcp14> be silently discarded.</t>

<t>It should be noted that if the receiver wants to tear down an association
in an authenticated way only, the handling of malformed packets should
not result in tearing down the association.</t>

<t>An SCTP implementation has to maintain state for each SCTP association.
In the following, we call this data structure the SCTP transmission
control block (STCB).</t>

<t>When an endpoint requires COOKIE ECHO chunks to be authenticated, some
special procedures have to be followed because the reception of a
COOKIE ECHO chunk might result in the creation of an SCTP association.
If a packet arrives containing an AUTH chunk as a first chunk, a
COOKIE ECHO chunk as the second chunk, and possibly more chunks
after them, and the receiver does not have an STCB for that
packet, then authentication is based on the contents of the COOKIE ECHO
chunk.
In this situation, the receiver <bcp14>MUST</bcp14> authenticate the chunks in
the packet by using the RANDOM parameters, CHUNKS or ALL CHUNKS parameters and
HMAC_ALGO parameters obtained from the COOKIE ECHO chunk, and
possibly a local shared secret as inputs to the authentication
procedure specified in <xref target="recvproc"/>.
If authentication fails, then the packet is discarded.
If the authentication is successful, the COOKIE ECHO and all the chunks after
the COOKIE ECHO <bcp14>MUST</bcp14> be processed.
If the receiver has an  STCB, it <bcp14>MUST</bcp14> process the AUTH chunk as
described above using the STCB from the existing association to authenticate
the COOKIE ECHO chunk and all the chunks after it.</t>

<t>If the receiver does not find an STCB for a packet
containing an AUTH chunk as the first chunk and does not find a COOKIE ECHO
chunk as the second chunk, it <bcp14>MUST</bcp14> use the chunks after the AUTH
chunk to look up an existing association.
If no association is found, the packet <bcp14>MUST</bcp14> be considered as out
of the blue.
The out of the blue handling <bcp14>MUST</bcp14> be based on the packet without
taking the AUTH chunk into account.
If an association is found, it <bcp14>MUST</bcp14> process the AUTH chunk using
the STCB from the existing association as described earlier.</t>

<!--
<t>If the receiver of the packet does not have a STCB when it needs to
process the AUTH chunk, it <bcp14>MUST</bcp14> ignore the AUTH chunk.
This applies to a packet containing an AUTH chunk as a first chunk and an
COOKIE ECHO chunk as the second chunk received in the CLOSED state.
If the receiver has a STCB, it <bcp14>MUST</bcp14> process the AUTH chunk as
described above.</t>
-->

<t>Requiring ABORT chunks and COOKIE ECHO chunks to be authenticated
makes it impossible for an attacker to bring down or restart an association as
long as the attacker does not know the association shared key.
But it should also be noted that if an endpoint accepts ABORT chunks only in
an authenticated way, it may take longer to detect that the peer is no longer
available.
If an endpoint accepts COOKIE ECHO chunks only in an authenticated way,
the restart procedure does not work, because the restarting endpoint
most likely does not know the association shared key of the old association
to be restarted.
However, if the restarting endpoint does know the old association shared key,
it can successfully send the COOKIE ECHO chunk in a way that it is accepted by
the peer by using this old association shared key for the packet containing
the AUTH chunk.
After this operation, both endpoints have to use the new association shared
key.</t>

<t>If a server has an endpoint pair shared key with some clients, it can
request the COOKIE_ECHO chunk to be authenticated and can ensure that
only associations from clients with a correct endpoint pair shared key
are accepted.</t>

<t>Furthermore, it is important that the cookie contained in an INIT ACK
chunk and in a COOKIE ECHO chunk <bcp14>MUST NOT</bcp14> contain any
endpoint pair shared keys.</t>
</section>

</section>

<section>
<name>Examples</name>
<t>This section gives examples of message exchanges
for association setup.</t>

<t>The simplest way of using the extension described in this document is
given by the following message exchange.</t>
<artwork>
    ---------- INIT[RANDOM; CHUNKS; HMAC ALGO] ---------->
    &lt;------- INIT ACK[RANDOM; CHUNKS; HMAC ALGO] ---------
    -------------------- COOKIE ECHO -------------------->
    &lt;-------------------- COOKIE ACK ---------------------
</artwork>
<t>Please note that the CHUNKS and ALL CHUNKS parameters are optional in the
INIT and INIT ACK chunks.</t>
<t>If the server wants to receive DATA chunks in an authenticated
way, the following message exchange is possible:</t>
<artwork>
    ---------- INIT[RANDOM; CHUNKS; HMAC ALGO] ---------->
    &lt;------- INIT ACK[RANDOM; CHUNKS; HMAC ALGO] ---------
    --------------- COOKIE ECHO; AUTH; DATA ------------->
    &lt;----------------- COOKIE ACK; SACK ------------------
</artwork>
<t>Please note that if the endpoint pair shared key depends on the
client and the server, and is only known by the upper layer,
this message exchange requires an upper layer intervention between
the processing of the COOKIE ECHO chunk and the processing of the AUTH
and DATA chunk at the server side.
This intervention may be realized by a COMMUNICATION-UP notification
followed by the presentation of the endpoint pair shared
key by the upper layer to the SCTP stack, see for example Section 11 of
<xref target="RFC9260"/>.
If this intervention is not possible due to limitations of the API
(for example, the socket API), the server might discard the AUTH and DATA chunk,
making a retransmission of the DATA chunk necessary.
If the same endpoint pair shared key is used for multiple endpoints and does
not depend on the client, this intervention might not be necessary.</t>
</section>

<section>
<name>Socket API Considerations</name>
<t>This section describes how the socket API defined in
<xref target="RFC6458"/> needs to be extended to provide a way for the
application to observe the HMAC algorithms used for sending and receiving of
AUTH chunks.</t>
<t>Please note that this section is informational only.</t>
<t>A socket API implementation based on <xref target="RFC6458"/> is, by means of
the existing SCTP_AUTHENTICATION_EVENT event, extended to provide the event
notification whenever a new HMAC algorithm is used in a received AUTH chunk.</t>
<t>Two new IPPROTO_SCTP-level socket options with the name
SCTP_EXPOSE_HMAC_IDENT_CHANGES and SCTP_SEND_HMAC_IDENT are defined as described
below.
The first socket option enables the monitoring of HMAC algorithms used in
received AUTH chunks via the SCTP_AUTHENTICATION_EVENT event.
The second socket option is used to query the HMAC algorithm used for sending
AUTH chunks.</t>
<t>Support for the SCTP_SEND_HMAC_IDENT and SCTP_EXPOSE_HMAC_IDENT_CHANGES
socket options also needs to be added to the function sctp_opt_info().</t>

<section anchor="api_expose_hmac_id_event">
<name>Extending the SCTP_AUTHENTICATION_EVENT event</name>
<t>Section 6.1.8 of <xref target="RFC6458"/> defines the
SCTP_AUTHENTICATION_EVENT event, which uses the following structure:</t>
<sourcecode>
struct sctp_authkey_event {
    uint16_t auth_type;
    uint16_t auth_flags;
    uint32_t auth_length;
    uint16_t auth_keynumber;
    uint32_t auth_indication;
    sctp_assoc_t auth_assoc_id;
};
</sourcecode>
<t>This document updates this structure to:</t>
<sourcecode>
struct sctp_authkey_event {
    uint16_t auth_type;
    uint16_t auth_flags;
    uint32_t auth_length;
    uint16_t auth_identifier; /* formerly auth_keynumber */
    uint16_t auth_reserved; /* Avoid hole in structure */
    uint32_t auth_indication;
    sctp_assoc_t auth_assoc_id;
};
</sourcecode>
<t>It renames auth_keynumber to auth_identifier.
auth_identifier just replaces auth_keynumber in the context of
<xref target="RFC6458"/>.
In addition to that, the SCTP_AUTHENTICATION_EVENT event is extended to
also indicate when a new HMAC Identifier is received and this reporting is
explicitly enabled as described in <xref target="api_expose_hmac_id_sock_opt"/>.
In this case auth_indication is SCTP_AUTH_NEW_HMAC and the new
HMAC identifier is reported in auth_identifier.</t>
</section>

<section anchor="api_expose_hmac_id_sock_opt">
<name>Expose HMAC Identifier Usage (SCTP_EXPOSE_HMAC_IDENT_CHANGES)</name>

<t>This option allows the application to enable or disable the
reception of SCTP_AUTHENTICATION_EVENT events when a new HMAC
Identifier has been received in an AUTH chunk
(see <xref target="api_expose_hmac_id_event"/>).
This read/write socket option uses the level IPPROTO_SCTP and the name
SCTP_EXPOSE_HMAC_IDENT_CHANGES.
By default these events are not reported to provide backwards compatibility.</t>
<t>The following structure is used to enable or disable the reporting
of newly received HMAC Identifiers in AUTH chunks:</t>
<sourcecode>
struct sctp_assoc_value {
    sctp_assoc_t assoc_id;
    uint32_t assoc_value;
};
</sourcecode>
<dl>
<dt>assoc_id:</dt>
<dd><t>This parameter is ignored for one-to-one style sockets.
For one-to-many style sockets, the application may fill in an association
identifier or SCTP_{FUTURE|CURRENT|ALL}_ASSOC.</t></dd>
<dt>assoc_value:</dt>
<dd><t>Newly received HMAC Identifiers are reported if, and only if, this
parameter is non-zero.</t></dd>
</dl>
</section>

<section>
<name>Get the HMAC Identifier being Sent (SCTP_SEND_HMAC_IDENT)</name>

<t>During the SCTP association establishment a HMAC Identifier is selected that
is used by an SCTP endpoint when sending AUTH chunks.
An application can access the result of this selection by using this read-only
socket option, which uses the level IPPROTO_SCTP and the name
SCTP_SEND_HMAC_IDENT.</t>
<t>The following structure is used to access HMAC Identifier used for
sending AUTH chunks:</t>
<sourcecode>
struct sctp_assoc_value {
    sctp_assoc_t assoc_id;
    uint32_t assoc_value;
};
</sourcecode>
<dl>
<dt>assoc_id:</dt>
<dd><t>This parameter is ignored for one-to-one style sockets.
For one-to-many style sockets, the application fills in an association
identifier.
It is an error to use SCTP_{FUTURE|CURRENT|ALL}_ASSOC in assoc_id.</t></dd>
<dt>assoc_value:</dt>
<dd><t>This parameter contains the HMAC Identifier used for sending
AUTH chunks.</t></dd>
</dl>
</section>
</section>

<section>
<name>IANA Considerations</name>
<!--
<t>A chunk type for the AUTH chunk has to be assigned by IANA.
It is suggested to use the value given above.</t>
<t>Parameter types have to be assigned for the RANDOM, CHUNKS, and HMAC ALGO
parameter by IANA.
It is suggested to use the values given above.</t>
<t>An error cause for the Unsupported HMAC Identifier error cause has to
be assigned.
It is suggested to use the value given above.</t>
<t>HMAC Identifiers have to be maintained by IANA.
Three initial values should be assigned by IANA as described above.</t>
-->
<!-- RFC Editor Comment: Please verify the IANA values as we have
updated them.
There were differences between your suggested values and the IANA registries.
We attempted to update the text to refer to the IANA assigned values and use
hex where you had used it.
Please review these updates closely.-->
<!-- Answer: Here is a *BIG PROBLEM*:
             You use the error cause 11 (0x00B) which is already taken by
             RFC 4460.
             So it seems we missed to write an appropiate IANA section
             for RFC 4460.
             But we need to resolve this.
             Could the suggested number 0x0105 be used? -->
             

<t>[NOTE to RFC-Editor: "RFCXXXX" is to be replaced by the RFC number you
assign this document.]</t>
<t>[NOTE to RFC-Editor: The requested values for the cause code are tentative
and to be confirmed by IANA.]</t>
<t>IANA is requested to perform the following updates to
<eref target="http://www.iana.org/assignments/sctp-parameters">SCTP-parameters</eref>:</t>
<ul>
<li><t>In the Chunk Types Registry replace in the entry for the AUTH Chunk Type
the reference to <xref target="RFC4895"/> by a reference to RFCXXXX.
</t></li>
<li><t>In the Parameter Types Registry replace in the entry for the Random,
the Chunk List, and the Requested HMAC Algorithm Parameter Chunk Parameter Type
the reference to <xref target="RFC4895"/> by a reference to RFCXXXX.
</t></li>
<li><t>In the Error Cause Codes Registry replace in the entry for the
Unsupported HMAC Identifier Cause Code the reference to <xref target="RFC4895"/>
by a reference to RFCXXXX. Additionally, mark the assignment as deprecated.
</t></li>
<li><t>In the Hashed Message Authentication Code (HMAC) Identifiers Registry
replace in the Reference section the reference to <xref target="RFC4895"/>
by a reference to RFCXXXX.</t>
<t>Replace each reference to <xref target="RFC4895"/> by a reference to
RFCXXXX for all currently registered Message Digest Algorithms.</t></li>
</ul>
<t>A new chunk parameter type has to be assigned by IANA.
This requires an additional line in the "Chunk Parameter Types" registry for
SCTP:</t>
<table>
<name>New Entry in Chunk Paramter Types Registry</name>
<thead>
<tr><th>ID</th>               <th>Chunk Parameter Type</th><th>Reference</th></tr>
</thead>
<tbody>
<tr><td>0x8006 (suggested) </td> <td>All Chunks</td> <td>[RFCXXXX]</td></tr>
</tbody>
</table>

<t>A new error cause code has to be assigned by IANA.
This requires an additional line in the "Error Cause Codes" registry for
SCTP:</t>
<table>
<name>New Entry in Error Cause Codes Registry</name>
<thead>
<tr><th>Value</th>               <th>Cause Code</th>       <th>Reference</th></tr>
</thead>
<tbody>
<tr><td>0x0100 (suggested) </td> <td>RANDOM Collision</td> <td>[RFCXXXX]</td></tr>
</tbody>
</table>
<t>A new HMAC Identifier has to be assigned by IANA.
This requires an additional line in the
"Hashed Message Authentication Code (HMAC) Identifiers" registry for SCTP:</t>
<table>
<name>New Entry in HMAC Identifier Registry</name>
<thead>
<tr><th>HMAC Identifier</th><th>Message Digest Algorithm      </th><th>Reference</th></tr>
</thead>
<tbody>
<tr><td>4 (suggested)  </td><td>SHA-256 with directional keys</td> <td>[RFCXXXX]</td></tr>
</tbody>
</table>
<!--
<t>This document also defines one registry that IANA maintains through the
definition of additional HMAC Identifiers.</t>
<section>
<name>IETF-Defined HMAC Identifiers</name>
<t>Additional HMAC Identifier can be allocated in the range 4 to 65535
through a Specification Required action as defined in <xref target='RFC8126'/>.
Provided documentation MUST include the following information:</t>
<ol type='%c)'>
<li><t>A message digest algorithm usable with the HMAC defined in
<xref target='RFC2104'/> <bcp14>MUST</bcp14> be specified.</t></li>
<li><t>A short name of the message digest algorithm.</t></li>
</ol>
</section>
-->
</section>

<section>
<name>Security Considerations</name>
<t>Without using endpoint pair shared keys, this extension only protects
against modification or injection of authenticated chunks by attackers
who did not capture the initial handshake setting up the SCTP association.</t>

<t>If an endpoint pair shared key is used, even a true man in the middle
cannot inject chunks, which are required to be authenticated,
even if he intercepts the initial message exchange.
The endpoint also knows that it is accepting authenticated chunks from a peer
who knows the endpoint pair shared key.</t>

<t>The establishment of endpoint pair shared keys is out of the scope
of this document.
Other mechanisms can be used, like using TLS or manual configuration.</t>
<t>When an endpoint accepts COOKIE ECHO chunks only in an
authenticated way the restart procedure does not work.
Neither an attacker nor a restarted endpoint not knowing the association
shared key can perform an restart.
However, if the association shared key is known, it is possible to restart
the association.</t>

<t>Because SCTP already has a built-in mechanism that handles the
reception of duplicated chunks, the presented solution makes
use of this functionality and does not provide a method which improves
the protection against replay attacks. 
Of course, this only works within each SCTP association.
Therefore, a separate association shared key is used for each SCTP association
to handle replay attacks covering multiple SCTP associations.</t>

<t>Each endpoint presenting a list of more than one element in the
HMAC ALGO parameter must be prepared for the peer using the weakest
algorithm listed.</t>

<!--
<t>If an endpoint requests the authentication of some chunks using
the CHUNKS parameter and an attacker intercepts the handshake used
to setup the association and modifies or removes this CHUNKS parameter
this endpoint will not accept chunks which are authenticated or
needs to be authenticated and are not.
This might result in the failure of the association.</t>
-->

<t>When an endpoint pair uses non-NULL endpoint pair shared keys
and one of the endpoints still accepts a NULL key, an attacker who
captured the initial handshake can still inject or modify 
authenticated chunks by using the NULL key.</t>
</section>

<section anchor="acks">
<name>Acknowledgments</name>
<t>The authors wish to thank Eric Rescorla for being a coauthor of
<xref target="RFC4895"/>, which is the basis of this document.</t>

<t>The authors wish to thank
<contact fullname="David Black"/>,
<contact fullname="Sascha Grau"/>,
<contact fullname="Russ Housley"/>,
<contact fullname="Ivan Arias Rodriguez"/>,
<contact fullname="Irene Rüngeler"/>,
<contact fullname="Nagesh Shamnur"/>,
and
<contact fullname="Magnus Westerlund"/>
for their invaluable comments on <xref target="RFC4895"/>.</t>
<t>Finally, the authors wish to thank
<contact fullname="Timo Völker "/> and
<contact fullname="Magnus Westerlund"/>
for his invaluable comments on this document.</t>
</section>
</middle>

<back>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2104.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5926.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9260.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml-nist/reference.NIST.NIST_FIPS_180-4.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4895.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5061.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6458.xml"/>
</references>
</references>
</back>
</rfc>