-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrfc4895.xml
1214 lines (1097 loc) · 49.5 KB
/
rfc4895.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc rfcedstyle="yes" ?>
<?rfc toc="yes"?>
<?rfc subcompact="no" ?>
<!-- <?rfc strict="yes" ?> -->
<rfc number="4895" category="std">
<front>
<title abbrev="SCTP Authentication Chunk">
Authenticated Chunks for Stream Control Transmission Protocol (SCTP)
</title>
<!-- ************** MICHAEL TUEXEN *************** -->
<author initials="M." surname="Tuexen" fullname="Michael Tuexen">
<organization>Muenster Univ. of Applied Sciences</organization>
<address>
<postal>
<street>Stegerwaldstr. 39</street>
<city>48565 Steinfurt</city>
<country>Germany</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<!-- ************** RANDALL STEWART ***************-->
<author initials="R. R." surname="Stewart" fullname="Randall R. Stewart">
<organization>Cisco Systems, Inc.</organization>
<address>
<postal>
<street>4875 Forest Drive</street>
<street> Suite 200</street>
<city>Columbia</city> <region>SC</region>
<code>29206</code>
<country>USA</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<!-- ************** PETER LEI ***************-->
<author initials="P." surname="Lei" fullname="Peter Lei">
<organization>Cisco Systems, Inc.</organization>
<address>
<postal>
<street>8735 West Higgins Road</street>
<street>Suite 300</street>
<city>Chicago</city> <region>IL</region>
<code>60631</code>
<country>USA</country>
</postal>
<phone></phone>
<email>[email protected]</email>
</address>
</author>
<!-- ************** ERIC RESCORLA *************** -->
<author initials="E." surname="Rescorla" fullname="Eric Rescorla">
<organization>RTFM, Inc.</organization>
<address>
<postal>
<street>2064 Edgewood Drive</street>
<city>Palo Alto, CA 94303</city>
<country>USA</country>
</postal>
<phone>+1 650-320-8549</phone>
<email>[email protected]</email>
</address>
</author>
<date month="August" year="2007" />
<!-- RFC Editor Comment: Please insert any keywords (beyond those that
appear in the title) for use on
http://www.rfc-editor.org/search.html. Use the keyword tag as it is
used below. -->
<keyword>Internet-Draft</keyword>
<abstract>
<t>This document describes a new chunk type, several parameters, and
procedures for the Stream Control Transmission Protocol (SCTP).
This new chunk type can be used to authenticate SCTP chunks by using
shared keys between the sender and receiver.
The new parameters are used to establish the shared keys.
</t>
</abstract>
</front>
<middle>
<!-- ***** Introduction ******* -->
<section anchor="intro" title="Introduction">
<t>SCTP uses 32-bit verification tags to protect itself
against blind attackers. These values are not changed
during the lifetime of an SCTP association.</t>
<t>Looking at new SCTP extensions, there is the need to
have a method of proving that an SCTP chunk(s) was really
sent by the original peer that started the association and not
by a malicious attacker.</t>
<t>Using Transport Layer Security (TLS), as defined in <xref
target="RFC3436">RFC 3436</xref>,
does not help because it only secures SCTP user data.</t>
<t>Therefore, an SCTP extension that provides a mechanism
for deriving shared keys for each association is presented.
These association shared keys are derived from endpoint pair shared keys,
which are configured and might be empty, and data that is exchanged
during the SCTP association setup.</t>
<t>The extension presented in this document allows an SCTP sender
to authenticate chunks using shared keys between the sender and receiver.
The receiver can then verify that the chunks are sent from the sender
and not from a malicious attacker (as long as the attacker does not know
an association shared key).</t>
<t>The extension described in this document places the result
of a Hashed Message Authentication Code (HMAC) computation before the data covered by that computation.
Placing it at the end of the packet would have required placing
a control chunk after DATA chunks in case of authenticating DATA
chunks. This would break the rule that control chunks occur before
DATA chunks in SCTP packets. It should also be noted that putting
the result of the HMAC computation after the data being covered would
not allow sending the packet during the computation of the HMAC because
the result of the HMAC computation is needed to compute the CRC32C checksum
of the SCTP packet, which is placed in the common header of the
SCTP packet.</t>
<t>The SCTP extension for Dynamic Address Reconfiguration (ADD-IP)
requires the usage of the extension described in this document.
The SCTP Partial Reliability Extension (PR-SCTP) can be used in
conjunction with the extension described in this document.</t>
</section>
<!-- ************** CONVENTIONS *************** -->
<section anchor="conventions" title="Conventions">
<t>The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL", when
they appear in this document, are to be interpreted as described in
<xref target="RFC2119">RFC 2119</xref>.</t>
</section> <!-- conventions -->
<!-- **********Parameter types***************** -->
<section anchor="parametertypes" title="New Parameter Types">
<t>
This section defines the new parameter types that will be used to
negotiate the authentication during association setup.
<xref target="parametertable"/> illustrates the new parameter types.
</t>
<texttable anchor="parametertable">
<ttcol align='left'>Parameter Type</ttcol>
<ttcol align='left'>Parameter Name</ttcol>
<c>0x8002</c> <c>Random Parameter (RANDOM)</c>
<c>0x8003</c> <c>Chunk List Parameter (CHUNKS)</c>
<c>0x8004</c> <c>Requested HMAC Algorithm Parameter (HMAC-ALGO)</c>
</texttable>
<t>
Note that the parameter format requires the
receiver to ignore the parameter and continue processing
if the parameter is not understood. This is accomplished (as described
in <xref target="RFC2960">RFC 2960</xref>, Section 3.2.1.) by the
use of the upper bits of the parameter type.
</t>
<section anchor="random" title="Random Parameter (RANDOM)">
<t>This parameter is used to carry a random number of an arbitrary length.</t>
<figure anchor="randparameterformat">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8002 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
\ Random Number /
/ +-------------------------------\
| | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t><list style="hanging">
<t hangText="Parameter Type: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value MUST be set to 0x8002.</t>
<t hangText="Parameter Length: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value is the length of the Random Number in bytes plus 4.</t>
<t hangText="Random Number: n bytes (unsigned integer)">
<vspace blankLines="0"/>
This value represents an arbitrary Random Number in network
byte order.</t>
<t hangText="Padding: 0, 1, 2, or 3 bytes (unsigned integer)">
<vspace blankLines="0"/>
If the length of the Random Number is not a multiple of 4 bytes,
the sender MUST pad the parameter with all zero bytes to make
the parameter 32-bit aligned.
The Padding MUST NOT be longer than 3 bytes and it MUST be ignored by the receiver.
</t>
</list>
The RANDOM parameter MUST be included once in the INIT or INIT-ACK
chunk, if the sender wants to send or receive authenticated chunks,
to provide a 32-byte Random Number. For 32-byte Random Numbers,
the Padding is empty.</t>
</section>
<section anchor="chunks" title="Chunk List Parameter (CHUNKS)">
<t>This parameter is used to specify which chunk types are
required to be authenticated before being sent by the peer.</t>
<figure anchor="chunksparameterformat">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8003 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type 1 | Chunk Type 2 | Chunk Type 3 | Chunk Type 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
\ ... \
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type n | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t><list style="hanging">
<t hangText="Parameter Type: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value MUST be set to 0x8003.</t>
<t hangText="Parameter Length: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value is the number of listed Chunk Types plus 4.</t>
<t hangText="Chunk Type n: 1 byte (unsigned integer)">
<vspace blankLines="0"/>
Each Chunk Type listed is required to be authenticated when
sent by the peer.</t>
<t hangText="Padding: 0, 1, 2, or 3 bytes (unsigned integer)">
<vspace blankLines="0"/>
If the number of Chunk Types is not a multiple of 4,
the sender MUST pad the parameter with all zero bytes to make
the parameter 32-bit aligned.
The Padding MUST NOT be longer than 3 bytes and it MUST be ignored by the receiver.
</t>
</list>
The CHUNKS parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to receive authenticated chunks.
Its maximum length is 260 bytes.</t>
<t>The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE, and
AUTH chunks MUST NOT be listed in the CHUNKS parameter.
However, if a CHUNKS parameter is received then the types
for INIT, INIT-ACK, SHUTDOWN-COMPLETE, and AUTH chunks MUST
be ignored.</t>
</section>
<section anchor="hmacalgo" title="Requested HMAC Algorithm Parameter (HMAC-ALGO)">
<t>This parameter is used to list the HMAC Identifiers the peer
MUST use.</t>
<figure anchor="hmacalgoparameterformat">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0x8004 | Parameter Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier 1 | HMAC Identifier 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
\ ... \
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier n | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t><list style="hanging">
<t hangText="Parameter Type: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value MUST be set to 0x8004.</t>
<t hangText="Parameter Length: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value is the number of HMAC Identifiers multiplied by 2, plus 4.</t>
<t hangText="HMAC Identifier n: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
The values expressed are a list of HMAC Identifiers that may be
used by the peer. The values are listed by preference, with respect
to the sender, where the first HMAC Identifier listed is the one
most preferable to the sender.</t>
<t hangText="Padding: 0 or 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
If the number of HMAC Identifiers is not even,
the sender MUST pad the parameter with all zero bytes to make
the parameter 32-bit aligned.
The Padding MUST be 0 or 2 bytes long and it MUST be ignored by the receiver.
</t>
</list>
The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK
chunk if the sender wants to send or receive authenticated chunks.</t>
<t><xref target="Digesttable"/> shows the currently defined
values for HMAC Identifiers.
</t>
<texttable anchor="Digesttable">
<ttcol align='left'>HMAC Identifier</ttcol>
<ttcol align='left'>Message Digest Algorithm</ttcol>
<c>0</c> <c>Reserved</c>
<c>1</c> <c>SHA-1 defined in [8]</c>
<c>2</c> <c>Reserved</c>
<c>3</c> <c>SHA-256 defined in [8]</c>
</texttable>
<t>Every endpoint supporting SCTP chunk authentication MUST support
the HMAC based on the SHA-1 algorithm.</t>
</section>
</section>
<section anchor="errorcauses" title="New Error Cause">
<t>This section defines a new error cause that will be sent if
an AUTH chunk is received with an unsupported HMAC Identifier.
<xref target="causetable"/> illustrates the new error cause.</t>
<texttable anchor="causetable">
<ttcol align='left'>Cause Code</ttcol>
<ttcol align='left'>Error Cause Name</ttcol>
<c>0x0105</c> <c>Unsupported HMAC Identifier</c>
</texttable>
<section anchor="unsupportedhmacid" title="Unsupported HMAC Identifier Error Cause">
<t>This error cause is used to indicate that an AUTH chunk has been received
with an unsupported HMAC Identifier.</t>
<figure anchor="unsupportedhmacidformat">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x0105 | Cause Length = 6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Identifier | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t><list style="hanging">
<t hangText="Cause Code: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value MUST be set to 0x0105.</t>
<t hangText="Cause Length: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value MUST be set to 6.</t>
<t hangText="HMAC Identifier: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value is the HMAC Identifier which is not supported.</t>
<t hangText="Padding: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
The sender MUST pad the error cause with all zero bytes to make
the cause 32-bit aligned.
The Padding MUST be 2 bytes long and it MUST be ignored by the receiver.
</t>
</list>
</t>
</section>
</section>
<!-- **********Chunk types***************** -->
<section anchor="chunktypes" title="New Chunk Type">
<t>
This section defines the new chunk type that will be used to
authenticate chunks.
<xref target="chunktable"/> illustrates the new chunk type.
</t>
<texttable anchor="chunktable">
<ttcol align='left'>Chunk Type</ttcol>
<ttcol align='left'>Chunk Name</ttcol>
<c>0x0F</c> <c>Authentication Chunk (AUTH)</c>
</texttable>
<t>
It should be noted that the AUTH-chunk format requires the
receiver to ignore the chunk if it is not understood and silently
discard all chunks that follow. This is
accomplished (as described in <xref target="RFC2960">RFC 2960</xref>,
Section 3.2.) by the use of the upper bits of the chunk type.
</t>
<section anchor="auth" title="Authentication Chunk (AUTH)">
<t>This chunk is used to hold the result of the HMAC calculation.</t>
<figure anchor="chunkformat">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x0F | Flags=0 | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Shared Key Identifier | HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
\ HMAC /
/ \
/ +-------------------------------\
| | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t><list style="hanging">
<t hangText="Type: 1 byte (unsigned integer)">
<vspace blankLines="0"/>
This value MUST be set to 0x0F for all AUTH-chunks.</t>
<t hangText="Flags: 1 byte (unsigned integer)">
<vspace blankLines="0"/>
SHOULD be set to zero on transmit and MUST be ignored on receipt.</t>
<t hangText="Length: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value holds the length of the HMAC in bytes plus 8.</t>
<t hangText="Shared Key Identifier: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value describes which endpoint pair shared key is used.</t>
<t hangText="HMAC Identifier: 2 bytes (unsigned integer)">
<vspace blankLines="0"/>
This value describes which message digest is being used.
<xref target="Digesttable"/> shows the currently defined
values.</t>
<t hangText="HMAC: n bytes (unsigned integer)">
<vspace blankLines="0"/>
This holds the result of the HMAC calculation.</t>
<t hangText="Padding: 0, 1, 2, or 3 bytes (unsigned integer)">
<vspace blankLines="0"/>
If the length of the HMAC is not a multiple of 4 bytes,
the sender MUST pad the chunk with all zero bytes to make
the chunk 32-bit aligned.
The Padding MUST NOT be longer than 3 bytes and it MUST be ignored by the receiver.
</t>
</list>
The control chunk AUTH MUST NOT appear more than once in an SCTP packet. All
control and data chunks that are placed after the AUTH chunk in
the packet are sent in an authenticated way. Those chunks placed in
a packet before the AUTH chunk are not authenticated. Please note that
DATA chunks can not appear before control chunks in an SCTP packet.</t>
</section>
</section>
<!-- **********PROCEDURES***************** -->
<section title="Procedures">
<section anchor="establishproc" title="Establishment of an Association Shared Key">
<t>An SCTP endpoint willing to receive or send authenticated chunks
MUST send one RANDOM parameter in its INIT or INIT-ACK chunk. The
RANDOM parameter MUST contain a 32-byte Random Number.
The Random Number should be generated in accordance with
<xref target="RFC4086">RFC 4086</xref>.
If the Random Number is not 32 bytes, the association MUST be aborted.
The ABORT chunk SHOULD contain the error cause 'Protocol Violation'.
In case of INIT collision, the rules governing the handling of this
Random Number follow the same pattern as those for the Verification Tag,
as explained in Section 5.2.4 of <xref target="RFC2960">RFC 2960</xref>.
Therefore, each endpoint knows its own Random Number and the peer's
Random Number after the association has been established.</t>
<t>An SCTP endpoint has a list of chunks it only accepts if they are
received in an authenticated way. This list is included in the INIT and
INIT-ACK, and MAY be omitted if it is empty. Since this list does not
change during the lifetime of the SCTP endpoint
there is no problem in case of INIT collision.</t>
<t>Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO
parameter containing a list of HMAC Identifiers it requests the peer to use.
The receiver of an HMAC-ALGO parameter SHOULD use the first listed algorithm it
supports. The HMAC algorithm based on SHA-1 MUST be supported and
included in the HMAC-ALGO parameter. An SCTP endpoint MUST NOT
change the parameters listed in the HMAC-ALGO parameter during
the lifetime of the endpoint.</t>
<t>Both endpoints of an association MAY have endpoint pair shared keys
that are byte vectors and pre-configured or established by another
mechanism. They are identified by the Shared Key Identifier.
For each endpoint pair shared key, an association shared key is computed.
If there is no endpoint pair shared key, only one association shared key
is computed by using an empty byte vector as the endpoint pair shared key.</t>
<t>The RANDOM parameter, the CHUNKS parameter, and the HMAC-ALGO
parameter sent by each endpoint are concatenated as byte vectors.
These parameters include the parameter type, parameter length,
and the parameter value, but padding is omitted; all padding
MUST be removed from this concatenation before proceeding with
further computation of keys.
Parameters that were not sent are simply omitted from the
concatenation process. The resulting two vectors are called the
two key vectors.</t>
<?rfc needLines="5" ?>
<t>From the endpoint pair shared keys and the key vectors, the
association shared keys are computed. This is performed by selecting
the numerically smaller key vector and concatenating it to the
endpoint pair shared key, and then concatenating the numerically larger key
vector to that. If the key vectors are equal as numbers but differ
in length, then the concatenation order is the endpoint shared key,
followed by the shorter key vector, followed by the longer key
vector.
Otherwise, the key vectors are identical, and may be concatenated to
the endpoint pair key in any order. The concatenation is performed
on byte vectors, and all numerical comparisons use network byte order
to convert the key vectors to a number. The result of the
concatenation is the association shared key.</t>
</section>
<section anchor="senderproc" title="Sending Authenticated Chunks" >
<t>Endpoints MUST send all requested chunks that have been authenticated where this
has been requested by the peer. The other chunks MAY be
sent whether or not they have been authenticated. If endpoint pair shared keys are used, one
of them MUST be selected for authentication.</t>
<t>To send chunks in an authenticated way, the
sender MUST include these chunks after an AUTH chunk.
This means that a sender MUST bundle chunks in order to
authenticate them.</t>
<t>If the endpoint has no endpoint pair shared key for the peer, it MUST use
Shared Key Identifier zero with an empty endpoint pair shared key. If
there are multiple endpoint shared keys the sender selects one and
uses the corresponding Shared Key Identifier.</t>
<t>The sender MUST calculate the Message Authentication Code (MAC) (as described in
<xref target="RFC2104">RFC 2104</xref>) using the hash function H as
described by the HMAC Identifier and the shared association key K
based on the endpoint pair shared key described by the Shared Key
Identifier.
The 'data' used for the computation of the AUTH-chunk
is given by the AUTH chunk with its HMAC field set to zero
(as shown in <xref target="dataformat"/>) followed
by all the chunks that are placed after the AUTH chunk in
the SCTP packet.</t>
<figure anchor="dataformat">
<artwork>
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x0F | Flags=0 | Chunk Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Shared Key Identifier | HMAC Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
\ 0 /
/ +-------------------------------\
| | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t>Please note that all fields are in network byte order and that
the field that will contain the complete HMAC is filled with zeroes.
The length of the field shown as zero is the length of the HMAC described
by the HMAC Identifier. The padding of all chunks being authenticated
MUST be included in the HMAC computation.</t>
<t>The sender fills the HMAC into the HMAC field and sends
the packet.</t>
</section>
<section anchor="recvproc" title="Receiving Authenticated Chunks" >
<t>The receiver has a list of chunk types that
it expects to be received only after an AUTH-chunk. This list
has been sent to the peer during the association setup.
It MUST silently discard these chunks if they are not placed
after an AUTH chunk in the packet.</t>
<t>The receiver MUST use the HMAC algorithm indicated in
the HMAC Identifier field. If this algorithm was not specified
by the receiver in the HMAC-ALGO parameter in the INIT or
INIT-ACK chunk during association setup,
the AUTH chunk and all the chunks after it MUST be discarded
and an ERROR chunk SHOULD be sent with the error cause
defined in <xref target="unsupportedhmacid"/>.</t>
<t>If an endpoint with no shared key receives a
Shared Key Identifier other than 0, it MUST silently discard
all authenticated chunks.
If the endpoint has at least one endpoint pair shared key for the
peer, it MUST use the key specified by the Shared Key Identifier
if a key has been configured for that Shared Key Identifier.
If no endpoint pair shared key has been configured for that
Shared Key Identifier, all authenticated chunks MUST be silently
discarded.</t>
<t>The receiver now performs the same calculation as described
for the sender based on <xref target="dataformat"/>.
If the result of the calculation is the
<?rfc needLines="10" ?>
same as given in the
HMAC field, all the chunks following the AUTH chunk are processed.
If the field does not match the result of the calculation, all the
chunks following the AUTH chunk MUST be silently discarded.</t>
<t>It should be noted that if the receiver wants to tear down an association
in an authenticated way only, the handling of malformed packets should
not result in tearing down the association.</t>
<t>An SCTP implementation has to maintain state for each SCTP association.
In the following, we call this data structure the SCTP transmission
control block (STCB).</t>
<t>When an endpoint requires COOKIE-ECHO chunks to be authenticated, some
special procedures have to be followed because the reception of a
COOKIE-ECHO chunk might result in the creation of an SCTP association.
If a packet arrives containing an AUTH chunk as a first chunk, a
COOKIE-ECHO chunk as the second chunk, and possibly more chunks
after them, and the receiver does not have an STCB for that
packet, then authentication is based on the contents of the COOKIE-ECHO
chunk.
In this situation, the receiver MUST authenticate the chunks in
the packet by using the RANDOM parameters, CHUNKS parameters and
HMAC_ALGO parameters obtained from the COOKIE-ECHO chunk, and
possibly a local shared secret as inputs to the authentication
procedure specified in <xref target="recvproc"/>.
If authentication fails, then the packet is discarded. If the authentication
is successful, the COOKIE-ECHO and all the chunks after the COOKIE-ECHO MUST be processed.
If the receiver has an STCB, it MUST process the AUTH chunk as described above
using the STCB from the existing association to authenticate the COOKIE-ECHO
chunk and all the chunks after it.</t>
<t>If the receiver does not find an STCB for a packet
containing an AUTH chunk as the first chunk and does not find a COOKIE-ECHO
chunk as the second chunk, it MUST use the chunks after the AUTH
chunk to look up an existing association. If no association is
found, the packet MUST be considered as out of the blue.
The out of the blue handling MUST be based on the packet without
taking the AUTH chunk into account. If an association is found, it
MUST process the AUTH chunk using the STCB from the existing
association as described earlier.</t>
<!--
<t>If the receiver of the packet does not have a STCB when it needs to
process the AUTH chunk, it MUST ignore the AUTH chunk. This applies to
a packet containing an AUTH chunk as a first chunk and an COOKIE-ECHO
chunk as the second chunk received in the CLOSED state.
If the receiver has a STCB, it MUST process the AUTH chunk as described above.</t>
-->
<t>Requiring ABORT chunks and COOKIE-ECHO chunks to be authenticated
makes it impossible for an attacker to bring down or restart an association as
long as the attacker does not know the association shared key. But it should also
be noted that if an endpoint accepts ABORT chunks only in an authenticated
way, it may take longer to detect that the peer is no longer available.
If an endpoint accepts COOKIE-ECHO chunks only in an authenticated way,
the restart procedure does not work, because the restarting endpoint
most likely does not know the association shared key of the old association
to be restarted. However, if the restarting endpoint does know the old
association shared key, he can successfully send the COOKIE-ECHO chunk
in a way that it is accepted by the peer by using this old association
shared key for the packet containing the AUTH chunk. After this operation, both
endpoints have to use the new association shared key.</t>
<t>If a server has an endpoint pair shared key with some clients, it can
request the COOKIE_ECHO chunk to be authenticated and can ensure that
only associations from clients with a correct endpoint pair shared key
are accepted.</t>
<t>Furthermore, it is important that the cookie contained in an INIT-ACK
chunk and in a COOKIE-ECHO chunk MUST NOT contain any endpoint pair
shared keys.</t>
</section>
</section>
<section title="Examples">
<t>This section gives examples of message exchanges
for association setup.</t>
<t>The simplest way of using the extension described in this document is
given by the following message exchange.</t>
<figure>
<artwork>
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
</artwork>
</figure>
<t>Please note that the CHUNKS parameter is optional in the
INIT and INIT-ACK.</t>
<t>If the server wants to receive DATA chunks in an authenticated
way, the following message exchange is possible:</t>
<figure>
<artwork>
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
--------------- COOKIE-ECHO; AUTH; DATA ------------->
<----------------- COOKIE-ACK; SACK ------------------
</artwork>
</figure>
<t>Please note that if the endpoint pair shared key depends on the
client and the server, and is only known by the upper layer,
this message exchange requires an upper layer intervention between
the processing of the COOKIE-ECHO chunk and the processing of the AUTH
and DATA chunk at the server side.
This intervention may be realized by a COMMUNICATION-UP notification
followed by the presentation of the endpoint pair shared
key by the upper layer to the SCTP stack, see for example Section 10 of
<xref target="RFC2960">RFC 2960</xref>.
If this intervention is not possible due to limitations of the API
(for example, the socket API), the server might discard the AUTH and DATA chunk,
making a retransmission of the DATA chunk necessary. If the same endpoint
pair shared key is used for multiple endpoints and does not depend on the
client, this intervention might not be necessary.</t>
</section>
<section title="IANA Considerations">
<!--
<t>A chunk type for the AUTH chunk has to be assigned by IANA. It is
suggested to use the value given above.</t>
<t>Parameter types have to be assigned for the RANDOM, CHUNKS, and HMAC-ALGO
parameter by IANA. It is suggested to use the values given above.</t>
<t>An error cause for the Unsupported HMAC Identifier error cause has to
be assigned. It is suggested to use the value given above.</t>
<t>HMAC Identifiers have to be maintained by IANA. Three initial values
should be assigned by IANA as described above.</t>
-->
<!-- RFC Editor Comment: Please verify the IANA values as we have
updated them. There were differences between your suggested values
and the IANA registries. We attempted to update the text to refer to
the IANA assigned values and use hex where you had used it. Please
review these updates closely. -->
<!-- Answer: Here is a *BIG PROBLEM*:
You use the error cause 11 (0x00B) which is already taken by
RFC 4460. So it seems we missed to write an appropiate IANA section
for RFC 4460. But we need to resolve this. Could the suggested number
0x0105 be used? -->
<t>This document (RFC 4895) is the reference for all registrations
described in this section. All registrations need to be listed
in the document available at
<eref target="http://www.iana.org/assignments/sctp-parameters">SCTP-parameters</eref>.
The changes are described below.</t>
<section title="A New Chunk Type">
<t>A chunk type for the AUTH chunk has been assigned by IANA.
IANA has assigned the value (15), as given in <xref target="chunktable"/>.
An additional line has been added in the "CHUNK TYPES" table of
<eref target="http://www.iana.org/assignments/sctp-parameters">SCTP-parameters</eref>:
<figure>
<artwork>
CHUNK TYPES
ID Value Chunk Type Reference
----- ---------- ---------
15 Authentication Chunk (AUTH) [RFC4895]
</artwork>
</figure>
</t>
</section>
<section title="Three New Parameter Types">
<t>Parameter types have been assigned for the RANDOM, CHUNKS, and HMAC-ALGO
parameter by IANA. The values are as given in
<xref target="parametertable"/>. This required two modifications to the "CHUNK
PARAMETER TYPES" tables in
<eref target="http://www.iana.org/assignments/sctp-parameters">SCTP-parameters</eref>:
the first is the addition of three new lines to the "INIT Chunk Parameter Types"
table:
<figure>
<artwork>
Chunk Parameter Type Value
-------------------- -----
Random 32770 (0x8002)
Chunk List 32771 (0x8003)
Requested HMAC Algorithm Parameter 32772 (0x8004)
</artwork>
</figure>
The second required change is the addition of the same three lines to the
to the "INIT ACK Chunk Parameter Types" table.</t>
</section>
<section title="A New Error Cause">
<t>An error cause for the Unsupported HMAC Identifier error cause has
been assigned. The value (261) has been assigned as in <xref target="causetable"/>.
This requires an additional line of the "CAUSE CODES" table in
<eref target="http://www.iana.org/assignments/sctp-parameters">SCTP-parameters</eref>:
<figure>
<artwork>
VALUE CAUSE CODE REFERENCE
----- ---------------- ---------
261 (0x0105) Unsupported HMAC Identifier [RFC4895]
</artwork>
</figure>
</t>
</section>
<section title="A New Table for HMAC Identifiers">
<t>HMAC Identifiers have to be maintained by IANA. Four initial values
have been assigned by IANA as described in <xref target="Digesttable"/>. This required
a new table "HMAC IDENTIFIERS" in
<eref target="http://www.iana.org/assignments/sctp-parameters">SCTP-parameters</eref>:
<figure>
<artwork>
HMAC Identifier Message Digest Algorithm REFERENCE
--------------- ------------------------ ---------
0 Reserved [RFC4895]
1 SHA-1 [RFC4895]
2 Reserved [RFC4895]
3 SHA-256 [RFC4895]
</artwork>
</figure>
</t>
<t>For registering a new HMAC Identifier with IANA, in this table, a request
has to be made to assign such a number. This number must be unique and
a message digest algorithm usable with the HMAC defined in
<xref target="RFC2104">RFC 2104</xref> MUST be specified.
The "Specification Required" policy of
<xref target="RFC2434">RFC 2434</xref> MUST be applied.
</t>
</section>
</section>
<section title="Security Considerations">
<t>Without using endpoint shared keys, this extension only protects
against modification or injection of authenticated chunks by attackers
who did not capture the initial handshake setting up the SCTP association.</t>
<t>If an endpoint pair shared key is used, even a true man in the middle
cannot inject chunks, which are required to be authenticated,
even if he intercepts the initial message exchange. The endpoint also
knows that it is accepting authenticated chunks from a peer who knows
the endpoint pair shared key.</t>
<t>The establishment of endpoint pair shared keys is out of the scope
of this document. Other mechanisms can be used, like using TLS or
manual configuration.</t>
<?rfc needLines="5" ?>
<t>When an endpoint accepts COOKIE-ECHO chunks only in an
authenticated way the restart procedure does not work. Neither
an attacker nor a restarted endpoint not knowing the association
shared key can perform an restart. However, if the association
shared key is known, it is possible to restart the association.</t>
<t>Because SCTP already has a built-in mechanism that handles the
reception of duplicated chunks, the presented solution makes
use of this functionality and does not provide a method to avoid
replay attacks by itself. Of course, this only works
within each SCTP association. Therefore, a separate shared key
is used for each SCTP association to handle replay attacks covering
multiple SCTP associations.</t>
<t>Each endpoint presenting a list of more than one element in the
HMAC-ALGO parameter must be prepared for the peer using the weakest
algorithm listed.</t>
<!--
<t>If an endpoint requests the authentication of some chunks using
the CHUNKS parameter and an attacker intercepts the handshake used
to setup the association and modifies or removes this CHUNKS parameter
this endpoint will not accept chunks which are authenticated or
needs to be authenticated and are not. This might result in the
failure of the association.</t>
-->
<t>When an endpoint pair uses non-NULL endpoint pair shared keys
and one of the endpoints still accepts a NULL key, an attacker who
captured the initial handshake can still inject or modify
authenticated chunks by using the NULL key.</t>
</section>
<section anchor="acks" title="Acknowledgments">
<t>The authors wish to thank
David Black,
Sascha Grau,
Russ Housley,
Ivan Arias Rodriguez,
Irene Ruengeler,
and Magnus Westerlund
for their invaluable comments.</t>
</section>
</middle>
<?rfc needLines="25" ?>
<back>
<references title='Normative References'>
<?rfc?><?rfc linefile="1:reference.RFC.1321"?>
<reference anchor='RFC1321'>
<front>
<title abbrev='MD5 Message-Digest Algorithm'>The MD5 Message-Digest
Algorithm</title>
<author initials='R.' surname='Rivest' fullname='Ronald L. Rivest'>
<organization>Massachusetts Institute of Technology, (MIT) Laboratory
for Computer Science</organization>
<address>
<postal>
<street>545 Technology Square</street>
<street>NE43-324</street>
<city>Cambridge</city>
<region>MA</region>
<code>02139-1986</code>
<country>US</country></postal>
<phone>+1 617 253 5880</phone>
<email>[email protected]</email></address></author>
<date year='1992' month='April' /></front>
<seriesInfo name='RFC' value='1321' />
<format type='TXT' octets='35222'
target='ftp://ftp.isi.edu/in-notes/rfc1321.txt' />
</reference>
<?rfc?><?rfc linefile="1:reference.RFC.2104"?>
<reference anchor='RFC2104'>
<front>
<title abbrev='HMAC'>HMAC: Keyed-Hashing for Message
Authentication</title>
<author initials='H.' surname='Krawczyk' fullname='Hugo Krawczyk'>
<organization>IBM, T.J. Watson Research Center</organization>
<address>
<postal>
<street>P.O.Box 704</street>
<city>Yorktown Heights</city>
<region>NY</region>
<code>10598</code>
<country>US</country></postal>
<email>[email protected]</email></address></author>
<author initials='M.' surname='Bellare' fullname='Mihir Bellare'>
<organization>University of California at San Diego, Dept of Computer
Science and Engineering</organization>
<address>
<postal>
<street>9500 Gilman Drive</street>
<street>Mail Code 0114</street>
<city>La Jolla</city>
<region>CA</region>
<code>92093</code>
<country>US</country></postal>
<email>[email protected]</email></address></author>
<author initials='R.' surname='Canetti' fullname='Ran Canetti'>
<organization>IBM T.J. Watson Research Center</organization>
<address>
<postal>
<street>P.O.Box 704</street>
<city>Yorktown Heights</city>
<region>NY</region>
<code>10598</code>
<country>US</country></postal>
<email>[email protected]</email></address></author>
<date year='1997' month='February' />
<abstract>
<t>This document describes HMAC, a mechanism for message
authentication using cryptographic hash functions. HMAC can be used
with any iterative cryptographic hash function, e.g., MD5, SHA-1, in
combination with a secret shared key. The cryptographic strength of
HMAC depends on the properties of the underlying hash
function.</t></abstract></front>
<seriesInfo name='RFC' value='2104' />
<format type='TXT' octets='22297'
target='ftp://ftp.isi.edu/in-notes/rfc2104.txt' />
</reference>
<?rfc?><?rfc linefile="1:reference.RFC.2119"?>
<reference anchor='RFC2119'>
<front>
<title abbrev='RFC Key Words'>Key words for use in RFCs to Indicate
Requirement Levels</title>
<author initials='S.' surname='Bradner' fullname='Scott Bradner'>
<organization>Harvard University</organization>
<address>
<postal>
<street>1350 Mass. Ave.</street>
<street>Cambridge</street>
<street>MA 02138</street></postal>
<phone>- +1 617 495 3864</phone>
<email>[email protected]</email></address></author>
<date year='1997' month='March' />
<area>General</area>
<keyword>keyword</keyword>
<abstract>
<t>
In many standards track documents several words are used to signify
the requirements in the specification. These words are often
capitalized. This document defines these words as they should be
interpreted in IETF documents. Authors who follow these guidelines
should incorporate this phrase near the beginning of their
document: