
Stream Control Transmission Protocol






Presentation Transcript


  1. Stream Control Transmission Protocol The design of a new reliable transport protocol for IP networks

  2. Table of contents
  • Why a new reliable transport protocol?
  • Datagram structure of SCTP.
  • The SYN attack in TCP.
  • Establishment procedure in SCTP.
  • Transmission of data.
  • Taking advantage of multihomed hosts.
  • The Head Of Line (HOL) blocking in TCP.
  • Avoiding the HOL blocking in TCP using several connections.
  • Avoiding the HOL blocking in SCTP using several streams.
  • Avoiding the HOL blocking in SCTP using unordered DATA chunks.
  • The path heartbeat mechanism.
  • Reporting non-fatal errors in SCTP.
  • Aborting associations in SCTP.
  • Graceful termination of an association.
  • Summarizing: Main characteristics of SCTP.

  3. Why a new reliable transport protocol?
  • There is an increasing interest in merging IP and telephony networks.
  • Among the problems that TCP has regarding telephony signaling transport we can cite:
    • It suffers from the so-called Head Of Line (HOL) blocking.
    • It is stream oriented. There are no message delimiters.
    • TCP is not designed to be multihomed.
    • It is relatively vulnerable to denial of service attacks.
    • TCP is very difficult to extend. These problems could not be solved by any TCP extension.
  • The SIGTRAN working group of the IETF started to design a new reliable transport protocol in summer 1998.
  • The initial design was called Multi-Network Datagram Transmission Protocol (MDTP). It ran on top of UDP instead of directly over IP.
  • The design of SCTP took about two and a half years. The SCTP specification is published in RFC 2960. However, a second version of it will be published soon.

  4. Datagram structure of SCTP
  [Figure: the Common Header (Source Port Number, Destination Port Number, Verification Tag, Checksum) followed by the Chunks. Each Chunk has a Chunk Type, Chunk Flags, Chunk Length, optional Fixed Fields and then Parameters or Error Causes. A Parameter is Parameter Type, Parameter Length, Parameter Value; an Error Cause is Cause Code, Cause Length, Cause Value.]
  • An SCTP datagram is composed of a Common Header and at least one Chunk.
  • Inside an SCTP datagram there can be many Chunks. Their number is only restricted by the Maximum Transfer Unit (MTU).
  • Chunks are Type-Length-Value (TLV) structures. They all have a Chunk Type, the Chunk Flags and the Chunk Length, and optionally Fixed Fields and either Parameters or Error Causes.
  • The Parameters are optional or variable-length fields.
  • The Error Causes are syntactically the same as the Parameters but semantically different. They help to discover anomalous situations.
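The layout just described can be walked with a short parser. The following Python is an added example written for this page, not code from the slides or from any SCTP implementation; the chunk type numbers are those of RFC 2960, the sample datagram is constructed here, and the Checksum is carried through without being verified because the slides do not cover the algorithm. The parser enforces the two checks a practitioner cares about when reading TLVs off the wire: a length field that is shorter than its own header (which would otherwise make the loop spin forever) and one that runs past the end of the buffer.

```python
import struct
from dataclasses import dataclass

# Chunk type numbers as assigned in RFC 2960 (the slides use the same values).
CHUNK_NAMES = {
    0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
    5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
    9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK", 14: "SHUTDOWN COMPLETE",
}
COMMON_HEADER = struct.Struct("!HHII")  # Source Port, Destination Port, Verification Tag, Checksum
CHUNK_HEADER = struct.Struct("!BBH")    # Chunk Type, Chunk Flags, Chunk Length (header + value, no padding)
TLV_HEADER = struct.Struct("!HH")       # Parameter Type / Cause Code, Parameter Length / Cause Length

def pad4(n: int) -> int:
    """Chunks and parameters are padded to a 4-byte boundary; the length fields exclude that padding."""
    return (n + 3) & ~3

@dataclass
class Chunk:
    ctype: int
    flags: int
    value: bytes  # everything after the 4-byte chunk header, padding stripped

    @property
    def name(self) -> str:
        return CHUNK_NAMES.get(self.ctype, f"UNKNOWN({self.ctype})")

@dataclass
class Datagram:
    src_port: int
    dst_port: int
    vtag: int
    checksum: int
    chunks: list

def parse_tlvs(buf: bytes) -> list:
    """Walk a run of Parameters or Error Causes; both use the same Type-Length-Value syntax."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < TLV_HEADER.size:
            raise ValueError("truncated parameter header")
        ptype, plen = TLV_HEADER.unpack_from(buf, off)
        # A length below 4 would never advance `off`: reject it instead of spinning forever.
        if plen < TLV_HEADER.size or off + plen > len(buf):
            raise ValueError(f"bad parameter length {plen} at offset {off}")
        out.append((ptype, buf[off + TLV_HEADER.size:off + plen]))
        off += pad4(plen)
    return out

def parse_datagram(buf: bytes) -> Datagram:
    """Split an SCTP datagram into its Common Header and the chunks that follow it.
    The Checksum is carried through unverified (the slides do not cover the algorithm)."""
    if len(buf) < COMMON_HEADER.size:
        raise ValueError("truncated common header")
    src, dst, vtag, csum = COMMON_HEADER.unpack_from(buf, 0)
    chunks, off = [], COMMON_HEADER.size
    while off < len(buf):
        if len(buf) - off < CHUNK_HEADER.size:
            raise ValueError("truncated chunk header")
        ctype, flags, length = CHUNK_HEADER.unpack_from(buf, off)
        if length < CHUNK_HEADER.size or off + length > len(buf):
            raise ValueError(f"bad chunk length {length} at offset {off}")
        chunks.append(Chunk(ctype, flags, buf[off + CHUNK_HEADER.size:off + length]))
        off += pad4(length)
    if not chunks:
        raise ValueError("an SCTP datagram must carry at least one chunk")
    return Datagram(src, dst, vtag, csum, chunks)

def data_fields(chunk: Chunk) -> dict:
    """Decode the Fixed Fields of a DATA chunk: TSN, Stream Identifier, SSN, PPI, then the User Data."""
    if chunk.ctype != 0 or len(chunk.value) < 12:
        raise ValueError("not a well-formed DATA chunk")
    tsn, sid, ssn, ppid = struct.unpack_from("!IHHI", chunk.value, 0)
    return {"tsn": tsn, "stream_id": sid, "ssn": ssn, "ppid": ppid,
            "unordered": bool(chunk.flags & 0x04),  # U flag
            "beginning": bool(chunk.flags & 0x02),  # B flag
            "end": bool(chunk.flags & 0x01),        # E flag
            "user_data": chunk.value[12:]}

def build_chunk(ctype: int, flags: int, value: bytes) -> bytes:
    """Encode one chunk with its padding (used here only to construct the sample below)."""
    length = CHUNK_HEADER.size + len(value)
    return CHUNK_HEADER.pack(ctype, flags, length) + value + b"\x00" * (pad4(length) - length)

# Constructed sample: a 5-byte DATA chunk (B and E set, so unfragmented) bundled with a SACK chunk.
SAMPLE = (COMMON_HEADER.pack(5000, 2905, 0x1A2B3C4D, 0)
          + build_chunk(0, 0x03, struct.pack("!IHHI", 1000, 1, 0, 0) + b"hello")
          + build_chunk(3, 0x00, struct.pack("!IIHH", 999, 65535, 0, 0)))

if __name__ == "__main__":
    dg = parse_datagram(SAMPLE)
    print([(c.name, len(c.value)) for c in dg.chunks])
    print(data_fields(dg.chunks[0])["user_data"])
```

Because the DATA chunk carries 17 bytes of value, its Chunk Length is 21 while the SACK that follows it starts 24 bytes later; `pad4` is what bridges the two, and it is also why a parser that trusts the length field blindly can be made to read past the buffer or never terminate.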

  5. The SYN attack in TCP
  [Figure: the attacker sends SYN segments whose IP source addresses are forged (Fake IP Source Address A, B, ..., Z); the server answers each with a SYN-ACK addressed to the fake source (IP Destination Address A, B, ..., Z).]
  • The attacker sends SYN segments to a server. The attacker uses IP spoofing, forging the source address of the IP datagrams that contain those TCP segments.
  • The receiver of the SYN segment saves the state of the future connection.
  • The server sends back a SYN-ACK segment to the source address of the SYN segment. Normally nobody listens at that address, and the segment is lost.
  • The attacker sends many SYN segments and the receiver keeps filling its buffers.
  • At some point the server runs out of resources and legitimate users cannot access its services. The attacker has successfully carried out a Denial of Service attack.

  6. Establishment procedure in SCTP
  [Figure: the four datagrams of the handshake. INIT (Chunk Type = 1, Verification Tag = 0, Initiate Tag = Tag A, Advertised Receiver Window Credit, Number of Outbound Streams, Number of Inbound Streams, Initial TSN, Parameters); INIT ACK (Chunk Type = 2, Verification Tag = Tag A, Initiate Tag = Tag Z, the same fixed fields, State Cookie + Other Parameters); COOKIE ECHO (Chunk Type = 10, Verification Tag = Tag Z, Received Cookie); COOKIE ACK (Chunk Type = 11, Verification Tag = Tag A).]
  • The client sends to the server a datagram containing only an INIT chunk.
  • The INIT chunk contains the Initiate Tag, the Advertised Receiver Window Credit, the Number of Outbound and Inbound Streams, and the Initial TSN. It can also include Parameters.
  • The server answers with an INIT ACK chunk, which has a structure similar to that of the INIT chunk. However, it does not save any state about the future association.
  • The INIT ACK chunk compulsorily includes the State Cookie parameter. It carries the information that came inside the INIT chunk plus server-specific data, and a Message Authentication Code calculated with a Secret Key.
  • The State Cookie parameter is sent back inside the COOKIE ECHO chunk.
  • Using its secret key, the server verifies that the information inside the COOKIE ECHO chunk has not been modified.
  • If the check succeeds, the server opens a new association. This way, the server has not reserved any resource until checking that the client included its real address in the first datagram.
  • The final step is answering the client with a COOKIE ACK chunk.
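The cookie mechanism is what lets the server stay stateless between INIT and COOKIE ECHO. The following Python is an added example of one way to build and verify such a State Cookie; it is not code from the slides or from any SCTP implementation, the cookie layout and the 60-second lifespan are assumptions of this example, and the HMAC is SHA-256 based while RFC 2960 leaves the MAC algorithm to the implementation. The three checks in `verify_state_cookie` are the ones the slide implies: the MAC must verify under the server's secret, the echo must arrive from the address the INIT ACK was sent to, and the cookie must not be stale. Only when all three pass does the server get a dict it can turn into association state.

```python
import hashlib
import hmac
import socket
import struct

COOKIE_LIFESPAN = 60  # seconds a cookie stays valid; assumed value for this example
MAC_LEN = hashlib.sha256().digest_size
# Cookie body: peer address, the INIT fields the server would otherwise have to remember
# (peer Initiate Tag, a_rwnd, outbound/inbound streams, peer initial TSN), the server's own
# Initiate Tag and initial TSN (no state is kept, so they travel in the cookie), creation time.
COOKIE_BODY = struct.Struct("!4sIIHHIIIQ")

def make_state_cookie(secret: bytes, peer_addr: str, init: dict,
                      local_tag: int, local_tsn: int, now: int) -> bytes:
    """State Cookie value for the INIT ACK: body || HMAC-SHA256(secret, body)."""
    body = COOKIE_BODY.pack(socket.inet_aton(peer_addr), init["init_tag"], init["a_rwnd"],
                            init["os"], init["mis"], init["init_tsn"], local_tag, local_tsn, now)
    return body + hmac.new(secret, body, hashlib.sha256).digest()

def verify_state_cookie(secret: bytes, cookie: bytes, src_addr: str, now: int):
    """Check the cookie echoed in a COOKIE ECHO. Returns the association state to create
    (a minimal TCB) or None; no resource is allocated before this returns a dict."""
    if len(cookie) != COOKIE_BODY.size + MAC_LEN:
        return None
    body, mac = cookie[:COOKIE_BODY.size], cookie[COOKIE_BODY.size:]
    # Constant-time compare: the cookie is input chosen by whoever sent the datagram.
    if not hmac.compare_digest(mac, hmac.new(secret, body, hashlib.sha256).digest()):
        return None
    (addr, peer_tag, a_rwnd, out_streams, in_streams,
     peer_tsn, local_tag, local_tsn, created) = COOKIE_BODY.unpack(body)
    # The echo must come from the address the INIT ACK was sent to; only a host that
    # really received the INIT ACK there can return the cookie unmodified.
    if addr != socket.inet_aton(src_addr):
        return None
    if not created <= now <= created + COOKIE_LIFESPAN:
        return None  # expired cookie (an implementation would answer with an error cause)
    return {"peer_tag": peer_tag, "local_tag": local_tag, "a_rwnd": a_rwnd,
            "out_streams": out_streams, "in_streams": in_streams,
            "peer_tsn": peer_tsn, "local_tsn": local_tsn}

if __name__ == "__main__":
    # Constructed values: a server secret and the fields of a received INIT.
    secret = b"constructed-server-secret"
    init = {"init_tag": 0x11111111, "a_rwnd": 65535, "os": 10, "mis": 10, "init_tsn": 1000}
    cookie = make_state_cookie(secret, "10.0.0.7", init, 0x22222222, 5000, 1700000000)
    print(verify_state_cookie(secret, cookie, "10.0.0.7", 1700000010))  # TCB dict
    print(verify_state_cookie(secret, cookie, "10.0.0.8", 1700000010))  # None: echoed from elsewhere
```

Note that the server's own Initiate Tag and initial TSN have to ride inside the cookie: since no state is stored at INIT time, the cookie is the only place the server can recover the values it promised in the INIT ACK.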

  7. Transmission of data
  [Figure: DATA chunk (Chunk Type = 0; flags Reserved, U, B, E; Chunk Length; Transmission Sequence Number; Stream Identifier; Stream Sequence Number; Payload Protocol Identifier; User Data) and SACK chunk (Chunk Type = 3; Cumulative TSN Acknowledgement; Advertised Receiver Window Credit; Number of Gap Ack Blocks = G; Number of Duplicate TSNs = D; Gap Ack Block #1 ... #G Start and End; Duplicate TSN #1 ... #D), each preceded by the Common Header with Verification Tag = Tag Z.]
  • The user data is sent inside the DATA chunks. The Payload Protocol Identifier (PPI) identifies the upper user that generated the DATA chunk.
  • A DATA chunk is uniquely identified by its Transmission Sequence Number (TSN). Its order inside the Stream is given by the Stream Sequence Number (SSN).
  • The B (Beginning) and E (End) flags are used when fragmenting the user data. The U (Unordered) flag identifies the unordered DATA chunks.
  • The DATA chunks are acknowledged by the SACK chunks.
  • A SACK chunk acknowledges all TSNs previous to (and including) the Cumulative TSN Acknowledgement. The Gap Ack Blocks are included if there is a hole in the reception sequence.
  • If a TSN is received more than once, it is reported in a Duplicate TSN field.
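How a receiver turns what it has seen into the three SACK fields, and how the sender reads them back, is easiest to follow with code. This Python is an added example for this slide, not code from the deck or from an SCTP stack; Gap Ack Block Start and End are expressed as offsets from the Cumulative TSN Acknowledgement, as in RFC 2960, and TSNs are treated as plain integers (the 32-bit wrap-around of real TSNs is left out to keep the example short).

```python
class TsnReceiver:
    """Tracks received TSNs and derives the fields of the next SACK chunk.
    TSNs are plain integers here; a real receiver uses 32-bit serial arithmetic."""

    def __init__(self, initial_tsn: int):
        self.cum_ack = initial_tsn - 1  # every TSN up to and including this one was received
        self.beyond = set()             # TSNs received above cum_ack; the holes between them are the gaps
        self.duplicates = []            # TSNs seen more than once since the last SACK

    def receive(self, tsn: int) -> None:
        if tsn <= self.cum_ack or tsn in self.beyond:
            self.duplicates.append(tsn)  # already have it: report it as a Duplicate TSN
            return
        self.beyond.add(tsn)
        # Advance the cumulative ack across any TSNs that are now contiguous.
        while self.cum_ack + 1 in self.beyond:
            self.cum_ack += 1
            self.beyond.remove(self.cum_ack)

    def sack(self, a_rwnd: int) -> dict:
        """Cumulative TSN Ack, Gap Ack Blocks as (start, end) offsets from it, Duplicate TSNs."""
        blocks, run_start, prev = [], None, None
        for tsn in sorted(self.beyond):
            if prev is None or tsn != prev + 1:
                if run_start is not None:
                    blocks.append((run_start - self.cum_ack, prev - self.cum_ack))
                run_start = tsn
            prev = tsn
        if run_start is not None:
            blocks.append((run_start - self.cum_ack, prev - self.cum_ack))
        dups, self.duplicates = self.duplicates, []  # duplicates are reported once
        return {"cum_tsn_ack": self.cum_ack, "a_rwnd": a_rwnd,
                "gap_ack_blocks": blocks, "duplicate_tsns": dups}

def acknowledged_tsns(sack: dict, outstanding) -> set:
    """Sender side: which of its outstanding TSNs does this SACK cover?"""
    cum = sack["cum_tsn_ack"]
    covered = {t for t in outstanding if t <= cum}
    for start, end in sack["gap_ack_blocks"]:
        covered.update(t for t in outstanding if cum + start <= t <= cum + end)
    return covered

def missing_tsns(sack: dict, outstanding) -> set:
    """Sender side: outstanding TSNs the SACK does not cover (retransmission candidates)."""
    return set(outstanding) - acknowledged_tsns(sack, outstanding)

if __name__ == "__main__":
    # Constructed arrival order: 1002 and 1005 are missing, 1003 arrives twice.
    rx = TsnReceiver(1000)
    for tsn in (1000, 1001, 1003, 1004, 1006, 1003):
        rx.receive(tsn)
    s = rx.sack(a_rwnd=65535)
    print(s)
    print(sorted(missing_tsns(s, range(1000, 1007))))
```

With the constructed arrivals the SACK carries Cumulative TSN Ack 1001, Gap Ack Blocks (2, 3) and (5, 5), and Duplicate TSN 1003; the sender reads the blocks as TSNs 1003 to 1004 and 1006 and concludes that 1002 and 1005 are missing. When the retransmitted 1002 arrives the cumulative ack jumps to 1004 in one step.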

  8. Taking advantage of multihomed hosts
  [Figure: DATA and SACK chunks exchanged over an IP Network between two multihomed hosts, the same chunks that the previous slide shows.]
  • During the establishment phase the two peers exchange their IP addresses.
  • All of them can be used as source or destination addresses.
  • However, one of them is the Primary Address and is the one normally used as the destination address. The rest are kept as a backup in case the Primary Address fails and are also used for the retransmissions.
  • In case the Primary Address fails, we can use any of the other addresses.
  • This way we have network redundancy and it is less probable to lose an association due to network failures.

  9. The Head Of Line (HOL) blocking in TCP
  [Figure: a TCP user sends messages 1 to 6 over one TCP connection; one segment is lost, so the messages that follow it wait in the receiver's buffer until it is retransmitted.]
  • It happens when the data sender sends unrelated messages through the same TCP connection and one segment is lost on the way to the receiver.
  • Even if all the subsequent segments arrive normally at the receiver, they are kept there.
  • Only when the lost segment is retransmitted and arrives at the receiver can the rest of the messages be delivered to the upper user.

  10. Avoiding the HOL blocking in TCP using several connections
  [Figure: TCP users A, B and C each send over their own TCP connection (A, B, C) into separate receiver's buffers; a lost segment on one connection holds back only that buffer.]
  • The HOL blocking can be avoided by using different TCP connections for different user messages.
  • If one segment is lost in one of the connections, it does not affect the other user messages.
  • However, having many open connections is expensive.

  11. Avoiding the HOL blocking in SCTP using several streams
  [Figure: one SCTP association carrying Stream 0, Stream 1 and Stream 2; DATA chunks are labelled with their sequence numbers, and a chunk missing in one stream leaves the other streams' chunks deliverable from the receiver's buffer.]
  • In SCTP, a stream represents a unidirectional logical channel within which all user messages are delivered in sequence.
  • The TSN uniquely identifies the DATA chunks belonging to an association, and the SSN is used to order those DATA chunks within a stream, independently of the other streams. The Stream Identifier in the DATA chunk identifies the stream used.
  • A DATA chunk can be sent to any existing stream of the association.
  • A missing TSN sent to one stream does not affect any TSN sent to another stream.
  • The streams are cheap. They all share the same buffer and congestion variables.

  12. Avoiding the HOL blocking in SCTP using unordered DATA chunks
  [Figure: an SCTP association in which unordered DATA chunks reach the receiver's buffer and are passed to the SCTP user regardless of the chunk that is missing.]
  • The DATA chunks sent with the U flag set are delivered to the upper user as soon as they are reassembled at the receiver.
  • They are not directed to any specific stream.
  • Unordered DATA chunks are conceptually similar to UDP datagrams. However, unordered messages are normally acknowledged and can also be fragmented.
  • Using unordered data we can also avoid the HOL blocking without even using streams. However, this scheme can be used only if the order of delivery of user messages does not matter.
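Slides 9 to 12 describe the same receiver-side rule from four angles: a gap holds back everything behind it in one ordered sequence, separate sequences (TCP connections or SCTP streams) are blocked independently, and an unordered chunk is never held at all. The following Python is an added example that models that delivery logic; it is not code from the slides or from an SCTP implementation, the arrival sequence is constructed here, and chunks are assumed unfragmented so that reassembly (the B and E flags of slide 7) can be left out.

```python
from collections import defaultdict

class StreamReceiver:
    """Receiver-side delivery of DATA chunks: ordered chunks are sequenced per stream by
    SSN, unordered chunks (U flag) go straight to the user. Chunks are assumed unfragmented."""

    def __init__(self):
        self.next_ssn = defaultdict(int)  # stream id -> next SSN the user is waiting for
        self.pending = defaultdict(dict)  # stream id -> {ssn: payload} held in the receiver's buffer

    def receive(self, stream_id: int, ssn: int, payload: bytes, unordered: bool = False) -> list:
        """Return the (stream, ssn, payload) messages deliverable once this chunk has arrived."""
        if unordered:
            return [(stream_id, None, payload)]  # no SSN ordering applies to an unordered chunk
        self.pending[stream_id][ssn] = payload
        delivered = []
        # Hand over the head of this stream while it is present; a hole blocks only this stream.
        while self.next_ssn[stream_id] in self.pending[stream_id]:
            head = self.next_ssn[stream_id]
            delivered.append((stream_id, head, self.pending[stream_id].pop(head)))
            self.next_ssn[stream_id] += 1
        return delivered

    def blocked(self, stream_id: int) -> int:
        """Messages of one stream held back by a missing SSN (0 means no HOL blocking there)."""
        return len(self.pending[stream_id])

# Constructed arrival order: stream 0 loses SSN 1 for a while, stream 1 and an unordered
# chunk keep flowing, then the retransmitted SSN 1 releases SSN 2 as well.
ARRIVALS = [
    (0, 0, b"s0-m0", False),
    (0, 2, b"s0-m2", False),  # SSN 1 missing: held in the buffer
    (1, 0, b"s1-m0", False),  # another stream: delivered at once
    (0, 0, b"unord", True),   # U flag: delivered at once, SSN ignored
    (0, 1, b"s0-m1", False),  # the retransmission: m1 and then m2 are delivered
]

def simulate(arrivals) -> list:
    """Feed an arrival sequence to a fresh receiver and return every delivery in order."""
    rx, log = StreamReceiver(), []
    for stream_id, ssn, payload, unordered in arrivals:
        log.extend(rx.receive(stream_id, ssn, payload, unordered))
    return log

if __name__ == "__main__":
    for entry in simulate(ARRIVALS):
        print(entry)
```

Running the constructed sequence shows `s0-m2` arriving second but being delivered last, while `s1-m0` and the unordered chunk pass straight through; with a single TCP connection in place of the streams, all three would have waited for `s0-m1`.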

  13. The path heartbeat mechanism
  [Figure: HEARTBEAT chunk (Chunk Type = 4) and HEARTBEAT ACK chunk (Chunk Type = 5), each carrying a Heartbeat Info parameter (Heartbeat Info Type = 1, Heartbeat Info Length, Sender-specific Heartbeat Info), both preceded by the Common Header.]
  • One host sends the HEARTBEAT chunk to its peer. It contains a TLV structure similar to a Parameter, called Heartbeat Info. Its internal structure is implementation specific.
  • Upon receipt of this chunk, the receiver must answer with a HEARTBEAT ACK chunk, copying the Heartbeat Info inside the HEARTBEAT ACK chunk.
  • If the HEARTBEAT ACK chunk is not received on time, it counts as an error on the address used. Too many errors cause the address to be considered unreachable.
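The heartbeat on this slide and the Primary Address failover of slide 8 are two halves of one mechanism: heartbeats drive a per-address error counter, and the counter decides which of the peer's addresses is used as destination. The Python below is an added example of that bookkeeping, not code from the slides or from an SCTP stack; the failure threshold of five is an assumption of the example, and the contents of the Heartbeat Info (address, random nonce, send time) are one possible choice since the slide leaves the structure to the implementation. Because the peer must echo the Heartbeat Info unchanged, the sender can and should accept an ack only when it matches what it is waiting for on that path.

```python
import os
import struct
import time

PATH_MAX_RETRANS = 5  # consecutive heartbeat failures before a path is declared inactive (assumed)

class Path:
    def __init__(self, addr: str):
        self.addr = addr
        self.error_count = 0
        self.active = True
        self.outstanding_hb = None  # Heartbeat Info we sent and are still waiting to get back

class Association:
    """Tracks the peer addresses learned at establishment, the Primary Address and path health."""

    def __init__(self, peer_addrs, primary: str):
        self.paths = {a: Path(a) for a in peer_addrs}
        self.primary = primary

    def destination(self):
        """Primary Address while it is reachable, otherwise the first active backup, else None."""
        if self.paths[self.primary].active:
            return self.primary
        return next((a for a, p in self.paths.items() if p.active), None)

    def send_heartbeat(self, addr: str, now: float = None) -> bytes:
        """Build the sender-specific Heartbeat Info for a HEARTBEAT on `addr` and remember it."""
        p = self.paths[addr]
        now = time.time() if now is None else now
        p.outstanding_hb = addr.encode() + b"\x00" + os.urandom(8) + struct.pack("!d", now)
        return p.outstanding_hb

    def receive_heartbeat_ack(self, addr: str, info: bytes) -> bool:
        """Accept the ack only if it echoes exactly the info outstanding on that path."""
        p = self.paths[addr]
        if p.outstanding_hb is None or info != p.outstanding_hb:
            return False  # stray, replayed or forged ack: not evidence that the path works
        p.outstanding_hb = None
        p.error_count = 0  # a good ack clears the error history of the address
        p.active = True
        return True

    def heartbeat_timeout(self, addr: str) -> bool:
        """No HEARTBEAT ACK in time: one more error on the address; too many make it
        unreachable. Returns True if the path just became inactive."""
        p = self.paths[addr]
        p.outstanding_hb = None
        p.error_count += 1
        if p.error_count >= PATH_MAX_RETRANS and p.active:
            p.active = False
            return True
        return False

if __name__ == "__main__":
    # Constructed peer: two addresses, the first one primary.
    assoc = Association(["192.0.2.1", "192.0.2.2"], primary="192.0.2.1")
    for _ in range(PATH_MAX_RETRANS):
        assoc.send_heartbeat("192.0.2.1")
        assoc.heartbeat_timeout("192.0.2.1")
    print(assoc.destination())  # the backup address once the primary is inactive
```

The example also shows why the error counter is reset on a good ack rather than decremented: a path that answers once is reachable now, and the slide's rule is about consecutive failures, not a lifetime total.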

  14. Reporting non-fatal errors in SCTP
  [Figure: ERROR chunk (Chunk Type = 9, Chunk Flags Reserved, Chunk Length) whose Parameters are Error Causes, preceded by the Common Header with Verification Tag = Tag Z.]
  • If one of the hosts involved in an association has any non-fatal problem, it sends an ERROR chunk to its peer endpoint.
  • An ERROR chunk must include at least one Error Cause indicating the reason(s) why the chunk was sent.
  • They are used to indicate solvable problems, to help debugging SCTP implementations and to make SCTP extensions backward compatible.

  15. Aborting associations in SCTP
  [Figure: ABORT chunk (Chunk Type = 6, Reserved, T flag, Chunk Length) optionally carrying Error Causes, preceded by the Common Header with Verification Tag = Tag Z.]
  • When a host has a problem that makes it impossible to continue with an existing association, it sends the ABORT chunk.
  • Like the ERROR chunk, the ABORT chunk can carry Error Causes to state what the problem was. However, they are not compulsory in the ABORT chunk.
  • Once the ABORT chunk is received, the association ceases to exist. The abort procedure should not be used to terminate associations if it can be avoided.

  16. Graceful termination of an association
  [Figure: the three datagrams of the shutdown. SHUTDOWN (Chunk Flags Reserved, Chunk Length, Cumulative TSN ACK); SHUTDOWN ACK (Chunk Flags Reserved, Chunk Length); SHUTDOWN COMPLETE (Chunk Type = 14, Reserved, T flag, Chunk Length); each preceded by the Common Header with Verification Tag = Tag Z or Tag A.]
  • If a host wants to start the shutdown procedure, it sends the SHUTDOWN chunk.
  • It is the responsibility of the sender to send this chunk only when all the data it wants to send has already been acknowledged.
  • The SHUTDOWN chunk also includes the Cumulative TSN Acknowledgement, as the SACK chunk does.
  • When the peer endpoint has also received the acknowledgement of all the DATA chunks, it sends back the SHUTDOWN ACK chunk.
  • The last chunk used in the shutdown procedure is the SHUTDOWN COMPLETE.
  • The T (TCB missing) flag is set when there is no TCB at the SHUTDOWN ACK receiver. This can happen if the peer has restarted.
  • In SCTP there are no half-closed associations as in TCP. The shutdown procedure is asymmetric.

  17. Summarizing: Main characteristics of SCTP
  • It is able to take advantage of multihomed hosts.
  • It can avoid the SYN attack thanks to its cookie mechanism.
  • The existence of independent streams helps to avoid the HOL blocking.
  • It is message-oriented like UDP, but at the same time reliable like TCP.
  • It is able to notify error conditions, thus making it possible to solve certain errors at the transport level.
  • It is highly inspired by TCP. Most of the optional features of TCP are compulsory in SCTP. The congestion avoidance mechanism is the same as in TCP.
  • SCTP uses a socket interface very similar to the one TCP uses.
  • There are already some open source SCTP implementations.
  • SCTP performance is at least as good as TCP's.

  18. Questions?

  19. Extra slides

  20. The finite state machine model (I)
  [Figure: establishment state machine for CLIENT and SERVER. Client: CLOSED; ASSOCIATE primitive and INIT sent, COOKIE-WAIT; INIT ACK received and COOKIE ECHO sent, COOKIE-ECHOED; COOKIE ACK received, ESTABLISHED. Server: CLOSED; INIT received and INIT ACK sent, still CLOSED; COOKIE ECHO received and COOKIE ACK sent, ESTABLISHED. An ABORT in any state leads to CLOSED. Legend: State, User Primitive Call, Control chunk sent or received, State change.]
  • Like TCP, SCTP is a symmetrical protocol. The client and the server are functionally identical.
  • It uses a four-way handshake establishment procedure. However, the last two legs can already carry user data.
  • It provides mechanisms to resolve initiation collisions and to detect a restart of the peer.

  21. The finite state machine model (II)
  [Figure: shutdown state machine for CLIENT and SERVER with states ESTABLISHED, SHUTDOWN-PENDING, SHUTDOWN-SENT, SHUTDOWN-RECEIVED, SHUTDOWN-ACK-SENT and CLOSED; the SHUTDOWN primitive leads to SHUTDOWN-PENDING, the SHUTDOWN chunk to SHUTDOWN-SENT on one side and SHUTDOWN-RECEIVED on the other, the SHUTDOWN ACK chunk to SHUTDOWN-ACK-SENT, and the SHUTDOWN COMPLETE chunk to CLOSED. * The state is changed and the signal is sent when there are no more outstanding DATA chunks. Legend: State, User Primitive Call, Control chunk sent or received, State change.]
  • SCTP uses a three-way handshake shutdown algorithm.
  • There are no half-closed associations in SCTP.
  • The shutdown algorithm is asymmetric. Once one endpoint starts closing the association, the other host must do the same.
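The two state machine figures, together with the shutdown rules of slide 16, can be written down as one transition table and driven from both ends. The Python below is an added example of such a table-driven endpoint, not code from the slides or from an SCTP implementation; the event names ("rx:INIT", "all_acked", and so on) are this example's own, and the COOKIE ECHO transition assumes the cookie has already been verified. Being table-driven, the model rejects any chunk that is not expected in the current state, which is the property an implementation needs so that a stray or replayed control chunk cannot move an association somewhere it should not be.

```python
class SctpEndpoint:
    """Table-driven model of the association state machine in the two figures.
    Events are user primitives (ASSOCIATE, SHUTDOWN), chunks received ("rx:<CHUNK>") or
    "all_acked", the condition marked * in the shutdown figure (no more outstanding DATA).
    handle() returns the control chunk to send in response, if any."""

    TRANSITIONS = {
        # (state, event): (next state, chunk to send)
        ("CLOSED", "ASSOCIATE"): ("COOKIE-WAIT", "INIT"),
        ("CLOSED", "rx:INIT"): ("CLOSED", "INIT ACK"),  # no state kept: the cookie carries it
        ("CLOSED", "rx:COOKIE ECHO"): ("ESTABLISHED", "COOKIE ACK"),  # assumes the cookie verified
        ("CLOSED", "rx:SHUTDOWN ACK"): ("CLOSED", "SHUTDOWN COMPLETE (T)"),  # no TCB: T flag set
        ("COOKIE-WAIT", "rx:INIT ACK"): ("COOKIE-ECHOED", "COOKIE ECHO"),
        ("COOKIE-ECHOED", "rx:COOKIE ACK"): ("ESTABLISHED", None),
        ("ESTABLISHED", "SHUTDOWN"): ("SHUTDOWN-PENDING", None),
        ("SHUTDOWN-PENDING", "all_acked"): ("SHUTDOWN-SENT", "SHUTDOWN"),
        ("ESTABLISHED", "rx:SHUTDOWN"): ("SHUTDOWN-RECEIVED", None),
        ("SHUTDOWN-RECEIVED", "all_acked"): ("SHUTDOWN-ACK-SENT", "SHUTDOWN ACK"),
        ("SHUTDOWN-SENT", "rx:SHUTDOWN ACK"): ("CLOSED", "SHUTDOWN COMPLETE"),
        ("SHUTDOWN-ACK-SENT", "rx:SHUTDOWN COMPLETE"): ("CLOSED", None),
        ("SHUTDOWN-ACK-SENT", "rx:SHUTDOWN COMPLETE (T)"): ("CLOSED", None),
    }

    def __init__(self):
        self.state = "CLOSED"

    def handle(self, event: str):
        if event == "rx:ABORT":  # any state: the association ceases to exist, nothing is sent back
            self.state = "CLOSED"
            return None
        try:
            self.state, chunk = self.TRANSITIONS[(self.state, event)]
        except KeyError:
            raise ValueError(f"{event} is not valid in state {self.state}") from None
        return chunk

def exchange(sender: SctpEndpoint, receiver: SctpEndpoint, event: str) -> list:
    """Apply `event` to `sender` and pass every emitted chunk to the other side until
    neither has anything left to send. Returns the chunks that went on the wire, in order."""
    log, current, other = [], sender, receiver
    chunk = current.handle(event)
    while chunk:
        log.append(chunk)
        current, other = other, current
        chunk = current.handle("rx:" + chunk)
    return log

if __name__ == "__main__":
    client, server = SctpEndpoint(), SctpEndpoint()
    print(exchange(client, server, "ASSOCIATE"))   # the four-way handshake
    client.handle("SHUTDOWN")
    print(exchange(client, server, "all_acked"))   # SHUTDOWN once the client's data is acked
    print(exchange(server, client, "all_acked"))   # SHUTDOWN ACK, then SHUTDOWN COMPLETE
    print(client.state, server.state)
```

Driving the handshake from the client yields the four chunks of slide 6 with the server still in CLOSED after answering INIT; the shutdown needs two `all_acked` events, one per side, which is the asymmetry slides 16 and 21 describe: the peer that receives SHUTDOWN cannot stay half open, it must drain its own data and answer.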
