1 / 31

STREAM CONTROL TRANSMISSION PROTOCOL (SCTP)

STREAM CONTROL TRANSMISSION PROTOCOL (SCTP). SCTP service model. connection oriented reliable data transfer - no loss - no duplicates - data integrity ordered / unordered delivery TCP provides only ordered service. If the application desires unordered service,

aquila
Télécharger la présentation

STREAM CONTROL TRANSMISSION PROTOCOL (SCTP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. STREAM CONTROL TRANSMISSION PROTOCOL (SCTP)

  2. SCTP service model • connection oriented • reliable data transfer - no loss - no duplicates - data integrity • ordered / unordered delivery TCP provides only ordered service. If the application desires unordered service, • it has the option of using UDP => unreliable • SCTP separates data reliability from ordered delivery • SCTP can provide unordered service with reliability • SCTP can provide ordered service with reliability

  3. SCTP preserves message boundaries • TCP is byte-oriented. Applications must add their own • record marking to delineate messages. • concept of chunks • security against SYN flooding attack • multi-homing • multi-streaming • message fragmentation and bundling • congestion control

  4. Comparison between SCTP, TCP and UDP

  5. SCTP PDU format 1 common header + chunks (control or data)

  6. Motivation • Many applications need reliable message delivery – they do so by delineating a TCP stream • TCP provides both strict-ordering and reliability – many applications may not need both

  7. Motivation (contd) • HTTP is one such application • While transferring multiple embedded files we only want • Reliable file transfer for each file • Partial ordering for the packets of each file but not total ordering amongst all the packets • TCP provides more than this (but overhead?) • SCTP may help (how? – later)

  8. Client Server Request file 0 Fork child Send file 0 Request file 1..N Send file 1,2,…N HTTP ServerArchitecture Multiple File Transfer (Embedded files) - TCP Child process

  9. Client Server Request file 0 Fork child Send file 0 – stream 0 Request files 1..N Send file 1 – stream 1 Send file N – stream N HTTP ServerArchitecture Multiple Files Transfer (Embedded Files) - SCTP Child process

  10. Reason Server Client 3 2 1 3 2 3 2 1 3 2 1 1 File 3 File 2 TCP Send buffer in kernel TCP Receive buffer in kernel

  11. Reason Server Client 3 3 2 2 3 2 1 3 2 1 1 1 File 3 File 2 SCTP Receive buffer in kernel SCTP Receive buffer in kernel

  12. Multi-homing

  13. multi-homing single-homed SCTP endpoint multi-homed SCTP endpoint Host B Host A application application IP1=160.15.82.20 IP2=161.10.8.221 IP3=10.1.61.11 200 100 SCTP SCTP B1 B2 B3 A1 IP=128.33.6.12 endpoint=[128.33.6.12 : 100] endpoint=[160.15.82.20, 161.10.8.221, 10.1.61.11 : 200] SCTP association Host A Host B application application IP1=160.15.82.20 IP2=161.10.8.221 IP3=10.1.61.11 100 200 SCTP SCTP A1 B1 B2 B3 IP=128.33.6.12 association={ [128.33.6.12 : 100] : [160.15.82.20, 161.10.8.221, 10.1.61.11 : 200] }

  14. 4 possible TCP connections: • (A1,B1) or (A1,B2) or (A2,B1) or (A2,B2) • 1 SCTP association: • ({A1,A2},{B1,B2}) • Primary destinations for A & B (e.g., A1 & B1) A1 B1 Host A Host B Network A2 B2 X • What happens if a primary fails? • TCP connection is broken • whereas SCTP association can continue to transmit to an alternate destination • address

  15. failure detection • Host A monitors reachability of the primary destination address of Host B Host A Host B application application 100 primary 200 alternates SCTP SCTP A1 B1 B2 B3 SACK DATA • error_count is a variable associated • with each destination address of a • host. It is set to zero initially. • Host A starts the retransmission timer • If timer expires • increment error_count • If error_count > threshold • state = inactive • If Host A receives SACK before timer expires error_count = 0 & state = active

  16. Host A monitors reachability of alternate destination addresses of Host B Host A Host B application application 100 primary 200 alternates SCTP SCTP A1 B1 B2 B3 HEARTBEAT HEARTBEAT-ACK • HEARTBEAT is sent periodically to each alternate address • When a HEARTBEAT is sent • increment error_count • If error_count > threshold • state = inactive • If Host A receives a HEARTBEAT-ACK error_count = 0 & state = active • When the primary destination address is detected unreachable => SCTP sender chooses 1 of the REACHABLE, alternate destination addresses as primary

  17. association setup How many way handshake ? V: verification tag I: initiation tag Host A Host B closed • mandatory - • type • chunk flags • chunk length • initiation tag • a_rwnd • outbound streams • maximum inbound streams • initial TSN • optional - • addresses(IPv4,IPv6, hostname) • supported address types • ECN capable • cookie preservative INIT (V=0) (I=TagA) cookie wait closed

  18. SCTP INIT PDU

  19. association setup V: verification tag I: initiation tag Host A Host B closed INIT (V=0) (I=TagA) cookie wait closed INIT-ACK (V=TagA) (I=TagB) • mandatory – • All fields present in mandatory INIT + • state cookie • optional - • addresses(IPv4,IPv6, hostname) • ECN Capable • error reporting for unrecognized • parameters

  20. association setup V: verification tag I: initiation tag Host A Host B closed INIT (V=0) (I=TagA) • type • chunk flags • chunk length • state cookie • DATA chunk can be sent along with COOKIE-ECHO cookie wait INIT-ACK (V=TagA) (I=TagB) closed COOKIE-ECHO (V=TagB) cookie echoed

  21. why COOKIE ??? attackers Flooded!! victim 130.2.4.15 128.3.4.5 SYN SYN buffer holding half-open (pending) connections SYN 228.3.14.5 192.10.2.8 SYN SYN SYN 190.13.4.1 SYN SYN 221.3.5.10 TCP SYN flooding attack • There is no ACK in response to the SYN-ACK, hence connection • remains half-open • Other genuine clients cannot open connections to the victim • The victim is unable to provide service

  22. how does COOKIE help ? Host B receives INIT • Receiver of INIT does not make the • Transmission Control Block (TCB) [i.e no • pending connection information kept] • Remains in CLOSED state • In case of attack, COOKIE-ECHO won’t • arrive but receiver is unaffected Send INIT_ACK with COOKIE Prepare COOKIE

  23. how does COOKIE help ? Host B receives INIT Send INIT_ACK with COOKIE Prepare COOKIE Host B receives COOKIE-ECHO invalid Extract & Validate COOKIE Discard SCTP PDU valid yes Sender can request longer cookie life next time through the Cookie - preservative parameter in the INIT chunk Send ERROR chunk COOKIE expired ? no Unpack COOKIE and build association TCB Discard SCTP PDU

  24. association setup V: verification tag I: initiation tag Host A Host B closed INIT (V=0) (I=TagA) • type • chunk flags • chunk length • DATA chunk can be sent along with COOKIE-ACK cookie wait INIT-ACK (V=TagA) (I=TagB) closed COOKIE-ECHO (V=TagB) cookie echoed COOKIE-ACK (V=TagA) 4 – way handshake ! established established

  25. association shutdown Host A Host B upper layer invokes SHUTDOWN established established DATA DATA shutdown_pending SACK SHUTDOWN shutdown_sent

  26. stop accepting data SHUTDOWN DATA shutdown_sent shutdown_received SHUTDOWN+ SACK SHUTDOWN_ACK shutdown_ack_sent SHUTDOWN_COMPLETE delete TCB closed delete TCB closed

  27. when should a SACK be sent ? Host B Host A DATA (TSN 1) Endpoint sends DATA to its peer, always bundle a SACK chunk to ack any new DATA chunks SACK 1 + DATA DATA (TSN 2) If no DATA to be sent to the peer, then SACK is DELAYED Delay – 200 to 500 ms 200 ms SACK 2 DATA (TSN 2) Duplicate data chunks => immediately send SACK without any delay SACK 2

  28. when should a SACK be sent ? Host A Host B DATA (TSN 3) Must send a SACK for every other SCTP PDU received without any delay DATA (TSN 4) 200 ms SACK 4 DATA (TSN 5) One or more TSNs missing => immediately send SACK with Gap Ack blocks without any delay X DATA (TSN 6) SACK 4

  29. summary • SCTP PDU = 1 common header + 1 or more chunks ( control or data) • Association setup = 4 way handshake (INIT, INIT-ACK, COOKIE-ECHO, • COOKIE_ACK) • COOKIE mechanism to prevent SYN flooding attack • Graceful shutdown(SHUTDOWN, SHUTDOWN-ACK, • SHUTDOWN-COMPLETE) no half-close as in TCP • Separates reliability from ordered delivery • Preserves message boundaries • SACK chunks to ack cumulative TSN + gap ack blocks + duplicate TSNs • Achieves link / path redundancy by supporting multi-homed hosts along with • reachability check

  30. References • Randall R. Stewart, Qiaobing Xie. • Stream Control Transmission Protocol (SCTP) A Reference Guide • Stewart et. al. Stream Contol Transmission Protocol RFC-2960, October 2000. • URL: http://www.ietf.org/rfc/rfc2960.txt • SCTP for Beginners • URL:http://tdrwww.exp-math.uni essen.de/inhalt/forschung/sctp_fb/index.html • SCTP overview • http://www.sctp.org/sctpoverview.html • SCTP tutorial • http://www.iec.org/online/tutorials/sctp/ • SCTP applicability statement • http://www.ietf.org/rfc/rfc3257.txt

  31. References Slides collected from various sources including Keyur Shah, Sourabh Ladha, P. Amer, P. Conrad, Sam Baskinger

More Related