Network Working Group                                          M. Tuexen
Internet-Draft                           Muenster Univ. of Appl. Sciences
Intended status: Standards Track                              R. Stewart
Expires: June 26, 2013                                    Adara Networks
                                                       December 23, 2012

                    UDP Encapsulation of SCTP Packets
                  draft-ietf-tsvwg-sctp-udp-encaps-07.txt

Abstract

   This document describes a simple method of encapsulating SCTP packets
   into UDP packets and its limitations.  This allows the usage of SCTP
   in networks with legacy NATs that do not support SCTP.  It can also
   be used to implement SCTP on hosts without directly accessing the IP
   layer, for example by implementing it as part of the application
   without requiring special privileges.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 26, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions
   3.  Use Cases
     3.1.  Portable SCTP Implementations
     3.2.  Legacy NAT Traversal
   4.  SCTP over UDP
     4.1.  Architectural Considerations
     4.2.  Packet Format
     4.3.  Encapsulation Procedure
     4.4.  Decapsulation Procedure
     4.5.  ICMP Considerations
     4.6.  Path MTU Considerations
     4.7.  Handling of Embedded IP-addresses
     4.8.  ECN Considerations
   5.  Socket API Considerations
     5.1.  Get or Set the Remote UDP Encapsulation Port Number
           (SCTP_REMOTE_UDP_ENCAPS_PORT)
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document describes a simple method of encapsulating SCTP packets
   into UDP packets.  SCTP as defined in [RFC4960] runs directly over
   IPv4 or IPv6.
   There are two main reasons for encapsulating SCTP packets:

   o  Allow SCTP traffic to pass legacy NATs, which do not provide
      native SCTP support as specified in [I-D.ietf-behave-sctpnat] and
      [I-D.ietf-tsvwg-natsupp].

   o  Allow SCTP to be implemented on hosts which do not provide direct
      access to the IP layer.  In particular, applications can use their
      own SCTP implementation if the operating system does not provide
      one.

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Use Cases

   This section discusses two important use cases for encapsulating SCTP
   into UDP.

3.1.  Portable SCTP Implementations

   Some operating systems support SCTP natively.  For other operating
   systems implementations are available, but they require special
   privileges to install and/or use.  In some cases no kernel
   implementation might be available at all.  When providing an SCTP
   implementation as part of a user process, most operating systems
   require special privileges to access the IP layer directly.

   Using UDP encapsulation makes it possible to provide an SCTP
   implementation as part of a user process which does not require any
   special privileges.

   A crucial point for implementing SCTP in user-land is controlling the
   source address of outgoing packets.  This is not an issue when all
   available addresses are used.  However, it does become an issue when
   the address management required for NAT traversal, described in
   Section 4.7, is also used.

3.2.  Legacy NAT Traversal

   Using UDP encapsulation allows SCTP communication when traversing
   legacy NATs (i.e., those NATs not supporting SCTP as described in
   [I-D.ietf-behave-sctpnat] and [I-D.ietf-tsvwg-natsupp]).
   It is important to realize that for single-homed associations it is
   only necessary that no IP addresses are listed in the INIT and
   INIT-ACK chunks.  To use multiple addresses, the dynamic address
   reconfiguration extension described in [RFC5061] MUST be used with
   wildcard addresses in combination with [RFC4895].

   For multi-homed SCTP associations the address management as
   described in Section 4.7 MUST be performed.

4.  SCTP over UDP

4.1.  Architectural Considerations

   An SCTP implementation supporting UDP encapsulation MUST store a
   remote UDP encapsulation port number per destination address for each
   SCTP association.

   Each SCTP stack uses a single local UDP encapsulation port number as
   the destination port for all its incoming SCTP packets.  The IANA
   assigned value of 9899 (sctp-tunneling) MAY be used as this port
   number.  If there is only a single SCTP implementation on a host (for
   example, a kernel implementation being part of the operating system),
   using a single UDP encapsulation port number per host can be
   advantageous (e.g., this reduces the number of mappings in firewalls
   and NATs, among other things).  Using a single UDP encapsulation port
   number per host is not possible if the SCTP stack is implemented as
   part of an application.

4.2.  Packet Format

   To encapsulate an SCTP packet, a UDP header as defined in [RFC0768]
   is inserted between the IP header as defined in [RFC0791] and the
   SCTP common header as defined in [RFC4960].

   Figure 1 shows the packet format of an encapsulated SCTP packet when
   IPv4 is used.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          IPv4 Header                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          UDP Header                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      SCTP Common Header                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         SCTP Chunk #1                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              ...                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         SCTP Chunk #n                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                   Figure 1: An SCTP/UDP/IPv4 packet

   The packet format for an encapsulated SCTP packet when using IPv6 as
   defined in [RFC2460] is shown in Figure 2.  Please note that the
   number m of IPv6 extension headers can be 0.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       IPv6 Base Header                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   IPv6 Extension Header #1                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              ...                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   IPv6 Extension Header #m                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          UDP Header                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      SCTP Common Header                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         SCTP Chunk #1                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              ...                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         SCTP Chunk #n                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                   Figure 2: An SCTP/UDP/IPv6 packet

4.3.  Encapsulation Procedure

   When inserting the UDP header, the source port MUST be the local UDP
   encapsulation port number of the SCTP stack, and the destination port
   MUST be the remote UDP encapsulation port number stored for the
   destination address to which the packet is sent (see Section 4.1).

   The length of the UDP packet MUST be the length of the SCTP packet
   plus the size of the UDP header.

   For IPv4, the UDP checksum SHOULD be computed and the SCTP checksum
   MUST be computed, whereas for IPv6, both the UDP checksum and the
   SCTP checksum MUST be computed.

4.4.  Decapsulation Procedure

   When an encapsulated packet is received, the UDP header is removed.
   Then a lookup is performed to find the association for the received
   SCTP packet.  After finding the SCTP association (which includes
   checking the verification tag), the UDP source port MUST be stored as
   the encapsulation port for the destination address the SCTP packet is
   received from (see Section 4.1).

   Please note that when a non-encapsulated SCTP packet is received, the
   encapsulation of outgoing packets belonging to the same association
   and the corresponding destination address MUST be disabled.

4.5.  ICMP Considerations

   When receiving ICMP or ICMPv6 response packets, there might not be
   enough bytes in the payload to identify the SCTP association which
   the SCTP packet triggering the ICMP or ICMPv6 packet belongs to.  If
   a received ICMP or ICMPv6 packet cannot be related to a specific
   SCTP association or the verification tag cannot be verified, it MUST
   be discarded silently.  This means in particular that the SCTP stack
   MUST NOT rely on receiving ICMP or ICMPv6 messages.  Implementation
   constraints could prevent processing received ICMP or ICMPv6
   messages.

   If received ICMP or ICMPv6 messages are processed, the following
   mapping SHOULD apply:

   1.  ICMP messages with type 'Destination Unreachable' and code 'Port
       Unreachable' SHOULD be treated as ICMP messages with type
       'Protocol Unreachable' and code 'Destination Port Unreachable'.
       See [RFC0792] for more details.

   2.  ICMPv6 messages with type 'Destination Unreachable' and code
       'Port Unreachable' SHOULD be treated as ICMPv6 messages with type
       'Parameter Problem' and code 'Unrecognized Next Header type
       encountered'.  See [RFC4443] for more details.

4.6.  Path MTU Considerations

   If an SCTP endpoint starts to encapsulate the packets of a path, it
   MUST decrease the Path MTU of that path by the size of the UDP
   header.  If it stops encapsulating them, the Path MTU SHOULD be
   increased by the size of the UDP header.

   When performing Path MTU discovery as described in [RFC4820] and
   [RFC4821], it MUST be taken into account that one cannot rely on the
   feedback provided by ICMP or ICMPv6 due to the limitation laid out in
   Section 4.5.

   If the implementation does not allow controlling the don't fragment
   (DF) bit contained in the IPv4 header, then Path MTU discovery cannot
   be used.  In this case, an implementation-specific value should be
   used instead.

4.7.  Handling of Embedded IP-addresses

   When using UDP encapsulation for legacy NAT traversal, IP addresses
   that might require translation MUST NOT be put into any SCTP packet.

   This means that a multi-homed SCTP association is set up initially as
   a single-homed one, and the protocol extension [RFC5061] in
   combination with [RFC4895] is used to add the other addresses.  Only
   wildcard addresses are put into the SCTP packet.

   When addresses are changed during the lifetime of an association,
   [RFC5061] MUST be used with wildcard addresses only.

4.8.  ECN Considerations

   If the implementation supports the sending and receiving of the ECN
   bits for the IP protocols being used by an SCTP association, the ECN
   bits MUST NOT be changed during sending and receiving.  Otherwise,
   ECN MUST NOT be used for such an SCTP association.

5.  Socket API Considerations

   This section describes how the socket API defined in [RFC6458] is
   extended to provide a way for the application to control the UDP
   encapsulation.

   Please note that this section is informational only.

   A socket API implementation based on [RFC6458] is extended by
   supporting one new read/write socket option.

5.1.  Get or Set the Remote UDP Encapsulation Port Number
      (SCTP_REMOTE_UDP_ENCAPS_PORT)

   This socket option can be used to set and retrieve the UDP
   encapsulation port number.  This allows an endpoint to encapsulate
   initial packets.

   struct sctp_udpencaps {
     sctp_assoc_t sue_assoc_id;
     struct sockaddr_storage sue_address;
     uint16_t sue_port;
   };

   sue_assoc_id:  This parameter is ignored for one-to-one style
      sockets.  For one-to-many style sockets the application may fill
      in an association identifier or SCTP_FUTURE_ASSOC for this query.
      It is an error to use SCTP_{CURRENT|ALL}_ASSOC in sue_assoc_id.

   sue_address:  This specifies which address is of interest.  If a
      wildcard address is provided, it applies only to future paths.

   sue_port:  The UDP port number in network byte order used as the
      destination port number for UDP encapsulation.  Providing a value
      of 0 disables UDP encapsulation.

6.  IANA Considerations

   This document does not require any actions from IANA.  It refers to
   the already assigned UDP port 9899 (sctp-tunneling).

7.  Security Considerations

   Encapsulating SCTP into UDP does not add any additional security
   considerations to the ones given in [RFC4960] and [RFC5061].
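   The receive path of Section 4.4 and the reason it resists blind
   attackers, as an added Python example that is not part of this draft
   or of any SCTP implementation.  The Association class, the
   encaps_port mapping and all helper names are assumptions; the SCTP
   packet and chunk are constructed inline, and the UDP checksum is left
   at zero, which Section 4.3 permits only over IPv4.

```python
import struct

UDP_HDR, SCTP_HDR = 8, 12   # UDP header and SCTP common header sizes


def crc32c(data: bytes) -> int:
    """Bitwise reflected CRC32c (polynomial 0x82F63B78), the SCTP checksum."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


class Association:
    """Toy per-association state (assumed names): SCTP ports, the verification
    tag the peer must send us, and one remote UDP port per destination address."""
    def __init__(self, local_port, peer_port, my_vtag):
        self.local_port, self.peer_port, self.my_vtag = local_port, peer_port, my_vtag
        self.encaps_port = {}          # destination address -> remote UDP port (0 = off)


def build_sctp(src, dst, vtag, chunk):
    """Constructed SCTP packet: common header + one chunk; the CRC32c is
    stored least-significant byte first as in RFC 4960 Appendix B."""
    head = struct.pack("!HHI", src, dst, vtag)
    csum = crc32c(head + b"\0\0\0\0" + chunk)
    return head + struct.pack("<I", csum) + chunk


def encapsulate(sctp, local_udp_port, remote_udp_port):
    """Section 4.3: UDP header with the local port as source, the stored
    remote port as destination, length = SCTP length + 8.  The UDP checksum
    is left 0 here (only permissible over IPv4; Section 4.3 requires it for IPv6)."""
    return struct.pack("!HHHH", local_udp_port, remote_udp_port, len(sctp) + UDP_HDR, 0) + sctp


def receive(assoc, peer_addr, datagram, encapsulated):
    """Section 4.4 receive path.  Returns the SCTP packet if accepted, else None.
    The remote encapsulation port is touched only after the association lookup
    and verification-tag check pass, which is what keeps a blind sender from
    redirecting a path's encapsulation (Section 7)."""
    udp_src = 0
    if encapsulated:
        if len(datagram) < UDP_HDR + SCTP_HDR:
            return None
        udp_src, _, udp_len, _ = struct.unpack("!HHHH", datagram[:UDP_HDR])
        if udp_len != len(datagram):
            return None
        sctp = datagram[UDP_HDR:]              # strip the UDP header
    else:
        sctp = datagram
        if len(sctp) < SCTP_HDR:
            return None
    src, dst, vtag = struct.unpack("!HHI", sctp[:8])
    stored = struct.unpack("<I", sctp[8:12])[0]
    if crc32c(sctp[:8] + b"\0\0\0\0" + sctp[12:]) != stored:
        return None                            # RFC 4960: bad checksum, drop
    if (src, dst) != (assoc.peer_port, assoc.local_port) or vtag != assoc.my_vtag:
        return None                            # unknown association or bad tag
    # Learn the UDP source port for this destination; a packet that arrived
    # without UDP disables encapsulation towards that address.
    assoc.encaps_port[peer_addr] = udp_src if encapsulated else 0
    return sctp
```

   A packet carrying the wrong verification tag, or a corrupted one, is
   dropped before the port table is consulted, so the stored port for
   that address is unchanged.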
   An attacker might send a malicious UDP packet towards an SCTP
   endpoint to change the encapsulation port for a single remote address
   of a particular SCTP association.  However, as specified in
   Section 4.4, this requires the usage of one of the two negotiated
   verification tags.  This protects against blind attackers the same
   way as described in [RFC4960] for SCTP over IPv4 or IPv6.  Non-blind
   attackers can affect SCTP associations using the UDP encapsulation
   described in this document in the same way as SCTP associations not
   using the UDP encapsulation of SCTP described here.

8.  Acknowledgments

   The authors wish to thank Gorry Fairhurst, Martin Stiemerling, Irene
   Ruengeler, and Dan Wing for their invaluable comments.

9.  References

9.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              September 1981.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, "Internet Control
              Message Protocol (ICMPv6) for the Internet Protocol
              Version 6 (IPv6) Specification", RFC 4443, March 2006.

   [RFC4820]  Tuexen, M., Stewart, R., and P. Lei, "Padding Chunk and
              Parameter for the Stream Control Transmission Protocol
              (SCTP)", RFC 4820, March 2007.

   [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
              Discovery", RFC 4821, March 2007.

   [RFC4895]  Tuexen, M., Stewart, R., Lei, P., and E. Rescorla,
              "Authenticated Chunks for the Stream Control Transmission
              Protocol (SCTP)", RFC 4895, August 2007.

   [RFC4960]  Stewart, R., "Stream Control Transmission Protocol",
              RFC 4960, September 2007.

   [RFC5061]  Stewart, R., Xie, Q., Tuexen, M., Maruyama, S., and M.
              Kozuka, "Stream Control Transmission Protocol (SCTP)
              Dynamic Address Reconfiguration", RFC 5061,
              September 2007.

9.2.  Informative References

   [RFC6458]  Stewart, R., Tuexen, M., Poon, K., Lei, P., and V.
              Yasevich, "Sockets API Extensions for the Stream Control
              Transmission Protocol (SCTP)", RFC 6458, December 2011.

   [I-D.ietf-behave-sctpnat]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation",
              draft-ietf-behave-sctpnat-07 (work in progress),
              October 2012.

   [I-D.ietf-tsvwg-natsupp]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", draft-ietf-tsvwg-natsupp-04 (work in progress),
              October 2012.

Authors' Addresses

   Michael Tuexen
   Muenster University of Applied Sciences
   Stegerwaldstrasse 39
   48565 Steinfurt
   DE

   Email: tuexen@fh-muenster.de

   Randall R. Stewart
   Adara Networks
   Chapin, SC 29036
   US

   Email: randall@lakerest.net