Network Working Group                                          M. Tuexen
Internet-Draft                          Muenster Univ. of Appl. Sciences
Intended status: Standards Track                              R. Stewart
Expires: July 26, 2013                                    Adara Networks
                                                        January 22, 2013

                   UDP Encapsulation of SCTP Packets
                 draft-ietf-tsvwg-sctp-udp-encaps-09.txt

Abstract

   This document describes a simple method of encapsulating SCTP packets
   into UDP packets and its limitations.  This allows the usage of SCTP
   in networks with legacy NATs not supporting SCTP.  It can also be used
   to implement SCTP on hosts without directly accessing the IP layer,
   for example implementing it as part of the application without
   requiring special privileges.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 26, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions
   3.  Use Cases
     3.1.  Portable SCTP Implementations
     3.2.  Legacy NAT Traversal
   4.  SCTP over UDP
     4.1.  Architectural Considerations
     4.2.  Packet Format
     4.3.  Encapsulation Procedure
     4.4.  Decapsulation Procedure
     4.5.  ICMP Considerations
     4.6.  Path MTU Considerations
     4.7.  Handling of Embedded IP Addresses
     4.8.  ECN Considerations
   5.  Socket API Considerations
     5.1.  Get or Set the Remote UDP Encapsulation Port Number
           (SCTP_REMOTE_UDP_ENCAPS_PORT)
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document describes a simple method of encapsulating SCTP packets
   into UDP packets.  SCTP as defined in [RFC4960] runs directly over
   IPv4 or IPv6.
   There are two main reasons for encapsulating SCTP packets:

   o  Allow SCTP traffic to pass legacy NATs, which do not provide
      native SCTP support as specified in [I-D.ietf-behave-sctpnat] and
      [I-D.ietf-tsvwg-natsupp].

   o  Allow SCTP to be implemented on hosts which do not provide direct
      access to the IP layer.  In particular, applications can use their
      own SCTP implementation if the operating system does not provide
      one.

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Use Cases

   This section discusses two important use cases for encapsulating SCTP
   into UDP.

3.1.  Portable SCTP Implementations

   Some operating systems support SCTP natively.  For other operating
   systems implementations are available, but require special privileges
   to install and/or use them.  In some cases no kernel implementation
   might be available at all.  When providing an SCTP implementation as
   part of a user process, most operating systems require special
   privileges to access the IP layer directly.

   Using UDP encapsulation makes it possible to provide an SCTP
   implementation as part of a user process which does not require any
   special privileges.

   A crucial point for implementing SCTP in user space is controlling
   the source address of outgoing packets.  This is not an issue when
   using all available addresses.  However, it does become an issue when
   also using the address management required for NAT traversal
   described in Section 4.7.

3.2.  Legacy NAT Traversal

   Using UDP encapsulation allows SCTP communication when traversing
   legacy NATs (i.e., those NATs not supporting SCTP as described in
   [I-D.ietf-behave-sctpnat] and [I-D.ietf-tsvwg-natsupp]).
   It is important to realize that for single-homed associations it is
   only necessary that no IP addresses are listed in the INIT and
   INIT-ACK chunks.  To use multiple addresses, the dynamic address
   reconfiguration extension described in [RFC5061] MUST be used with
   wildcard addresses in combination with [RFC4895].

   For multi-homed SCTP associations the address management as described
   in Section 4.7 MUST be performed.

   SCTP periodically sends HEARTBEAT chunks on all idle paths.  These
   can be used to keep the NAT state alive.

4.  SCTP over UDP

4.1.  Architectural Considerations

   An SCTP implementation supporting UDP encapsulation MUST store a
   remote UDP encapsulation port number per destination address for each
   SCTP association.

   Each SCTP stack uses a single local UDP encapsulation port number as
   the destination port for all its incoming SCTP packets.  The IANA-
   assigned value of 9899 (sctp-tunneling) MAY be used as this port
   number.  If there is only a single SCTP implementation on a host (for
   example, a kernel implementation being part of the operating system),
   using a single UDP encapsulation port number per host can be
   advantageous (e.g., this reduces the number of mappings in firewalls
   and NATs, among other things).  Using a single UDP encapsulation port
   number per host is not possible if the SCTP stack is implemented as
   part of an application.

4.2.  Packet Format

   To encapsulate an SCTP packet, a UDP header as defined in [RFC0768]
   is inserted between the IP header as defined in [RFC0791] and the
   SCTP common header as defined in [RFC4960].

   Figure 1 shows the packet format of an encapsulated SCTP packet when
   IPv4 is used.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          IPv4 Header                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          UDP Header                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      SCTP Common Header                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         SCTP Chunk #1                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              ...                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         SCTP Chunk #n                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                    Figure 1: An SCTP/UDP/IPv4 packet

   The packet format for an encapsulated SCTP packet when using IPv6 as
   defined in [RFC2460] is shown in Figure 2.  Please note that the
   number m of IPv6 extension headers can be 0.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       IPv6 Base Header                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   IPv6 Extension Header #1                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              ...                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   IPv6 Extension Header #m                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          UDP Header                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      SCTP Common Header                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         SCTP Chunk #1                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              ...                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         SCTP Chunk #n                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                    Figure 2: An SCTP/UDP/IPv6 packet

4.3.  Encapsulation Procedure

   When inserting the UDP header, the source port MUST be the local UDP
   encapsulation port number of the SCTP stack, and the destination port
   MUST be the remote UDP encapsulation port number stored for the
   association and the destination address to which the packet is sent
   (see Section 4.1).

   The length of the UDP packet MUST be the length of the SCTP packet
   plus the size of the UDP header.

   For IPv4, the UDP checksum SHOULD be computed and the SCTP checksum
   MUST be computed, whereas for IPv6, the UDP checksum and the SCTP
   checksum MUST both be computed.

4.4.  Decapsulation Procedure

   When an encapsulated packet is received, the UDP header is removed.
   Then a lookup is performed to find the association for the received
   SCTP packet.  After finding the SCTP association (which includes
   checking the verification tag), the UDP source port MUST be stored as
   the encapsulation port for the destination address the SCTP packet is
   received from (see Section 4.1).

   Please note that when a non-encapsulated SCTP packet is received, the
   encapsulation of outgoing packets belonging to the same association
   and the corresponding destination address MUST be disabled.

4.5.  ICMP Considerations

   When receiving ICMP or ICMPv6 response packets, there might not be
   enough bytes in the payload to identify the SCTP association which
   the SCTP packet triggering the ICMP or ICMPv6 packet belongs to.  If
   a received ICMP or ICMPv6 packet cannot be related to a specific
   SCTP association or the verification tag can't be verified, it MUST
   be discarded silently.  This means in particular that the SCTP stack
   MUST NOT rely on receiving ICMP or ICMPv6 messages.  Implementation
   constraints could prevent processing received ICMP or ICMPv6
   messages.

   If received ICMP or ICMPv6 messages are processed, the following
   mapping SHOULD apply:

   1.  ICMP messages with type 'Destination Unreachable' and code 'Port
       Unreachable' SHOULD be treated as ICMP messages with type
       'Protocol Unreachable' and code 'Destination Port Unreachable'.
       See [RFC0792] for more details.

   2.  ICMPv6 messages with type 'Destination Unreachable' and code
       'Port Unreachable' SHOULD be treated as ICMPv6 messages with type
       'Parameter Problem' and code 'Unrecognized Next Header type
       encountered'.  See [RFC4443] for more details.

4.6.  Path MTU Considerations

   If an SCTP endpoint starts to encapsulate the packets of a path, it
   MUST decrease the Path MTU of that path by the size of the UDP
   header.  If it stops encapsulating them, the Path MTU SHOULD be
   increased by the size of the UDP header.

   When performing Path MTU discovery as described in [RFC4820] and
   [RFC4821] it MUST be taken into account that one cannot rely on the
   feedback provided by ICMP or ICMPv6 due to the limitation laid out in
   Section 4.5.

   If the implementation does not allow controlling the don't fragment
   (DF) bit contained in the IPv4 header, then Path MTU discovery can't
   be used.  In this case, an implementation-specific value should be
   used instead.

4.7.  Handling of Embedded IP Addresses

   When using UDP encapsulation for legacy NAT traversal, IP addresses
   that might require translation MUST NOT be put into any SCTP packet.

   This means that a multi-homed SCTP association is set up initially as
   a single-homed one and the protocol extension [RFC5061] in
   combination with [RFC4895] is used to add the other addresses.  Only
   wildcard addresses are put into the SCTP packet.

   When addresses are changed during the lifetime of an association,
   [RFC5061] MUST be used with wildcard addresses only.

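   The procedures of Sections 4.3 and 4.4, together with the per-
   destination port storage of Section 4.1 and the Path MTU adjustment
   of Section 4.6, as an added Python example that is not part of this
   draft or of any SCTP implementation.  It assumes an IPv4 path, a
   pure-Python CRC-32C, an association table keyed by the local
   verification tag (standing in for a real association lookup, so it
   covers established associations only, not INIT handling), and the
   hypothetical names SctpStack, encapsulate and build_sctp_packet; the
   sample packets are constructed inline.

```python
"""Added example (not from the draft): UDP encapsulation and decapsulation of
SCTP packets over IPv4 per Sections 4.1, 4.3, 4.4 and 4.6.  SctpStack, the
verification-tag keyed association table and the sample packets are
assumptions of this example."""
import ipaddress
import struct

UDP_HEADER_LEN = 8
SCTP_HEADER_LEN = 12
SCTP_TUNNELING_PORT = 9899   # IANA-assigned port named in Section 4.1
UDP_PROTO = 17


def crc32c(data: bytes) -> int:
    """Bitwise CRC-32C (Castagnoli, reflected polynomial 0x82F63B78)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def build_sctp_packet(src_port: int, dst_port: int, vtag: int, chunks: bytes) -> bytes:
    """SCTP common header; the CRC-32C is computed with the checksum field
    zeroed and stored least-significant byte first (RFC 4960 Appendix B)."""
    header = struct.pack("!HHII", src_port, dst_port, vtag, 0)
    return header[:8] + struct.pack("<I", crc32c(header + chunks)) + chunks


def sctp_checksum_ok(packet: bytes) -> bool:
    if len(packet) < SCTP_HEADER_LEN:
        return False
    zeroed = packet[:8] + bytes(4) + packet[12:]
    return struct.unpack("<I", packet[8:12])[0] == crc32c(zeroed)


def udp_checksum(datagram: bytes, src_ip: str, dst_ip: str) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header plus the datagram
    (whose own checksum field must already be zero)."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, UDP_PROTO, len(datagram)))
    data = pseudo + datagram
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF   # 0 on the wire means "no checksum"


def encapsulate(sctp_packet: bytes, local_port: int, remote_port: int,
                src_ip: str, dst_ip: str) -> bytes:
    """Section 4.3: source = local encapsulation port, destination = the remote
    port stored for this path, UDP length = SCTP length + UDP header."""
    length = len(sctp_packet) + UDP_HEADER_LEN
    datagram = struct.pack("!HHHH", local_port, remote_port, length, 0) + sctp_packet
    csum = udp_checksum(datagram, src_ip, dst_ip)
    return datagram[:6] + struct.pack("!H", csum) + datagram[8:]


class SctpStack:
    """Per association and destination address: remote UDP encapsulation port
    (0 = not encapsulated) and path MTU (Sections 4.1 and 4.6)."""

    def __init__(self, local_ip: str, local_port: int = SCTP_TUNNELING_PORT):
        self.local_ip, self.local_port = local_ip, local_port
        self.assocs = {}  # local verification tag -> {peer ip -> [port, pmtu]}

    def add_association(self, local_vtag: int, peer_ip: str, pmtu: int = 1500) -> None:
        self.assocs[local_vtag] = {peer_ip: [0, pmtu]}

    def path(self, local_vtag: int, peer_ip: str):
        return self.assocs[local_vtag][peer_ip]

    def receive_udp(self, datagram: bytes, src_ip: str):
        """Section 4.4: strip the UDP header, locate the association by
        verification tag, then record the source port as the peer's
        encapsulation port.  Anything failing a check is dropped (None)."""
        if len(datagram) < UDP_HEADER_LEN + SCTP_HEADER_LEN:
            return None
        src_port, dst_port, length, csum = struct.unpack("!HHHH", datagram[:8])
        if dst_port != self.local_port or length != len(datagram):
            return None
        zeroed = datagram[:6] + bytes(2) + datagram[8:]
        if csum and udp_checksum(zeroed, src_ip, self.local_ip) != csum:
            return None
        sctp = datagram[UDP_HEADER_LEN:]
        if not sctp_checksum_ok(sctp):
            return None
        vtag = struct.unpack("!I", sctp[4:8])[0]
        path = self.assocs.get(vtag, {}).get(src_ip)
        if path is None:          # unknown tag or address: drop, learn nothing
            return None
        if path[0] == 0:          # encapsulation starts on this path: Section 4.6
            path[1] -= UDP_HEADER_LEN
        path[0] = src_port
        return sctp

    def receive_plain(self, sctp: bytes, src_ip: str):
        """Section 4.4: a non-encapsulated packet disables encapsulation on its path."""
        if not sctp_checksum_ok(sctp):
            return None
        path = self.assocs.get(struct.unpack("!I", sctp[4:8])[0], {}).get(src_ip)
        if path is None:
            return None
        if path[0] != 0:
            path[0], path[1] = 0, path[1] + UDP_HEADER_LEN
        return sctp

    def send(self, sctp: bytes, local_vtag: int, peer_ip: str) -> bytes:
        port = self.path(local_vtag, peer_ip)[0]
        if port == 0:
            return sctp
        return encapsulate(sctp, self.local_port, port, self.local_ip, peer_ip)
```

   The order of checks in receive_udp is the point of the example: the
   verification tag is matched against a known association before the
   UDP source port is stored, so a datagram carrying an unknown tag
   changes no state.  That is what limits an off-path sender to guessing
   one of the negotiated tags, as the draft states for SCTP without
   encapsulation.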
4.8.  ECN Considerations

   If the implementation supports the sending and receiving of the ECN
   bits for the IP protocols being used by an SCTP association, the ECN
   bits MUST NOT be changed during sending and receiving.  Otherwise,
   ECN MUST NOT be used for such an SCTP association.

5.  Socket API Considerations

   This section describes how the socket API defined in [RFC6458] is
   extended to provide a way for the application to control the UDP
   encapsulation.

   Please note that this section is informational only.

   A socket API implementation based on [RFC6458] is extended by
   supporting one new read/write socket option.

5.1.  Get or Set the Remote UDP Encapsulation Port Number
      (SCTP_REMOTE_UDP_ENCAPS_PORT)

   This socket option can be used to set and retrieve the UDP
   encapsulation port number.  This allows an endpoint to encapsulate
   initial packets.

   struct sctp_udpencaps {
     sctp_assoc_t sue_assoc_id;
     struct sockaddr_storage sue_address;
     uint16_t sue_port;
   };

   sue_assoc_id:  This parameter is ignored for one-to-one style
      sockets.  For one-to-many style sockets the application may fill
      in an association identifier or SCTP_FUTURE_ASSOC for this query.
      It is an error to use SCTP_{CURRENT|ALL}_ASSOC in sue_assoc_id.

   sue_address:  This specifies which address is of interest.  If a
      wildcard address is provided it applies only to future paths.

   sue_port:  The UDP port number in network byte order used as the
      destination port number for UDP encapsulation.  Providing a value
      of 0 disables UDP encapsulation.

6.  IANA Considerations

   This document does not require any actions from IANA.  It refers to
   the already assigned UDP port 9899 (sctp-tunneling).

7.  Security Considerations

   Encapsulating SCTP into UDP does not add any additional security
   considerations to the ones given in [RFC4960] and [RFC5061].
   Firewalls inspecting SCTP packets must also be aware of the
   encapsulation and apply corresponding rules to the encapsulated
   packets.

   An attacker might send a malicious UDP packet towards an SCTP
   endpoint to change the encapsulation port for a single remote address
   of a particular SCTP association.  However, as specified in
   Section 4.4, this requires the usage of one of the two negotiated
   verification tags.  This protects against blind attackers the same
   way as described in [RFC4960] for SCTP over IPv4 or IPv6.  Non-blind
   attackers can affect SCTP associations using the UDP encapsulation
   described in this document in the same way as SCTP associations not
   using the UDP encapsulation of SCTP described here.

8.  Acknowledgments

   The authors wish to thank Gorry Fairhurst, Tero Kivinen, Martin
   Stiemerling, Irene Ruengeler, and Dan Wing for their invaluable
   comments.

9.  References

9.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              September 1981.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, "Internet Control
              Message Protocol (ICMPv6) for the Internet Protocol
              Version 6 (IPv6) Specification", RFC 4443, March 2006.

   [RFC4820]  Tuexen, M., Stewart, R., and P. Lei, "Padding Chunk and
              Parameter for the Stream Control Transmission Protocol
              (SCTP)", RFC 4820, March 2007.

   [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
              Discovery", RFC 4821, March 2007.

   [RFC4895]  Tuexen, M., Stewart, R., Lei, P., and E. Rescorla,
              "Authenticated Chunks for the Stream Control Transmission
              Protocol (SCTP)", RFC 4895, August 2007.

   [RFC4960]  Stewart, R., "Stream Control Transmission Protocol",
              RFC 4960, September 2007.

   [RFC5061]  Stewart, R., Xie, Q., Tuexen, M., Maruyama, S., and M.
              Kozuka, "Stream Control Transmission Protocol (SCTP)
              Dynamic Address Reconfiguration", RFC 5061,
              September 2007.

9.2.  Informative References

   [RFC6458]  Stewart, R., Tuexen, M., Poon, K., Lei, P., and V.
              Yasevich, "Sockets API Extensions for the Stream Control
              Transmission Protocol (SCTP)", RFC 6458, December 2011.

   [I-D.ietf-behave-sctpnat]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation",
              draft-ietf-behave-sctpnat-07 (work in progress),
              October 2012.

   [I-D.ietf-tsvwg-natsupp]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", draft-ietf-tsvwg-natsupp-04 (work in progress),
              October 2012.

Authors' Addresses

   Michael Tuexen
   Muenster University of Applied Sciences
   Stegerwaldstrasse 39
   48565 Steinfurt
   DE

   Email: tuexen@fh-muenster.de


   Randall R. Stewart
   Adara Networks
   Chapin, SC 29036
   US

   Email: randall@lakerest.net