idnits 2.17.1 draft-nagesh-sctp-auth-4895bis-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC4895, but the abstract doesn't seem to directly say this. It does mention RFC4895 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4895, updated by this document, for RFC5378 checks: 2005-06-15) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 21, 2019) is 1739 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 4960 (Obsoleted by RFC 9260) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 tsvwg N. Shamnur, Ed. 3 Internet-Draft Huawei 4 Obsoletes: 4895 (if approved) July 21, 2019 5 Updates: 4895 (if approved) 6 Intended status: Standards Track 7 Expires: January 22, 2020 9 Authenticated Chunks for the Stream Control Transmission Protocol (SCTP) 10 bis 11 draft-nagesh-sctp-auth-4895bis-00 13 Abstract 15 This document obsoletes RFC4895 if approved. This document describes 16 a new chunk type, several parameters, and procedures for the Stream 17 Control Transmission Protocol (SCTP). This new chunk type can be 18 used to authenticate SCTP chunks by using shared keys between the 19 sender and receiver. The new parameters are used to establish the 20 shared keys. 22 This document describes the limitations with the current SCTP AUTH 23 RFC4895 and thus enhances the document to resolve such ambiguities 24 and thus strengthen the overall AUTH procedure. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at https://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on January 22, 2020. 43 Copyright Notice 45 Copyright (c) 2019 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (https://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 61 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 62 3. New Parameter Types . . . . . . . . . . . . . . . . . . . . . 4 63 3.1. Random Parameter (RANDOM) . . . . . . . . . . . . . . . . 4 64 3.2. Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . 5 65 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) . . . . . 6 66 3.4. Supported Extensions Parameter . . . . . . . . . . . . . 7 67 4. New Error Cause . . . . . . . . . . . . . . . . . . . . . . . 7 68 4.1. Unsupported HMAC Identifier Error Cause . . . . . . . . . 8 69 5. New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . 8 70 5.1. Authentication Chunk (AUTH) . . . . . . . . . . . . . . . 9 71 6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . 10 72 6.1. Establishment of an Association Shared Key . . . . . . . 10 73 6.2. Negotiation of Auth Procedure . . . . . . . . . . . . . . 11 74 6.2.1. Receiving INIT containing AUTH parameters when AUTH 75 extension is not supported . . . . . . . . . . . . . 12 76 6.2.2. Receiving INIT-ACK without AUTH parameters when AUTH 77 extension was sent in INIT chunk . . . . . . . . . . 12 78 6.2.3. Receiving INIT without AUTH parameters when AUTH is 79 supported locally . . . . . . . . . . . . . . . . . . 12 80 6.3. Association Initialization Collision . . . . . . . . . . 12 81 6.4. Sending Authenticated Chunks . . . . . . . . . . . . . . 12 82 6.5. Receiving Authenticated Chunks . . . . . . . . . . . . . 13 83 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 15 84 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 85 8.1. A New Chunk Type . . . . . . . . . . . . . . . . . . . . 16 86 8.2. Three New Parameter Types . . . . . . . . . . . . . . . . 17 87 8.3. A New Error Cause . . . . . . . . . . . . . . . . . . . . 17 88 8.4. A New Table for HMAC Identifiers . . . . . . . . . . . . 17 89 9. Security Considerations . . . . . . . . . . . . . . . . . . . 18 90 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 91 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 92 11.1. Normative References . . . . . . . . . . . . . . . . . . 19 93 11.2. Informative References . . . . . . . . . . . . . . . . . 20 94 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 20 96 1. Introduction 98 SCTP uses 32-bit verification tags to protect itself against blind 99 attackers. These values are not changed during the lifetime of an 100 SCTP association. 102 Looking at new SCTP extensions, there is the need to have a method of 103 proving that an SCTP chunk(s) was really sent by the original peer 104 that started the association and not by a malicious attacker. 106 Using Transport Layer Security (TLS), as defined in RFC 3436 107 [RFC3436], does not help because it only secures SCTP user data. 109 Therefore, an SCTP extension that provides a mechanism for deriving 110 shared keys for each association is presented. These association 111 shared keys are derived from endpoint pair shared keys, which are 112 configured and might be empty, and data that is exchanged during the 113 SCTP association setup. 115 The extension presented in this document allows an SCTP sender to 116 authenticate chunks using shared keys between the sender and 117 receiver. The receiver can then verify that the chunks are sent from 118 the sender and not from a malicious attacker (as long as the attacker 119 does not know an association shared key). 121 The extension described in this document places the result of a 122 Hashed Message Authentication Code (HMAC) computation before the data 123 covered by that computation. Placing it at the end of the packet 124 would have required placing a control chunk after DATA chunks in case 125 of authenticating DATA chunks. This would break the rule that 126 control chunks occur before DATA chunks in SCTP packets. It should 127 also be noted that putting the result of the HMAC computation after 128 the data being covered would not allow sending the packet during the 129 computation of the HMAC because the result of the HMAC computation is 130 needed to compute the CRC32C checksum of the SCTP packet, which is 131 placed in the common header of the SCTP packet. 133 The SCTP extension for Dynamic Address Reconfiguration (ADD-IP) 134 requires the usage of the extension described in this document. The 135 SCTP Partial Reliability Extension (PR-SCTP) can be used in 136 conjunction with the extension described in this document. 138 2. Conventions 140 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 141 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 142 document are to be interpreted as described in RFC 2119 [RFC2119]. 144 3. New Parameter Types 146 This section defines the new parameter types that will be used to 147 negotiate the authentication during association setup. Table 1 148 illustrates the new parameter types. 150 +----------------+------------------------------------------------+ 151 | Parameter Type | Parameter Name | 152 +----------------+------------------------------------------------+ 153 | 0x8002 | Random Parameter (RANDOM) | 154 | 0x8003 | Chunk List Parameter (CHUNKS) | 155 | 0x8004 | Requested HMAC Algorithm Parameter (HMAC-ALGO) | 156 +----------------+------------------------------------------------+ 158 Note that the parameter format requires the receiver to ignore the 159 parameter and continue processing if the parameter is not understood. 160 This is accomplished (as described in RFC 4960 [RFC4960], 161 Section 3.2.1.) by the use of the upper bits of the parameter type. 163 3.1. Random Parameter (RANDOM) 165 This parameter is used to carry a random number of an arbitrary 166 length. 168 0 1 2 3 169 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 170 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 171 | Parameter Type = 0x8002 | Parameter Length | 172 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 173 | | 174 \ Random Number / 175 / +-------------------------------\ 176 | | Padding | 177 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 179 Figure 1: RANDOM Parameter 181 Parameter Type: 2 bytes (unsigned integer) 182 This value MUST be set to a value of 0x8002. 184 Parameter Length: 2 bytes (unsigned integer) 185 This value is the length of the Random Number in bytes plus 4. 187 Random Number: n bytes (unsigned integer) 188 This value represents an arbitrary Random Number in network byte 189 order. 191 Padding: 0, 1, 2, or 3 bytes (unsigned integer) 192 If the length of the Random Number is not a multiple of 4 bytes, the 193 sender MUST pad the parameter with all zero bytes to make the 194 parameter 32-bit aligned. The Padding MUST NOT be longer than 3 195 bytes and it MUST be ignored by the receiver. 197 The RANDOM parameter MUST be included once in the INIT or INIT-ACK 198 chunk, if the sender wants to send or receive authenticated chunks, 199 to provide a 32-byte Random Number. For 32-byte Random Numbers, the 200 Padding is empty. 202 3.2. Chunk List Parameter (CHUNKS) 204 This parameter is used to specify which chunk types are required to 205 be authenticated before being sent by the peer. 207 0 1 2 3 208 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 209 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 210 | Parameter Type = 0x8003 | Parameter Length | 211 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 212 | Chunk Type 1 | Chunk Type 2 | Chunk Type 3 | Chunk Type 4 | 213 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 214 / / 215 \ ... \ 216 / / 217 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 218 | Chunk Type n | Padding | 219 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 221 Figure 2: Chunks Parameter 223 Parameter Type: 2 bytes (unsigned integer) 224 This value MUST be set to 0x8003. 226 Parameter Length: 2 bytes (unsigned integer) 227 This value is the number of listed Chunk Types plus 4. 229 Chunk Type n: 1 byte (unsigned integer) 230 Each Chunk Type listed is required to be authenticated when sent by 231 the peer. 233 Padding: 0, 1, 2, or 3 bytes (unsigned integer) 234 If the number of Chunk Types is not a multiple of 4, the sender MUST 235 pad the parameter with all zero bytes to make the parameter 32-bit 236 aligned. The Padding MUST NOT be longer than 3 bytes and it MUST be 237 ignored by the receiver. 239 The CHUNKS parameter MUST be included once in the INIT or INIT-ACK 240 chunk if the sender wants to receive authenticated chunks. Its 241 maximum length is 260 bytes. 243 The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE, and AUTH 244 chunks MUST NOT be listed in the CHUNKS parameter. However, if a 245 CHUNKS parameter is received then the types for INIT, INIT-ACK, 246 SHUTDOWN-COMPLETE, and AUTH chunks MUST be ignored. 248 If the receiver of the CHUNKS parameters finds that a particular 249 chunk time is unknown or unrecognized, then the reciver SHOULD ignore 250 this chunk type and continue parsing and add only the valid and 251 recognized chunks to it's AUTH chunk list which it needs to send in 252 the authenticated way. 254 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) 256 This parameter is used to list the HMAC Identifiers the peer MUST 257 use. 259 0 1 2 3 260 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 262 | Parameter Type = 0x8004 | Parameter Length | 263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 264 | HMAC Identifier 1 | HMAC Identifier 2 | 265 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 266 / / 267 \ ... \ 268 / / 269 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 270 | HMAC Identifier n | Padding | 271 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 273 Figure 3: HMAC-ALGO 275 Parameter Type: 2 bytes (unsigned integer) 276 This value MUST be set to 0x8004. 278 Parameter Length: 2 bytes (unsigned integer) 279 This value is the number of HMAC Identifiers multiplied by 2, plus 4. 281 HMAC Identifier n: 2 bytes (unsigned integer) 282 The values expressed are a list of HMAC Identifiers that may be used 283 by the peer. The values are listed by preference, with respect to 284 the sender, where the first HMAC Identifier listed is the one most 285 preferable to the sender. 287 Padding: 0 or 2 bytes (unsigned integer) 288 If the number of HMAC Identifiers is not even, the sender MUST pad 289 the parameter with all zero bytes to make the parameter 32-bit 290 aligned. The Padding MUST be 0 or 2 bytes long and it MUST be 291 ignored by the receiver. 293 The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK 294 chunk if the sender wants to send or receive authenticated chunks. 296 Table 2 shows the currently defined values for HMAC Identifiers. 298 +-----------------+--------------------------------+ 299 | HMAC Identifier | Message Digest Algorithm | 300 +-----------------+--------------------------------+ 301 | 0 | Reserved | 302 | 1 | SHA-1 defined in [FIPS180-2] | 303 | 2 | Reserved | 304 | 3 | SHA-256 defined in [FIPS180-2] | 305 +-----------------+--------------------------------+ 307 Every endpoint supporting SCTP chunk authentication MUST support the 308 HMAC based on the SHA-1 algorithm. 310 3.4. Supported Extensions Parameter 312 The supported Extensions parameter as defined in RFC 5061 [RFC5061] 313 section 4.2.7 MUST be exchanged by including AUTH chunk as defined in 314 Section 5.1 below to support this SCTP protocol extension. This is 315 done keeping in mind to make this extension consistent with all the 316 SCTP extensions which mandates sending this extension parameter in 317 INIT/INIT-ACK chunk whenever a new chunk type is added. 319 4. New Error Cause 321 This section defines a new error cause that will be sent if an AUTH 322 chunk is received with an unsupported HMAC Identifier. Table 3 323 illustrates the new error cause. 325 +------------+-----------------------------+ 326 | Cause Code | Error Cause Name | 327 +------------+-----------------------------+ 328 | 0x0105 | Unsupported HMAC Identifier | 329 +------------+-----------------------------+ 331 4.1. Unsupported HMAC Identifier Error Cause 333 This error cause is used to indicate that an AUTH chunk has been 334 received with an unsupported HMAC Identifier. 336 0 1 2 3 337 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 338 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 339 | Cause Code = 0x0105 | Cause Length | 340 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 341 | HMAC Identifier 1 | HMAC Identifier 2 | 342 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 343 / / 344 \ ... \ 345 / / 346 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 347 | HMAC Identifier n | Padding | 348 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 350 Figure 4: UnSupported HMAC Identifier Error Cause 352 Cause Code: 2 bytes (unsigned integer) 353 This value MUST be set to 0x0105. 355 Cause Length: 2 bytes (unsigned integer) 356 This value is the number of unsupported HMAC Identifiers multiplied 357 by 2, plus 4. 359 HMAC Identifier: 2 bytes (unsigned integer) 360 This value is the HMAC Identifier which is not supported. 362 Padding: 0 to 2 bytes (unsigned integer) 363 If the number of unsupported HMAC Identifiers is not even, the sender 364 MUST pad the parameter with all zero bytes to make the parameter 365 32-bit aligned. The Padding MUST be 0 or 2 bytes long and it MUST be 366 ignored by the receiver. 368 5. New Chunk Type 370 This section defines the new chunk type that will be used to 371 authenticate chunks. Table 4 illustrates the new chunk type. 373 +------------+-----------------------------+ 374 | Chunk Type | Chunk Name | 375 +------------+-----------------------------+ 376 | 0x0F | Authentication Chunk (AUTH) | 377 +------------+-----------------------------+ 379 It should be noted that the AUTH-chunk format requires the receiver 380 to ignore the chunk if it is not understood and silently discard all 381 chunks that follow. This is accomplished (as described in RFC 4960 382 [RFC4960], Section 3.2.) by the use of the upper bits of the chunk 383 type. 385 5.1. Authentication Chunk (AUTH) 387 This chunk is used to hold the result of the HMAC calculation. 389 0 1 2 3 390 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 391 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 392 | Type = 0x0F | Flags=0 | Length | 393 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 394 | Shared Key Identifier | HMAC Identifier | 395 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 396 | | 397 \ HMAC / 398 / \ 399 / +-------------------------------\ 400 | | Padding | 401 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 403 Figure 5: AUTH Chunk 405 Type: 1 byte (unsigned integer) 406 This value MUST be set to 0x0F for all AUTH-chunks. 408 Flags: 1 byte (unsigned integer) 409 SHOULD be set to zero on transmit and MUST be ignored on receipt. 411 Length: 2 bytes (unsigned integer) 412 This value holds the length of the HMAC in bytes plus 8. 414 Shared Key Identifier: 2 bytes (unsigned integer) 415 This value describes which endpoint pair shared key is used. 417 HMAC Identifier: 2 bytes (unsigned integer) 418 This value describes which message digest is being used. Table 2 419 shows the currently defined values. 421 HMAC: n bytes (unsigned integer) 422 This holds the result of the HMAC calculation. 424 Padding: 0, 1, 2, or 3 bytes (unsigned integer) 425 If the length of the HMAC is not a multiple of 4 bytes, the sender 426 MUST pad the chunk with all zero bytes to make the chunk 32-bit 427 aligned. The Padding MUST NOT be longer than 3 bytes and it MUST be 428 ignored by the receiver. 430 The control chunk AUTH MUST NOT appear more than once in an SCTP 431 packet. All control and data chunks that are placed after the AUTH 432 chunk in the packet are sent in an authenticated way. Those chunks 433 placed in a packet before the AUTH chunk are not authenticated. 434 Please note that DATA chunks can not appear before control chunks in 435 an SCTP packet. 437 6. Procedures 439 6.1. Establishment of an Association Shared Key 441 An SCTP endpoint willing to receive or send authenticated chunks MUST 442 send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM 443 parameter MUST contain a 32-byte Random Number. Though the section 444 3.1 explains the random to be of arbitrary length keeping 445 extensibility in mind. But in the context of this document, it needs 446 to be 32-byte in size. The Random Number should be generated in 447 accordance with RFC 4086 [RFC4086]. If the Random Number is not 32 448 bytes, the association MUST be aborted. The ABORT chunk SHOULD 449 contain the error cause 'Protocol Violation'. In case of INIT 450 collision, the rules governing the handling of this Random Number 451 follow the same pattern as those for the Verification Tag, as 452 explained in Section 5.2.4 of RFC 4960 [RFC4960]. Therefore, each 453 endpoint knows its own Random Number and the peer's Random Number 454 after the association has been established. 456 An SCTP endpoint has a list of chunks it only accepts if they are 457 received in an authenticated way. This list is included in the INIT 458 and INIT-ACK, and MAY be omitted if it is empty. Since this list 459 does not change during the lifetime of the SCTP endpoint there is no 460 problem in case of INIT collision. 462 Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO 463 parameter containing a list of HMAC Identifiers it requests the peer 464 to use. The receiver of an HMAC-ALGO parameter SHOULD use the first 465 listed algorithm it supports. The HMAC algorithm based on SHA-1 MUST 466 be supported and included in the HMAC-ALGO parameter. An SCTP 467 endpoint MUST NOT change the parameters listed in the HMAC-ALGO 468 parameter during the lifetime of the endpoint. 470 Additionally, local endpoint MUST also include supported extension 471 parameter as defined in RFC 5061 [RFC5061] section 4.2.7 containing 472 Auth chunk type as defined in Section 5.1 in INIT/INIT-ACK chunk to 473 notify the peer endpoint about the negotiation attempt to enable AUTH 474 extension which will be used to encode certain chunks based on 475 negotiation during the lifetime of this association. This parameter 476 is added to make this procedure consistent with all other SCTP 477 extensions with new chunk types which expects this parameter needs to 478 be sent in INIT/INIT-ACK messages. Some implementations supporting 479 this extension already mandates peer to include this parameter if 480 this procedure needs to be enabled. 482 Both endpoints of an association MAY have endpoint pair shared keys 483 that are byte vectors and pre-configured or established by another 484 mechanism. They are identified by the Shared Key Identifier. For 485 each endpoint pair shared key, an association shared key is computed. 486 If there is no endpoint pair shared key, only one association shared 487 key is computed by using an empty byte vector as the endpoint pair 488 shared key. 490 The RANDOM parameter, the CHUNKS parameter, and the HMAC-ALGO 491 parameter sent by each endpoint are concatenated as byte vectors. 492 The CHUNKS parameter received from peer endpoint without stripping 493 off any unrecognized chunks are used for concatenation, since doing 494 so will result in mimstach of CHUNKS parameter used betweeen the 495 local and remote endpoint. These parameters include the parameter 496 type, parameter length, and the parameter value, but padding is 497 omitted; all padding MUST be removed from this concatenation before 498 proceeding with further computation of keys. The concatenation MUST 499 follow the order of the parameters, RANDOM parameter, followed by the 500 CHUNKS parameter, followed by the HMAC-ALGO parameter. Parameters 501 that were not sent are simply omitted from the concatenation process. 502 The resulting two vectors are called the two key vectors. 504 From the endpoint pair shared keys and the key vectors, the 505 association shared keys are computed. This is performed by selecting 506 the numerically smaller key vector and concatenating it to the 507 endpoint pair shared key, and then concatenating the numerically 508 larger key vector to that. If the key vectors are equal as numbers 509 but differ in length, then the concatenation order is the endpoint 510 shared key, followed by the shorter key vector, followed by the 511 longer key vector. Otherwise, the key vectors are identical, and may 512 be concatenated to the endpoint pair key in any order. The 513 concatenation is performed on byte vectors, and all numerical 514 comparisons use network byte order to convert the key vectors to a 515 number. The result of the concatenation is the association shared 516 key. 518 6.2. Negotiation of Auth Procedure 520 Negotiation between SCTP peer endpoints would be required, when 521 either end of the SCTP endpoint doesn't support AUTH extension. If 522 the either end of the SCTP association doesn't support AUTH 523 extension, then the SCTP association MUST switch to normal mode 524 without AUTH support. Both the end of the association endpoint would 525 discover if the peer endpoint doesn't support the same by the time 526 INIT/INI-ACK message is exchanged between them. 528 6.2.1. Receiving INIT containing AUTH parameters when AUTH extension is 529 not supported 531 The endpoint receiving such an INIT would skip the AUTH related 532 parameter based on the upper 2 bits as explained in RFC 4960 533 [RFC4960] section 3.2.1. 535 6.2.2. Receiving INIT-ACK without AUTH parameters when AUTH extension 536 was sent in INIT chunk 538 On receiving such an INIT-ACK, then local endpoint SHOULD disable the 539 AUTH feature and continue normal assocation establishment considering 540 that the AUTH negotiation has failed. If AUTH is mandatory as per 541 local policies or the interface from the application layer mandates 542 it, then local endpoint MUST ABORT the assocation establishment 543 procedure by sending ABORT message in response to this INIT-ACK with 544 ABORT cause as User Initiated Abort and release all resources that 545 has been allocated for this association. 547 6.2.3. Receiving INIT without AUTH parameters when AUTH is supported 548 locally 550 On receiving such an INIT, endpoint can switch the association to 551 normal assocation establishment without AUTH enabled realizing that 552 peer endpoint is not AUTH enabled. If AUTH is mandatory as per local 553 policies or the interface from the application layer mandates it, 554 then remote endpoint MUST send ABORT message in response to this INIT 555 chunk with ABORT cause as User Initiated Abort. 557 6.3. Association Initialization Collision 559 No special handling is required in case of collision and the 560 procedures as explained in Section 6.2 above applies in this case as 561 well. 563 6.4. Sending Authenticated Chunks 565 Endpoints MUST send all requested chunks that have been authenticated 566 where this has been requested by the peer. The other chunks MAY be 567 sent whether or not they have been authenticated. If endpoint pair 568 shared keys are used, one of them MUST be selected for 569 authentication. 571 To send chunks in an authenticated way, the sender MUST include these 572 chunks after an AUTH chunk. This means that a sender MUST bundle 573 chunks in order to authenticate them. 575 If the endpoint has no endpoint pair shared key for the peer, it MUST 576 use Shared Key Identifier zero with an empty endpoint pair shared 577 key. If there are multiple endpoint shared keys the sender selects 578 one and uses the corresponding Shared Key Identifier. 580 The sender MUST calculate the Message Authentication Code (MAC) (as 581 described in RFC 6151 [RFC6151]) using the hash function H as 582 described by the HMAC Identifier and the shared association key K 583 based on the endpoint pair shared key described by the Shared Key 584 Identifier. The 'data' used for the computation of the AUTH-chunk is 585 given by the AUTH chunk with its HMAC field set to zero (as shown in 586 Figure 6) followed by all the chunks that are placed after the AUTH 587 chunk in the SCTP packet. 589 0 1 2 3 590 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 591 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 592 | Type = 0x0F | Flags=0 | Chunk Length | 593 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 594 | Shared Key Identifier | HMAC Identifier | 595 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 596 | | 597 \ 0 / 598 / +-------------------------------\ 599 | | Padding | 600 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 602 Figure 6: Sending Auth Chunk 604 Please note that all fields are in network byte order and that the 605 field that will contain the complete HMAC is filled with zeroes. The 606 length of the field shown as zero is the length of the HMAC described 607 by the HMAC Identifier. The padding of all chunks being 608 authenticated MUST be included in the HMAC computation. 610 The sender fills the HMAC into the HMAC field and sends the packet. 612 6.5. Receiving Authenticated Chunks 614 The receiver has a list of chunk types that it expects to be received 615 only after an AUTH-chunk. This list has been sent to the peer during 616 the association setup. It MUST silently discard these chunks if they 617 are not placed after an AUTH chunk in the packet. 619 The receiver MUST use the HMAC algorithm indicated in the HMAC 620 Identifier field. If this algorithm was not specified by the 621 receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 622 during association setup, the AUTH chunk and all the chunks after it 623 MUST be discarded and an ERROR chunk SHOULD be sent with the error 624 cause defined in Section 4.1. 626 If an endpoint with no shared key receives a Shared Key Identifier 627 other than 0, it MUST silently discard all authenticated chunks. If 628 the endpoint has at least one endpoint pair shared key for the peer, 629 it MUST use the key specified by the Shared Key Identifier if a key 630 has been configured for that Shared Key Identifier. If no endpoint 631 pair shared key has been configured for that Shared Key Identifier, 632 all authenticated chunks MUST be silently discarded. 634 he receiver now performs the same calculation as described for the 635 sender based on Figure 6. If the result of the calculation is the 636 same as given in the HMAC field, all the chunks following the AUTH 637 chunk are processed. If the field does not match the result of the 638 calculation, all the chunks following the AUTH chunk MUST be silently 639 discarded. 641 It should be noted that if the receiver wants to tear down an 642 association in an authenticated way only, the handling of malformed 643 packets should not result in tearing down the association. 645 An SCTP implementation has to maintain state for each SCTP 646 association. In the following, we call this data structure the SCTP 647 transmission control block (STCB). 649 When an endpoint requires COOKIE-ECHO chunks to be authenticated, 650 some special procedures have to be followed because the reception of 651 a COOKIE-ECHO chunk might result in the creation of an SCTP 652 association. If a packet arrives containing an AUTH chunk as a first 653 chunk, a COOKIE-ECHO chunk as the second chunk, and possibly more 654 chunks after them, and the receiver does not have an STCB for that 655 packet, then authentication is based on the contents of the COOKIE- 656 ECHO chunk. In this situation, the receiver MUST authenticate the 657 chunks in the packet by using the RANDOM parameters, CHUNKS 658 parameters and HMAC_ALGO parameters obtained from the COOKIE-ECHO 659 chunk, and possibly a local shared secret as inputs to the 660 authentication procedure specified in Section 6.3. If authentication 661 fails, then the packet is discarded. If the authentication is 662 successful, the COOKIE-ECHO and all the chunks after the COOKIE-ECHO 663 MUST be processed. If the receiver has an STCB, it MUST process the 664 AUTH chunk as described above using the STCB from the existing 665 association to authenticate the COOKIE-ECHO chunk and all the chunks 666 after it. 668 If the receiver does not find an STCB for a packet containing an AUTH 669 chunk as the first chunk and does not find a COOKIE-ECHO chunk as the 670 second chunk, it MUST use the chunks after the AUTH chunk to look up 671 an existing association. If no association is found, the packet MUST 672 be considered as out of the blue. The out of the blue handling MUST 673 be based on the packet without taking the AUTH chunk into account. 674 If an association is found, it MUST process the AUTH chunk using the 675 STCB from the existing association as described earlier. 677 Requiring ABORT chunks and COOKIE-ECHO chunks to be authenticated 678 makes it impossible for an attacker to bring down or restart an 679 association as long as the attacker does not know the association 680 shared key. But it should also be noted that if an endpoint accepts 681 ABORT chunks only in an authenticated way, it may take longer to 682 detect that the peer is no longer available. If an endpoint accepts 683 COOKIE-ECHO chunks only in an authenticated way, the restart 684 procedure does not work, because the restarting endpoint most likely 685 does not know the association shared key of the old association to be 686 restarted. However, if the restarting endpoint does know the old 687 association shared key, he can successfully send the COOKIE-ECHO 688 chunk in a way that it is accepted by the peer by using this old 689 association shared key for the packet containing the AUTH chunk. 690 After this operation, both endpoints have to use the new association 691 shared key. 693 If a server has an endpoint pair shared key with some clients, it can 694 request the COOKIE_ECHO chunk to be authenticated and can ensure that 695 only associations from clients with a correct endpoint pair shared 696 key are accepted. 698 Furthermore, it is important that the cookie contained in an INIT-ACK 699 chunk and in a COOKIE-ECHO chunk MUST NOT contain any endpoint pair 700 shared keys. 702 7. Examples 704 This section gives examples of message exchanges for association 705 setup. 707 The simplest way of using the extension described in this document is 708 given by the following message exchange. 710 ---------- INIT[RANDOM; CHUNKS[*]; HMAC-ALGO] ----------> 711 <------- INIT-ACK[RANDOM; CHUNKS[*]; HMAC-ALGO] --------- 712 ---------------------- COOKIE-ECHO ---------------------> 713 <--------------------- COOKIE-ACK ----------------------- 715 Figure 7: auth_negotiation_flow 717 Please note that the CHUNKS parameter is optional in the INIT and 718 INIT-ACK. 720 If the server wants to receive DATA chunks in an authenticated way, 721 the following message exchange is possible: 723 ---------- INIT[RANDOM; CHUNKS[*]; HMAC-ALGO] ----------> 724 <------- INIT-ACK[RANDOM; CHUNKS[ DATA ]; HMAC-ALGO] ------ 725 ------------------ COOKIE-ECHO; AUTH; DATA -------------> 726 <----------------- COOKIE-ACK; SACK --------------------- 728 Figure 8: data_chunk_auth_negotiation 730 Please note that if the endpoint pair shared key depends on the 731 client and the server, and is only known by the upper layer, this 732 message exchange requires an upper layer intervention between the 733 processing of the COOKIE-ECHO chunk and the processing of the AUTH 734 and DATA chunk at the server side. This intervention may be realized 735 by a COMMUNICATION-UP notification followed by the presentation of 736 the endpoint pair shared key by the upper layer to the SCTP stack, 737 see for example Section 10 of RFC 4960 [RFC4960]. If this 738 intervention is not possible due to limitations of the API (for 739 example, the socket API), the server might discard the AUTH and DATA 740 chunk, making a retransmission of the DATA chunk necessary. If the 741 same endpoint pair shared key is used for multiple endpoints and does 742 not depend on the client, this intervention might not be necessary. 744 8. IANA Considerations 746 This document (RFC 4895 [RFC4895]) is the reference for all 747 registrations described in this section. All registrations need to 748 be listed in the document available at [sctp-parameters]. The 749 changes are described below. 751 8.1. A New Chunk Type 753 A chunk type for the AUTH chunk has been assigned by IANA. IANA has 754 assigned the value (15), as given in Table 4. An additional line has 755 been added in the "CHUNK TYPES" table of [sctp-parameters]: 757 CHUNK TYPES 759 ID Value Chunk Type Reference 760 ----- ---------- --------- 761 15 Authentication Chunk (AUTH) [RFC4895] 763 Figure 9: New Chunk Type 765 8.2. Three New Parameter Types 767 Parameter types have been assigned for the RANDOM, CHUNKS, and HMAC- 768 ALGO parameter by IANA. The values are as given in Table 1. This 769 required two modifications to the "CHUNK PARAMETER TYPES" tables in 770 [sctp-parameters]: the first is the addition of three new lines to 771 the "INIT Chunk Parameter Types" table: 773 Chunk Parameter Type Value 774 -------------------- ----- 775 Random 32770 (0x8002) 776 Chunk List 32771 (0x8003) 777 Requested HMAC Algorithm Parameter 32772 (0x8004) 779 Figure 10: Chunk Parameter Type 781 The second required change is the addition of the same three lines to 782 the to the "INIT ACK Chunk Parameter Types" table. 784 8.3. A New Error Cause 786 An error cause for the Unsupported HMAC Identifier error cause has 787 been assigned. The value (261) has been assigned as in Table 3. 788 This requires an additional line of the "CAUSE CODES" table in 789 [sctp-parameters]: 791 VALUE CAUSE CODE REFERENCE 792 ----- ---------------- --------- 793 261 (0x0105) Unsupported HMAC Identifier [RFC4895] 795 Figure 11: New Cause Code 797 8.4. A New Table for HMAC Identifiers 799 HMAC Identifiers have to be maintained by IANA. Four initial values 800 have been assigned by IANA as described in Table 2. This required a 801 new table "HMAC IDENTIFIERS" in [sctp-parameters]: 803 HMAC Identifier Message Digest Algorithm REFERENCE 804 --------------- ------------------------ --------- 805 0 Reserved [RFC4895] 806 1 SHA-1 [RFC4895] 807 2 Reserved [RFC4895] 808 3 SHA-256 [RFC4895] 810 Figure 12: HMAC ID List 812 For registering a new HMAC Identifier with IANA, in this table, a 813 request has to be made to assign such a number. This number must be 814 unique and a message digest algorithm usable with the HMAC defined in 815 RFC 6151 [RFC6151] MUST be specified. The "Specification Required" 816 policy of RFC 8126 [RFC8126] MUST be applied. 818 9. Security Considerations 820 Without using endpoint shared keys, this extension only protects 821 against modification or injection of authenticated chunks by 822 attackers who did not capture the initial handshake setting up the 823 SCTP association. 825 If an endpoint pair shared key is used, even a true man in the middle 826 cannot inject chunks, which are required to be authenticated, even if 827 he intercepts the initial message exchange. The endpoint also knows 828 that it is accepting authenticated chunks from a peer who knows the 829 endpoint pair shared key. 831 The establishment of endpoint pair shared keys is out of the scope of 832 this document. Other mechanisms can be used, like using TLS or 833 manual configuration. 835 When an endpoint accepts COOKIE-ECHO chunks only in an authenticated 836 way the restart procedure does not work. Neither an attacker nor a 837 restarted endpoint not knowing the association shared key can perform 838 an restart. However, if the association shared key is known, it is 839 possible to restart the association. 841 Because SCTP already has a built-in mechanism that handles the 842 reception of duplicated chunks, the presented solution makes use of 843 this functionality and does not provide a method to avoid replay 844 attacks by itself. Of course, this only works within each SCTP 845 association. Therefore, a separate shared key is used for each SCTP 846 association to handle replay attacks covering multiple SCTP 847 associations. 849 Each endpoint presenting a list of more than one element in the HMAC- 850 ALGO parameter must be prepared for the peer using the weakest 851 algorithm listed. 853 When an endpoint pair uses non-NULL endpoint pair shared keys and one 854 of the endpoints still accepts a NULL key, an attacker who captured 855 the initial handshake can still inject or modify authenticated chunks 856 by using the NULL key. 858 10. Acknowledgements 860 I would like to thank shweta K R for her review and invaluable 861 comments. 863 11. References 865 11.1. Normative References 867 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 868 Requirement Levels", BCP 14, RFC 2119, 869 DOI 10.17487/RFC2119, March 1997, 870 . 872 [RFC3436] Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport 873 Layer Security over Stream Control Transmission Protocol", 874 RFC 3436, DOI 10.17487/RFC3436, December 2002, 875 . 877 [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, 878 "Randomness Requirements for Security", BCP 106, RFC 4086, 879 DOI 10.17487/RFC4086, June 2005, 880 . 882 [RFC4895] Tuexen, M., Stewart, R., Lei, P., and E. Rescorla, 883 "Authenticated Chunks for the Stream Control Transmission 884 Protocol (SCTP)", RFC 4895, DOI 10.17487/RFC4895, August 885 2007, . 887 [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", 888 RFC 4960, DOI 10.17487/RFC4960, September 2007, 889 . 891 [RFC5061] Stewart, R., Xie, Q., Tuexen, M., Maruyama, S., and M. 892 Kozuka, "Stream Control Transmission Protocol (SCTP) 893 Dynamic Address Reconfiguration", RFC 5061, 894 DOI 10.17487/RFC5061, September 2007, 895 . 897 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 898 Writing an IANA Considerations Section in RFCs", BCP 26, 899 RFC 8126, DOI 10.17487/RFC8126, June 2017, 900 . 902 [sctp-parameters] 903 "sctp-parameters", 904 . 906 11.2. Informative References 908 [FIPS180-2] 909 National Institute of Standards and Technology, "Secure 910 Hash Standard", FIPS PUB 180-2, August 2002, 911 . 914 [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations 915 for the MD5 Message-Digest and the HMAC-MD5 Algorithms", 916 RFC 6151, DOI 10.17487/RFC6151, March 2011, 917 . 919 Author's Address 921 Nagesh Shamnur (editor) 922 Huawei 923 Kundalahalli Village, Whitefield, 924 Bangalore, Karnataka 560037 925 India 927 Phone: +91-080-49160700 928 Email: nagesh.shamnur@gmail.com