Network Working Group                                          M. Tuexen
Internet-Draft                          Muenster Univ. of Appl. Sciences
Updates: 6951 (if approved)                                   R. Stewart
Intended status: Standards Track                           Netflix, Inc.
Expires: May 2, 2017                                    October 29, 2016

   Additional Considerations for UDP Encapsulation of Stream Control
                  Transmission Protocol (SCTP) Packets
             draft-tuexen-tsvwg-sctp-udp-encaps-cons-01.txt

Abstract

   RFC 6951 specifies the UDP encapsulation of SCTP packets.  The
   described handling of received packets requires the check of the
   verification tag.  However, RFC 6951 misses a specification for the
   handling of received packets for which this check is not possible.

   This document updates RFC 6951 by specifying the handling of received
   packets where the verification tag cannot be checked.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 2, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions
   3.  Handling of Out of the Blue Packets
   4.  Handling of SCTP Packets Containing an INIT Chunk Matching an
       Existing Association
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  Normative References
   Authors' Addresses

1.  Introduction

   [RFC6951] specifies the UDP encapsulation of SCTP packets.  To be
   able to adapt automatically to changes of the remote UDP
   encapsulation port number, it is updated automatically when
   processing received packets.  This includes automatic enabling and
   disabling of UDP encapsulation.

   Section 5.4 of [RFC6951] describes the processing of received packets
   and requires the check of the verification tag before updating the
   remote UDP encapsulation port and the possible enabling or disabling
   of UDP encapsulation.

   [RFC6951] basically misses a description for the handling of received
   packets where this verification tag check is not possible.  This
   includes packets for which no association can be found and packets
   containing an INIT chunk, since the verification tag for these
   packets must be 0.

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Handling of Out of the Blue Packets

   If the processing of an out of the blue packet requires the sending
   of a packet in response according to the rules specified in
   Section 8.4 of [RFC4960], the following rules apply:

   1.  If the received packet was encapsulated in UDP, the response
       packets MUST also be encapsulated in UDP.  The UDP source port
       and UDP destination port used for sending the response packet are
       the UDP destination port and UDP source port of the received
       packet.

   2.  If the received packet was not encapsulated in UDP, the response
       packet MUST NOT be encapsulated in UDP.

   Please note that in these cases a check of the verification tag is
   not possible.

4.  Handling of SCTP Packets Containing an INIT Chunk Matching an
    Existing Association

   SCTP packets containing an INIT chunk have the verification tag 0 in
   the common header.  Therefore the verification tag can't be checked.

   The following rules apply when processing the received packet:

   1.  The remote UDP encapsulation port for the source address of the
       received SCTP packet MUST NOT be updated if the encapsulation of
       outgoing packets is enabled and the received SCTP packet is
       encapsulated.

   2.  The UDP encapsulation for outgoing packets towards the source
       address of the received SCTP packet MUST NOT be enabled, if it is
       disabled and the received SCTP packet is encapsulated.

   3.  The UDP encapsulation for outgoing packets towards the source
       address of the received SCTP packet MUST NOT be disabled, if it
       is enabled and the received SCTP packet is not encapsulated.

   4.  If the UDP encapsulation for outgoing packets towards the source
       address of the received SCTP packet is disabled and the received
       SCTP packet is encapsulated, an SCTP packet containing an ABORT
       chunk MUST be sent.  The ABORT chunk MAY include the error cause
       defined below indicating a "Restart of an Association with New
       Encapsulation Port".  This packet containing the ABORT chunk MUST
       be encapsulated in UDP.  The UDP source port and UDP destination
       port used for sending the packet containing the ABORT chunk are
       the UDP destination port and UDP source port of the received
       packet containing the INIT chunk.

   5.  If the UDP encapsulation for outgoing packets towards the source
       address of the received SCTP packet is disabled and the received
       SCTP packet is not encapsulated, the processing defined in
       [RFC4960] MUST be performed.  If a packet is sent in response, it
       MUST NOT be encapsulated.

   6.  If the UDP encapsulation for outgoing packets towards the source
       address of the received SCTP packet is enabled and the received
       SCTP packet is not encapsulated, an SCTP packet containing an
       ABORT chunk MUST be sent.  The ABORT chunk MAY include the error
       cause defined below indicating a "Restart of an Association with
       New Encapsulation Port".  This packet containing the ABORT chunk
       MUST NOT be encapsulated in UDP.

   7.  If the UDP encapsulation for outgoing packets towards the source
       address of the received SCTP packet is enabled and the received
       SCTP packet is encapsulated, but the UDP source port of the
       received SCTP packet is not equal to the remote UDP encapsulation
       port for the source address of the received SCTP packet, an SCTP
       packet containing an ABORT chunk MUST be sent.  The ABORT chunk
       MAY include the error cause defined below indicating a "Restart
       of an Association with New Encapsulation Port".  This packet
       containing the ABORT chunk MUST be encapsulated in UDP.  The UDP
       source port and UDP destination port used for sending the packet
       containing the ABORT chunk are the UDP destination port and UDP
       source port of the received packet containing the INIT chunk.

   8.  If the UDP encapsulation for outgoing packets towards the source
       address of the received SCTP packet is enabled and the received
       SCTP packet is encapsulated and the UDP source port of the
       received SCTP packet is equal to the remote UDP encapsulation
       port for the source address of the received SCTP packet, the
       processing defined in [RFC4960] MUST be performed.  If a packet
       is sent in response, it MUST be encapsulated.  The UDP source
       port and UDP destination port used for sending the packet
       containing the ABORT chunk are the UDP destination port and UDP
       source port of the received packet containing the INIT chunk.

   The error cause indicating a "Restart of an Association with New
   Encapsulation Port" is defined by the following figure.

      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Cause Code = 14        |       Cause Length = 8        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Current Encapsulation Port   |    New Encapsulation Port     |
     +-------------------------------+-------------------------------+

   Cause Code: 2 bytes (unsigned integer)
      This field MUST hold the IANA defined error cause code for the
      "Restart of an Association with New Encapsulation Port" error
      cause.  The suggested value of this field for IANA is 14.

   Cause Length: 2 bytes (unsigned integer)
      This field holds the length in bytes of the error cause; the value
      MUST be 8.

   Current Encapsulation Port: 2 bytes (unsigned integer)
      This field holds the remote encapsulation port currently being
      used for the destination address the received packet containing
      the INIT chunk was sent from.  If the UDP encapsulation for the
      destination address is currently disabled, 0 is used.

   New Encapsulation Port: 2 bytes (unsigned integer)
      If the received SCTP packet containing the INIT chunk is
      encapsulated in UDP, this field holds the UDP source port number
      of the UDP packet.  If the received SCTP packet is not
      encapsulated in UDP, this field is 0.

   All transported integer numbers are in "network byte order", a.k.a.
   Big Endian.

5.  IANA Considerations

   [NOTE to RFC-Editor:

      "RFCXXXX" is to be replaced by the RFC number you assign this
      document.

   ]

   [NOTE to RFC-Editor:

      The suggested value for the error cause code is tentative and to
      be confirmed by IANA.

   ]

   This document (RFCXXXX) is the reference for the registration
   described in this section.

   A new error cause code has to be assigned by IANA.  This requires an
   additional line in the "Error Cause Codes" registry for SCTP:

   Error Cause Codes

   Value   Cause Code                                              Reference
   -----   ----------                                              ---------
   14      Restart of an Association with New Encapsulation Port   [RFCXXXX]

6.  Security Considerations

   This document does not change the considerations given in [RFC6951].

   However, not following the procedures given in this document might
   allow an attacker to take over SCTP associations.  The attacker needs
   only to share the IP address of an existing SCTP association.

   It should also be noted that if firewalls are applied at the SCTP
   association level, they have to take the UDP encapsulation into
   account.

7.  Acknowledgments

   The authors wish to thank Georgios Papastergiou for an initial
   problem report.

   The authors wish to thank Irene Ruengeler and Felix Weinrank for
   their invaluable comments.

   This work has received funding from the European Union's Horizon 2020
   research and innovation programme under grant agreement No. 644334
   (NEAT).  The views expressed are solely those of the author(s).

8.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol",
              RFC 4960, DOI 10.17487/RFC4960, September 2007.

   [RFC6951]  Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream
              Control Transmission Protocol (SCTP) Packets for End-Host
              to End-Host Communication", RFC 6951,
              DOI 10.17487/RFC6951, May 2013.

Authors' Addresses

   Michael Tuexen
   Muenster University of Applied Sciences
   Stegerwaldstrasse 39
   48565 Steinfurt
   Germany

   Email: tuexen@fh-muenster.de


   Randall R. Stewart
   Netflix, Inc.
   Chapin, SC 29036
   United States

   Email: randall@lakerest.net
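
The decision procedure of Section 4 (rules 1 to 8) together with the error cause layout, as an added C example that is not part of the draft and not taken from any SCTP implementation. The names handle_init and struct reply and the use of port 0 to mean "disabled" or "not encapsulated" are assumptions of this example; cause code 14 is the draft's suggested value, still to be confirmed by IANA.

```c
#include <stddef.h>
#include <stdint.h>

/* Cause code suggested by the draft; tentative until confirmed by IANA. */
#define CAUSE_RESTART_NEW_ENCAPS_PORT 14

enum init_action { PROCESS_PLAIN, PROCESS_UDP, ABORT_PLAIN, ABORT_UDP };

struct reply {                      /* hypothetical type for this example */
    enum init_action action;
    uint16_t udp_sport, udp_dport;  /* 0/0 when the reply is not encapsulated */
    uint8_t cause[8];               /* optional (MAY) error cause for the ABORT */
    size_t cause_len;               /* 0 when no ABORT is sent */
};

/* Store a 16-bit value in network byte order. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/*
 * stored_port: remote encapsulation port kept for the INIT's source
 *              address, 0 = encapsulation disabled (assumed convention).
 * rx_sport, rx_dport: UDP ports of the received packet, rx_sport 0 =
 *              packet was not encapsulated (assumed convention).
 * Arguments are passed by value: an unverified INIT never changes the
 * stored port or the encapsulation state (rules 1 to 3).
 */
struct reply handle_init(uint16_t stored_port, uint16_t rx_sport,
                         uint16_t rx_dport)
{
    struct reply r = {0};

    if (stored_port == 0)                             /* rules 5 and 4 */
        r.action = rx_sport == 0 ? PROCESS_PLAIN : ABORT_UDP;
    else if (rx_sport == 0)                           /* rule 6 */
        r.action = ABORT_PLAIN;
    else                                              /* rules 8 and 7 */
        r.action = rx_sport == stored_port ? PROCESS_UDP : ABORT_UDP;

    if (r.action == PROCESS_UDP || r.action == ABORT_UDP) {
        r.udp_sport = rx_dport;     /* reply from the port the INIT hit */
        r.udp_dport = rx_sport;     /* back to the port it came from */
    }
    if (r.action == ABORT_PLAIN || r.action == ABORT_UDP) {
        put16(r.cause, CAUSE_RESTART_NEW_ENCAPS_PORT);
        put16(r.cause + 2, 8);                        /* Cause Length */
        put16(r.cause + 4, stored_port);              /* Current port */
        put16(r.cause + 6, rx_sport);                 /* New port */
        r.cause_len = 8;
    }
    return r;
}
```

Because the function has no way to write back into association state, an INIT arriving from a different UDP port can only produce an ABORT, which is the property the Security Considerations rely on.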