STREAM CONTROL TRANSMISSION PROTOCOL (SCTP)

Post on 07-Jan-2016


Transcript of STREAM CONTROL TRANSMISSION PROTOCOL (SCTP)

STREAM CONTROL TRANSMISSION PROTOCOL (SCTP)

SCTP service model

• connection oriented

• reliable data transfer - no loss - no duplicates - data integrity

• ordered / unordered delivery

TCP provides only ordered service. If the application desires unordered service, it has the option of using UDP => unreliable.

SCTP separates data reliability from ordered delivery: SCTP can provide unordered service with reliability, and SCTP can provide ordered service with reliability.

• SCTP preserves message boundaries. TCP is byte-oriented; applications must add their own record marking to delineate messages.

• concept of chunks

• security against SYN flooding attack

• multi-homing

• multi-streaming

• message fragmentation and bundling

• congestion control

Comparison between SCTP, TCP and UDP

Feature                         SCTP   TCP   UDP
State required at endpoints     Yes    Yes   No
Reliable Data Transfer          Yes    Yes   No
Multi-homed Host Support        Yes    No    No
Multi-Stream Support            Yes    No    No
Security against SYN attacks    Yes    No    No
Unordered Data Delivery         Yes    No    Yes
Failure detection (Heartbeat)   Yes    No    No

SCTP PDU format

1 common header + chunks (control or data)

Motivation

• Many applications need reliable message delivery – they do so by delineating a TCP stream

• TCP provides both strict-ordering and reliability – many applications may not need both

Motivation (contd)

• HTTP is one such application
  – While transferring multiple embedded files we only want
    • Reliable file transfer for each file
    • Partial ordering for the packets of each file but not total ordering amongst all the packets
  – TCP provides more than this (but overhead?)
  – SCTP may help (how? – later)

HTTP Server Architecture: Multiple File Transfer (Embedded files) - TCP

[diagram: Client, Server, Child process]
Client -> Server: Request file 0
Server: Fork child; Child -> Client: Send file 0
Client -> Child: Request file 1..N
Child -> Client: Send file 1,2,…N

HTTP Server Architecture: Multiple Files Transfer (Embedded Files) - SCTP

[diagram: Client, Server, Child process]
Client -> Server: Request file 0
Server: Fork child; Child -> Client: Send file 0 – stream 0
Client -> Child: Request files 1..N
Child -> Client: Send file 1 – stream 1, …, Send file N – stream N

Reason

[diagram: TCP. Server side: TCP send buffer in kernel; client side: TCP receive buffer in kernel. The pieces 1, 2, 3 of files 1, 2 and 3 are queued in one ordered sequence in both buffers]

Reason

[diagram: SCTP. Server side and client side: SCTP buffers in kernel. The pieces 1, 2, 3 of files 1, 2 and 3 are shown separately, each file on its own stream]

Multi-homing

[diagram]
single-homed SCTP endpoint: Host A, interface A1, IP=128.33.6.12
  endpoint=[128.33.6.12 : 100]

multi-homed SCTP endpoint: Host B, interfaces B1, B2, B3, IP1=160.15.82.20 IP2=161.10.8.221 IP3=10.1.61.11
  endpoint=[160.15.82.20, 161.10.8.221, 10.1.61.11 : 200]

association={ [128.33.6.12 : 100] : [160.15.82.20, 161.10.8.221, 10.1.61.11 : 200] }

SCTP association

[diagram: Host A (A1, IP=128.33.6.12) runs an application over SCTP port 100; Host B (B1, B2, B3; IP1=160.15.82.20 IP2=161.10.8.221 IP3=10.1.61.11) runs an application over SCTP port 200; the association joins the two]

multi-homing

• 4 possible TCP connections: (A1,B1) or (A1,B2) or (A2,B1) or (A2,B2)

• 1 SCTP association: ({A1,A2},{B1,B2})
  • Primary destinations for A & B (e.g., A1 & B1)

[diagram: Host A (A1, A2) and Host B (B1, B2) joined through the network; one path marked X as failed]

• What happens if a primary fails? TCP connection is broken whereas SCTP association can continue to transmit to an alternate destination address

[diagram: DATA sent to the primary destination, with alternates available]

failure detection

• Host A monitors reachability of the primary destination address of Host B

  Host A starts the retransmission timer

  • If timer expires, increment error_count; if error_count > threshold, state = inactive

  • If Host A receives SACK before timer expires, error_count = 0 & state = active

[diagram: Host A (A1, application over SCTP port 100) sends DATA to the primary address of Host B (B1, B2, B3, application over SCTP port 200) and receives SACK]

• error_count is a variable associated with each destination address of a host. It is set to zero initially.

• Host A monitors reachability of alternate destination addresses of Host B

  • HEARTBEAT is sent periodically to each alternate address

  • When a HEARTBEAT is sent, increment error_count; if error_count > threshold, state = inactive

  • If Host A receives a HEARTBEAT-ACK, error_count = 0 & state = active

• When the primary destination address is detected unreachable => SCTP sender chooses 1 of the REACHABLE, alternate destination addresses as primary

[diagram: Host A (A1, application over SCTP port 100) sends HEARTBEAT to the alternate addresses of Host B (B1, B2, B3, application over SCTP port 200) and receives HEARTBEAT-ACK]
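The per-address reachability tracking of the two failure-detection slides, as an added Python simulation that is not part of the slides or of any SCTP implementation. It follows the slides' rules literally (each HEARTBEAT sent counts as an error until a HEARTBEAT-ACK resets it); the threshold value and the address labels are assumptions.

```python
# Added example: error_count per destination address, as on the slides.
# A retransmission timeout or an unanswered HEARTBEAT increments error_count,
# a SACK or HEARTBEAT-ACK resets it, and crossing the threshold marks the
# address inactive; an inactive primary is replaced by a reachable alternate.

class Destination:
    def __init__(self, addr, primary=False):
        self.addr = addr
        self.primary = primary
        self.error_count = 0      # set to zero initially
        self.state = "active"

class Association:
    def __init__(self, addrs, threshold=5):
        self.threshold = threshold     # assumed value, not from the slides
        self.dests = {a: Destination(a, primary=(i == 0)) for i, a in enumerate(addrs)}

    def primary(self):
        return next(d.addr for d in self.dests.values() if d.primary)

    def _error(self, addr):
        d = self.dests[addr]
        d.error_count += 1
        if d.error_count > self.threshold:
            d.state = "inactive"
            if d.primary:
                self._switch_primary()

    def _ok(self, addr):
        d = self.dests[addr]
        d.error_count = 0
        d.state = "active"

    def _switch_primary(self):
        # primary detected unreachable: pick one of the REACHABLE alternates
        old = self.dests[self.primary()]
        for d in self.dests.values():
            if d.state == "active" and not d.primary:
                old.primary, d.primary = False, True
                return
        # no reachable alternate: the old primary is kept

    def rto_expired(self, addr):      # retransmission timer expired (primary)
        self._error(addr)
    def sack_received(self, addr):    # SACK arrived before the timer expired
        self._ok(addr)
    def heartbeat_sent(self, addr):   # slide's rule: each HEARTBEAT sent counts
        self._error(addr)
    def heartbeat_ack(self, addr):
        self._ok(addr)
```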

association setup

SCTP INIT PDU

mandatory -
• type
• chunk flags
• chunk length
• initiation tag
• a_rwnd
• outbound streams
• maximum inbound streams
• initial TSN

optional -
• addresses (IPv4, IPv6, hostname)
• supported address types
• ECN capable
• cookie preservative

[diagram: Host A (closed -> cookie wait) sends INIT (V=0) (I=TagA) to Host B (closed). V: verification tag, I: initiation tag]

How many way handshake ?

association setup

mandatory – all fields present in mandatory INIT +
• state cookie

optional -
• addresses (IPv4, IPv6, hostname)
• ECN capable
• error reporting for unrecognized parameters

[diagram: Host A (closed -> cookie wait) sends INIT (V=0) (I=TagA); Host B (closed) replies INIT-ACK (V=TagA) (I=TagB). V: verification tag, I: initiation tag]

association setup

COOKIE-ECHO chunk:
• type
• chunk flags
• chunk length
• state cookie

DATA chunk can be sent along with COOKIE-ECHO

[diagram: Host A (closed -> cookie wait -> cookie echoed) sends INIT (V=0) (I=TagA); Host B (closed) replies INIT-ACK (V=TagA) (I=TagB); Host A sends COOKIE-ECHO (V=TagB). V: verification tag, I: initiation tag]

TCP SYN flooding attack

why COOKIE ???

[diagram: several attackers send SYN after SYN to the victim; the victim's buffer holding half-open (pending) connections is flooded]

• There is no ACK in response to the SYN-ACK, hence connection remains half-open
• Other genuine clients cannot open connections to the victim
• The victim is unable to provide service

how does COOKIE help ?

[flow chart 1: Host B receives INIT -> prepare COOKIE -> send INIT_ACK with COOKIE]

• Receiver of INIT does not make the Transmission Control Block (TCB) [i.e. no pending connection information kept]
• Remains in CLOSED state
• In case of attack, COOKIE-ECHO won’t arrive but receiver is unaffected

[flow chart 2: Host B receives COOKIE-ECHO -> extract & validate COOKIE -> invalid: discard SCTP PDU; valid: COOKIE expired? -> yes: send ERROR chunk, discard SCTP PDU; no: unpack COOKIE and build association TCB]

Sender can request longer cookie life next time through the Cookie-preservative parameter in the INIT chunk
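The two flow charts above, as an added Python simulation of Host B that is not part of the slides or of any SCTP implementation: no TCB is built on INIT, the state needed later travels inside a MACed cookie, and only a COOKIE-ECHO with a valid, unexpired cookie creates the TCB. The cookie layout, the HMAC key, the cookie life and the `tag_b` parameter (Host B's own initiation tag, passed in for determinism) are assumptions; the real cookie format is implementation specific.

```python
# Added example: stateless INIT handling with a MACed state cookie.
import hmac, hashlib, struct, time

COOKIE_LIFE = 60.0            # seconds a cookie stays valid (assumed)
COOKIE_FMT = "!IIdd"          # peer tag, own tag, creation time, lifespan (assumed layout)

class HostB:
    def __init__(self, secret, now=time.time):
        self.secret = secret  # key for the cookie MAC, known only to Host B
        self.now = now        # clock, injectable for testing
        self.tcbs = {}        # TCBs exist only for associations that completed

    def on_init(self, tag_a, tag_b):
        # everything needed to build the TCB later goes into the cookie ...
        body = struct.pack(COOKIE_FMT, tag_a, tag_b, self.now(), COOKIE_LIFE)
        mac = hmac.new(self.secret, body, hashlib.sha256).digest()
        # ... and INIT-ACK carries it back; no TCB is created, state stays CLOSED
        return {"chunk": "INIT-ACK", "V": tag_a, "I": tag_b, "cookie": body + mac}

    def on_cookie_echo(self, cookie):
        body, mac = cookie[:-32], cookie[-32:]
        # invalid cookie (wrong size or bad MAC): discard the SCTP PDU
        if len(body) != struct.calcsize(COOKIE_FMT) or not hmac.compare_digest(
                mac, hmac.new(self.secret, body, hashlib.sha256).digest()):
            return {"action": "discard"}
        tag_a, tag_b, created, life = struct.unpack(COOKIE_FMT, body)
        if self.now() > created + life:
            # expired cookie: send ERROR chunk and discard the PDU
            return {"chunk": "ERROR", "action": "discard"}
        # valid and fresh: unpack the cookie and build the association TCB now
        self.tcbs[tag_b] = {"peer_tag": tag_a, "state": "established"}
        return {"chunk": "COOKIE-ACK", "V": tag_a}
```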

association setup

COOKIE-ACK chunk:
• type
• chunk flags
• chunk length

DATA chunk can be sent along with COOKIE-ACK

[diagram: Host A (closed -> cookie wait -> cookie echoed -> established) sends INIT (V=0) (I=TagA); Host B (closed) replies INIT-ACK (V=TagA) (I=TagB); Host A sends COOKIE-ECHO (V=TagB); Host B (-> established) replies COOKIE-ACK (V=TagA). V: verification tag, I: initiation tag]

4 – way handshake !

association shutdown

[diagram: Host A and Host B both start in established]
Host A: upper layer invokes SHUTDOWN -> shutdown_pending; outstanding DATA is still sent, Host B returns SACK
Host A -> Host B: SHUTDOWN; Host A -> shutdown_sent, Host B -> shutdown_received (stop accepting data)
Host B -> Host A: DATA; Host A -> Host B: SHUTDOWN + SACK
Host B -> Host A: SHUTDOWN_ACK; Host B -> shutdown_ack_sent
Host A -> Host B: SHUTDOWN_COMPLETE; Host A deletes TCB -> closed
Host B deletes TCB -> closed

when should a SACK be sent ?

[diagram: Host A -> Host B: DATA (TSN 1); Host B -> Host A: SACK 1 + DATA; Host A -> Host B: DATA (TSN 2); Host B -> Host A: SACK 2 after 200 ms; Host A -> Host B: DATA (TSN 2) again; Host B -> Host A: SACK 2]

• When an endpoint sends DATA to its peer, it always bundles a SACK chunk to ack any new DATA chunks

• If there is no DATA to be sent to the peer, then the SACK is DELAYED. Delay – 200 to 500 ms

• Duplicate data chunks => immediately send SACK without any delay

when should a SACK be sent ?

[diagram: Host A -> Host B: DATA (TSN 3), DATA (TSN 4); Host B -> Host A: SACK 4; DATA (TSN 5) lost (X); Host A -> Host B: DATA (TSN 6); Host B -> Host A: SACK 4 with Gap Ack block, without waiting the 200 ms]

• Must send a SACK for every other SCTP PDU received without any delay

• One or more TSNs missing => immediately send SACK with Gap Ack blocks without any delay
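The SACK rules on the two slides above, as an added Python receiver that is not part of the slides or of any SCTP implementation: for each incoming PDU it decides between sending a SACK now and starting the delayed-SACK timer, and it builds the SACK contents named in the summary (cumulative TSN, gap ack blocks, duplicate TSNs). The 200 ms delay value and the simplification of one DATA chunk per PDU are assumptions.

```python
# Added example: receiver-side SACK decision and SACK construction.
SACK_DELAY_MS = 200           # lower end of the slides' 200 to 500 ms range (assumed)

class Receiver:
    def __init__(self):
        self.cum_tsn = 0          # highest TSN received in order (cumulative ack)
        self.received = set()     # TSNs above cum_tsn that arrived out of order
        self.dups = []            # duplicate TSNs seen since the last SACK
        self.pdus_since_sack = 0  # "every other SCTP PDU" counter

    def gap_blocks(self):
        # contiguous runs of received TSNs above cum_tsn, as offsets from cum_tsn
        blocks, start, prev = [], None, None
        for tsn in sorted(self.received):
            if start is not None and tsn == prev + 1:
                prev = tsn
            else:
                if start is not None:
                    blocks.append((start - self.cum_tsn, prev - self.cum_tsn))
                start = prev = tsn
        if start is not None:
            blocks.append((start - self.cum_tsn, prev - self.cum_tsn))
        return blocks

    def build_sack(self):
        sack = {"cum_tsn": self.cum_tsn, "gaps": self.gap_blocks(), "dups": list(self.dups)}
        self.dups, self.pdus_since_sack = [], 0
        return sack

    def on_data(self, tsn, have_data_to_send=False):
        """Returns ('now', sack) or ('delay', ms) following the slides' rules."""
        self.pdus_since_sack += 1
        if tsn <= self.cum_tsn or tsn in self.received:
            self.dups.append(tsn)                # duplicate => SACK immediately
            return "now", self.build_sack()
        self.received.add(tsn)
        while self.cum_tsn + 1 in self.received:     # advance the cumulative ack
            self.cum_tsn += 1
            self.received.discard(self.cum_tsn)
        if self.received:                        # one or more TSNs missing
            return "now", self.build_sack()      # => SACK with gap ack blocks now
        if have_data_to_send or self.pdus_since_sack >= 2:
            return "now", self.build_sack()      # bundle with DATA / every other PDU
        return "delay", SACK_DELAY_MS            # nothing to send: delayed SACK
```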

summary

• SCTP PDU = 1 common header + 1 or more chunks (control or data)

• Association setup = 4 way handshake (INIT, INIT-ACK, COOKIE-ECHO, COOKIE-ACK)

• COOKIE mechanism to prevent SYN flooding attack

• Graceful shutdown (SHUTDOWN, SHUTDOWN-ACK, SHUTDOWN-COMPLETE), no half-close as in TCP

• Separates reliability from ordered delivery

• Preserves message boundaries

• SACK chunks to ack cumulative TSN + gap ack blocks + duplicate TSNs

• Achieves link / path redundancy by supporting multi-homed hosts along with reachability check


References

Slides collected from various sources including Keyur Shah, Sourabh Ladha, P. Amer, P. Conrad, Sam Baskinger