Ph.D Unurkhaan Esbold, Computer Science and Management School,
Mongolian University of Science and Technology
“InfoSec Mongolia 2006” conference, Ulaanbaatar, 2006-02-22..23
Secure End-to-End Transport over SCTP
U. Esbold, Secure End-to-End Transport over SCTP
Overview
SCTP (Stream Control Transmission Protocol)
  – History, main features, SCTP extensions
Introduction and analysis of standardized SCTP security solutions
  – TLS over SCTP
  – SCTP over IPsec
Challenges for secure end-to-end transport over SCTP
Secure SCTP
  – Basic ideas
  – Functional structure and some highlights
Results of comparative performance measurements in lab testbed
Conclusion and outlook
Stream Control Transmission Protocol “SCTP” – History and purpose
[Figure: protocol stack. App1, App2 and App3 sit above SCTP, TCP and UDP (transport layer), which sit above IP (network layer)]
Defined by SIGTRAN WG of IETF in RFC 2960 in October 2000
Initial SCTP focus:
  – Transport of telephony signaling over IP networks
Stream Control Transmission Protocol (SCTP)
  – Reliable, message oriented general purpose IETF transport protocol
SIGTRAN WG: Signaling Transport Working Group; TSV WG: Transport Area Working Group
SCTP – Comparison with TCP
Like TCP
  • checksum and sequence number
  • reliable transmission
  • ordered delivery
  • flow and congestion control
  • fast retransmission
Unlike TCP
  • multihoming
  • multiple streams
  • unordered delivery
  • 32-bit checksum
  • protection against blind attacks
  • selective acknowledgement
SCTP – Terminology
A “stream” is a unidirectional logical channel transporting a sequence of messages
  • SCTP supports multiple independent streams per association
Messages are transported in information units called “chunks”
Multiple chunks can be “bundled” together into an SCTP packet to reduce overhead
A “path” is a unidirectional network route between associated SCTP endpoints
  • SCTP endpoints can use multiple redundant paths through the network
A “connection” between two SCTP endpoints is called “association”
[Figure: one SCTP endpoint. App1, App2 and App3 use streams S1, S2, S3 of a single SCTP instance; SCTP runs over IP with addresses IP-A1 and IP-A2 on network interfaces NI-1 and NI-2; an SCTP packet carries chunks (CH)]
SCTP – Packet format and chunks
[Figure: an SCTP packet is a common header (source port, destination port, further 32-bit fields) followed by control chunk(s) and data chunks 1..N; each chunk starts with a chunk header (type, flags, length) followed by control data or user data, laid out in 32-bit words]
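As an added example, not code from the slides, the following Python builds an SCTP packet that bundles two DATA chunks on different streams behind one common header, then parses it back and verifies the 32-bit CRC32c checksum; the port numbers, verification tag and payloads are constructed sample values.

```python
import struct

# Added example, not the slides' own code: builds and parses SCTP packets to show the
# common header and chunk layout. Ports, tags and payloads are constructed samples.

def crc32c(data: bytes) -> int:
    """CRC-32C, the SCTP packet checksum (RFC 3309 replaced RFC 2960's Adler-32)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def chunk(ctype: int, flags: int, value: bytes) -> bytes:
    """Chunk header (type, flags, length incl. header) + value, padded to 4 bytes."""
    return struct.pack("!BBH", ctype, flags, 4 + len(value)) + value + bytes(-len(value) % 4)

def data_chunk(tsn, stream_id, stream_seq, ppid, payload, unordered=False):
    """DATA chunk (type 0): TSN, stream id, stream sequence, PPID; B+E flags = whole message, U = unordered."""
    return chunk(0, 0x03 | (0x04 if unordered else 0), struct.pack("!IHHI", tsn, stream_id, stream_seq, ppid) + payload)

def build_packet(src_port, dst_port, vtag, chunks):
    """Bundle chunks behind one 12-byte common header. The CRC32c is computed with the
    checksum field zeroed and stored in little-endian byte order (RFC 4960 Appendix B)."""
    header = struct.pack("!HHII", src_port, dst_port, vtag, 0)
    body = b"".join(chunks)
    return header[:8] + struct.pack("<I", crc32c(header + body)) + body

def parse_packet(pkt: bytes) -> dict:
    """Walk the bundled chunks, validating the checksum and every chunk length."""
    src, dst, vtag = struct.unpack("!HHI", pkt[:8])
    checksum_ok = struct.unpack("<I", pkt[8:12])[0] == crc32c(pkt[:8] + bytes(4) + pkt[12:])
    chunks, off = [], 12
    while off + 4 <= len(pkt):
        ctype, flags, length = struct.unpack("!BBH", pkt[off:off + 4])
        if length < 4 or off + length > len(pkt):
            raise ValueError("malformed chunk length at offset %d" % off)
        value = pkt[off + 4:off + length]
        entry = {"type": ctype, "flags": flags, "value": value}
        if ctype == 0 and len(value) >= 12:            # DATA: expose the multi-stream fields
            tsn, sid, ssn, ppid = struct.unpack("!IHHI", value[:12])
            entry.update(tsn=tsn, stream=sid, seq=ssn, ppid=ppid,
                         unordered=bool(flags & 0x04), data=value[12:])
        chunks.append(entry)
        off += length + (-length % 4)                  # next chunk starts 4-byte aligned
    return {"src_port": src, "dst_port": dst, "vtag": vtag,
            "checksum_ok": checksum_ok, "chunks": chunks}
```

A receiver that skips the checksum check or trusts the chunk length field without the bounds test above can be driven past the end of the packet by a single malformed chunk.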
SCTP main features – Multi-Streaming
Multiplexing of several independent message streams within one SCTP association via multiple streams
[Figure: SCTP endpoint A sends data chunks D1–D6 on streams S1, S2, S3, ..., SN; they travel as one packet stream (D1 D2 D3 D4 D5 D6) and are demultiplexed back onto S1..SN at SCTP endpoint B. S1, S2, S3, ..., SN – SCTP streams; D1–D6 – SCTP data chunks]
SCTP main features – Multi-Homing
SCTP entities with multiple network addresses and redundant paths
[Figure: SCTP endpoint A (NI-1 with IP-A1, NI-2 with IP-A2) and SCTP endpoint B (NI-1 with IP-B1, NI-2 with IP-B2) connected through the IP network, with one primary path in each direction and the other address pairs as redundant paths. NI – Network interface]
SCTP main features – Flexible delivery
Flexible message delivery per stream: Ordered or unordered
[Figure: messages 1, 2, 4, 5, 7 cross the transmission link while message 3 is missing. Unordered delivery: the receive buffer passes each arriving message straight to the upper layer. Ordered delivery: the messages after the gap wait in the resequencing buffer until message 3 arrives. All data chunks belong to the same stream]
SCTP – Protocol extensions
Partial reliability extension
  – Retransmission can be limited for some messages
    • Some messages may not arrive at the receiving application – unreliable service
  – Useful for real-time traffic where late messages are discarded anyway
Dynamic address reconfiguration
  – Add and drop IP addresses of established associations dynamically
  – Request peer endpoint to use specific path as primary path
  – Useful to support mobility of terminals
Standardized SCTP security solutions – TLS over SCTP
[Figure: SCTP endpoints A and B with streams S1, S2, S3 over SCTP over IP. Unsecured: App1, App2 and App3 use their streams directly. Secured: App2 and App3 each run their own TLS instance (TLS 1, TLS 2), giving Secure Session 1 and Secure Session 2, one TLS session per secured stream; App1's stream stays unsecured. TLS: Transport Layer Security]
Standardized SCTP security solutions – SCTP over IPsec
[Figure: SCTP endpoints A and B with App1, App2 and App3 on streams S1, S2, S3 over SCTP. Unsecured: SCTP directly over IP. Secured: IPsec inserted between SCTP and IP, with IPsec SAs between the endpoints protecting all traffic of the association. IPSec: Internet Protocol Security]
Standardized SCTP security solutions – SCTP over IPsec
X, Y – number of IP addresses of the two endpoints
Required: minimum X+Y IPsec SAs, maximum 2*X*Y IPsec SAs
[Figure: SCTP endpoint A with interfaces NI-1..NI-X and addresses IP-A1..IP-AX, SCTP endpoint B with interfaces NI-1..NI-Y and addresses IP-B1..IP-BY, each running SCTP over IPsec over IP, with IPsec SAs between the address pairs]
Standardized security solutions – Comparison
(+) – advantage, (-) – disadvantage, (no) – not possible

Criteria                                           TLS over SCTP   SCTP over IPsec
Dynamic Address Reconfiguration (SCTP extension)   +               -
Partially Reliable Transport (SCTP extension)      no              +
Management of security sessions (handling)         +               -
Flexible multiplexing of secure/insecure streams   +               no
Protection for SCTP control chunks                 no              +
Overhead for long messages (fragmentation)         +               -
Overhead for small messages (bundling)             -               +
Protection for unordered delivery service          no              +
Support for SCTP multi-homing                      +               -
Scalability for multiple streams                   -               +
SCTP – Challenges for secure end-to-end transport
Standard security protocols are defined for TCP, but
  – SCTP is different
    • Multi-streaming, multi-homing, flexible delivery
    • Partial reliability, dynamic address reconfiguration
Application of standard security protocols is possible, but
  – Some SCTP features cannot be used
  – There are potential performance limitations
Possible solutions
  – Significantly modify standard security protocols
    • Not realistic due to already existing applications
  – Significantly modify and extend SCTP
    • Approach chosen in this project
Secure SCTP (S-SCTP) – Basic Ideas
S-SCTP is designed to
  – Be interoperable with standard SCTP
  – Support all SCTP features and extensions
  – Be scalable
    • One “security session” per SCTP association
  – Be efficient
    • Flexible mix of secure and non-secure data transfer
  – Be user friendly
S-SCTP provides the same security features as TLS and IPSec
  – Authentication and/or encryption
  – Flexible cipher suite selection
  – Use of PKI or pre-shared keys
Secure SCTP integrates security functions into SCTP
PKI: Public Key Infrastructure
S-SCTP – Basic concept
[Figure: SCTP endpoints A and B, each with App1, App2 and App3 on streams S1, S2, S3 of an SCTP instance that contains the security mechanism, over IP (IP-A1, IP-A2 on NI-1, NI-2). Unsecured and secured traffic share one secure session per association]
S-SCTP – Integration of security functions
[Figure: S-SCTP functional structure between the Upper Layer and the Network layer. Control path: State Controller, Path-Manager and Crypto-Controller. Data path: Stream Layer, Flow Control/Reliable Transfer, Bundling and Packet Assembly/Disassembly, with the security functions Encryption/Decryption, Authentication and Message Validation integrated into it]
S-SCTP – Data path and bundling
Three new chunk types:
  – EncData chunk: contains encrypted chunks, random number, key ID
  – Auth chunk: contains HMAC, key ID
  – Padding chunk: contains random numbers
[Figure: outgoing chunks Chunk1, Ch2, Chunk3, ... and a control chunk are classified as requiring encryption (Chunk1, Chunk3) or not (Ch2, control chunk). The bundled S-SCTP packet carries the common header (CH), the control chunk (CC), Ch2, an EncData chunk holding Chunk1 and Chunk3 together with a Padding chunk, and an Auth chunk. HMAC: Keyed-Hashing for Message Authentication]
S-SCTP – Security levels and packet formats
Security Level 0: No security, downward compatible
  CH | CC | Chunk1 | Chunk2 | Chunk3
Security Level 1: Full authentication of all SCTP packets
  CH | CC | Chunk1 | Chunk2 | Chunk3 | Auth
Security Level 2: Full authentication, encryption of selected data chunks
  CH | CC | EncData(Chunk1, Chunk2, Padding) | Chunk3 | Auth
Security Level 3: Full authentication and encryption of all chunks
  CH | EncData(all chunks incl. CC, Padding) | Auth
  • Both endpoints can have different security levels
CH – Common Header, CC – Control Chunk
S-SCTP – Qualitative comparison

Criteria                                           SCTP over IPsec   TLS over SCTP   S-SCTP
Dynamic Address Reconfiguration (SCTP extension)   -                 +               +
Support for SCTP multi-homing                      -                 +               +
Partially Reliable Transport (SCTP extension)      +                 no              +
Management of security sessions (handling)         -                 +               +
Flexible multiplexing of secure/insecure streams   no                +               +
Protection for SCTP control chunks                 +                 no              +
Protection for unordered delivery service          +                 no              +
Overhead for long messages (fragmentation)         -                 +               -
Overhead for small messages (bundling)             +                 -               +
Scalability for multiple streams                   +                 -               +
S-SCTP measurements – Lab setup and parameters
Lab testbed
  – 2 PCs directly connected to the 100 MHz switch
  – Both PCs have 100 MHz LAN card
  – First PC – AMD Athlon 1.4 GHz
  – Second PC – Pentium 3, 600 MHz
Some additional components had to be implemented
  – Traffic source
  – Extension to Ethereal
Measurement execution
  – Measurement period was 5 minutes
  – Throughput was measured in 1 second intervals
  – Each measurement was repeated 20 times
  – The throughput was calculated as mean of all measurements
S-SCTP measurement results – Throughput vs. message size (3DES-SHA)
[Figure: throughput (kb/sec, 0–2500) vs. message size (byte, 0–6000) for SCTP over IPsec, TLS over SCTP, S-SCTP and Standard SCTP; no bundling used]
S-SCTP measurement results – Throughput vs. message size (AES-SHA)
[Figure: throughput (kb/sec, 0–2500) vs. message size (byte, 0–6000) for SCTP over IPsec, TLS over SCTP, S-SCTP and Standard SCTP; no bundling used]
S-SCTP measurement results – Throughput vs. message size (3DES-SHA)
[Figure: throughput (kb/sec, 0–2500) vs. message size (byte, 0–1000) for SCTP over IPsec, TLS over SCTP and S-SCTP; bundling used]
S-SCTP measurement results – Throughput vs. traffic mix (3DES-SHA)
[Figure: throughput (kb/sec, 1000–2000) vs. percentage of secured traffic (0–100 %) for SCTP over IPsec, TLS over SCTP and S-SCTP; message size 1000 byte, no fragmentation]
S-SCTP measurement results – Memory usage vs. number of streams
[Figure: memory usage (MBytes, 0–450) vs. number of concurrent streams (100, 1000, 5000, 10000, 20000) for TLS over SCTP, SCTP over IPsec and S-SCTP]
IPsec and S-SCTP use about 2.4 MB memory
Conclusion and outlook
SCTP is used for sensitive applications
  – Secure end-to-end transport over SCTP required
Standardized SCTP security solutions have some severe limitations
  – Designed to require only minimum modification of SCTP/TLS/IPSec
S-SCTP extension has been proposed
  – It is feasible as demonstrated by prototype implementation
The integrated S-SCTP solution has significant advantages
  – S-SCTP supports all SCTP protocol features and extensions
  – S-SCTP performs well over a wide range of protocol parameters
    • Message size
    • Mix of secured and unsecured traffic
    • Number of concurrent streams
  – Is user friendly (simple API, predefined security levels)
But: S-SCTP is not a standardized solution
Thank you very much