Ph.D Unurkhaan Esbold, Computer Science and Management School, Mongolian University of Science and Technology
“InfoSec Mongolia 2006” conference, Ulaanbaatar, 2006-02-22..23
Secure End-to-End Transport over SCTP (29 slides)

Page 1:

Ph.D Unurkhaan Esbold, Computer Science and Management School,

Mongolian University of Science and Technology

“InfoSec Mongolia 2006” conference, Ulaanbaatar, 2006-02-22..23

Secure End-to-End Transport over SCTP

Page 2: Overview

SCTP (Stream Control Transmission Protocol)
– History, main features, SCTP extensions
Introduction and analysis of standardized SCTP security solutions
– TLS over SCTP
– SCTP over IPsec
Challenges for secure end-to-end transport over SCTP
Secure SCTP
– Basic ideas
– Functional structure and some highlights
Results of comparative performance measurements in lab testbed
Conclusion and outlook

Page 3: Stream Control Transmission Protocol “SCTP” – History and purpose

[Figure: protocol stack. App1, App2, App3 run over SCTP, TCP and UDP in the transport layer, which sit over IP in the network layer]

Defined by SIGTRAN WG of IETF in RFC 2960 in October 2000
Initial SCTP focus:
– Transport of telephony signaling over IP networks
Stream Control Transmission Protocol (SCTP)
– Reliable, message oriented general purpose IETF transport protocol

SIGTRAN WG: Signaling Transport Working Group; TSV WG: Transport Area Working Group

Page 4: SCTP – Comparison with TCP

Like TCP
• checksum and sequence number
• reliable transmission
• ordered delivery
• flow and congestion control
• fast retransmission

Unlike TCP
• multihoming
• multiple streams
• unordered delivery
• 32-bit checksum (CRC32c, instead of the 16-bit TCP checksum)
• protection against blind attacks (verification tag in every packet, four-way handshake with a state cookie)
• selective acknowledgement

Page 5: SCTP – Terminology

A “connection” between two SCTP endpoints is called an “association”
A “stream” is a unidirectional logical channel transporting a sequence of messages
• SCTP supports multiple independent streams per association
Messages are transported in information units called “chunks”
Multiple chunks can be “bundled” together into an SCTP packet to reduce overhead
A “path” is a unidirectional network route between associated SCTP endpoints
• SCTP endpoints can use multiple redundant paths through the network

[Figure: SCTP endpoint with App1, App2, App3 on streams S1, S2, S3, two network interfaces NI-1/NI-2 with addresses IP-A1/IP-A2 over IP; an SCTP packet consists of the common header (CH) followed by chunks]

Page 6: SCTP – Packet format and chunks

[Figure: an SCTP packet is the common header followed by control chunk(s) and data chunks 1..N; all fields drawn on 32-bit rows]

Common header: source port and destination port (16 bits each), followed by the 32-bit verification tag and the 32-bit checksum
Control chunk: chunk header (type, flags, length) followed by control data
Data chunk: chunk header (type, flags, length) followed by user data
Each chunk is padded to a 4-byte boundary so that the next chunk header starts 32-bit aligned
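As an added example (not from the talk), a Python parser for the packet layout on this slide: it decodes the common header, walks the bundled chunks honouring the 4-byte padding, and verifies the CRC32c checksum (the 32-bit checksum of slide 4; RFC 3309 replaced RFC 2960's Adler-32 with CRC32c, and the CRC is placed in the packet least-significant byte first as in RFC 4960 Appendix B). The sample packet, port numbers and verification tag below are constructed for the demo.

```python
"""Added example (not from the talk): parse an SCTP packet as laid out on this slide.

Walks the common header and the bundled chunks (4-byte padded) and verifies the
CRC32c checksum that RFC 3309 introduced in place of RFC 2960's Adler-32.
The sample packet, ports and verification tag below are constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import List

CHUNK_TYPES = {0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
               9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK", 14: "SHUTDOWN COMPLETE"}

# CRC32c (Castagnoli), reflected table-driven form as in RFC 4960 Appendix B
_POLY = 0x82F63B78
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)

def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

@dataclass
class Chunk:
    ctype: int
    flags: int
    length: int          # length field: header + value, without padding
    value: bytes

    @property
    def name(self) -> str:
        return CHUNK_TYPES.get(self.ctype, f"type {self.ctype}")

@dataclass
class SctpPacket:
    src_port: int
    dst_port: int
    vtag: int
    checksum_ok: bool
    chunks: List[Chunk]

def parse_sctp(pkt: bytes) -> SctpPacket:
    if len(pkt) < 12:
        raise ValueError("short SCTP common header")
    src, dst, vtag = struct.unpack("!HHI", pkt[:8])
    # The CRC32c is stored least-significant byte first (RFC 4960 Appendix B)
    (wire_crc,) = struct.unpack("<I", pkt[8:12])
    ok = wire_crc == crc32c(pkt[:8] + b"\x00" * 4 + pkt[12:])
    chunks, off = [], 12
    while off < len(pkt):
        if len(pkt) - off < 4:
            raise ValueError(f"truncated chunk header at offset {off}")
        ctype, flags, length = struct.unpack("!BBH", pkt[off:off + 4])
        if length < 4 or off + length > len(pkt):
            raise ValueError(f"bad chunk length {length} at offset {off}")
        chunks.append(Chunk(ctype, flags, length, pkt[off + 4:off + length]))
        off += (length + 3) & ~3     # next chunk starts on a 4-byte boundary
    return SctpPacket(src, dst, vtag, ok, chunks)

def build_sctp(src_port: int, dst_port: int, vtag: int, chunks) -> bytes:
    """Bundle (type, flags, value) tuples into one packet and fill in the checksum."""
    body = b""
    for ctype, flags, value in chunks:
        length = 4 + len(value)
        body += struct.pack("!BBH", ctype, flags, length) + value + b"\x00" * ((-length) % 4)
    hdr = struct.pack("!HHI", src_port, dst_port, vtag)
    return hdr + struct.pack("<I", crc32c(hdr + b"\x00" * 4 + body)) + body

def data_chunk(tsn, stream_id, ssn, ppid, payload, unordered=False):
    """DATA chunk value: TSN, stream id, stream seq no, payload protocol id, user data."""
    flags = 0x03 | (0x04 if unordered else 0)   # B|E = whole message; U = unordered
    return (0, flags, struct.pack("!IHHI", tsn, stream_id, ssn, ppid) + payload)

# Constructed sample: one SACK control chunk bundled with DATA on streams 1 and 2
SAMPLE = build_sctp(5000, 2905, 0xDEADBEEF, [
    (3, 0, struct.pack("!IIHH", 0x10, 65535, 0, 0)),   # cum. TSN ack, a_rwnd, 0 gaps, 0 dups
    data_chunk(0x11, 1, 0, 0, b"hello"),
    data_chunk(0x12, 2, 0, 0, b"unordered", unordered=True),
])

if __name__ == "__main__":
    p = parse_sctp(SAMPLE)
    print(f"{p.src_port} -> {p.dst_port} vtag={p.vtag:#x} checksum_ok={p.checksum_ok}")
    for c in p.chunks:
        print(f"  {c.name:<6} flags={c.flags:#04x} len={c.length}")
```

The length checks matter for anything that dissects untrusted SCTP (IDS, fuzzing harnesses, Ethereal-style extensions as used later in this talk): a length field smaller than the 4-byte header or running past the packet is rejected before any slice is taken, and the checksum is reported rather than trusted so that a corrupted packet still parses for inspection.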

Page 7: SCTP main features – Multi-Streaming

Multiplexing of several independent message streams within one SCTP association via multiple streams

[Figure: SCTP endpoint A sends data chunks D1..D6 on streams S1, S2, S3, ..., SN; they share one packet stream on the wire and are demultiplexed onto the same streams at SCTP endpoint B. S1, S2, S3, ..., SN – SCTP streams; D1 – D6 – SCTP data chunks]

Page 8: SCTP main features – Multi-Homing

SCTP entities with multiple network addresses and redundant paths

[Figure: SCTP endpoint A (NI-1/IP-A1, NI-2/IP-A2) and SCTP endpoint B (NI-1/IP-B1, NI-2/IP-B2) connected through the IP network; one path in each direction is marked as the primary path, the remaining paths are redundant. NI – Network interface]

Page 9: SCTP main features – Flexible delivery

Flexible message delivery per stream: Ordered or unordered
All data chunks belong to the same stream

[Figure: messages 1, 2, 7, 4, 5 arrive from the transmission link, message 3 is missing. Ordered message delivery: the receive buffer passes 1 and 2 to the upper layer, while the later messages wait in the resequencing buffer until 3 is retransmitted. Unordered message delivery: 1, 2, 7, 4, 5 are passed to the upper layer as they arrive]

Page 10: SCTP – Protocol extensions

Partial reliability extension (PR-SCTP, RFC 3758)
– Retransmission can be limited for some messages
• Some messages may not arrive at the receiving application – unreliable service
– Useful for real-time traffic where late messages are discarded anyway
Dynamic address reconfiguration
– Add and drop IP addresses of established associations dynamically
– Request peer endpoint to use specific path as primary path
– Useful to support mobility of terminals

Page 11: Standardized SCTP security solutions – TLS over SCTP

[Figure: SCTP endpoints A and B with App1, App2, App3 on streams S1, S2, S3 over SCTP over IP. Secure Session 1 (TLS 1) and Secure Session 2 (TLS 2) run above SCTP for App2 and App3; App1 stays unsecured]

TLS sits above SCTP, so it protects the user data of the streams it is applied to, with one TLS session per bidirectional stream pair; streams without TLS and all SCTP control chunks remain unprotected
TLS: Transport Layer Security

Page 12: Standardized SCTP security solutions – SCTP over IPsec

[Figure: SCTP endpoints A and B with App1, App2, App3 on streams S1, S2, S3 over SCTP; IP/IPsec below SCTP, IPsec SAs between the endpoints; unsecured vs. secured shown per endpoint]

IPsec sits below SCTP, so it protects whole SCTP packets including control chunks, but it cannot tell streams apart
IPsec: Internet Protocol Security

Page 13: Standardized SCTP security solutions – SCTP over IPsec

[Figure: SCTP endpoint A with interfaces NI-1 .. NI-X and addresses IP-A1 .. IP-AX, SCTP endpoint B with NI-1 .. NI-Y and IP-B1 .. IP-BY, IPsec below IP on both sides, IPsec SAs between the address pairs]

X, Y – number of IP addresses of the two endpoints
Required: minimum X+Y IPsec SAs, maximum 2*X*Y IPsec SAs (SAs are unidirectional, so the worst case is one SA per direction for every address pair)

Page 14: Standardized security solutions – Comparison

Criteria                                             TLS over SCTP   SCTP over IPsec
Dynamic Address Reconfiguration (SCTP extension)     +               -
Partially Reliable Transport (SCTP extension)        no              +
Management of security sessions (handling)           +               -
Flexible multiplexing of secure/insecure streams     +               no
Protection for SCTP control chunks                   no              +
Overhead for long messages (fragmentation)           +               -
Overhead for small messages (bundling)               -               +
Protection for unordered delivery service            no              +
Support for SCTP multi-homing                        +               -
Scalability for multiple streams                     -               +

(+) – advantage, (-) – disadvantage, (no) – not possible

Page 15: SCTP – Challenges for secure end-to-end transport

Standard security protocols are defined for TCP, but
– SCTP is different
• Multi-streaming, multi-homing, flexible delivery
• Partial reliability, dynamic address reconfiguration
Application of standard security protocols is possible, but
– Some SCTP features cannot be used
– There are potential performance limitations
Possible solutions
– Significantly modify standard security protocols
• Not realistic due to already existing applications
– Significantly modify and extend SCTP
• Approach chosen in this project

Page 16: Secure SCTP (S-SCTP) – Basic Ideas

Secure SCTP integrates security functions into SCTP
S-SCTP is designed to
– Be interoperable with standard SCTP
– Support all SCTP features and extensions
– Be scalable
• One „security session“ per SCTP association
– Be efficient
• Flexible mix of secure and non-secure data transfer
– Be user friendly
S-SCTP provides the same security features as TLS and IPsec
– Authentication and/or encryption
– Flexible cipher suite selection
– Use of PKI or pre-shared keys
PKI: Public Key Infrastructure

Page 17: S-SCTP – Basic concept

[Figure: SCTP endpoints A and B, each with App1, App2, App3 on streams S1, S2, S3 over SCTP, two interfaces NI-1/NI-2 with two IP addresses over IP. The security mechanism is part of SCTP itself, so one secure session covers all streams and all paths of the association, with secured and unsecured streams side by side]

Page 18: S-SCTP – Integration of security functions

[Figure: functional structure of an S-SCTP endpoint with a Control-Path and a Data-Path]

Functional blocks, top to bottom: Upper Layer; Stream Layer; State Controller; Flow Control/Reliable Transfer; Packet Assembly/Disassembly with Bundling and Message Validation; Path-Manager; Network layer
Security functions added to SCTP: Crypto-Controller on the Control-Path (session and key handling), Encryption/Decryption and Authentication on the Data-Path

Page 19: S-SCTP – Data path and bundling

Three new chunk types:
– EncData chunk: contains encrypted chunks, random number, key ID
– Auth chunk: contains HMAC, key ID
– Padding chunk: contains random numbers

[Figure: Chunk1, Ch2, Chunk3, ... arrive for bundling; Chunk1 and Chunk3 require encryption, Ch2 does not. S-SCTP packet: Common Header (CH), Control Chunk (CC), Ch2 in clear, EncData chunk containing Chunk1, Chunk3 and a Padding chunk, followed by the Auth chunk]

HMAC: Keyed-Hashing for Message Authentication

Page 20: S-SCTP – Security levels and packet formats

CH – Common Header, CC – Control Chunk

Security Level 0: No security, downward compatible
CH CC Chunk1 Chunk2 Chunk3
Security Level 1: Full authentication of all SCTP packets
CH CC Chunk1 Chunk2 Chunk3 Auth
Security Level 2: Full authentication, encryption of selected data chunks
CH CC Chunk3 EncData[Chunk1 Chunk2 Padding] Auth
Security Level 3: Full authentication and encryption of all chunks
CH EncData[CC Chunk1 Chunk2 Chunk3 Padding] Auth
• Both endpoints can have different security levels
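The packet formats of slides 19 and 20 as a runnable illustration. This is an added example, not the prototype described in the talk: the page names the EncData, Auth and Padding chunks but gives no type codes or field layouts, so the chunk type codes, the 2-byte key ID, the 8-byte random number (used as the nonce), the 16-byte cipher block and HMAC-SHA256 in the Auth chunk are assumptions. The keystream is HMAC-SHA256 in counter mode, a stand-in for the negotiated cipher (3DES or AES in the measurements) because the Python standard library has no AES. The sample bundle, keys and stream policy are constructed; the CRC32c field of the common header is left zero, since in a real stack it is filled in after protection.

```python
# Added illustration of the S-SCTP security levels 0-3 (not the paper's code). Assumed:
# the EncData/Auth/Padding type codes, a 2-byte key ID, an 8-byte random number used as
# nonce, HMAC-SHA256 in Auth, and an HMAC-SHA256 counter-mode keystream standing in for
# the negotiated cipher (3DES/AES in the paper), since the stdlib has no AES.
import hashlib
import hmac
import os
import struct

T_DATA, T_SACK = 0, 3                             # RFC 4960 chunk types
T_ENCDATA, T_AUTH, T_PADDING = 0xC0, 0xC1, 0xC2   # hypothetical S-SCTP chunk types

def chunk(ctype, value, flags=0):
    """type, flags, length (header + value), value, padded to a 4-byte boundary."""
    length = 4 + len(value)
    return struct.pack("!BBH", ctype, flags, length) + value + b"\x00" * ((-length) % 4)

def walk(body):
    """Yield (type, value) for every chunk bundled in body."""
    off = 0
    while off < len(body):
        ctype, _flags, length = struct.unpack("!BBH", body[off:off + 4])
        if length < 4 or off + length > len(body):
            raise ValueError("bad chunk length")
        yield ctype, body[off + 4:off + length]
        off += (length + 3) & ~3

def data_chunk(tsn, stream_id, ssn, payload):
    return chunk(T_DATA, struct.pack("!IHHI", tsn, stream_id, ssn, 0) + payload, flags=0x03)

def keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class SecureSession:
    # One security session per association; both endpoints hold the same keys.
    def __init__(self, key_id, enc_key, mac_key, level):
        self.key_id, self.enc_key, self.mac_key, self.level = key_id, enc_key, mac_key, level

    def protect(self, common_hdr, chunks, is_sensitive):
        """0: as is. 1: Auth over all. 2: also EncData for is_sensitive(chunk). 3: EncData for all."""
        if self.level == 0:
            return common_hdr + b"".join(chunks)
        secret = [c for c in chunks if self.level == 3 or (self.level == 2 and is_sensitive(c))]
        body = b"".join(c for c in chunks if c not in secret)
        if secret:
            pt = b"".join(secret)
            pad = (-len(pt)) % 16                     # Padding chunk fills the last cipher block
            if pad:
                pt += chunk(T_PADDING, os.urandom(pad - 4))
            nonce = os.urandom(8)                     # the EncData "random number"
            ct = xor(pt, keystream(self.enc_key, nonce, len(pt)))
            body += chunk(T_ENCDATA, struct.pack("!H", self.key_id) + nonce + ct)
        # Auth is last and covers the header and every chunk before it, control chunks included
        mac = hmac.new(self.mac_key, common_hdr + body, hashlib.sha256).digest()
        return common_hdr + body + chunk(T_AUTH, struct.pack("!H", self.key_id) + mac)

    def unprotect(self, packet):
        """Verify first, then decrypt; returns the plaintext (type, value) chunks."""
        hdr, body = packet[:12], packet[12:]
        parsed = list(walk(body))
        if self.level == 0:
            return parsed
        if not parsed or parsed[-1][0] != T_AUTH:
            raise ValueError("unauthenticated packet rejected at level %d" % self.level)
        auth = parsed[-1][1]
        if struct.unpack("!H", auth[:2])[0] != self.key_id:
            raise ValueError("unknown key ID")
        covered = hdr + body[:-((4 + len(auth) + 3) & ~3)]
        if not hmac.compare_digest(auth[2:], hmac.new(self.mac_key, covered, hashlib.sha256).digest()):
            raise ValueError("HMAC mismatch")
        out = []
        for ctype, value in parsed[:-1]:
            if ctype == T_ENCDATA:
                pt = xor(value[10:], keystream(self.enc_key, value[2:10], len(value) - 10))
                out.extend(c for c in walk(pt) if c[0] != T_PADDING)
            else:
                out.append((ctype, value))
        return out

HDR = struct.pack("!HHII", 5000, 2905, 0xDEADBEEF, 0)   # constructed; checksum filled in later
SECURE_STREAMS = {1}                                    # constructed per-stream policy
KEYS = dict(key_id=7, enc_key=b"k" * 32, mac_key=b"m" * 32)   # constructed session keys

def sample_chunks():
    """Constructed bundle: a SACK control chunk, DATA on stream 1 (secure) and on stream 2."""
    return [chunk(T_SACK, struct.pack("!IIHH", 0x10, 65535, 0, 0)),
            data_chunk(0x11, 1, 0, b"secret"), data_chunk(0x12, 2, 0, b"public")]

def is_secure_stream(raw):
    return raw[0] == T_DATA and struct.unpack("!H", raw[8:10])[0] in SECURE_STREAMS

def accepts(level, pkt):
    """Whether a receiver at `level` accepts pkt; tampering and downgrades are rejected."""
    try:
        SecureSession(level=level, **KEYS).unprotect(pkt)
        return True
    except ValueError:
        return False
```

Two checks in `unprotect` carry the security argument of this slide: the Auth chunk is verified over the common header and every chunk in front of it before anything is decrypted, so control chunks (the SACK here) are covered, which TLS over SCTP cannot do; and a receiver configured for level 1 or higher rejects a level-0 packet outright, so a peer cannot silently downgrade the association. The `is_sensitive` predicate is what implements the per-stream mix of secured and unsecured traffic that the table on slide 14 marks as impossible for IPsec.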

Page 21: S-SCTP – Qualitative comparison

Criteria                                             SCTP over IPsec   TLS over SCTP   S-SCTP
Dynamic Address Reconfiguration (SCTP extension)     -                 +               +
Support for SCTP multi-homing                        -                 +               +
Partially Reliable Transport (SCTP extension)        +                 no              +
Management of security sessions (handling)           -                 +               +
Flexible multiplexing of secure/insecure streams     no                +               +
Protection for SCTP control chunks                   +                 no              +
Protection for unordered delivery service            +                 no              +
Overhead for long messages (fragmentation)           -                 +               -
Overhead for small messages (bundling)               +                 -               +
Scalability for multiple streams                     +                 -               +

(+) – advantage, (-) – disadvantage, (no) – not possible

Page 22: S-SCTP measurements – Lab setup and parameters

Lab testbed
– 2 PCs directly connected to a 100 Mbit/s switch
– Both PCs have a 100 Mbit/s LAN card
– First PC – AMD Athlon 1.4 GHz
– Second PC – Pentium 3, 600 MHz
Some additional components had to be implemented
– Traffic source
– Extension to Ethereal
Measurement execution
– Measurement period was 5 minutes
– Throughput was measured in 1 second intervals
– Each measurement was repeated 20 times
– The throughput was calculated as the mean of all measurements

Page 23: S-SCTP measurement results – Throughput vs. message size (3DES-SHA)

[Chart: throughput (kb/sec, 0 to 2500) vs. message size (byte, 0 to 6000); series: SCTP over IPsec, TLS over SCTP, S-SCTP, Standard SCTP. No bundling used]

Page 24: S-SCTP measurement results – Throughput vs. message size (AES-SHA)

[Chart: throughput (kb/sec, 0 to 2500) vs. message size (byte, 0 to 6000); series: SCTP over IPsec, TLS over SCTP, S-SCTP, Standard SCTP. No bundling used]

Page 25: S-SCTP measurement results – Throughput vs. message size (3DES-SHA)

[Chart: throughput (kb/sec, 0 to 2500) vs. message size (byte, 0 to 1000); series: SCTP over IPsec, TLS over SCTP, S-SCTP. Bundling used]

Page 26: S-SCTP measurement results – Throughput vs. traffic mix (3DES-SHA)

[Chart: throughput (kb/sec, 1000 to 2000) vs. percentage of secured traffic (0 to 100 %); series: SCTP over IPsec, TLS over SCTP, S-SCTP. Message size 1000 byte: No fragmentation]

Page 27: S-SCTP measurement results – Memory usage vs. number of streams

[Chart: memory usage (MBytes, 0 to 450) vs. number of concurrent streams (100, 1000, 5000, 10000, 20000); series: TLS over SCTP, SCTP over IPsec, S-SCTP]

IPsec and S-SCTP use about 2.4 MB memory

Page 28: Conclusion and outlook

SCTP is used for sensitive applications
– Secure end-to-end transport over SCTP required
Standardized SCTP security solutions have some severe limitations
– Designed to require only minimum modification of SCTP/TLS/IPsec
S-SCTP extension has been proposed
– It is feasible as demonstrated by prototype implementation
The integrated S-SCTP solution has significant advantages
– S-SCTP supports all SCTP protocol features and extensions
– S-SCTP performs well over a wide range of protocol parameters
• Message size
• Mix of secured and unsecured traffic
• Number of concurrent streams
– Is user friendly (simple API, predefined security levels)
But: S-SCTP is not a standardized solution

Page 29: Thank you very much