
SCTP is connection-oriented

SCTP is connection-oriented. Like TCP, SCTP is connection-oriented, i.e. it has three phases (setup, communicate, teardown), requires a setup procedure to establish the communication relationship between two parties, and maintains state at the endpoints.

kasen

Presentation Transcript


  1. SCTP is connection-oriented • Like TCP, SCTP is connection-oriented • i.e. three phases: setup, communicate, teardown • requires a setup procedure to establish the communication relationship between two parties, • maintains state at the endpoints • Note: connection-oriented DOES NOT NECESSARILY imply reliable, • SCTP is always connection oriented, but ... • SCTP can be configured to be reliable, unreliable or partially reliable • To establish this state, both sides go through a specific set of exchanges • TCP uses a 3-way handshake (SYN, SYN/ACK, ACK) • SCTP uses a 4-way handshake (INIT, INIT-ACK, COOKIE-ECHO, COOKIE-ACK)

  2. The a-word: association • In TCP, the communication relationship between two endpoints is called a connection • Socket pair: { <Local IP addr, port>, <Remote IP addr, port> } • e.g. { <10.1.61.11, 2223>, <161.10.8.221, 80> } • In SCTP, we call this an association • An SCTP association can be represented as a pair of SCTP endpoints: • assoc = { [10.1.61.11 : 2223], [161.10.8.221, 120.1.1.5 : 80] } • Note: the second endpoint has two IP addresses • The word "association" emphasizes that the two endpoints are "associated" rather than that two IP addresses (interfaces) are "connected"

  3. Associations and Endpoints • An SCTP endpoint is a port number together with the set of IP addresses on a specific host that use it (a multi-homed endpoint has several addresses but one port) • An SCTP endpoint may have multiple associations • Only one association may be established between any two SCTP endpoints

  4. Operation of SCTP Associations • An SCTP association provides reliable data transfer of messages • (or partially reliable, or unreliable, with the PR-SCTP extension) • Messages are sent within a stream, which is identified by a stream identifier (SID) • Messages can be ordered or un-ordered: • Each ordered message sent within a stream is also assigned a stream sequence number (SSN) • Unordered messages have no SSN and are delivered with no respect to ordering

  5. SCTP States I: association setup (page 31 of the SCTP book)
     Active side:
       CLOSED --[ASSOCIATE] create TCB, send INIT, start init timer--> COOKIE_WAIT
       COOKIE_WAIT --[rcv INIT-ACK] send COOKIE-ECHO, stop init timer, start cookie timer--> COOKIE_ECHOED
       COOKIE_ECHOED --[rcv COOKIE-ACK] stop cookie timer--> ESTABLISHED
     Passive side:
       CLOSED --[rcv INIT] generate cookie, send INIT-ACK (no TCB created, stays CLOSED)--> CLOSED
       CLOSED --[rcv valid COOKIE-ECHO] create TCB, send COOKIE-ACK--> ESTABLISHED

  6. SCTP States I (diagram only: CLOSED, COOKIE_WAIT, COOKIE_ECHOED; page 31 of the SCTP book)

  7. SCTP States II: shutdown, first half (page 32 of the SCTP book)
     Active side:
       ESTABLISHED --[SHUTDOWN primitive] check outstanding data chunks--> SHUTDOWN-PENDING
       SHUTDOWN-PENDING --[no more outstanding data chunks] send SHUTDOWN, start shutdown timer--> SHUTDOWN-SENT (next slide)
     Passive side:
       ESTABLISHED --[rcv SHUTDOWN] check outstanding data chunks--> SHUTDOWN-RECEIVED (RFC 2960 §4 name for this state)
       SHUTDOWN-RECEIVED --[no more outstanding data chunks] send SHUTDOWN-ACK, start shutdown timer--> SHUTDOWN-ACK-SENT (next slide)

  8. SCTP States III: shutdown, second half (page 32 of the SCTP book)
       SHUTDOWN-SENT --[rcv SHUTDOWN-ACK] send SHUTDOWN-COMPLETE, stop shutdown timer, delete TCB--> CLOSED
       SHUTDOWN-ACK-SENT --[rcv SHUTDOWN-COMPLETE] stop shutdown timer, delete TCB--> CLOSED

  9. SCTP full state diagram (page 32 of the SCTP book): CLOSED, COOKIE_WAIT, COOKIE_ECHOED, ESTABLISHED, SHUTDOWN-PENDING, SHUTDOWN-RECEIVED, SHUTDOWN-SENT, SHUTDOWN-ACK-SENT, CLOSED

  10. INIT Chunk layout
      Type=1 | Flags=0 | Length=variable
      Initiation Tag (32 bits)
      Receiver Window Credit (32 bits)
      # Out Streams (16 bits) | Max # In Streams (16 bits)
      Initial TSN (32 bits)
      Optional/variable-length parameters (TLV encoded, each padded to a 4-byte boundary)

  11. INIT (and INIT-ACK) Chunk Fields • Initiation Tag: non-zero random 32-bit nonce value; the peer must place it in the Verification Tag of every packet it sends us • Receiver Window Credit: initial rwnd used for flow control • # of Outbound Streams: number of streams the sender wishes to use • Max # of Inbound Streams: maximum number of streams the sender supports • Initial TSN: initial 32-bit TSN used for data transfer, which is also a random value (the RFC allows it to be the same as the Initiation Tag)

  12. INIT / INIT-ACK Chunk Summary • INIT / INIT-ACK chunks have fixed and variable parts • The variable part is made up of parameters • The parameters specify options and features supported by the sender • Most parameters are valid for both the INIT and the INIT-ACK

  13. INIT-ACK Chunk layout
      Type=2 | Flags=0 | Length=variable
      Initiation Tag (32 bits)
      Receiver Window Credit (32 bits)
      # Out Streams (16 bits) | Max # In Streams (16 bits)
      Initial TSN (32 bits)
      Optional/variable-length parameters (the State Cookie parameter is mandatory here)

  14. INIT and INIT-ACK Parameters
      Parameter                     Type    INIT   INIT-ACK
      IPv4 Address                  0x0005  YES    YES
      IPv6 Address                  0x0006  YES    YES
      Cookie Preservative           0x0009  YES    NO
      ECN Capable                   0x8000  YES    YES
      Host Name Address             0x000B  YES    YES
      Supported Address Types       0x000C  YES    NO    (RFC 2960 §3.3.2 defines it for the INIT only)
      Unrecognized Parameters       0x0008  NO     YES
      State Cookie                  0x0007  NO     YES
      PR-SCTP Supported             0xC001  YES    YES   (draft-era value; RFC 3758 assigned 0xC000 to Forward-TSN-Supported)
      Set Primary Address           0xC004  YES    YES
      Adaptation Layer Indication   0xC006  YES    YES
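Added example, not from the original slides: a Python encoder and parser for the INIT / INIT-ACK fixed part and its TLV parameters, using the type codes and INIT/INIT-ACK applicability from the table above. The helper names (build_init, parse_init, init_is_valid), the PARAMS table and the sample addresses are this example's own; it also applies the RFC 4960 §3.2.1 rule for unknown parameter types (the two high bits say skip/stop and report/don't report), which the slides do not cover. The bounds checks are the point: a parameter Length below 4 or one that runs past the chunk is exactly how a hostile INIT turns a naive parser into an infinite loop or an over-read.

```python
import struct

# Chunk and parameter type codes from the slide table (RFC 2960 / RFC 4960).
INIT, INIT_ACK = 1, 2
PARAMS = {  # type -> (name, chunk types it may appear in)
    0x0005: ("IPv4 Address", {INIT, INIT_ACK}),
    0x0006: ("IPv6 Address", {INIT, INIT_ACK}),
    0x0007: ("State Cookie", {INIT_ACK}),
    0x0008: ("Unrecognized Parameters", {INIT_ACK}),
    0x0009: ("Cookie Preservative", {INIT}),
    0x000B: ("Host Name Address", {INIT, INIT_ACK}),
    0x000C: ("Supported Address Types", {INIT}),
    0x8000: ("ECN Capable", {INIT, INIT_ACK}),
    0xC004: ("Set Primary Address", {INIT, INIT_ACK}),
    0xC006: ("Adaptation Layer Indication", {INIT, INIT_ACK}),
}
FIXED = "!IIHHI"  # Initiation Tag, rwnd credit, # out streams, max # in streams, Initial TSN


def pad4(n):
    """TLVs end on a 4-byte boundary; the pad bytes are not counted in the Length field."""
    return (n + 3) & ~3


def build_param(ptype, value):
    tlv = struct.pack("!HH", ptype, 4 + len(value)) + value
    return tlv + b"\x00" * (pad4(len(tlv)) - len(tlv))


def build_init(ctype, init_tag, rwnd, out_streams, in_streams, init_tsn, params):
    fixed = struct.pack(FIXED, init_tag, rwnd, out_streams, in_streams, init_tsn)
    var = b"".join(build_param(t, v) for t, v in params)
    return struct.pack("!BBH", ctype, 0, 4 + len(fixed) + len(var)) + fixed + var


def unknown_param_action(ptype):
    """RFC 4960 3.2.1: high bit = skip and continue (else stop), next bit = report it."""
    return bool(ptype & 0x8000), bool(ptype & 0x4000)


def parse_init(chunk):
    if len(chunk) < 20:
        raise ValueError("chunk shorter than the INIT fixed part")
    ctype, _flags, length = struct.unpack_from("!BBH", chunk, 0)
    if ctype not in (INIT, INIT_ACK):
        raise ValueError("not an INIT or INIT-ACK chunk")
    if length < 20 or length > len(chunk):
        raise ValueError("bad chunk length")
    init_tag, rwnd, out_s, in_s, init_tsn = struct.unpack_from(FIXED, chunk, 4)
    # RFC 4960 3.3.2: a zero Initiation Tag or a zero stream count is invalid (peer ABORTs).
    if init_tag == 0:
        raise ValueError("Initiation Tag must be non-zero")
    if out_s == 0 or in_s == 0:
        raise ValueError("stream counts must be non-zero")
    params, unrecognized, off = [], [], 20
    while off < length:
        if length - off < 4:
            raise ValueError("truncated parameter header")
        ptype, plen = struct.unpack_from("!HH", chunk, off)
        # Check before slicing: plen < 4 would never advance, plen past the chunk
        # end would read the next chunk's bytes as this parameter's value.
        if plen < 4 or off + plen > length:
            raise ValueError(f"bad parameter length {plen} at offset {off}")
        value = chunk[off + 4:off + plen]
        if ptype in PARAMS:
            name, allowed = PARAMS[ptype]
            if ctype not in allowed:
                raise ValueError(f"{name} is not allowed in chunk type {ctype}")
            params.append((name, value))
        else:
            skip, report = unknown_param_action(ptype)
            if report:
                unrecognized.append(chunk[off:off + plen])  # echoed back as Unrecognized Parameter
            if not skip:
                break  # stop processing the rest of this chunk
        off += pad4(plen)
    return {"type": ctype, "tag": init_tag, "rwnd": rwnd, "out_streams": out_s,
            "in_streams": in_s, "tsn": init_tsn, "params": params, "unrecognized": unrecognized}


def init_is_valid(chunk):
    try:
        parse_init(chunk)
        return True
    except ValueError:
        return False
```

The stop/report split matters operationally: a parameter such as 0x0FF0 (both high bits clear) halts processing of the whole chunk, whereas one in the 0xC000 range is skipped and reported, which is what lets extensions like PR-SCTP be advertised to peers that have never heard of them.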

  15. Cookie Echo Chunk layout
      Type=10 (0x0A) | Flags=0 | Length=variable
      State Cookie (copied unchanged from the State Cookie parameter of the INIT-ACK)

  16. Cookie Ack Chunk layout
      Type=11 (0x0B) | Flags=0 | Length=4
      • The Cookie-Echo and Cookie-ACK are simple chunks, but they are what lets the listener stay stateless until the peer proves it can receive at the address it sent the INIT from, which helps prevent resource-exhaustion attacks • They serve as the last part of the 4-way handshake that sets up an SCTP association • Both allow bundling with other chunks, such as DATA

  17. DATA Chunk layout
      Type=0x00 | Flags=UBE | Length=variable
      TSN Value (32 bits)
      Stream Identifier (16 bits) | Stream Sequence Number (16 bits)
      Payload Protocol Identifier (32 bits)
      Variable Length User Data
      • Flag bits 'UBE' are used to indicate: • U (0x04) – Unordered Data • B (0x02) – Beginning of Fragmented Message • E (0x01) – End of Fragmented Message • A user message that fits in one chunk has both the B and E bits set

  18. DATA Chunk Fields • TSN: transmission sequence number used for ordering and reassembly and retransmission • Stream Identifier: the stream number for this DATA • Stream Sequence Number: identifies which message this DATA belongs to for this stream • Payload Protocol Identifier: opaque value used by the endpoints (and perhaps network equipment) • User Data: the user message (or portion of)

  19. SACK Chunk layout
      Type=3 | Flags=0 | Length=variable
      Cumulative TSN Acknowledgment (32 bits)
      Receiver Window Credit (32 bits)
      Num of Fragments (Gap Ack Blocks) = N (16 bits) | Num of Dup TSNs = M (16 bits)
      Gap Ack Blk #1 start (16 bits) | Gap Ack Blk #1 end (16 bits)
      ...
      Gap Ack Blk #N start | Gap Ack Blk #N end
      Duplicate TSN #1 (32 bits)
      ...
      Duplicate TSN #M (32 bits)

  20. SACK Chunk Fields • Cumulative TSN Acknowledgment: the highest consecutive TSN that the SACK sender has received • a.k.a. cumulative ack (cum-ack) point • Receiver Window Credit: current rwnd available for the peer to send • # of Fragments: number of Gap Ack Blocks included • # of Duplicates: number of Duplicate TSN reports included

  21. SACK Chunk Fields II • Gap Ack Block Start / End TSN offset: the start and end offset for a range of consecutive TSNs received relative to the cumulative ack point • The TSNs not covered by a Gap Ack Block indicate TSNs that are “missing” • Duplicate TSN: TSN that has been received more than once • Note that the same TSN may be reported more than once

  22. SACK Chunk Example
      Type=3 | Flags=0 | Length=variable
      Cum Ack = 109965
      rwnd = 64200
      Num of Fragments = 2 | Num of Dup = 2
      Gap #1: start = 2 | end = 5
      Gap #2: start = 7 | end = 9
      Duplicate TSN = 109963
      Duplicate TSN = 109964

  23. SACK Example Dissected • The sender’s cum-ack point is 109,965 • The sender has received TSN's 109,967 – 109,970 • The sender has received TSN's 109,972 – 109,974 • The sender is missing 109,966 and 109,971. • The sender received duplicate transmissions of 109,963 and 109,964 • Question: Would you ever see a Gap Ack start of 1?

  24. Heartbeat Chunk layout
      Type=4 | Flags=0 | Length=variable
      Heartbeat Info parameter: Param Type=1 | Length=variable | Heartbeat Data
      • Data within the Heartbeat Data parameter is implementation specific

  25. Heartbeat Ack Chunk layout
      Type=5 | Flags=0 | Length=variable
      Heartbeat Info parameter: Param Type=1 | Length=variable | Heartbeat Data
      • Data within the Heartbeat Data parameter is implementation specific and is a straight echo of what was received in the Heartbeat chunk

  26. Shutdown Chunks
      SHUTDOWN:           Type=7  | Flags=0 | Length=8 | Cumulative TSN (32 bits)
      SHUTDOWN-ACK:       Type=8  | Flags=0 | Length=4
      SHUTDOWN-COMPLETE:  Type=14 | Flags=T | Length=4

  27. Shutdown Chunk Fields • The SHUTDOWN chunk also carries a Cumulative TSN Acknowledgment field to indicate the highest TSN that the SHUTDOWN sender has seen. • A SACK chunk may be bundled to give a more complete picture (e.g. Gap Ack Blocks) of the sender’s receive state.

  28. Operational Error Chunk layout
      Type=9 | Flags=0 | Length=variable
      One or more Error Causes, each: Error Cause Code (16 bits) | Length (16 bits) | Cause-specific information

  29. Summary of Error Causes
      Error Cause                                  Code
      Invalid Stream Identifier                     1  (0x0001)
      Missing Mandatory Parameter                   2  (0x0002)
      Stale Cookie Error                            3  (0x0003)
      Out of Resource                               4  (0x0004)
      Unresolvable Address                          5  (0x0005)
      Unrecognized Chunk Type                       6  (0x0006)
      Invalid Mandatory Parameter                   7  (0x0007)
      Unrecognized Parameter Type                   8  (0x0008)
      No User Data                                  9  (0x0009)
      Cookie Received While Shutting Down          10  (0x000A)
      Restart of Association With New Addresses    11  (0x000B)
      User Initiated Abort                         12  (0x000C)
      Protocol Violation                           13  (0x000D)
      (Cause codes are decimal in the RFC; the last four are 10 to 13, not 0x0010 to 0x0013.)

  30. Abort Chunk layout
      Type=6 | Flags=T | Length=variable
      Zero or more Error Causes, each: Error Cause Code (16 bits) | Length (16 bits) | Cause-specific information

  31. The T-bit • Both the SHUTDOWN-COMPLETE and ABORT chunks use a single flag bit • The T bit is the least significant bit of the Flags field, i.e. binary -------x • When this bit is 0, the sender has a TCB and the V-Tag in the common header is the correct one for the association • When this bit is 1, the sender has NO TCB and the V-Tag is reflected, i.e. set to the V-Tag value of the packet being responded to; this is how an endpoint with no association can still answer a stray packet without knowing the tags

  32. Forward-TSN Chunk layout
      Type=192 (0xC0) | Flags=0 | Length=variable
      New Cumulative TSN (32 bits)
      Stream Id 1 (16 bits) | Stream Seq 1 (16 bits)
      ...
      Stream Id N (16 bits) | Stream Seq N (16 bits)

  33. Forward-TSN Chunk Fields • New Cumulative TSN: the new cumulative ack point that the receiver should move forward (skip) to • Treat all TSNs up to this new point as having been received • Stream Identifier/Stream Sequence Number: the largest stream sequence number being skipped for a given stream • Multiple Stream Identifier-Sequence Number pairs may be included if the Forward TSN covers multiple messages

  34. Forward TSN Operation • Used to move the cumulative ack point forward without retransmitting data. • Note the receiver could move the point forward further if the Forward TSN skips past a missing block of TSNs • Has zero or more stream and sequence numbers listed to help a receiver free stranded data. • Is part of the PR-SCTP document, a draft at the time and since published as RFC 3758.

  35. Other Extensions • Several SCTP extensions exist • Packet Drop is a Cisco-originated extension that inter-works the router with the endpoint. • ADD-IP allows for dynamic addition and removal of IP addresses (since published as RFC 5061) • AUTH allows two endpoints to negotiate the authentication of specific chunks (such as ADD-IP chunks, which would otherwise let an attacker who knows the V-Tags redirect an association). It uses the Purpose-Built Keys (PBK) draft (since published as RFC 4895)

  36. Parameters and Error Causes • RFC 2960 lays out all the basic data formats • The SCTP book on pages 47-55 also holds illustrations of the various chunk layouts and details. • Error causes are also in the RFC and can be found on pages 65-73 of the SCTP book • The SCTP Implementors Guide (draft) contains a few new parameters mentioned previously • We will let your curiosity guide you in viewing these bits and bytes if you're interested

  37. Questions • Questions before we break • In the next sections, we will begin going through the protocol operation details

  38. Setting Up an Association
      Endpoint A                            Endpoint Z
        INIT           ----------------->
                       <-----------------    INIT-ACK
        COOKIE-ECHO *  ----------------->    (association is up at Z once the cookie is validated)
                       <-----------------    COOKIE-ACK *
        (association is up at A)
      * User data can be attached (bundled) to these chunks

  39. SCTP Association Setup • SCTP uses a four-way handshake to set up an association • The side doing the active (or implicit) open will formulate and send an INIT chunk • The sender of the INIT includes various parameters: • IPv4 and IPv6 address parameters identifying all bound addresses within the peer's scope • Extensions such as PR-SCTP, Adaptation Layer Indication and possibly a Supported Address Types list • There could also be cookie preservatives and other sundry items as well

  40. Sending an INIT • Two important random values that a sender of an INIT (and an INIT-ACK) generates: • A Verification Tag (V-Tag) provides the peer with a nonce that must be present in every packet sent (it is carried in the Initiation Tag field) • An Initial TSN provides the starting point for the transport sequence space • The V-Tag provides modest security for the association, since a blind, off-path attacker must guess a random 32-bit value to inject data or abort the association, and it also removes the need for a pseudo-header in the checksum • Caveat: the V-Tag travels in the clear, so it defeats blind injection only, not an on-path attacker; and both values must come from a real random source, because predictable tags or TSNs make blind injection trivial

  41. The INIT is in Flight
      Endpoint A   ---- INIT ---->   Endpoint Z

  42. Receiving an INIT • The receiver of the INIT will validate that a listener exists for the destination port. If not, it sends an ABORT back to the sender, with the V-Tag set to the Initiation Tag from the INIT. • It may do some checking and validation, but in general it will always send back an INIT-ACK while saving NO state. Because no TCB exists until a valid COOKIE-ECHO returns, a flood of INITs (spoofed or not) cannot exhaust the listener's connection table the way a TCP SYN flood does. • Caveat: the listener still spends CPU generating and MAC-ing a cookie for every INIT, and the INIT-ACK carrying the cookie is larger than the INIT, so spoofed INITs can still use the listener as a reflector toward the forged source; the cookie protects state, not bandwidth or CPU. • In formulating an INIT-ACK, the responder includes all the various parameters just as a sender does when formulating an INIT, but with one important addition.

  43. Formulating the INIT-ACK Response • The receiver of the INIT MUST include a state cookie parameter in the INIT-ACK response. • The state cookie parameter: • Is protected by a keyed MAC computed with a secret known only to this endpoint (HMAC over MD5 or SHA-1 was the usual choice); the peer cannot verify it and does not need to, it only has to return it unchanged • Contains ALL the state needed to set up the association (usually the entire INIT and some pieces of the INIT-ACK) • Is implementation specific, but must include a creation timestamp (and lifespan) so stale or replayed cookies can be rejected • Pages 86-88 of the SCTP reference book go into more detail on state cookie generation

  44. Back Goes the INIT-ACK
      Endpoint A   ---- INIT ---->       Endpoint Z
                   <--- INIT-ACK ----

  45. When the INIT-ACK Arrives… • The receiver of the INIT-ACK must take special care in finding the association for the endpoint that sent the INIT. • In particular it must look at the address list inside the INIT-ACK in case the source address is not the same as where the INIT was sent. • After finding the association, the receiver will add all of the peer’s information (addresses, V-Tag, initial sequence number, etc.) to the local TCB.

  46. More on Processing the INIT-ACK • At this point the receiver must reply back with a COOKIE-ECHO chunk: • The cookie is retrieved by simply finding the state-cookie parameter and changing the first two bytes into the chunk type and flags field (set to 0) of the COOKIE-ECHO chunk. • This chunk is sent back to the source address of the INIT-ACK packet. • As long as the COOKIE-ECHO chunk is first in the packet, any queued DATA chunks may be bundled in the SCTP packet.

  47. Feed the Peer a Cookie
      Endpoint A   ---- INIT ---->           Endpoint Z
                   <--- INIT-ACK ----
                   ---- COOKIE-ECHO * --->
      * User data can be attached (bundled) to this chunk

  48. A Packet with the COOKIE-ECHO (and a bundled DATA chunk)
      Common header:  Source Port | Destination Port | Verification Tag | Checksum
      Chunk 1:        Type=0x0A (COOKIE-ECHO) | Flags=0 | Chunk Length=N
                      Cookie Data (N – 4 bytes)
      Chunk 2:        Type=0x00 (DATA) | Flags=0x03 (B and E set: one complete, unfragmented message) | Chunk Length=K
                      TSN = X | Stream Number = M | Stream Sequence = 0 | Payload Protocol ID = A
                      User Data (K – 16 bytes)

  49. Processing the Cookie-Echo • First, validate that the state cookie has not been modified: recompute the MAC over the cookie with the endpoint's secret key and compare it (in constant time) with the MAC carried in the cookie. If they do not match, the cookie is silently discarded; no error is sent. • Next, the timestamp field in the cookie is checked. If it proves to be an old cookie, a Stale Cookie Error (cause 3, carrying a Measure of Staleness in microseconds) is sent to the peer. • Otherwise, the cookie is used to create a new TCB. • The association now enters the ESTABLISHED state.

  50. More on Cookie Processing • Note that this quick summary assumes a normal non-collision, non-restart case. Collision cases are accounted for in the specification. • After the cookie is processed and the TCB is created, the endpoint then processes any additional chunks contained in the packet. • Note that the additional chunks are processed in the ESTABLISHED state, since the cookie processing was completed.
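Added example, not from the original slides and not any real stack's code: a Python model of the four-way handshake described in slides 38-50, with the responder keeping no state between INIT and COOKIE-ECHO. The cookie carries the peer's tag and TSN, the responder's own tag and TSN, a creation time and a lifespan, and is protected by an HMAC (SHA-256 here, where the slides mention MD5/SHA-1) under a secret only the responder holds. The COOKIE_LIFE constant, the cookie layout, the sample addresses and the class and function names are assumptions of this example; a real implementation also rotates the secret, stores the full address lists, handles the collision and restart cases, and encodes the chunks as bytes.

```python
import hashlib
import hmac
import secrets
import struct
import time

COOKIE_LIFE = 60          # seconds; RFC 4960 default Valid.Cookie.Life (1 s granularity assumed)
MAC = hashlib.sha256      # the slides mention MD5/SHA-1; HMAC-SHA256 is used in this example
COOKIE_FMT = "!IIIIIIH"   # peer tag, my tag, peer TSN, my TSN, creation time, lifespan, addr len


def rand32_nonzero():
    """Initiation Tag / V-Tag: a random 32-bit value that must not be zero."""
    while True:
        v = secrets.randbits(32)
        if v:
            return v


class Responder:
    """Passive side. Holds one secret; a TCB is created only when a valid cookie comes back."""

    def __init__(self, port):
        self.port = port
        self.secret = secrets.token_bytes(32)
        self.tcbs = {}  # (peer address, peer tag) -> association state

    def on_init(self, peer_addr, init, now=None):
        if init["port"] != self.port or init["tag"] == 0:
            return "ABORT", None  # no listener on that port, or invalid Initiation Tag
        now = int(time.time()) if now is None else now
        my_tag, my_tsn = rand32_nonzero(), secrets.randbits(32)
        addr = peer_addr.encode()
        body = struct.pack(COOKIE_FMT, init["tag"], my_tag, init["tsn"], my_tsn,
                           now, COOKIE_LIFE, len(addr)) + addr
        cookie = body + hmac.new(self.secret, body, MAC).digest()
        # Nothing is stored here: everything needed to build the TCB rides inside the cookie.
        return "INIT-ACK", {"tag": my_tag, "tsn": my_tsn, "cookie": cookie}

    def on_cookie_echo(self, peer_addr, cookie, now=None):
        now = int(time.time()) if now is None else now
        hdr, mac_len = struct.calcsize(COOKIE_FMT), MAC().digest_size
        body, mac = cookie[:-mac_len], cookie[-mac_len:]
        expected = hmac.new(self.secret, body, MAC).digest()
        # Constant-time compare so a forger learns nothing from timing; a bad MAC is
        # dropped silently, no ERROR goes back.
        if len(body) < hdr or not hmac.compare_digest(mac, expected):
            return "DISCARD", None
        peer_tag, my_tag, peer_tsn, my_tsn, created, life, alen = struct.unpack_from(COOKIE_FMT, body)
        if now > created + life:
            staleness_us = (now - created - life) * 1_000_000  # Measure of Staleness, microseconds
            return "ERROR Stale Cookie", staleness_us
        tcb = {"state": "ESTABLISHED", "peer_addr": body[hdr:hdr + alen].decode(),
               "my_tag": my_tag, "peer_tag": peer_tag, "my_tsn": my_tsn, "peer_tsn": peer_tsn}
        self.tcbs[(peer_addr, peer_tag)] = tcb
        return "COOKIE-ACK", tcb


class Initiator:
    """Active side: CLOSED -> COOKIE-WAIT -> COOKIE-ECHOED -> ESTABLISHED."""

    def __init__(self, addr, dst_port):
        self.addr, self.dst_port = addr, dst_port
        self.tag, self.tsn = rand32_nonzero(), secrets.randbits(32)
        self.state, self.peer = "CLOSED", None

    def send_init(self):
        self.state = "COOKIE-WAIT"
        return {"port": self.dst_port, "tag": self.tag, "tsn": self.tsn}

    def on_init_ack(self, ack):
        self.peer = {"tag": ack["tag"], "tsn": ack["tsn"]}  # peer's tag is the V-Tag we must send
        self.state = "COOKIE-ECHOED"
        return ack["cookie"]  # COOKIE-ECHO carries the cookie back unchanged

    def on_cookie_ack(self):
        self.state = "ESTABLISHED"


def handshake(initiator, responder, now=0, tamper=None, echo_delay=0):
    """Run the four-way exchange; returns the kind of the responder's final chunk."""
    kind, ack = responder.on_init(initiator.addr, initiator.send_init(), now=now)
    if kind != "INIT-ACK":
        return kind
    cookie = initiator.on_init_ack(ack)
    if tamper:
        cookie = tamper(cookie)  # simulate an on-path modification of the cookie
    kind, _tcb = responder.on_cookie_echo(initiator.addr, cookie, now=now + echo_delay)
    if kind == "COOKIE-ACK":
        initiator.on_cookie_ack()
    return kind
```

The responder's tcbs dictionary is the thing to watch: it stays empty after any number of INITs and only grows when a cookie with a valid MAC and an unexpired timestamp returns, which is the whole of the SYN-flood defence the slides describe.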
