Ph.D. Unurkhaan Esbold, Computer Science and Management School, Mongolian University of Science and Technology. “InfoSec Mongolia 2006” conference, Ulaanbaatar.
Secure End-to-End Transport over SCTP

Overview
- SCTP (Stream Control Transmission Protocol)
  – History, main features, SCTP extensions
- Introduction and analysis of standardized SCTP security solutions
  – TLS over SCTP
  – SCTP over IPsec
- Challenges for secure end-to-end transport over SCTP
- Secure SCTP
  – Basic ideas
  – Functional structure and some highlights
- Results of comparative performance measurements in a lab testbed
- Conclusion and outlook

Stream Control Transmission Protocol “SCTP” – History and purpose
[Figure: protocol stack with App1 over SCTP, App2 over TCP and App3 over UDP in the transport layer, all over IP in the network layer]
- Defined by the SIGTRAN WG of the IETF in RFC 2960 in October 2000
- Initial SCTP focus:
  – Transport of telephony signaling over IP networks
- Stream Control Transmission Protocol (SCTP):
  – Reliable, message-oriented, general-purpose IETF transport protocol
SIGTRAN WG: Signaling Transport Working Group. TSV WG: Transport Area Working Group.

SCTP – Comparison with TCP
Like TCP:
- checksum and sequence number
- reliable transmission
- ordered delivery
- flow and congestion control
- fast retransmission
Unlike TCP:
- multihoming
- multiple streams
- unordered delivery
- 32-bit checksum
- protection against blind attacks
- selective acknowledgement

SCTP – Terminology
- A “stream” is a unidirectional logical channel transporting a sequence of messages
- SCTP supports multiple independent streams per association
- Messages are transported in information units called “chunks”
- Multiple chunks can be “bundled” together into one SCTP packet to reduce overhead
- A “path” is a unidirectional network route between associated SCTP endpoints
- SCTP endpoints can use multiple redundant paths through the network
- A “connection” between two SCTP endpoints is called an “association”
[Figure: an SCTP endpoint with applications App1–App3 on streams S1–S3, two network interfaces NI-1/NI-2 with addresses IP-A1/IP-A2 over IP, and an SCTP packet made of a common header (CH) followed by chunks]

SCTP – Packet format and chunks
[Figure: an SCTP packet is a 32-bit-wide common header (source port, destination port, ...) followed by control chunk(s) and data chunks 1..N; each chunk begins with a chunk header carrying its type, followed by control data or user data]

SCTP main features – Multi-Streaming
- Multiplexing of several independent message streams within one SCTP association via multiple streams
[Figure: data chunks D1–D6 from streams S1, S2, S3, ..., SN at SCTP endpoint A are carried in one packet stream and delivered to the same streams at SCTP endpoint B. S1, S2, S3, ..., SN – SCTP streams; D1–D6 – SCTP data chunks]

SCTP main features – Multi-Homing
- SCTP entities with multiple network addresses and redundant paths
[Figure: SCTP endpoint A (NI-1/IP-A1, NI-2/IP-A2) and SCTP endpoint B (NI-1/IP-B1, NI-2/IP-B2) connected through the IP network, with one path marked as the primary path]
NI – Network interface

SCTP main features – Flexible delivery
- Flexible message delivery per stream: ordered or unordered
[Figure: two receivers, each with transmission link, receive buffer, resequencing buffer and upper layer; all data chunks belong to the same stream. For the ordered message, chunk 6 is held in the resequencing buffer while chunk 3 is missing; the unordered message is passed to the upper layer as it arrives]

SCTP – Protocol extensions
- Partial reliability extension
  – Retransmission can be limited for some messages; some messages may not arrive at the receiving application (unreliable service)
  – Useful for real-time traffic where late messages are discarded anyway
- Dynamic address reconfiguration
  – Add and drop IP addresses of established associations dynamically
  – Request the peer endpoint to use a specific path as primary path
  – Useful to support mobility of terminals

Standardized SCTP security solutions – TLS over SCTP
[Figure: SCTP endpoints A and B with App1–App3 on streams S1–S3 over SCTP/IP; TLS 1 and TLS 2 form Secure Session 1 and Secure Session 2 over individual streams, so secured and unsecured streams coexist within the association]
TLS: Transport Layer Security

Standardized SCTP security solutions – SCTP over IPsec
[Figure: SCTP endpoints A and B, each with App1–App3 on streams S1–S3 over SCTP, IP and IPsec; IPsec SAs between the two IP/IPsec layers carry the SCTP traffic]
IPsec: Internet Protocol Security

Standardized SCTP security solutions – SCTP over IPsec
- X, Y – number of IP addresses of the two endpoints
- Required: minimum X+Y IPsec SAs, maximum 2*X*Y IPsec SAs
[Figure: SCTP endpoint A with interfaces NI-1..NI-X and addresses IP-A1..IP-AX, SCTP endpoint B with NI-1..NI-Y and IP-B1..IP-BY, connected by IPsec SAs]

Standardized security solutions – Comparison
Criteria compared for TLS over SCTP and SCTP over IPsec:
- Dynamic Address Reconfiguration (SCTP extension)
- Partially Reliable Transport (SCTP extension)
- Management of security sessions (handling)
- Flexible multiplexing of secure/insecure streams
- Protection for SCTP control chunks
- Overhead for long messages (fragmentation)
- Overhead for small messages (bundling)
- Protection for unordered delivery service
- Support for SCTP multi-homing
- Scalability for multiple streams
Legend: (+) – advantage, (-) – disadvantage, (no) – not possible
[Table cell values not recoverable from the transcript]

SCTP – Challenges for secure end-to-end transport
- Standard security protocols are defined for TCP, but
  – SCTP is different: multi-streaming, multi-homing, flexible delivery, partial reliability, dynamic address reconfiguration
- Application of standard security protocols is possible, but
  – Some SCTP features cannot be used
  – There are potential performance limitations
- Possible solutions
  – Significantly modify the standard security protocols: not realistic due to already existing applications
  – Significantly modify and extend SCTP: the approach chosen in this project

Secure SCTP (S-SCTP) – Basic Ideas
- Secure SCTP integrates security functions into SCTP
- S-SCTP is designed to
  – Be interoperable with standard SCTP
  – Support all SCTP features and extensions
  – Be scalable: one „security session“ per SCTP association
  – Be efficient: flexible mix of secure and non-secure data transfer
  – Be user friendly
- S-SCTP provides the same security features as TLS and IPsec
  – Authentication and/or encryption
  – Flexible cipher suite selection
  – Use of PKI or pre-shared keys
PKI: Public Key Infrastructure

S-SCTP – Basic concept
[Figure: SCTP endpoints A and B, each with App1–App3 on streams S1–S3 over SCTP/IP and two network interfaces; a security mechanism inside SCTP forms one secure session for the whole association, with individual streams marked secured or unsecured]

S-SCTP – Integration of security functions
[Figure: functional structure between the upper layer and the network layer. Control path: State Controller, Path Manager, Crypto Controller. Data path: Stream Layer, Flow Control/Reliable Transfer, Bundling, Packet Assembly/Disassembly, Message Validation, Encryption/Decryption, Authentication]

S-SCTP – Data path and bundling
- Three new chunk types:
  – EncData chunk: contains encrypted chunks, random number, key ID
  – Auth chunk: contains HMAC, key ID
  – Padding chunk: contains random numbers
[Figure: chunks that require encryption are bundled together with a Padding chunk inside an EncData chunk; chunks that do not require encryption (Chunk3) are bundled in the clear; the resulting S-SCTP packet is Common Header (CH), Control Chunk (CC), EncData, the unencrypted chunks, Auth]
HMAC: Keyed-Hashing for Message Authentication

S-SCTP – Security levels and packet formats
- Security Level 0: No security, downward compatible
  CH | CC | Chunk1 | Chunk2 | Chunk3
- Security Level 1: Full authentication of all SCTP packets
  CH | CC | Chunk1 | Chunk2 | Chunk3 | Auth
- Security Level 2: Full authentication, encryption of selected data chunks
  CH | CC | EncData[selected chunks | Padding] | remaining chunks | Auth
- Security Level 3: Full authentication and encryption of all chunks
  CH | EncData[CC | Chunk1 | Chunk2 | Chunk3 | Padding] | Auth
- Both endpoints can have different security levels
CH – Common Header, CC – Control Chunk
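Added sketch of the data-path design from this slide and the previous one (chunk bundling, EncData/Auth/Padding chunks, security levels 0 to 3); it is not the author's S-SCTP code. Assumed: the numeric chunk types, the port and verification-tag values, the constructed pre-shared key, and a SHA-256 counter keystream standing in for the slides' 3DES/AES; control chunks and the CRC are left out. It shows how the trailing Auth chunk's HMAC over the common header and every chunk makes a modified chunk detectable at levels 1 to 3, while level 2 leaves unflagged chunks readable and level 3 hides them all.

```python
import hashlib, hmac, os, struct

# ASSUMED chunk type codes: the slides name these chunks but give no numbers.
T_DATA, T_ENCDATA, T_AUTH, T_PAD = 0, 0xC1, 0xC2, 0xC3   # DATA = 0 is real SCTP
KEY_ID, KEY = 1, b"constructed-pre-shared-key"           # constructed demo key

def chunk(ctype, value):
    """SCTP chunk TLV: type, flags, length incl. 4-byte header, padded to 4."""
    tlv = struct.pack("!BBH", ctype, 0, 4 + len(value)) + value
    return tlv + b"\0" * (-len(tlv) % 4)

def parse_chunks(body):
    """Walk the chunks bundled in one packet body -> [(type, value), ...]."""
    out, i = [], 0
    while i + 4 <= len(body):
        ctype, _, length = struct.unpack("!BBH", body[i:i + 4])
        out.append((ctype, body[i + 4:i + length]))
        i += length + (-length % 4)
    return out

def keystream_xor(key, nonce, data):
    """Stand-in for the slides' 3DES/AES: SHA-256 counter keystream, not a real cipher."""
    ks = b"".join(hashlib.sha256(key + nonce + struct.pack("!I", n)).digest()
                  for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def build(level, messages, key=KEY):
    """messages: [(payload, needs_encryption)]; level 0..3 as on the slide."""
    hdr = struct.pack("!HHII", 5000, 5000, 0x11223344, 0)  # ports, vtag, CRC left 0
    hide = [level == 3 or (level == 2 and s) for _, s in messages]
    body = b""
    if any(hide):   # selected chunks (level 2) or all chunks (level 3) go into EncData
        inner = b"".join(chunk(T_DATA, c) for (c, _), h in zip(messages, hide) if h)
        inner += chunk(T_PAD, os.urandom(-len(inner) % 16))   # random filler hides sizes
        nonce = os.urandom(8)                                 # the "random number"
        body += chunk(T_ENCDATA, struct.pack("!H", KEY_ID) + nonce
                      + keystream_xor(key, nonce, inner))
    body += b"".join(chunk(T_DATA, c) for (c, _), h in zip(messages, hide) if not h)
    if level >= 1:  # HMAC covers the common header and every chunk, control included
        mac = hmac.new(key, hdr + body, hashlib.sha1).digest()
        body += chunk(T_AUTH, struct.pack("!H", KEY_ID) + mac)
    return hdr + body

def verify(packet, key=KEY):
    """True only if the packet ends with an Auth chunk whose HMAC matches."""
    chunks = parse_chunks(packet[12:])
    if not chunks or chunks[-1][0] != T_AUTH:
        return False                       # level 0: nothing protects the chunks
    covered = packet[:len(packet) - len(chunk(T_AUTH, chunks[-1][1]))]
    expected = hmac.new(key, covered, hashlib.sha1).digest()
    return hmac.compare_digest(expected, chunks[-1][1][2:])
```

verify() returning False for a level-0 packet is the point of the comparison tables: without an Auth chunk, nothing protects control or data chunks, which is the gap TLS over SCTP leaves open.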

S-SCTP – Qualitative comparison

Criteria                                          | SCTP over IPsec | TLS over SCTP | S-SCTP
--------------------------------------------------|-----------------|---------------|-------
Dynamic Address Reconfiguration (SCTP extension)  | -               | +             |
Support for SCTP multi-homing                     | -               | +             |
Partially Reliable Transport (SCTP extension)     | +               | no            |
Management of security sessions (handling)        | -               | +             |
Flexible multiplexing of secure/insecure streams  | no              | +             |
Protection for SCTP control chunks                | +               | no            |
Protection for unordered delivery service         | +               | no            |
Overhead for long messages (fragmentation)        | -               | +             |
Overhead for small messages (bundling)            | +               | -             |
Scalability for multiple streams                  | +               | -             |
[S-SCTP column values not recoverable from the transcript]

S-SCTP measurements – Lab setup and parameters
- Lab testbed
  – 2 PCs directly connected to the 100 MHz switch
  – Both PCs have a 100 MHz LAN card
  – First PC: AMD Athlon 1.4 GHz
  – Second PC: Pentium 3, 600 MHz
- Some additional components had to be implemented
  – Traffic source
  – Extension to Ethereal
- Measurement execution
  – Measurement period was 5 minutes
  – Throughput was measured in 1 second intervals
  – Each measurement was repeated 20 times
  – The throughput was calculated as the mean of all measurements

S-SCTP measurement results – Throughput vs. message size (3DES-SHA), no bundling used
[Chart not included in the transcript]

S-SCTP measurement results – Throughput vs. message size (AES-SHA), no bundling used
[Chart not included in the transcript]

S-SCTP measurement results – Throughput vs. message size (3DES-SHA), bundling used
[Chart not included in the transcript]

S-SCTP measurement results – Throughput vs. traffic mix (3DES-SHA), message size 1000 bytes: no fragmentation
[Chart not included in the transcript]

S-SCTP measurement results – Memory usage vs. number of streams
- IPsec and S-SCTP use about 2.4 MB memory
[Chart not included in the transcript]

Conclusion and outlook
- SCTP is used for sensitive applications
  – Secure end-to-end transport over SCTP is required
- Standardized SCTP security solutions have some severe limitations
  – They were designed to require only minimum modification of SCTP/TLS/IPsec
- The S-SCTP extension has been proposed
  – It is feasible, as demonstrated by a prototype implementation
- The integrated S-SCTP solution has significant advantages
  – S-SCTP supports all SCTP protocol features and extensions
  – S-SCTP performs well over a wide range of protocol parameters: message size, mix of secured and unsecured traffic, number of concurrent streams
  – It is user friendly (simple API, predefined security levels)
- But: S-SCTP is not a standardized solution

Thank you very much