Ph.D Unurkhaan Esbold, Computer Science and Management School, Mongolian University of Science and Technology “InfoSec Mongolia 2006” conference, Ulaanbaatar, Secure End-to-End Transport over SCTP

U.Esbold Secure End-to-End Transport over SCTP Overview SCTP (Stream Control Transmission Protocol) –History, main features, SCTP extensions Introduction and analysis of standardized SCTP security solutions –TLS over SCTP –SCTP over IPsec Challenges for secure end-to-end transport over SCTP Secure SCTP –Basic ideas –Functional structure and some highlights Results of comparative performance measurements in lab testbed Conclusion and outlook

U.Esbold Secure End-to-End Transport over SCTP Transport layer IP Network layer SCTP App1 TCP App2 UDP App3 SIGTRAN WG: Signaling Transport Working Group TSV WG: Transport Area Working Group Stream Control Transmission Protocol “SCTP” – History and purpose Defined by SIGTRAN WG of IETF in RFC 2960 in October 2000 Initial SCTP focus: –Transport of telephony signaling over IP networks Stream Control Transmission Protocol (SCTP) –Reliable, message oriented general purpose IETF transport protocol

U.Esbold Secure End-to-End Transport over SCTP Like TCP checksum and sequence number reliable transmission ordered delivery flow and congestion control fast retransmission Unlike TCP multihoming multiple streams unordered delivery 32 bits checksum protection against blind attack selective acknowledgement SCTP – Comparison with TCP

U.Esbold Secure End-to-End Transport over SCTP SCTP – Terminology A “stream” is a unidirectional logical channel transporting a sequence of messages SCTP supports multiple independent streams per association Messages are transported in information units called “chunks” Multiple chunks can be “bundled” together into a SCTP packet to reduce overhead A “path” is a unidirectional network route between associated SCTP endpoints SCTP endpoints can use multiple redundant paths through the network A “connection” between two SCTP endpoints is called “association” S1 SCTP S2 S3 App1 App3 App 2 NI-2 NI-1 IP-A1 IP-A2 IP SCTP Endpoint SCTP Packet CH

U.Esbold Secure End-to-End Transport over SCTP Data chunk1 Control chunk(s)Common header Data chunkN Dest. port Source port 32 bits User Data Chunk header 32 bits Control Data Chunk header 32 bits SCTP – Packet format and chunks Type

U.Esbold Secure End-to-End Transport over SCTP SCTP main features – Multi-Streaming SCTP endpoint B S2 S3 SN S1 D1 D2 D3 D4 D5 D6 S2 S3 SN S1 D1 D2 D3 D4D5 D6 S1, S2, S3,..., SN – SCTP streams D1 – D6 – SCTP data chunks SCTP endpoint A Multiplexing of several independent message streams within one SCTP association via multiple streams D1 D2D3D4D5D6 packet stream

U.Esbold Secure End-to-End Transport over SCTP SCTP main features – Multi-Homing SCTP entities with multiple network addresses and redundant paths NI-2 NI-1 IP-A1 IP-A2 IP NI-2 NI-1 IP-B1 IP-B2 IP SCTP Endpoint A SCTP IP network SCTP SCTP Endpoint B NI – Network interface Primary path

U.Esbold Secure End-to-End Transport over SCTP Upper layer Transmission link Upper layer Transmission link Receive buffer Resequencing buffer 6 3 missing SCTP main features – Flexible delivery Flexible message delivery per stream: Ordered or unordered 3 3 All data chunks belong to the same stream Unordered messageOrdered message

U.Esbold Secure End-to-End Transport over SCTP SCTP – Protocol extensions Partial reliability extension –Retransmission can be limited for some messages Some messages may not arrive at the receiving application –unreliable service –Useful for real-time traffic where late messages are discarded anyway Dynamic address reconfiguration –Add and drop IP addresses of established associations dynamically –Request peer endpoint to use specific path as primary path –Useful to support mobility of terminals

U.Esbold Secure End-to-End Transport over SCTP TLS 2 Secure Session 2 Secure Session 1 TLS 1 Standardized SCTP security solutions – TLS over SCTP App3 App 2 S1 SCTP S2 S3 IP S3 SCTP S2 S1 IP App1 SCTP Endpoint ASCTP Endpoint B Unsecured Secured SCTP Endpoint A SCTP Endpoint B TLS: Transport Layer Security

U.Esbold Secure End-to-End Transport over SCTP Standardized SCTP security solutions – SCTP over IPsec App1 IP IPsec IP IPsec App3 App 2 App3 App 2 IPsec SAs S1 SCTP S2 S3 S1 SCTP S2 S3 SCTP Endpoint ASCTP Endpoint B Unsecured Secured IPSec: Internet Protocol Security

U.Esbold Secure End-to-End Transport over SCTP Standardized SCTP security solutions – SCTP over IPsec X, Y – number of IP addresses of the two endpoints Required: Minimum X+Y IPsec SAs Maximum 2* X * Y IPsec SAs IPsec SAs SCTP Endpoint A SCTP SCTP Endpoint B SCTP NI-X NI-1.. IP-A1.. IP-AX IP IPsec NI-Y NI-1.. IP-B1.. IP-BY IP IPsec

U.Esbold Secure End-to-End Transport over SCTP Standardized security solutions - Comparison Dynamic Address Reconfiguration (SCTP extension) Partially Reliable Transport (SCTP extension) Management of security sessions (handling) Flexible multiplexing of secure/insecure streams Protection for SCTP control chunks Overhead for long messages (fragmentation) Overhead for small messages (bundling) Protection for unordered delivery service Support for SCTP multi-homing Scalability for multiple streams Criteria (+) – advantage, (-) – disadvantage, (no) – not possible + no TLS over SCTP no SCTP over IPsec

U.Esbold Secure End-to-End Transport over SCTP SCTP – Challenges for secure end-to-end transport Standard security protocols are defined for TCP, but –SCTP is different Multi-streaming, multi-homing, flexible delivery Partial reliability, dynamic address reconfiguration Application of standard security protocols is possible, but –Some SCTP features cannot be used –There are potential performance limitations Possible solutions –Significantly modify standard security protocols Not realistic due to already existing applications –Significantly modify and extend SCTP Approach chosen in this project

U.Esbold Secure End-to-End Transport over SCTP Secure SCTP (S-SCTP) – Basic Ideas S-SCTP is designed to –Be interoperable with standard SCTP –Support all SCTP features and extensions –Be scalable One „security session“ per SCTP association –Be Efficient Flexible mix of secure and non-secure data transfer –Be user friendly S-SCTP provides the same security features as TLS and IPSec –Authentication and/or encryption –Flexible cipher suite selection –Use of PKI or pre-shared keys Secure SCTP integrates security functions into SCTP PKI: Public Key Infrastructure

U.Esbold Secure End-to-End Transport over SCTP S-SCTP – Basic concept SCTP Endpoint A S1 S2 S3 SCTP IP IP-A2 IP-A1 NI-2 NI-1 security mechanism Unsecured Secured SCTP Endpoint B S1 S2 S3 SCTP IP IP-A2 IP-A1 NI-2 NI-1 App3 App 2 App1 security mechanism App3 App 2 App1 One secure session

U.Esbold Secure End-to-End Transport over SCTP S-SCTP – Integration of security functions Stream Layer Upper Layer State Controller FlowControl/ Reliable Transfer Packet Assembly/ Disassembly Network layer Message Validation Bundling Encryption/ Decryption Authentication Path- Manager Control-Path Crypto- Controller Data-Path

U.Esbold Secure End-to-End Transport over SCTP S-SCTP – Data path and bundling Three new chunk types: –EncData chunk : contains encrypted chunks, random number, key ID –Auth chunk : contains HMAC, key ID –Padding chunk: contains random numbers S-SCTP packet Chunk1Ch2 Chunk3... EncData Chunk1 Ch2 Auth Padding Common Header CHCC Control Chunk EncData Chunk3 Chunk1 Padding Chunk3 Requires encryption Does not require encryption HMAC: Keyed-Hashing for Message Authentication

U.Esbold Secure End-to-End Transport over SCTP S-SCTP – Security levels and packet formats Security Level 3: Full authentication and encryption of all chunks AuthCH EncData Chunk2 Chunk1 Padding CC Chunk3 CH - Common Header CC – Control Chunk Security Level 0: No security, downward compatible CCCHChunk1Chunk2Chunk3 Security Level 1: Full authentication of all SCTP packets CCCHChunk1Chunk2Chunk3Auth Security Level 2: Full authentication, encryption of selected data chunks AuthCH EncData Chunk2 Chunk1 Padding CCChunk3 Both endpoints can have different security levels

U.Esbold Secure End-to-End Transport over SCTP S-SCTP – Qualitative comparison -+Dynamic Address Reconfiguration (SCTP extension) -+Support for SCTP multi-homing +noPartially Reliable Transport (SCTP extension) -+Management of security sessions (handling) no+Flexible multiplexing of secure/insecure streams +noProtection for SCTP control chunks +noProtection for unordered delivery service -+Overhead for long messages (fragmentation) +-Overhead for small messages (bundling) +-Scalability for multiple streams SCTP over IPsec TLS over SCTP Criteria S-SCTP

U.Esbold Secure End-to-End Transport over SCTP S-SCTP measurements – Lab setup and parameters Lab testbed –2 PCs directly connected to the 100 MHz switch –Both PC´s have 100 MHz LAN card –First PC – AMD Athlon 1,4 GHz –Second PC – Pentium 3, 600 MHz Some additional components had to be implemented –Traffic source –Extension to Ethereal Measurement execution –Measurement period was 5 minutes –Throughput was measured in 1 second intervals –Each measurement was repeated 20 times –The thoughput was calculated as mean of all measurements

U.Esbold Secure End-to-End Transport over SCTP S-SCTP measurement results – Throughput vs. message size (3DES-SHA) No bundling used

U.Esbold Secure End-to-End Transport over SCTP S-SCTP measurement results – Throughput vs. message size (AES-SHA) No bundling used

U.Esbold Secure End-to-End Transport over SCTP S-SCTP measurement results – Throughput vs. message size (3DES-SHA) Bundling used

U.Esbold Secure End-to-End Transport over SCTP S-SCTP measurement results – Throughput vs. traffic mix (3DES-SHA) Message size 1000 byte: No fragmentation

U.Esbold Secure End-to-End Transport over SCTP S-SCTP measurement results – Memory usage vs. number of streams IPsec and S-SCTP use about 2.4 MB memory

U.Esbold Secure End-to-End Transport over SCTP Conclusion and outlook SCTP is used for sensitive applications –Secure end-to-end transport over SCTP required Standardized SCTP security solutions have some severe limitations –Designed to require only minimum modification of SCTP/TLS/IPSec S-SCTP extension has been proposed –It is feasible as demonstrated by prototype implementation The integrated S-SCTP solution has significant advantages –S-SCTP supports all SCTP protocol features and extensions –S-SCTP performs well over a wide range of protocol parameters Message size Mix of secured and unsecured traffic Number of concurrent streams –Is user friendly (simple API, predefined security levels) But: S-SCTP is not a standardized solution

U.Esbold Secure End-to-End Transport over SCTP Thank you very much