Toward Formal Modelling and Analysis of SCTP Connection Management
Somsak Vanit-Anunchai
School of Telecommunication Engineering
Institute of Engineering
Suranaree University of Technology
Nakhon Ratchasima Thailand
22 October 2008
CPN'08 - 22/10/2008
Outline
Introduction to SCTP
Motivation
SCTP-Packet and VTAG
Message sequence chart
Tie Tags
An error in RFC 4960
Procedure-based modelling approach
SCTP-CPN model
Analysis
Problems
Discussion
Conclusions and Future Work
What is Stream Control Transmission Protocol (SCTP)?
A transport protocol originally developed by the SIGTRAN group of the Internet Engineering Task Force (IETF).
It became Request For Comments (RFC) 2960 in October 2000.
Aims to overcome the weakness of TCP.
Uses a four-way handshake and a cookie mechanism to prevent Denial of Service (DoS) attacks.
[Figure: protocol stack. Network Layer: Internet Protocol (IP). Transport Layer: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Datagram Congestion Control Protocol, SCTP.]
Motivations
Discrepancies between RFC 2960 and the Implementation Guide (IG).
SCTP Errata published in RFC 4460 (Sep. 2007).
Revised SCTP spec. – RFC 4960 published in Sep. 2007.
Q1. Are there any defects left?
Q2. Are new defects introduced in the new spec?
Experiment with the Procedure-based modelling approach.
SCTP Packet Format
An SCTP Packet comprises a header and a number of chunks.
Verification Tag (VTAG)
Verification Tag is used to protect the association from blind attacks.
An endpoint keeps two verification tag values: “My Verification Tag” and “Peer’s Verification Tag”. In general, any received packet containing a verification tag differing from “My Verification Tag” will be discarded.
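Typical message sequence: Connection Setup
Endpoint A: Initial Verification Tag = Ax. Endpoint Z: Initial Verification Tag = Zx. Both endpoints start in CLOSED.
1. A, on [ASSOCIATE]: sends Init (vtag=0, itag=Ax) to Z and enters COOKIE-WAIT.
2. Z: replies InitAck (vtag=Ax, itag=Zx, CK[Zx,Ax]) and remains CLOSED.
3. A: sends CookieEcho (vtag=Zx, CK[Zx,Ax]) and enters COOKIE-ECHOED.
4. Z: replies CookieAck (vtag=Ax) and enters ESTABLISHED.
5. A: on receiving CookieAck, enters ESTABLISHED.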
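The setup exchange above together with the verification-tag rule, as an added example (not part of the slides and not the SCTP-CPN model): a small Python model of both endpoints that discards packets whose vtag differs from "My Verification Tag" and keeps Z in CLOSED until a valid CookieEcho arrives. The HMAC over the cookie, the key `KEY` and the tag values 0xA1 and 0x5A are assumptions; timers, retransmission and tie-tags are left out.

```python
import hashlib, hmac, os

KEY = os.urandom(16)  # assumption: secret known only to the listening endpoint

def mac(cookie):
    # Authenticates CK[Zx,Ax], so Z can stay CLOSED with no state until CookieEcho
    return hmac.new(KEY, repr(cookie).encode(), hashlib.sha256).hexdigest()

class Endpoint:
    def __init__(self, my_tag):
        self.state, self.my_tag, self.peer_tag = "CLOSED", my_tag, None

    def associate(self):  # [ASSOCIATE] user command on the opening side
        self.state = "COOKIE-WAIT"
        return {"type": "Init", "vtag": 0, "itag": self.my_tag}

    def receive(self, p):
        """Process one packet; return the reply, or None if nothing is sent."""
        kind = p["type"]
        if kind == "Init" and self.state == "CLOSED":  # Init always carries vtag=0
            ck = (self.my_tag, p["itag"])
            return {"type": "InitAck", "vtag": p["itag"], "itag": self.my_tag,
                    "cookie": ck, "mac": mac(ck)}
        if p["vtag"] != self.my_tag:  # differs from "My Verification Tag": discard
            return None
        if kind == "InitAck" and self.state == "COOKIE-WAIT":
            self.peer_tag, self.state = p["itag"], "COOKIE-ECHOED"
            return {"type": "CookieEcho", "vtag": self.peer_tag,
                    "cookie": p["cookie"], "mac": p["mac"]}
        if kind == "CookieEcho" and self.state == "CLOSED":
            ck = p["cookie"]
            if ck[0] != self.my_tag or not hmac.compare_digest(p["mac"], mac(ck)):
                return None  # forged or altered cookie
            self.peer_tag, self.state = ck[1], "ESTABLISHED"
            return {"type": "CookieAck", "vtag": self.peer_tag}
        if kind == "CookieAck" and self.state == "COOKIE-ECHOED":
            self.state = "ESTABLISHED"
        return None

def handshake(ax=0xA1, zx=0x5A):  # constructed tag values
    a, z = Endpoint(ax), Endpoint(zx)
    trace, pkt, dst = [], a.associate(), z
    while pkt:  # deliver each packet to the other endpoint until no reply is sent
        trace.append((pkt["type"], pkt["vtag"]))
        pkt, dst = dst.receive(pkt), (a if dst is z else z)
    return a, z, trace
```

`handshake()` returns both endpoints and the list of (chunk type, vtag) pairs in the order they were sent.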
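Typical message sequence: Connection Closedown
Endpoint A and Endpoint Z both start in ESTABLISHED.
1. A, on [SHUTDOWN]: enters SHUTDOWN-PENDING; when there is no more outstanding data, sends Shutdown (vtag=Zx) and enters SHUTDOWN-SENT.
2. Z: on receiving Shutdown, enters SHUTDOWN-RECEIVED; when there is no more outstanding data, replies ShutdownAck (vtag=Ax) and enters SHUTDOWN-ACK-SENT.
3. A: replies ShutdownComplete (vtag=Zx) and enters CLOSED.
4. Z: on receiving ShutdownComplete, enters CLOSED.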
Tie-Tag
Modeling Tie-Tags is a main contribution of this paper.
Tie-Tags are copies of two verification tags.
RFC 2960: Tie-Tags are stored in the cookie.
RFC 4960: Tie-Tags are stored in both the cookie and the TCB.
In the TCB: “Local Tag” and “Peer’s Tag” (definitions).
In the cookie: “Local Tie-Tag” and “Peer’s Tie-Tag”.
Thus a cookie contains a pair of VTAGs and a pair of Tie-Tags. The TCB contains a pair of VTAGs and a pair of Tie-Tags.
The Tie-Tags are used to tie the received cookie of the new association with the old association.
Table 2 section 5.4.2 of RFC 4960
TCB = Transmission Control Block containing state variables for SCTP connection.
An error in section 5.2.4 of RFC 4960
(but the implementation is correct)
Local VTAG in Cookie
Peer’s VTAG in Cookie
Motivations
Discrepancies between RFC 2960 and the Implementation Guide (IG).
SCTP Errata published in RFC 4460 (Sep. 2007).
Revised SCTP spec. – RFC 4960 published in Sep. 2007.
Q1. Are there any defects left? A: don’t know yet
Q2. Are new defects introduced in the new spec? A: yes!
Experiment with the Procedure-based modelling approach.
What is the Procedure-based modelling approach?
A CPN model is usually divided into several CPN subpages according to the protocol’s states (state-based style).
The model is easy to read.
For a protocol procedure, an event occurs when an endpoint receives a packet or a user command.
Events in different states may cause the endpoint to act in the same way regardless of the state.
The event-processing style groups similar events into the same CPN subpage.
The model is very compact but difficult to read.
What is the Procedure-based modelling approach?
The aim is to develop a CPN model which is not only easy to read but also small.
Billington proposed the procedure-based approach in [FI08]: “Coloured Petri Nets Modelling of an Evolving Internet Standard: the Datagram Congestion Control Protocol”, Fundamenta Informaticae, In Press, 2008.
Following the procedure-based style, we group events according to their functionality, e.g. typical procedures; error handling procedures (unexpected events).
In FI08 we built an event-processing CPN model from a state-based CPN model. Then a procedure-based CPN model was developed from the event-processing CPN model.
Q3. What if we develop a procedure-based CPN model directly from the narrative specification?
Hierarchy – SCTP-CPN Model
4-level, 2 ML functions, 6 places, 54 executable transitions
[Figure: page hierarchy of the SCTP-CPN model. Labels as extracted: SCTP_Procedure | Normal Event | UnexpectedEvent | Retransmission | Abort Check InvalidVTAG | Establish ShutDown Init_InitAck CookieEcho_CookieAck | Shutdown | Restart SimultaneousOpen | Delayed Cookie | Tag_Match]
Top-level page
Typical message sequence: Connection Setup
Analysis Results
Scenarios: One side opens; Simultaneous Open; One side closes; Simultaneous Closed; One side aborts
Number of retransmissions - Init, InitAck, CookieEcho, CookieAck
Potential Problem 1 – Case A One side opens
Source of the problem: the CookieAck is heavily delayed
Potential Problem 2 – Case B Simultaneous Open
Discussion
This paper focuses on modelling. Analysis is used to debug the model.
It took me two months, part time, to study the protocol and to create and debug the model.
Why are the problems called potential problems?
We are not so sure if they are really problems. We do not model time-stamps and user behavior.
While developing the model, we found an error in Table 2 section 5.2.4 of RFC 4960. This was confirmed by IETF.
http://www.ietf.org/mail-archive/web/tsvwg/current/msg08603.html
Conclusions
The difficulty of designing a protocol is again witnessed by the defect list in RFC 4460.
This paper presents a CPN model of SCTP connection management.
We still need more exhaustive work on the analysis part.
The procedure-based style suits the SCTP specification.
One error and two potential problems were found.
Modelling Analysis
Further work
Investigate complex scenarios when unexpected CookieEcho chunks are received.
Investigate the user interface, time stamp, stale packets, and cookie authentication.
Future work
Multi-homing
Security attacks against SCTP
Thank you!
Any questions?
Chunk - Declaration
TCB - Declaration