SCTP: Stream Control Transmission Protocol
Source from http://www.STCP.org
Cisco System

Upload: hannah-singleton

Post on 01-Jan-2016

Page 1: Title
SCTP: Stream Control Transmission Protocol
Source from http://www.STCP.org
Cisco System

Page 2: Prerequisites
A basic understanding of IP and transport protocols
Some knowledge of TCP may be helpful

Page 3: Reference Materials
Main Documents
[SCTP reference book] Stream Control Transmission Protocol (SCTP): A Reference Guide, R. Stewart and Q. Xie, Addison-Wesley, 2002, ISBN 0-201-72186-4
RFC 2960: Stream Control Transmission Protocol, October 2000
RFC 3309: SCTP Checksum Change, September 2002
[I-G] draft-ietf-tsvwg-sctpimpguide-10: SCTP Implementer's Guide
SCTP Extensions Drafts
[PR-SCTP] RFC 3758
[Add-IP] draft-ietf-tsvwg-addip-sctp-08: SCTP Dynamic Address Reconfiguration
[Pkt-Drop] draft-stewart-sctp-pktdrprep-00: SCTP Packet Drop Reporting
[Auth] draft-tuexen-sctp-auth-chunk-00: Authenticated Chunks for SCTP

Page 4: Online References
http://www.sctp.org
Also reachable with HTTP over SCTP!
http://www.ietf.org/html.charters/tsvwg-charter.html
All current work on SCTP is done in the IETF TSVWG
sctp-impl on mailer.cisco.com

Page 5: Features of SCTP
Reliable data transfer
Congestion control and avoidance
Message boundary preservation
PMTU discovery and message fragmentation
Message bundling
Multi-homing support
Unordered data delivery option
Security cookie against connection flood attack (SYN flood)
Built-in heartbeat (reachability check)
Extensibility

Page 6: IP Multi-homing
The following figure depicts a typical multi-homed host. Keep this picture in mind when we discuss multi-homing.
[Figure: one host running App-1, App-2 and App-3 over a single OS, with three network interfaces NI-1, NI-2 and NI-3 holding the addresses 160.15.82.20, 161.10.8.221 and 10.1.61.11]

Page 7: Of Endpoints and Associations
Two fundamental concepts in SCTP:
Endpoints (communicating parties)
Associations (communication relationships)
These two concepts are key to understanding the protocol and its basic operation.
We start by defining an “SCTP Transport Address”.

Page 8: An SCTP Transport Address
Each transport protocol defines a transport level header.
The transport level header helps demultiplex data coming to a host to the correct applications.
Applications in TCP and UDP bind to a “port”, which forms the core method for demultiplexing data.
SCTP also defined the same byte positions in its transport header for the two 16 bit port fields.
We term the combination of an SCTP port and an IP address an “SCTP Transport Address”.
The IP address in an SCTP Transport Address MUST be a routable unicast address, i.e. multicast and broadcast addresses are invalid.

Page 9: An SCTP Endpoint (1)
An SCTP endpoint is the logical end of the SCTP transport protocol - a communicating party.
An SCTP endpoint may have MORE than one IP address, but it always has one and only one port number.
An application typically will open an SCTP socket and bind one address, a set of addresses, or all addresses to that socket. This socket can then be thought of as an SCTP endpoint.
An SCTP endpoint can be represented as a list of SCTP transport addresses with the same port:
endpoint = [10.1.4.2, 10.1.5.3 : 80]
An SCTP transport address can only be bound to one single SCTP endpoint.

Page 10: An SCTP Endpoint (2)
[Figure: the multi-homed host from Page 6 (NI-1 160.15.82.20, NI-2 161.10.8.221, NI-3 10.1.61.11) with Application-1 bound to the endpoint [161.10.8.221 : 2223]]

Page 11: An SCTP Endpoint (3)
Application-1 has bound one IP address of the host with the port 2223.
If a new application, Application-2, is started, it may legally bind [160.15.82.20 : 2223] or [10.1.61.11 : 2223] or even [160.15.82.20, 10.1.61.11 : 2223].
The new application will NOT be able to bind the existing SCTP Transport address that Application-1 has bound, i.e. [161.10.8.221 : 2223].
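As an added example (not from the slides), the binding rules of Pages 9 and 11 as a small host model: an endpoint is one socket with exactly one port and one or more of the host's addresses, and each transport address (IP, port) may be owned by only one endpoint. The class, method names and the socket names are constructed here; the host addresses are the ones drawn on Page 6.

```python
# Added example (not from the slides): a model of the binding rules on
# Pages 9 and 11. One socket (endpoint) owns exactly one port and one or more
# of the host's IP addresses, and a transport address (IP, port) may belong
# to only one endpoint. The host addresses are the ones drawn on Page 6.
HOST_ADDRESSES = ["160.15.82.20", "161.10.8.221", "10.1.61.11"]


class BindError(Exception):
    """Raised when a bind would violate the one-endpoint-per-transport-address rule."""


class SctpHost:
    def __init__(self, addresses):
        self.addresses = list(addresses)
        self.endpoints = {}   # socket name -> (frozenset of addresses, port)
        self.owner = {}       # (address, port) -> socket name

    def bind(self, sock, addresses, port):
        """Bind a socket to one address, a set of addresses, or (None) all host addresses."""
        if sock in self.endpoints:
            raise BindError(f"{sock} is already bound; an endpoint has exactly one port")
        addrs = self.addresses if addresses is None else list(addresses)
        for a in addrs:
            if a not in self.addresses:
                raise BindError(f"{a} is not an address of this host")
            if (a, port) in self.owner:
                raise BindError(f"[{a} : {port}] already bound by {self.owner[(a, port)]}")
        # all checks passed: claim every transport address of the new endpoint
        for a in addrs:
            self.owner[(a, port)] = sock
        self.endpoints[sock] = (frozenset(addrs), port)
        return self.endpoint(sock)

    def endpoint(self, sock):
        """Render the endpoint in the slides' notation: [addr1, addr2 : port]."""
        addrs, port = self.endpoints[sock]
        return "[" + ", ".join(sorted(addrs)) + f" : {port}]"


def demo():
    """Replays the Page 11 scenario with constructed socket names."""
    host = SctpHost(HOST_ADDRESSES)
    app1 = host.bind("Application-1", ["161.10.8.221"], 2223)
    # Application-2 may take the remaining two addresses on the same port
    app2 = host.bind("Application-2", ["160.15.82.20", "10.1.61.11"], 2223)
    # every address may be reused on a different port
    app3 = host.bind("Application-3", None, 2224)
    try:
        host.bind("Application-4", ["161.10.8.221"], 2223)
        clash = None
    except BindError as err:
        clash = str(err)
    return app1, app2, app3, clash
```

The checks run before any address is claimed, so a rejected bind leaves the table untouched rather than half-bound.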

Page 12: SCTP Associations (1)
SCTP is connection-oriented, like TCP.
A connection-oriented protocol is one that requires a setup procedure to establish the communication relationship (and state) between two parties.
To establish this state, both sides go through a specific set of exchanges:
TCP uses a 3-way handshake (SYN, SYN/ACK, ACK)
SCTP uses a 4-way handshake (we examine this later)
In TCP, the communication relationship between two endpoints is called a “connection”.
In SCTP, this is called an “association”; this is because it is a broader concept than a single connection (i.e. multi-homing).

Page 13: SCTP Associations (2)
An SCTP association can be represented as a pair of SCTP endpoints:
assoc = { [10.1.61.11 : 2223], [161.10.8.221, 120.1.1.5 : 80] }
An SCTP endpoint may have multiple associations.
Only one association may be established between any two SCTP endpoints.

Page 14: Operation of SCTP Associations
An SCTP association provides reliable data transfer of messages.
Messages are sent within a stream, which is identified by a stream identifier (SID).
Messages can be ordered or un-ordered:
Each ordered message sent within a stream is also assigned a stream sequence number (SSN).
Unordered messages have no SSN and are delivered with no respect to ordering.
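As an added example (not from the slides), the receive-side delivery logic this page implies: ordered messages are released per stream in SSN order, a gap in one stream holds back only that stream, and unordered messages bypass the queue. The class and the arrival sequence in demo() are constructed here.

```python
# Added example (not from the slides): delivery logic for the stream rules on
# Page 14. Ordered messages carry a 16-bit SSN and are released per stream in
# SSN order; unordered messages have no SSN and are handed up immediately.
from collections import defaultdict


class StreamReceiver:
    def __init__(self):
        self.next_ssn = defaultdict(int)    # SID -> next SSN to deliver (starts at 0)
        self.held = defaultdict(dict)       # SID -> {SSN: payload} waiting for a gap to close
        self.delivered = []                 # (SID, payload) in the order the application sees them

    def receive(self, sid, payload, ssn=None, unordered=False):
        if unordered:
            # No SSN: bypass the stream's ordering queue entirely
            self.delivered.append((sid, payload))
            return
        self.held[sid][ssn] = payload
        # A gap in this stream blocks only this stream; other SIDs keep flowing
        while self.next_ssn[sid] in self.held[sid]:
            self.delivered.append((sid, self.held[sid].pop(self.next_ssn[sid])))
            self.next_ssn[sid] = (self.next_ssn[sid] + 1) & 0xFFFF   # SSN is 16 bits


def demo():
    """Constructed arrival order: stream 1 gets SSN 1 before SSN 0."""
    rx = StreamReceiver()
    rx.receive(1, "b", ssn=1)            # held: stream 1 is still waiting for SSN 0
    rx.receive(2, "u", unordered=True)   # delivered at once
    rx.receive(2, "c", ssn=0)            # stream 2 is unaffected by stream 1's gap
    rx.receive(1, "a", ssn=0)            # closes the gap: a then b are released
    return rx.delivered
```

The per-stream counter is what gives SCTP its advantage over a single TCP byte stream: head-of-line blocking is confined to the stream with the missing message.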

Page 15: Bits, Bytes, and Chunks
We will now turn our attention to the on-the-wire bits and bytes of SCTP.
An SCTP packet has a common header that appears in each packet, followed by one or more chunks.
SCTP chunks use a self-describing Tag-Length-Value (TLV) format.
Note: all figures used are always 32-bits wide.

Page 16: SCTP Packet With IP Header
[Figure: IP Header, then SCTP Common Header, then Chunk 1 ... Chunk N]

Page 17: SCTP Common Header
Source and Destination Port: 16-bit port values
Verification Tag: 32-bit random value selected by each endpoint in an association during setup
Discriminates between two successive associations
Protection mechanism against blind attackers
CRC32c Checksum: 32-bit CRC covering the entire SCTP packet (SCTP common header and all chunks)
Note that RFC 3309 (CRC32c) supersedes the Adler-32 checksum defined in RFC 2960 (SCTP)
[Figure: common header layout, 32 bits wide: Source Port | Destination Port; Verification Tag; CRC-32c Checksum]

Page 18: SCTP Chunks
Chunk Type: 8-bit value indicating the type of chunk
Chunk Flags: 8-bit flags, defined on a per chunk type basis
Chunk Length: 16-bit length in bytes, including the chunk type, chunk flags, and chunk length fields.
Note that chunks are padded to 32-bit boundaries within an SCTP packet. Any padding bytes (0x00) used are NOT included in the chunk length.
[Figure: chunk layout, 32 bits wide: Chunk Type | Chunk Flags | Chunk Length; Chunk Data]

Page 19: List of Chunk Types
There are 20 chunk types currently defined in SCTP (including non-RFC/Internet Draft extensions):
(1) DATA (0x00)
(2) INITIATION [INIT] (0x01)
(3) INITIATION-ACKNOWLEDGMENT [INIT-ACK] (0x02)
(4) SELECTIVE-ACKNOWLEDGMENT [SACK] (0x03)
(5) HEARTBEAT (0x04)
(6) HEARTBEAT-ACKNOWLEDGMENT [HEARTBEAT-ACK] (0x05)
(7) ABORT (0x06)
(8) SHUTDOWN (0x07)
(9) SHUTDOWN-ACKNOWLEDGMENT [SHUTDOWN-ACK] (0x08)
(10) OPERATIONAL-ERROR [ERROR] (0x09)
(11) COOKIE-ECHO (0x0A)
(12) COOKIE-ACKNOWLEDGMENT [COOKIE-ACK] (0x0B)
(13) EXPLICIT CONGESTION NOTIFICATION ECHO [ECNE] (0x0C)
(14) CONGESTION WINDOW REDUCE [CWR] (0x0D)
(15) SHUTDOWN-COMPLETE (0x0E)

Page 20: List of Chunk Types: Extensions
PR-SCTP - RFC 3758
(16) FORWARD-TSN (0xC0)
ADD-IP draft
(17) ADDRESS-CONFIGURATION [ASCONF] (0xC1)
(18) ADDRESS-CONFIGURATION-ACKNOWLEDGMENT [ASCONF-ACK] (0x80)
Packet-Drop draft
(19) SCTP-PACKET-DROP-REPORT [PKT-DROP] (0x81)
Authentication draft
(20) AUTHENTICATION [AUTH] (0x82) - about to undergo drastic changes and will probably add 2-3 chunks.

Page 21: Chunk Type Processing
A bit pattern of 00xxxxxx in the chunk type indicates that if this chunk is unknown by the receiver, silently drop it and stop processing the rest of the packet.
A bit pattern of 01xxxxxx in the chunk type indicates that if this chunk is unknown by the receiver, drop it, send an ERROR chunk in reply, and stop processing the rest of the packet.
A bit pattern of 10xxxxxx in the chunk type indicates that if this chunk is unknown by the receiver, silently skip this chunk but continue to process the rest of the chunks in the packet.
A bit pattern of 11xxxxxx in the chunk type indicates that if this chunk is unknown by the receiver, skip this chunk but send an ERROR chunk in reply and continue to process the rest of the chunks in the packet.
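As an added example (not from the slides), a parser that ties together the common header of Page 17, the chunk TLV and padding rule of Page 18, and the four unknown-chunk rules on this page. It computes the RFC 3309 CRC32c itself and stores it in the little-endian byte order I read in RFC 4960 Appendix B; the chunk length guard and the demo packets are constructed here, and the function names are my own.

```python
# Added example (not from the slides): a small parser for the common header
# (Page 17), the chunk TLV layout (Page 18) and the unknown-chunk rules on
# Page 21. The CRC32c is the RFC 3309 checksum; it is stored in the header in
# little-endian byte order, as in RFC 4960 Appendix B. Packet contents below
# are constructed for the demo.
import struct

COMMON_HEADER = struct.Struct("!HHII")   # src port, dst port, verification tag, checksum
CHUNK_HEADER = struct.Struct("!BBH")     # chunk type, chunk flags, chunk length

CHUNK_NAMES = {
    0x00: "DATA", 0x01: "INIT", 0x02: "INIT-ACK", 0x03: "SACK", 0x04: "HEARTBEAT",
    0x05: "HEARTBEAT-ACK", 0x06: "ABORT", 0x07: "SHUTDOWN", 0x08: "SHUTDOWN-ACK",
    0x09: "ERROR", 0x0A: "COOKIE-ECHO", 0x0B: "COOKIE-ACK", 0x0C: "ECNE", 0x0D: "CWR",
    0x0E: "SHUTDOWN-COMPLETE", 0xC0: "FORWARD-TSN", 0xC1: "ASCONF", 0x80: "ASCONF-ACK",
    0x81: "PKT-DROP", 0x82: "AUTH",
}


def _crc32c_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc32c_table()


def crc32c(data):
    """CRC-32C (Castagnoli), reflected, init and final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def build_packet(src_port, dst_port, vtag, chunks):
    """chunks: list of (type, flags, value). Each chunk is padded to a 32-bit
    boundary; the padding is not counted in the chunk length."""
    body = b""
    for ctype, flags, value in chunks:
        length = CHUNK_HEADER.size + len(value)
        body += CHUNK_HEADER.pack(ctype, flags, length) + value + b"\x00" * (-length % 4)
    header = COMMON_HEADER.pack(src_port, dst_port, vtag, 0)   # checksum field zeroed
    crc = crc32c(header + body)
    return header[:8] + crc.to_bytes(4, "little") + body


def verify_checksum(packet):
    """The CRC covers the whole packet with the checksum field set to zero."""
    stored = int.from_bytes(packet[8:12], "little")
    return crc32c(packet[:8] + b"\x00\x00\x00\x00" + packet[12:]) == stored


def process_packet(packet, known=frozenset(CHUNK_NAMES)):
    """Walk the chunks. Returns (accepted chunks, actions); the two high bits of
    an unknown chunk type decide whether to report it and whether to continue."""
    if len(packet) < COMMON_HEADER.size or not verify_checksum(packet):
        return [], ["drop packet: bad checksum"]
    accepted, actions = [], []
    off = COMMON_HEADER.size
    while off + CHUNK_HEADER.size <= len(packet):
        ctype, flags, length = CHUNK_HEADER.unpack_from(packet, off)
        if length < CHUNK_HEADER.size or off + length > len(packet):
            actions.append("drop packet: bad chunk length")   # also stops a zero-length loop
            break
        value = packet[off + CHUNK_HEADER.size:off + length]
        if ctype in known:
            accepted.append((CHUNK_NAMES[ctype], flags, value))
        else:
            if ctype & 0x40:                      # 01xxxxxx / 11xxxxxx: tell the peer
                actions.append(f"send ERROR for unknown chunk 0x{ctype:02X}")
            if not ctype & 0x80:                  # 00xxxxxx / 01xxxxxx: stop here
                actions.append("stop processing packet")
                break
        off += length + (-length % 4)             # step over the padding too
    return accepted, actions


def demo():
    """Two constructed packets: one with a 00xxxxxx unknown chunk (stop), one
    with a 11xxxxxx unknown chunk (report and carry on)."""
    stop = build_packet(5000, 80, 0x12345678,
                        [(0x04, 0, b"hello"), (0x3F, 0, b""), (0x03, 0, b"\x00" * 16)])
    carry_on = build_packet(5000, 80, 0x12345678,
                            [(0xFF, 0, b"\x01\x02"), (0x03, 0, b"\x00" * 16)])
    return process_packet(stop), process_packet(carry_on)
```

The length guard matters in practice: a chunk length below 4 or past the end of the packet would otherwise loop forever or read out of bounds, which is the classic parser failure for any TLV format.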

Page 22: SCTP Chunk Parameters
Some chunks have parameters within them. Examples: INIT, INIT-ACK, HEARTBEAT.
A parameter also has a TLV format.
A parameter has a similar format to a chunk but slightly different (see the next slide).
Processing rules for unknown parameters are similar to those for the chunk processing with slightly different connotations.
[Figure: parameter layout, 32 bits wide: Type = 0x0033 | Length = 8; then 4 octets of data. The variable length data follows the header. Note the 16 bit Parameter Type and the 16 bit Length, which includes the header.]

Page 23: Setting Up an Association
[Figure: Endpoint A sends INIT to Endpoint Z; Z replies INIT-ACK; A sends COOKIE-ECHO (*); Z replies COOKIE-ACK (*). * -- User data can be attached. After the COOKIE-ECHO and COOKIE-ACK each side shows "Association Is Up".]

Page 24: SCTP Association Setup
SCTP uses a four-way handshake to set up an association.
The side doing the active (or implicit) open will formulate and send an INIT chunk.
The sender of the INIT includes various parameters:
IPv4 and IPv6 address parameters identifying all bound addresses within the peer’s scope
Extensions such as PR-SCTP, Adaptation Layer Indication and possibly a Supported Address list
There could also be cookie preservatives and other sundry items as well

Page 25: Sending an INIT
Two important random values that a sender of an INIT (and an INIT-ACK) generates:
A Verification Tag (V-Tag) will provide the peer with a nonce that must be present in every packet sent (this is placed in the initiate tag field)
An Initial TSN provides the starting point for the transport sequence space
The V-Tag provides modest security for the association and also removes the need for a pseudo-header in the checksum.

Page 26: Receiving an INIT
The receiver of the INIT will validate that a listener exists for the destination port. If not, it will send an ABORT back to the sender.
It may do some checking and validation, but in general it will always send back an INIT-ACK saving NO state. This prevents SCTP from being subject to the TCP SYN-like attacks.
In formulating an INIT-ACK, the responder will include all the various parameters just like what a sender does when formulating an INIT, but with one important addition.

Page 27: Formulating the INIT-ACK Response
The receiver of the INIT MUST include a state cookie parameter in the INIT-ACK response.
The state cookie parameter:
Is signed (usually with MD5 or SHA-1)
Contains ALL the state needed to setup the association (usually the entire INIT and some pieces of the INIT-ACK)
Is implementation specific, but must include a timestamp

Page 28: When the INIT-ACK Arrives
The receiver of the INIT-ACK must take special care in finding the association for the endpoint that sent the INIT.
In particular it must look at the address list inside the INIT-ACK in case the source address is not the same as where the INIT was sent.
After finding the association, the receiver will add all of the peer’s information (addresses, V-Tag, initial sequence number, etc.) to the local TCB.

Page 29: More on Processing the INIT-ACK
At this point the receiver must reply back with a COOKIE-ECHO chunk:
The cookie is retrieved by simply finding the state-cookie parameter and changing the first two bytes into the chunk type and flags field (set to 0) of the COOKIE-ECHO chunk.
This chunk is sent back to the source address of the INIT-ACK packet.
As long as the COOKIE-ECHO chunk is first in the packet, any queued DATA chunks may be bundled in the SCTP packet.

Page 30: A Packet with the COOKIE-ECHO
[Figure: packet layout, 32 bits wide. Common header: Source Port | Destination Port; Verification Tag; Checksum. First chunk: Type=0x0A | Flags=0 | Chunk Length=N; Cookie Data (N - 4 bytes). Second chunk: Type=0x00 | Flags=03 | Chunk Length=K; TSN = X; Stream Number = M | Stream Sequence = 0; Payload Protocol ID = A; User Data (K - 16 bytes).]

Page 31: Processing the Cookie-Echo
First, validate that the state cookie has not been modified by running the hash over it and the internal secret key. If they do not match, the cookie is silently discarded.
Next, the timestamp field in the cookie is checked. If it proves to be an old cookie, a stale cookie error is sent to the peer.
Otherwise, the cookie is used to create a new TCB. The association now enters the ESTABLISHED state.
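As an added example (not from the slides), a stateless cookie in the shape Page 27 describes (signed, carrying all state plus a timestamp) together with the three checks listed on this page. The keyed hash is HMAC-SHA256, my choice where the slides mention MD5 or SHA-1; the lifetime is the RFC 2960 default Valid.Cookie.Life of 60 seconds; the field layout, function names, secret and sample INIT bytes are constructed here.

```python
# Added example (not from the slides): a stateless cookie in the shape Page 27
# describes, and the three checks Page 31 lists for processing it. The MAC is
# HMAC-SHA256 keyed with a server-side secret (my choice; the slides mention
# MD5 or SHA-1). Cookie lifetime uses the RFC 2960 default Valid.Cookie.Life of
# 60 seconds. Field layout, names and sample values are constructed here.
import hashlib
import hmac
import struct
import time

COOKIE_LIFE = 60.0   # seconds
# timestamp, local V-Tag, peer V-Tag, local initial TSN, peer initial TSN, two tie-tags
FIXED = struct.Struct("!dIIIIII")
MAC_LEN = hashlib.sha256().digest_size


def make_cookie(secret, peer_init, local_tag, peer_tag, local_tsn, peer_tsn,
                tie_tags=(0, 0), now=None):
    """Pack everything needed to build the TCB later, then sign it. Nothing is
    kept locally, so an INIT flood costs the responder no memory."""
    now = time.time() if now is None else now
    body = FIXED.pack(now, local_tag, peer_tag, local_tsn, peer_tsn, *tie_tags) + peer_init
    return body + hmac.new(secret, body, hashlib.sha256).digest()


def process_cookie_echo(secret, cookie, now=None):
    """Returns ("discard", reason), ("stale", age) or ("established", tcb)."""
    now = time.time() if now is None else now
    if len(cookie) < FIXED.size + MAC_LEN:
        return ("discard", "short cookie")
    body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
    # 1. signature check with the internal secret; a mismatch is dropped silently
    if not hmac.compare_digest(hmac.new(secret, body, hashlib.sha256).digest(), mac):
        return ("discard", "bad signature")
    ts, local_tag, peer_tag, local_tsn, peer_tsn, tt1, tt2 = FIXED.unpack_from(body)
    # 2. timestamp check; the caller answers an old cookie with a Stale Cookie error
    age = now - ts
    if age > COOKIE_LIFE:
        return ("stale", age)
    # 3. the cookie alone is enough to build the TCB and enter ESTABLISHED
    tcb = {"state": "ESTABLISHED", "local_vtag": local_tag, "peer_vtag": peer_tag,
           "local_tsn": local_tsn, "peer_tsn": peer_tsn, "tie_tags": (tt1, tt2),
           "peer_init": body[FIXED.size:]}
    return ("established", tcb)


def demo():
    """Fresh, stale and tampered cookies, with constructed values throughout."""
    secret = b"constructed-secret-rotate-me"   # constructed; rotate such secrets in practice
    # constructed INIT chunk: type 1, length 20, initiate tag 0x11223344, initial TSN 1
    init_chunk = bytes.fromhex("0100001411223344000100000000000000000001")
    cookie = make_cookie(secret, init_chunk, 0xA1A1A1A1, 0x11223344, 1000, 1,
                         tie_tags=(7, 9), now=1000.0)
    fresh = process_cookie_echo(secret, cookie, now=1010.0)
    late = process_cookie_echo(secret, cookie, now=1100.0)
    forged = process_cookie_echo(secret, cookie[:-1] + bytes([cookie[-1] ^ 1]), now=1010.0)
    return fresh, late, forged
```

The order of the checks is the defensive point: the MAC is verified before any field is parsed, so a forged cookie never reaches the timestamp or TCB logic, and the constant-time comparison avoids leaking how much of the tag matched.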

Page 32: More on Cookie Processing
Note that this quick summary assumes a normal non-collision, non-restart case. Collision cases are accounted for in the specification.
After the cookie is processed and the TCB is created, the endpoint then processes any additional chunks contained in the packet.
Note that the additional chunks are processed in the ESTABLISHED state, since the cookie processing was completed.

Page 33: Acknowledge the Eaten Cookie
After the packet with the COOKIE-ECHO is fully processed, a COOKIE-ACK response is sent back.
At this point, any other chunks (DATA, SACK, etc.) can also be bundled with the COOKIE-ACK.
One final interesting note: most implementations will include within the state cookie the address to which the INIT-ACK was sent. This is due to the fact that this address will be the only one that is considered “confirmed” initially.

Page 34: Other Association Setup Issues to Consider
The SCTP book contains additional material regarding INIT and INIT-ACK chunks.
A large set of special case handling is described in section of the SCTP reference book. These cases deal with collisions and restarts.
We will walk through the restart case and discuss tie-tags briefly.
Refer to the SCTP book for details on all of the other cases (it is the only place that such collisions are documented to my knowledge).

Page 35: Association Restart
An association restart occurs when a peer crashes and restarts rapidly.
The restart and association re-establish attempt must occur before the non-restarting peer’s HEARTBEAT is sent. (HEARTBEATs are discussed later)
We start our scenario with the following picture:

Page 36: Restart: Initial Condition
[Figure: Endpoint-A (VT_L=A, VT_P=Z) and Endpoint-Z (VT_L=Z, VT_P=A), association ESTABLISHED]

Page 37: Restart: Initial Condition Description
Peers Endpoint-A and Endpoint-Z have their association in the ESTABLISHED state.
VT_L (Verification Tag Local) is the value that the endpoint expects in each V-Tag for each received packet.
VT_P (Verification Tag Peer) is the value that each endpoint will send as the V-Tag in every packet.
So, if Endpoint-A sends a packet to Endpoint-Z, it places “Z” in the V-Tag field of the common header.

Page 38: Restart: The CRASH
[Figure: Endpoint-A still ESTABLISHED with VT_L=A, VT_P=Z. Endpoint-Z crashes, restarts with VT_L=Zx and sends INIT (Tag=Zx) to Endpoint-A.]

Page 39: Restart: The Crash Described
Endpoint-Z suddenly crashes and restarts.
After the application restarts, it (re-)attempts to setup an association with Endpoint-A using the same local SCTP transport addresses.
Endpoint-Z chooses a new random tag “Zx” and sends off a new INIT to its ‘potential’ peer.
Remember, Endpoint-Z’s SCTP stack is un-aware of the previous association.

Page 40: Restart: Hmm… A New Association?
[Figure: after the crash, Endpoint-Z (VT_L=Zx) sends INIT (Tag=Zx); Endpoint-A, still ESTABLISHED with VT_L=A, VT_P=Z, replies INIT-ACK (Tag=Ax, Cookie(TT(Ay/Zy))); Endpoint-Z now has VT_L=Zx, VT_P=Ax.]

Page 41: Restart: Handling the New INIT
Endpoint-A receives the new INIT from its peer out of the blue.
Endpoint-A cannot necessarily trust this INIT since the V-Tag it expects in every packet is NOT present (since Endpoint-Z restarted).
Endpoint-A will respond with an INIT-ACK with:
A new random verification tag (Ax)
Two new random Tie-Tags (Ay and Zy) sent in the state cookie (and also stored in the TCB)

Page 42: Restart: Everything Normal (Sort-of)

[Diagram: Endpoint-A (VT_L=A, VT_P=Z) and Endpoint-Z (VT_L=Z, VT_P=A) are ESTABLISHED. Endpoint-Z CRASHes and sends INIT (Tag=Zx); Endpoint-A answers INIT-ACK(Tag=Ax, Cookie(TT(Ay/Zy))); Endpoint-Z (now VT_L=Zx, VT_P=Ax) sends COOKIE-ECHO(Tag=Ax+Cookie).]

Page 43: Restart: Tie-Tags

RFC2960 and the SCTP reference book instruct that the old V-Tags be used as the Tie-Tags.
The most recent I-G has changed this so that V-Tags are never revealed on the wire except during their initial exchange. (Tie-Tags are now basically 32-bit random nonces that represent the TCB.)
This new change in the I-G adds extra security for a minimal additional TCB storage cost.
The restarting peer considers everything normal when the INIT-ACK arrives and sends off the COOKIE-ECHO, which holds the Tie-Tags.

Page 44: Peer Restart

[Diagram: Endpoint-A (VT_L=A, VT_P=Z) and Endpoint-Z (VT_L=Z, VT_P=A) are ESTABLISHED. Endpoint-Z CRASHes and sends INIT (Tag=Zx); Endpoint-A answers INIT-ACK(Tag=Ax, Cookie(TT(Ay/Zy))); Endpoint-Z (now VT_L=Zx, VT_P=Ax) sends COOKIE-ECHO(Tag=Ax+Cookie); Endpoint-A replies COOKIE-ACK and ends with VT_L=Ax*, VT_P=Zx.]
* App is given Restart notification

Page 45: Restart: Final Processing

Endpoint-A will unpack and verify the state cookie. As part of validation it will use the Tie-Tags to determine that a peer restart has occurred.
It will reply with a COOKIE-ACK to the restarted peer (Endpoint-Z).
It will also notify its upper layer or application that a peer restart has occurred.
Note that the SCTP stack on Endpoint-Z is never aware that a restart of the association has occurred.
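The restart handling on pages 39 to 45, as an added simulation (not code from the slides or from Cisco): Endpoint-A signs its state cookie with a local HMAC key, stores fresh Tie-Tags in the TCB when an INIT arrives out of the blue, and on COOKIE-ECHO uses them to tell a peer restart from a duplicate, forged or stale cookie. The message tuples, the HMAC-SHA256 cookie layout and the DROP/COOKIE-ACK result strings are assumptions of this example, not the wire format.

```python
"""Peer-restart detection with a signed state cookie and I-G style Tie-Tags."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def rand32() -> int:
    """Fresh 32-bit random value, used for V-Tags and Tie-Tags alike."""
    return struct.unpack("!I", os.urandom(4))[0]


@dataclass
class TCB:
    vt_local: int   # VT_L: the tag we expect in every packet we receive
    vt_peer: int    # VT_P: the tag we put in every packet we send
    tie_local: int  # Tie-Tags: random nonces naming this TCB; they travel
    tie_peer: int   # only inside the signed cookie, never as a V-Tag


class Endpoint:
    def __init__(self):
        self.secret = os.urandom(32)  # cookie-signing key, never leaves the host
        self.tcb = None
        self.notifications = []

    def start_association(self) -> tuple:
        # Initiating side (Endpoint-Z): new random tag, no memory of any
        # earlier association. The INIT itself carries V-Tag 0.
        self.tcb = TCB(vt_local=rand32(), vt_peer=0, tie_local=0, tie_peer=0)
        return ("INIT", 0, self.tcb.vt_local)

    def on_init_ack(self, init_ack: tuple):
        _, vtag, peer_tag, cookie = init_ack
        if vtag != self.tcb.vt_local:
            return None  # not addressed to us
        self.tcb.vt_peer = peer_tag
        return ("COOKIE-ECHO", peer_tag, cookie)  # cookie echoed unchanged

    def _sign(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def on_init(self, init: tuple):
        # Responding side (Endpoint-A): stateless except for the Tie-Tags.
        _, vtag, peer_tag = init
        if vtag != 0:
            return None
        my_tag = rand32()
        if self.tcb is None:
            tie_l = tie_p = 0  # Tie-Tag 0 means "no existing TCB"
        else:
            # INIT out of the blue while ESTABLISHED: mint fresh Tie-Tags,
            # store them in the TCB, send them only inside the signed cookie.
            tie_l, tie_p = rand32(), rand32()
            self.tcb.tie_local, self.tcb.tie_peer = tie_l, tie_p
        body = struct.pack("!IIII", my_tag, peer_tag, tie_l, tie_p)
        return ("INIT-ACK", peer_tag, my_tag, body + self._sign(body))

    def on_cookie_echo(self, echo: tuple) -> str:
        _, vtag, cookie = echo
        body, mac = cookie[:16], cookie[16:]
        if not hmac.compare_digest(self._sign(body), mac):
            return "DROP: cookie signature invalid"
        my_tag, peer_tag, tie_l, tie_p = struct.unpack("!IIII", body)
        if vtag != my_tag:
            return "DROP: V-Tag does not match cookie"
        if self.tcb is None:  # normal association setup
            self.tcb = TCB(my_tag, peer_tag, 0, 0)
            self.notifications.append("COMM_UP")
            return "COOKIE-ACK"
        if (my_tag, peer_tag) == (self.tcb.vt_local, self.tcb.vt_peer):
            return "COOKIE-ACK"  # duplicate COOKIE-ECHO, nothing changes
        if tie_l and (tie_l, tie_p) == (self.tcb.tie_local, self.tcb.tie_peer):
            # Tie-Tags match our TCB but the V-Tags are new: peer restart
            # (RFC 2960 5.2.4 action A). Adopt the new tags and tell the app.
            self.tcb.vt_local, self.tcb.vt_peer = my_tag, peer_tag
            self.tcb.tie_local = self.tcb.tie_peer = 0
            self.notifications.append("RESTART")
            return "COOKIE-ACK"
        return "DROP: cookie does not belong to this TCB"


def simulate_restart() -> dict:
    """Set up A<->Z, crash Z, let it re-INIT, and return what A decided."""
    a, z = Endpoint(), Endpoint()
    echo = z.on_init_ack(a.on_init(z.start_association()))
    first = a.on_cookie_echo(echo)
    old_tags = (a.tcb.vt_local, a.tcb.vt_peer)
    z = Endpoint()  # crash and restart: Z's stack forgets everything
    echo = z.on_init_ack(a.on_init(z.start_association()))
    second = a.on_cookie_echo(echo)
    return {"a": a, "z": z, "old_tags": old_tags,
            "results": [first, second], "last_echo": echo}
```

Endpoint-Z never learns that a restart happened; only Endpoint-A's notification list records it, exactly as page 45 describes.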

Page 46: Multi-homed Considerations

When a peer is multi-homed, a “primary destination address” will be selected by the SCTP endpoint.
By default, all data will be sent to this primary address.
When the primary address fails, the sender will select an alternate primary address until it is restored or the user changes the primary address.
SACKs may also require some special handling; consider the following:
A Multi-homed Peer With a Failure
[Diagram: EP-1 (addresses IP-1 and IP-2) and EP-2 (addresses IP-3 and IP-4) joined through an IP network; an X marks the failed path.]

Page 47: Special Considerations

If IP-2 was EP-2's primary address, then the association may still fail even though EP-1 has multiple addresses. [more on association failures later]
In the preceding drawing imagine that EP-1 is sending packets with source address IP-2.
If EP-2 always sends SACKs back to IP-2, EP-1 will never receive a SACK.
To prevent this, a receiver will generally alter the destination address of a SACK if it receives duplicate data.

Page 48: Streams and Ordering

A sender tells the sendmsg() or sctp_sendmsg() function which stream to send data on.
Both ordered and un-ordered data can be sent within a stream.
For un-ordered data, delivery to the upper layer is immediate upon receipt.
For ordered data, delivery may be delayed due to reassembly from network reordering.

Page 49: More on Streams

A stream is uni-directional.
SCTP makes NO correlation between an inbound and outbound stream.
An association may have more streams traveling in one direction than the other.
Valid stream number ranges for each direction are set during association setup.
Generally an application will want to tie two streams together.

Page 50: Congestion Control (CC)

We will now go into congestion control (CC).
CC originally did not exist in TCP. This caused a series of congestion collapses in the late 80's.
Congestion collapse is when the network is passing lots of data but almost ALL of that data is retransmissions of data that has already arrived at the peer.
RFC896 provides lots of details for those interested in congestion collapse.
In order to avoid congestion collapse, CC was added to TCP. An Additive Increase Multiplicative Decrease (AIMD) function is used to adjust the sending rate.
The basic idea is to slowly increase the amount an endpoint is allowed to send (cwnd), but collapse cwnd rapidly when there is a sign of congestion.
Packet loss is assumed to be the primary indicator and result of congestion.

Page 51: Congestion Control: Initialization

Initially a new destination address starts with an initial cwnd of two MTUs. However, the latest I-G changes this to min[4 MTUs, 4380 bytes].
ssthresh is theoretically set to infinity, but it is usually set to the peer’s rwnd.
flightsize and pba are set to zero.
Slow Start (SS) is used when cwnd <= ssthresh.
Note that initially we are in Slow Start (SS).

Page 52: Congestion Control: Sending Data

As long as there is room in the cwnd, the sender is allowed to send additional data into the network.
There is room in the cwnd as long as flightsize < cwnd.
This is slightly different than TCP in that SCTP can “slop” over the cwnd value. If the flightsize is (cwnd-1), another packet can be sent.
Every time a SACK arrives, one of two algorithms, Slow Start (SS) or Congestion Avoidance (CA), is used to increment the cwnd.

Page 53: Controlling cwnd Growth

When a SACK arrives in SS, we increment the cwnd by either the number of bytes acknowledged or one MTU, whichever is less.
Slow Start is used when cwnd <= ssthresh.
When a SACK arrives in CA, we increment pba by the number of bytes acknowledged. When pba > cwnd, increment the cwnd by one MTU and reduce pba by the cwnd.
Congestion Avoidance is used when cwnd > ssthresh.

Page 54: Congestion Control

pba is reset to zero when all data is acknowledged.
We NEVER advance cwnd if the cumulative acknowledgment point is not moving forward.
A Max Burst Limit is always applied to how many packets may be sent at any opportunity to send.
This limit is usually 4.
An opportunity to send is any event that will cause data transmission (SACK arrival, user sending of data, etc.).

Page 55: Congestion Control Example

[Diagram: EP-A sends DATA(1452), DATA(1452) and DATA(1096) to EP-Z, then DATA(1452) and DATA(548); SACKs flow back from EP-Z. The numbered points 1 to 4 mark the moments discussed on the next slide.]

Page 56: Congestion Control Example II

In our example, at point 1 we are at the initial stage: cwnd=3000, ssthresh = infinity, pba=0, flightsize=0. Our application sends 4000 bytes.
The implementation sends these (note there is no block by cwnd).
At point 2, the SACK arrives and we are in SS. The cwnd is incremented to 4500 bytes, i.e. add min(1500, 2904).
At point 3, the SACK arrives for the last data segment, but no cwnd advance is made. Why?
Our application now sends 2000 bytes. These can be sent since flightsize is 0 and cwnd is 4500.
At point 4, no congestion control advancement is made.
So we end with flightsize=0, pba=0, cwnd=4500, and ssthresh still infinity.
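Points 1 to 4 of the example above replayed in code, as an added example (not code from the slides or from Cisco). It also applies the RFC 2960 rule that cwnd grows only when cwnd was fully used before the SACK arrived, which is what leaves cwnd unchanged at points 3 and 4; the 1452-byte framing, MAX_BURST=4 and the T3-rtx values are assumptions taken from RFC 2960 rather than from the slides.

```python
"""Sender-side SCTP congestion control: slow start, congestion avoidance,
max burst, and the slide's worked example replayed."""
from collections import deque
from dataclasses import dataclass, field

MTU = 1500
# Assumed framing: 1500-byte MTU minus 20 (IPv4) + 12 (SCTP common header)
# + 16 (DATA chunk header) = 1452 bytes of user data, the size on the slide.
MAX_USER_DATA = MTU - 20 - 12 - 16
MAX_BURST = 4  # packets per send opportunity ("usually 4")


@dataclass
class CwndState:
    cwnd: int = min(4 * MTU, 4380)  # I-G initial value (RFC 2960: 2 MTUs)
    ssthresh: float = float("inf")  # "theoretically infinity"
    pba: int = 0                    # partial bytes acked, used in CA only
    flightsize: int = 0
    queue: deque = field(default_factory=deque)

    def in_slow_start(self) -> bool:
        return self.cwnd <= self.ssthresh

    def enqueue(self, nbytes: int) -> list:
        """Application hands over nbytes; fragment, then send what cwnd allows."""
        while nbytes > 0:
            chunk = min(nbytes, MAX_USER_DATA)
            self.queue.append(chunk)
            nbytes -= chunk
        return self.send_opportunity()

    def send_opportunity(self) -> list:
        """Send while flightsize < cwnd (so the last packet may 'slop' over
        cwnd), but never more than MAX_BURST packets per opportunity."""
        sent = []
        while self.queue and self.flightsize < self.cwnd and len(sent) < MAX_BURST:
            chunk = self.queue.popleft()
            self.flightsize += chunk
            sent.append(chunk)
        return sent

    def on_sack(self, bytes_acked: int, cum_ack_advanced: bool = True) -> list:
        """Grow cwnd (SS or CA) for one SACK, then take the send opportunity."""
        # RFC 2960 7.2.1/7.2.2: cwnd grows only if the cumulative ack point
        # moved forward AND cwnd was fully used before this SACK arrived.
        fully_used = self.flightsize >= self.cwnd
        self.flightsize -= bytes_acked
        if cum_ack_advanced and self.in_slow_start():
            if fully_used:
                self.cwnd += min(bytes_acked, MTU)
        elif cum_ack_advanced:
            self.pba += bytes_acked
            if self.pba > self.cwnd and fully_used:
                self.cwnd += MTU
                self.pba = max(self.pba - self.cwnd, 0)
        if self.flightsize == 0:
            self.pba = 0  # all data acknowledged
        return self.send_opportunity()

    def on_timeout(self) -> None:
        """Multiplicative decrease after a T3-rtx expiry (RFC 2960 7.2.3)."""
        self.ssthresh = max(self.cwnd // 2, 2 * MTU)
        self.cwnd = MTU
        self.pba = 0


def slide_example() -> tuple:
    """Replay points 1-4: cwnd=3000, ssthresh=inf, 4000 bytes queued, SACKs
    for 2904 and 1096 bytes, then 2000 bytes and its SACK."""
    s = CwndState(cwnd=3000)
    trace = [  # evaluated top to bottom, so each step sees the previous one
        ("1: send 4000", s.enqueue(4000), s.cwnd),  # 3 packets, cwnd does not block
        ("2: SACK 2904", s.on_sack(2904), s.cwnd),  # SS: cwnd += min(2904, 1500)
        ("3: SACK 1096", s.on_sack(1096), s.cwnd),  # cwnd was not fully used
        ("   send 2000", s.enqueue(2000), s.cwnd),  # fits: flightsize 0 < 4500
        ("4: SACK 2000", s.on_sack(2000), s.cwnd),  # again not fully used
    ]
    return s, trace


if __name__ == "__main__":
    state, steps = slide_example()
    for label, sent, cwnd in steps:
        print(f"{label}  sent={sent}  cwnd={cwnd}")
    print(f"final: flightsize={state.flightsize} pba={state.pba} cwnd={state.cwnd}")
```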

Page 57: Network Diversity and Multi-homing

Multi-homing can assist greatly in preventing single points of failure.
Path diversity is also needed to prevent a single point of failure.
Consider the following two networks with maximum path diversity and minimal path diversity:
Both hosts are multi-homed, but which network is more desirable?

Page 58: Maximum Path Diversity

[Diagram: Endpoint-1 and Endpoint-2 connected with maximum path diversity.]

Page 59: Minimum Path Diversity

[Diagram: Endpoint-1 and Endpoint-2 connected with minimum path diversity.]

Page 60: Asymmetric Multi-homing

In some cases, one side will be multi-homed while the other side is singly-homed.
In this configuration, a single failure on the multi-homed side may still disable the association.
This failure may occur even when an alternate route exists.
Consider the following picture:

Page 61: Asymmetric Multi-Homing

[Diagram: Endpoint-1 has addresses 1.1 and 2.1; Endpoint-2 has address 3.1; router addresses 1.2, 2.2 and 3.2 sit between them.]

E-1 Route Table      E-2 Route Table
3.0 -> 1.2           1.0 -> 3.2
                     2.0 -> 3.2

Page 62: Solutions to the Problem

One possible solution is shown in the next slide.
One disadvantage is that an extra route must be added to the network, thus using additional address space.
Routing setup is more complicated (most hosts like to use simple default routes).

Page 63: Solution 1

[Diagram: as before, but Endpoint-2 now has addresses 3.1/4.1; Endpoint-1 keeps 1.1 and 2.1, with router addresses 1.2, 2.2 and 3.2.]

E-1 Route Table      E-2 Route Table
3.0 -> 1.2           1.0 -> 3.2
4.0 -> 2.2           2.0 -> 3.2

Page 64: A Simpler Solution

A simpler solution can be made with the assistance of the multi-homed host’s routing table.
It first must be set up to allow duplicate routes at any level in its routing table.
Support must be added to query the routing table for an “alternate” route.
When SCTP hits a set error threshold, it asks for an “alternate” route other than the previously cached one.

Page 65: Solution 2

[Diagram: Endpoint-1 (addresses 1.1 and 2.1) and Endpoint-2 (address 3.1), with router addresses 1.2, 2.2 and 3.2.]

E-1 Route Table      E-2 Route Table
Default -> 1.2       1.0 -> 3.2
Default -> 2.2       2.0 -> 3.2

Page 66: SCTP and TCP: Similarities

Both use a handshake to set up and terminate the state (communication) relationship between peers.
Both have an abortive method to terminate the state.
Both provide a “reliable ordered” service:
Lost data is retransmitted
Data is (or can be) delivered in the order it was sent
Both follow an AIMD-based congestion control mechanism.

Page 67: SCTP and TCP

SCTP uses a four-way handshake to set up an association. TCP uses a three-way handshake to set up a connection.
However, this does not mean that data can start to be sent more quickly (relative to the start of the connection) with TCP.
SCTP can exchange data on the third and fourth leg of its handshake. TCP in practice does not (due to socket API issues).
SCTP delivers messages, not a “byte stream”.
An application using TCP must “frame” its own messages.
SCTP streams allow “partially ordered” transfers:
Escapes head-of-line blocking, while preserving order within each stream.
An SCTP sender can send all messages in a single ordered stream to achieve the same behavior as TCP.
SCTP also provides a “reliable un-ordered” service for applications.

Page 68: SCTP and TCP

TCP is a singly-homed protocol, so a single interface failure can shut down a connection. SCTP is multi-homed and can take advantage of all interfaces and addresses on a host.
SACK support:
Optional in TCP, fundamental to SCTP
TCP SACK has a very limited segment space for specifying out-of-order segments
SCTP has a much larger “gap ack” space so that many sets of segments can be reported
SCTP does not allow a half-closed state.
Half-closed state is when one side is no longer allowed to send data but the other side can.
SCTP does NOT have a TIME-WAIT state that will hold a connection from being made again within a specified time.

Page 69: SCTP and TCP: Security Considerations

SCTP uses the four-way handshake and the signed state cookie to protect against SYN flooding attacks.
SCTP uses a 32-bit random nonce to protect its packets from blind attackers.
I-G version 10 prevents these from ever being revealed after association setup.
TCP does not have this and is more subject to various forms of blind data and control segment injection attacks, as we have recently seen in the news.

Page 70: New Types of Network Applications

Page 71: Cloud Computing (1)

Cloud computing uses virtual machines provided by a service vendor over the network to perform computation, rather than the local machine's hardware.
Cloud computing is a new type of network service that evolved gradually from existing concepts: parallel computing, grid computing and utility computing. It has nevertheless received very wide attention; the key is that cloud computing combines virtualization with automated and standardized service management, so that it can offer truly on-demand computing resources as well as many more kinds of IT application services.
Generally speaking, parallel computing splits one large computing requirement into small computing tasks that many computers process in parallel to solve it quickly. The drawback is that the work must be partitioned with special-purpose logic before it can run on the system. Cloud computing is more flexible in its applications: it imposes no particular requirements on program design or application services; a computing task or application can simply be uploaded and run.
Grid computing is based on the concept of pooling resources: idle heterogeneous computing resources and storage systems on the network are linked together and then consolidated. The architecture of cloud computing is similar, except that the equipment used consists of homogeneous resources. In addition, grid computing is used mostly by research institutions and enterprises. By comparison, cloud services are more flexible and can be used by everyone from enterprises to the general public.

Page 72: Cloud Computing (2)

The three kinds of cloud service people see most often are:
SaaS – Software as a Service: refers broadly to software services obtained over the network, with the data stored on the service provider's side. From the Google services used in daily life to salesforce.com's CRM, these are all SaaS.
PaaS – Platform as a Service: PaaS is a service in which a vendor provides users with a platform for writing network applications, for example Microsoft's Azure and Google's Google App Engine.
IaaS – Infrastructure as a Service: IaaS provides virtual equipment; the best known is Amazon EC2, which developers can rent at any time, choosing the operating system, development language and database they need. Compared with PaaS, the IaaS development environment is more flexible.
There is also a kind of service called STaaS, which resembles a network drive but offers more diverse services: besides basic data storage it can provide off-site backup and version control. The best-known service is Amazon S3.

Page 73: Market Application Models of Peer-to-Peer Technology

Principle
  P2P (Peer to Peer): All resources (CPU, files, storage) are distributed across the endpoint computers; the central server is responsible only for authentication, overall management and brokering the resources of all peers.
  Client_Server: All resources (CPU, files, storage) are concentrated on the central server, and every resource request goes directly to the central server.
Advantages
  P2P (Peer to Peer): Distributed system resources relieve the load on the main server. Good parallel-processing capability. System throughput far exceeds that of the web-based Client_Server architecture. Information is exchanged through memory management, greatly improving performance. Low hardware cost. Clients communicate with each other directly and in real time.
  Client_Server: Centralized security management of resources. Off-the-shelf client programs are free to obtain (IE, Netscape).
Disadvantages
  P2P (Peer to Peer): The architecture is more complex: besides developing the server-side program, a dedicated client program is needed. Resources are shared only once a client is online, so with few clients few resources are shared.
  Client_Server: The server often becomes the bottleneck, and this is hard to improve effectively. High hardware cost.

Page 74: The Two Main Classes of P2P Network Technology

Page 75: Five P2P Application Model Categories (1)

According to the Gartner Group's classification, five different P2P models are proposed. The five models are:
Atomistic model: This type of P2P model needs no central server; each client can connect directly to the others to display and transfer data. But because there is no central server, user identity cannot be verified. Typical applications such as Gnutella or video conferencing (NetMeeting) belong here.
User-centered model: This type needs a third party to manage the user list and provide a user directory. After a user connects to the server, the client lists the directory of users logged in to the same server, so each client can find a specific user. Applications of this kind include ICQ and AOL Messenger. Communication services such as mobile phones, Pocket PCs, PDAs and Bluetooth or wireless devices can also use this model to let users communicate more conveniently.

Page 76: Five P2P Application Model Categories (2)

Data-centered model: Each client (which may be a PC or another mobile device) can locate the data it needs through an index, usually provided by a central server; using the index the client can browse the disk directories of other people's computers and, according to need and permissions, download specific data to its own disk. Napster is an application of this kind.
Computer-centered model: Idle or low-cost computing power is pooled and used to run complex, non-linear tasks, and the results are finally integrated and aggregated to complete the job. Most applications of this kind are at large academic or corporate institutions that need a great deal of computation and can save substantial cost this way, for example SETI@home.
Web Mk2 model: A new model that combines the architecture of the World Wide Web (Web) with the four models above; users configure the functions they need through a browser. In the United States companies such as ControlShift and Groove are building new businesses on this model, but no concrete results have been produced yet.

Page 77: Application Implications and Value Created by P2P Information Technology

Source from: 吳政達, A Study of Virtual Channel Providers' Business Models in Digital Content Industry Applications, Based on Peer-to-Peer Technology (master's thesis)

Page 78: Network Security Issues

Factors affecting network security:
Network architecture, communication protocols, locality, clients, hosts, organizational policy, personnel
Information and communication security, network security, information security, ISO 27001