Toward Formal Modelling and Analysis of SCTP Connection Management

Somsak Vanit-Anunchai
School of Telecommunication Engineering, Institute of Engineering, Suranaree University of Technology, Nakhon Ratchasima, Thailand
22 October 2008

Post on 22-Dec-2015


CPN'08 - 22/10/2008

Outline

- Introduction to SCTP
- Motivation
- SCTP-Packet and VTAG
- Message sequence chart
- Tie Tags
- An error in RFC 4960
- Procedure-based modelling approach
- SCTP-CPN model
- Analysis
- Problems
- Discussion
- Conclusions and Future Work


What is Stream Control Transmission Protocol (SCTP)?

- A transport protocol originally developed by the SIGTRAN group of the Internet Engineering Task Force (IETF).
- It became Request For Comments (RFC) 2960 in October 2000.
- Aims to overcome the weaknesses of TCP.
- Uses a four-way handshake and a cookie mechanism to prevent Denial of Service (DoS) attacks.

[Figure: protocol stack. Network Layer: Internet Protocol (IP). Transport Layer: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Datagram Congestion Control Protocol, SCTP.]


Motivations

- Discrepancies between RFC 2960 and the Implementation Guide (IG).
- SCTP Errata published in RFC 4460 (Sep. 2007).
- Revised SCTP spec. – RFC 4960 published in Sep. 2007.
- Q1. Are there any defects left?
- Q2. Are new defects introduced in the new spec?
- Experiment with the Procedure-based modelling approach.


SCTP Packet Format

An SCTP Packet comprises a header and a number of chunks.


Verification Tag (VTAG)

Verification Tag is used to protect the association from blind attacks.

An endpoint keeps two values of verification tag: “My Verification Tag” and “Peer’s Verification Tag”. In general, any received packet containing a verification tag differing from “My Verification Tag” will be discarded.


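Typical message sequence: Connection Setup

Endpoint A: Initial Verification Tag = Ax. Endpoint Z: Initial Verification Tag = Zx. Both endpoints start in CLOSED.

- A receives [ASSOCIATE], sends Init (vtag=0, itag=Ax) and moves from CLOSED to COOKIE-WAIT.
- Z replies with InitAck (vtag=Ax, itag=Zx, CK[Zx,Ax]) and stays in CLOSED.
- A sends CookieEcho (vtag=Zx, CK[Zx,Ax]) and moves to COOKIE-ECHOED.
- Z moves to ESTABLISHED and sends CookieAck (vtag=Ax).
- A receives CookieAck and moves to ESTABLISHED.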
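
The setup exchange and the verification-tag rule above, as an added Python sketch (not code from the slides or from any SCTP implementation): endpoint Z keeps no state until a valid CookieEcho arrives, and a packet whose vtag differs from "My Verification Tag" is discarded. The `Endpoint` class, the dict packet layout and the HMAC protecting the cookie are assumptions of this example.

```python
import hashlib, hmac, secrets

class Endpoint:
    """One side of an association; vtag/itag/CK names follow the slide."""
    def __init__(self, name):
        self.name, self.state = name, "CLOSED"
        self.my_vtag = secrets.randbits(32) or 1  # Ax or Zx; 0 is reserved for Init
        self.peer_vtag = None
        self.key = secrets.token_bytes(16)        # assumption: secret for the cookie MAC

    def _mac(self, local, peer):
        msg = f"{local}:{peer}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def associate(self):                          # user command [ASSOCIATE]
        self.state = "COOKIE-WAIT"
        return {"type": "Init", "vtag": 0, "itag": self.my_vtag}

    def receive(self, p):
        """Process one packet; return the reply, or None if nothing is sent."""
        t = p["type"]
        if t == "Init":                           # answered without creating state
            if p["vtag"] != 0:
                return None
            ck = (self.my_vtag, p["itag"], self._mac(self.my_vtag, p["itag"]))
            return {"type": "InitAck", "vtag": p["itag"], "itag": self.my_vtag, "ck": ck}
        if t == "CookieEcho" and self.state == "CLOSED":
            local, peer, mac = p["ck"]
            ok = hmac.compare_digest(mac, self._mac(local, peer))
            if not ok or p["vtag"] != local:      # forged or altered cookie
                return None
            self.peer_vtag, self.state = peer, "ESTABLISHED"
            return {"type": "CookieAck", "vtag": peer}
        if p["vtag"] != self.my_vtag:             # general rule: wrong tag, discard
            return None
        if t == "InitAck" and self.state == "COOKIE-WAIT":
            self.peer_vtag, self.state = p["itag"], "COOKIE-ECHOED"
            return {"type": "CookieEcho", "vtag": self.peer_vtag, "ck": p["ck"]}
        if t == "CookieAck" and self.state == "COOKIE-ECHOED":
            self.state = "ESTABLISHED"
        return None                               # restart/Tie-Tag cases not modelled

def run_setup():
    """Drive A -> Z setup; return both endpoints and (chunk, A state, Z state)."""
    a, z = Endpoint("A"), Endpoint("Z")
    pkt, dst, src, trace = a.associate(), z, a, []
    while pkt:
        trace.append((pkt["type"], a.state, z.state))
        pkt, dst, src = dst.receive(pkt), src, dst
    return a, z, trace
```

Each trace entry records the chunk in flight and both endpoint states at the moment it is sent, so the third entry shows Z still in CLOSED while A is already in COOKIE-ECHOED.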


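Typical message sequence: Connection Closedown

Endpoint A and Endpoint Z both start in ESTABLISHED.

- A receives [SHUTDOWN] and moves to SHUTDOWN-PENDING.
- When A has no more outstanding data, it sends Shutdown (vtag=Zx) and moves to SHUTDOWN-SENT.
- Z moves to SHUTDOWN-RECEIVED.
- When Z has no more outstanding data, it sends ShutdownAck (vtag=Ax) and moves to SHUTDOWN-ACK-SENT.
- A sends ShutdownComplete (vtag=Zx) and moves to CLOSED.
- Z receives ShutdownComplete and moves to CLOSED.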


Tie-Tag

- Modelling Tie-Tags is a main contribution of this paper.
- Tie-Tags are copies of the two verification tags.
- RFC 2960: Tie-Tags are stored in the cookie.
- RFC 4960: Tie-Tags are stored in both the cookie and the TCB.
- In the TCB: “Local Tag” and “Peer’s Tag”. (definitions)
- In the cookie: “Local Tie-Tag” and “Peer’s Tie-Tag”.
- Thus a cookie contains a pair of VTAGs and a pair of Tie-Tags. The TCB contains a pair of VTAGs and a pair of Tie-Tags.
- The Tie-Tags are used to tie the received cookie of the new association to the old association.
- Table 2 section 5.4.2 of RFC 4960.
- TCB = Transmission Control Block, containing the state variables for an SCTP connection.


An error in section 5.2.4 of RFC 4960

(but the implementation is correct)

[Figure annotations: “Local VTAG in Cookie”; “Peer’s VTAG in Cookie”]


Motivations

- Discrepancies between RFC 2960 and the Implementation Guide (IG).
- SCTP Errata published in RFC 4460 (Sep. 2007).
- Revised SCTP spec. – RFC 4960 published in Sep. 2007.
- Q1. Are there any defects left? A: don’t know yet.
- Q2. Are new defects introduced in the new spec? A: yes!
- Experiment with the Procedure-based modelling approach.


What is the Procedure-based modelling approach?

- State-based style: a CPN model is usually divided into several CPN subpages according to the protocol’s states. The model is easy to read.
- For a protocol procedure, an event is when an endpoint receives a packet or a user command.
- Events in different states may cause the endpoint to act in the same way regardless of state.
- Event-processing style groups similar events into the same CPN subpage. The model is very compact but difficult to read.


- In order to develop a CPN model which is not only easy to read but also small, Billington proposed the procedure-based approach in [FI08]: “Coloured Petri Nets Modelling of an Evolving Internet Standard: the Datagram Congestion Control Protocol”, Fundamenta Informaticae, In Press, 2008.
- Following the procedure-based style, we group events according to their functionality, e.g. typical procedures; error handling procedures (unexpected events).
- In [FI08] we built an event-processing CPN model from a state-based CPN model. Then a procedure-based CPN model was developed from the event-processing CPN model.
- Q3. What if we develop a procedure-based CPN model directly from the narrative specification?


Hierarchy – SCTP-CPN Model

- 4-level, 2 ML functions
- 6 places
- 54 executable transitions

[Figure: hierarchy page. Page names: SCTP_Procedure; Normal Event, UnexpectedEvent, Retransmission; Abort, Check InvalidVTAG; Establish, ShutDown, Init_InitAck, CookieEcho_CookieAck; Shutdown; Restart, SimultaneousOpen; Delayed Cookie; Tag_Match]


Top-level page


Typical message sequence: Connection Setup


Analysis Results

Scenarios: One side opens; Simultaneous Open; One side closes; Simultaneous Closed; One side aborts.

Number of retransmission

- Init, InitAck, CookieEcho, CookieAck


Potential Problem 1 – Case A One side opens

Source of the problem: CookieAck is so delayed


Potential Problem 2 – Case B Simultaneous Open


Discussion

- This paper focuses on modelling. Analysis is used to debug the model.
- It took me two months, part time, to study the protocol and to create and debug the model.
- Why are the problems called potential problems?
- We are not so sure if they are really problems. We do not model time-stamps and user behaviour.
- While developing the model, we found an error in Table 2, section 5.2.4 of RFC 4960. This was confirmed by the IETF.

http://www.ietf.org/mail-archive/web/tsvwg/current/msg08603.html


Conclusions

- The difficulty of designing a protocol is again witnessed by the defect list in RFC 4460.
- This paper presents a CPN model of SCTP connection management.
- We still need more exhaustive work on the analysis part.
- The procedure-based style suits the SCTP specification.
- One error and two potential problems were found.


Further work

- Investigate complex scenarios when unexpected CookieEcho chunks are received.
- Investigate the user interface, time stamp, stale packets, and cookie authentication.

Future work

- Multi-homing
- Security attacks against SCTP


Thank you!

Any questions?


Chunk - Declaration


TCB - Declaration