Post on 15-Jan-2016
Lecture 9
SCTP Sockets
CPE 401 / 601Computer Network Systems
slides are modified from Janardhan Iyengar, John Rumsey, Nimish Vartak
Where is SCTP in the stack?
(figure: SCTP sits alongside UDP and TCP at the transport layer, inside the kernel, above IP and the link layer (Wifi, Eth); user-level applications reach it through the socket API, exactly as they reach TCP and UDP)
SCTP – Motivation
New applications: the migration of telephony signaling messages from the PSTN to a packet-based Internet
Shortcomings of existing protocols
TCP
• "head-of-line blocking"
• byte-oriented, not message-oriented
• multi-homing support not built in
• prone to DoS attacks (SYN flooding, see below)
UDP
• no reliability
• no congestion control
• no flow control
SCTP – Overview
"SCTP is a reliable transport protocol operating on top of a connectionless packet network such as IP. …" RFC 2960 (since obsoleted by RFC 4960, which keeps this definition)
Has built-in support for multi-homed hosts
Is message-based – conserves the message boundaries
Delivers user messages in sequence within each of multiple independent streams, with an option for un-ordered delivery of individual user messages
Additional security mechanisms (the cookie-based 4-way handshake and the verification tag, both covered below)
SCTP Feature Summary
Start with TCP: reliable (retransmissions), congestion controlled, connection oriented
Add:
• 4-way handshake, to reduce vulnerability to DoS attacks
• framing, to preserve message boundaries
• multistreaming: instead of one ordered stream, up to 64K independent ordered streams
• multihoming: instead of one IP address per endpoint, a set of IP addresses per endpoint
TCP Connection Setup
(figure: A starts in closed, B in listen; at t=0 A sends SYN and enters SYN sent; B receives the SYN, creates a TCB and replies SYN-ACK; after 1 RTT A is established and sends ACK plus data; B is then established too)

SYN Flooding Attack
(figure: attackers at many spoofed source addresses send SYNs to the victim, which allocates a TCB for each one; the victim is flooded and its reserved resources are unavailable)
• There is no ACK in response to the SYN-ACK, hence the connection remains half-open
• Other genuine clients cannot open connections to the victim
• The victim is unable to provide service
SCTP – Features (contd …) Connection setup
INIT (the SYN equivalent)
INIT-ACK (the SYN-ACK equivalent)
COOKIE-ECHO
COOKIE-ACK
End-Point A ↔ End-Point Z

What's in a cookie?
Information from the original INIT
Information from the current INIT-ACK
Timestamp
Life span of the cookie (time to live)
A MAC for authentication (a keyed hash such as HMAC-SHA1 or HMAC-MD5 over the cookie, computed with a secret known only to the endpoint that issued it)
The cookie is what lets Z avoid allocating a TCB on INIT: all the state it needs comes back inside the COOKIE-ECHO, and the MAC tells Z that it really issued that cookie and that nobody altered it in transit.

SCTP Association Setup
V: Verification tag; I: Initiate tag
t=0: A (closed) sends INIT (V=0) (I=TagA) and enters cookie wait; B stays closed and keeps no state
1 RTT: B answers INIT-ACK (V=TagA) (I=TagB) (StateCookie)
A sends COOKIE-ECHO (V=TagB) (StateCookie) and enters cookie echoed
2 RTT: B verifies the cookie, creates the TCB, sends COOKIE-ACK (V=TagA) and is established; A becomes established and sends data (V=TagB)
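The exchange above, modelled in Python as an added example (not code from the slides or from any SCTP stack). Messages are plain dicts rather than wire-format chunks; the names Server, on_init, on_cookie_echo and flood_then_connect are this example's own, and HMAC-SHA256 stands in for the "SHA-1, MD5, etc." of the slide. What it shows is the point of the cookie: the server allocates nothing on INIT, so an INIT flood from spoofed addresses leaves it with zero half-open associations, while a forged, altered or expired cookie is silently dropped.

```python
import hashlib
import hmac
import os
import struct
import time

# Model of the INIT / INIT-ACK / COOKIE-ECHO / COOKIE-ACK exchange (RFC 4960
# section 5.1).  Messages are dicts rather than wire-format chunks; the point is
# the State Cookie: the server stores nothing on INIT, so an INIT flood from
# spoofed addresses cannot fill a table of half-open associations the way a TCP
# SYN flood fills the backlog with TCBs.

COOKIE_LIFE = 60                  # Valid.Cookie.Life, RFC 4960 default in seconds
_BODY = "!IIHHII"                 # peer tag, my tag, out streams, in streams, initial TSN, timestamp
_BODY_LEN = struct.calcsize(_BODY)


class Server:
    def __init__(self, secret=None, now=time.time):
        self._secret = secret or os.urandom(32)   # a real stack rotates this key periodically
        self._now = now
        self.tcbs = {}                             # my verification tag -> association state

    def _mac(self, body):
        return hmac.new(self._secret, body, hashlib.sha256).digest()

    def on_init(self, init):
        """INIT -> INIT-ACK.  Everything needed later is packed into the cookie; nothing is stored."""
        my_tag = struct.unpack("!I", os.urandom(4))[0] or 1        # verification tag must be non-zero
        body = struct.pack(_BODY, init["init_tag"], my_tag, init["out_streams"],
                           init["in_streams"], init["tsn"], int(self._now()))
        return {"type": "INIT-ACK", "vtag": init["init_tag"], "init_tag": my_tag,
                "cookie": body + self._mac(body)}

    def on_cookie_echo(self, echo):
        """COOKIE-ECHO -> COOKIE-ACK, or None to silently drop.  The TCB is created only here."""
        cookie = echo["cookie"]
        if len(cookie) != _BODY_LEN + 32:
            return None
        body, mac = cookie[:_BODY_LEN], cookie[_BODY_LEN:]
        if not hmac.compare_digest(mac, self._mac(body)):          # forged or altered cookie
            return None
        peer_tag, my_tag, out_s, in_s, tsn, stamp = struct.unpack(_BODY, body)
        if self._now() - stamp > COOKIE_LIFE:                       # stale cookie (replay)
            return None
        if echo["vtag"] != my_tag:                                  # must carry the tag we issued
            return None
        self.tcbs[my_tag] = {"peer_tag": peer_tag, "peer_tsn": tsn, "streams": (out_s, in_s)}
        return {"type": "COOKIE-ACK", "vtag": peer_tag}


def client_handshake(server, init_tag=0xA1A1A1A1):
    """Honest client: INIT, then echo the cookie from INIT-ACK using the server's tag."""
    init_ack = server.on_init({"init_tag": init_tag, "out_streams": 4, "in_streams": 4, "tsn": 100})
    return server.on_cookie_echo({"vtag": init_ack["init_tag"], "cookie": init_ack["cookie"]})


def flood_then_connect(server, n_bogus=1000):
    """INIT flood from spoofed sources that never answer, then one honest client.
    Returns (TCBs held after the flood, TCBs after the honest handshake, the final reply)."""
    for i in range(n_bogus):
        server.on_init({"init_tag": 1 + i, "out_streams": 10, "in_streams": 10, "tsn": i})
    after_flood = len(server.tcbs)
    reply = client_handshake(server)
    return after_flood, len(server.tcbs), reply


if __name__ == "__main__":
    print(flood_then_connect(Server()))
```

The server's only cost per bogus INIT is one HMAC and one reply packet, which is the trade-off the 4-way handshake makes: the attacker pays a round trip (and must be able to receive at the spoofed address) before the server commits any memory.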
SCTP – Features (contd …) Connection close
SHUTDOWN
SHUTDOWN-ACK
SHUTDOWN-COMPLETE
End-Point A ↔ End-Point Z
No half-closed state: unlike TCP, once one side has initiated SHUTDOWN neither side can send new data

Graceful Shutdown
App signals shutdown; A enters shutdown pending while data is still outstanding
A sends SHUTDOWN once its pending data has been acknowledged and enters shutdown sent
B enters shutdown received, drains its own pending data, sends SHUTDOWN-ACK and enters shutdown-ack sent
A replies SHUTDOWN-COMPLETE and closes; B closes on receiving it

SCTP state diagram
States: CLOSED, COOKIE_WAIT, COOKIE_ECHOED, ESTABLISHED, SHUTDOWN-PENDING, SHUTDOWN-SENT, SHUTDOWN-RECEIVED, SHUTDOWN-ACK-SENT, and back to CLOSED
Message Boundaries
UDP honors message boundaries: each app message becomes a datagram
TCP does not honor message boundaries: app messages become part of a byte stream
SCTP maintains message boundaries: each app message is carried as one or more DATA chunks (fragmented if it exceeds the path MTU, and reassembled at the receiver)
SCTP Header
(figure: the common header of Source Port (2 bytes), Destination Port (2), Verification Tag (4), Checksum (4), followed by Chunk 1 … Chunk N, each made of Type (1), Flags (1), Length (2), Value (N))
• An SCTP packet forms the payload of an IP packet
• An SCTP packet consists of a 12 byte common header and one or more "Chunks"
• Control chunks are bundled before DATA chunks
Chunks in SCTP
SCTP Header
Source Port & Destination Port: uses the same port concept as TCP and UDP
Verification Tag: exchanged between endpoints at startup, to validate the sender (a packet carrying the wrong tag is silently discarded, which blunts blind injection attacks)
Checksum: the packet is protected by a 32 bit checksum (CRC32c; RFC 2960 originally specified Adler-32, which RFC 3309 replaced with CRC32c)
SCTP Chunks
Type: used to distinguish DATA chunks and the different types of control chunks
Flags: usage depends on chunk type
Length: required because chunks have a variable length (it counts Type, Flags, Length and Value, but not the padding that aligns each chunk to 4 bytes)
Value: payload field
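A builder and parser for the common header and chunk layout just described, added here as a worked example (not code from the slides or from any SCTP implementation). It includes a pure-Python CRC32c, parses DATA and INIT chunks, and rejects what a receiving stack would discard: a bad checksum, a chunk whose Length runs past the end of the packet, an INIT that is not alone in its packet or that carries a non-zero verification tag, and a verification tag that does not match the association. The sample packet is constructed inline; one assumption is flagged in the code: the CRC32c value is written into the checksum field in little-endian byte order, which is what the reference routine in RFC 4960 Appendix B produces.

```python
import struct

# Builder and parser for the SCTP common header and chunk layout described on
# the slides (RFC 4960 sections 3.1-3.3).  The sample packet is constructed
# here, not captured.  Assumption: the CRC32c result is stored in the checksum
# field in little-endian byte order, which is what the reference routine in
# RFC 4960 Appendix B produces.

_POLY = 0x82F63B78                      # CRC32c (Castagnoli), reflected form
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32c(data):
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


DATA, INIT, SACK = 0, 1, 3


def chunk(ctype, flags, value):
    """Type(1) Flags(1) Length(2) Value; Length excludes the padding to a 4-byte boundary."""
    length = 4 + len(value)
    return struct.pack("!BBH", ctype, flags, length) + value + b"\x00" * (-length % 4)


def data_chunk(tsn, stream, ssn, ppid, payload, unordered=False, begin=True, end=True):
    flags = (4 if unordered else 0) | (2 if begin else 0) | (1 if end else 0)   # U, B, E bits
    return chunk(DATA, flags, struct.pack("!IHHI", tsn, stream, ssn, ppid) + payload)


def packet(src_port, dst_port, vtag, chunks):
    hdr = struct.pack("!HHII", src_port, dst_port, vtag, 0)     # checksum field zero while computing
    return hdr[:8] + struct.pack("<I", crc32c(hdr + chunks)) + chunks


def parse(pkt, expected_vtag=None):
    """Return (header dict, list of chunk dicts).  Raises ValueError for anything a stack would discard."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    src, dst, vtag = struct.unpack("!HHI", pkt[:8])
    (stored,) = struct.unpack("<I", pkt[8:12])
    if crc32c(pkt[:8] + b"\x00\x00\x00\x00" + pkt[12:]) != stored:
        raise ValueError("bad CRC32c")
    chunks, off = [], 12
    while off < len(pkt):
        if len(pkt) - off < 4:
            raise ValueError("truncated chunk header")
        ctype, flags, length = struct.unpack("!BBH", pkt[off:off + 4])
        if length < 4 or off + length > len(pkt):                   # never trust Length blindly
            raise ValueError("chunk length %d runs past end of packet" % length)
        value = pkt[off + 4:off + length]
        c = {"type": ctype, "flags": flags, "value": value}
        if ctype == DATA:
            if len(value) < 13:                                     # 12-byte DATA header + at least 1 data byte
                raise ValueError("DATA chunk too short")
            c["tsn"], c["stream"], c["ssn"], c["ppid"] = struct.unpack("!IHHI", value[:12])
            c["unordered"], c["begin"], c["end"] = bool(flags & 4), bool(flags & 2), bool(flags & 1)
            c["payload"] = value[12:]
        elif ctype == INIT:
            if len(value) < 16:
                raise ValueError("INIT chunk too short")
            (c["init_tag"], c["a_rwnd"], c["out_streams"],
             c["in_streams"], c["tsn"]) = struct.unpack("!IIHHI", value[:16])
        chunks.append(c)
        off += length + (-length % 4)                               # step over the padding
    has_init = any(c["type"] == INIT for c in chunks)
    if has_init and (vtag != 0 or len(chunks) != 1):                # RFC 4960 section 3.3.2
        raise ValueError("INIT must be the only chunk and carry verification tag 0")
    if expected_vtag is not None and not has_init and vtag != expected_vtag:
        raise ValueError("verification tag mismatch")               # blind injection attempt
    return {"src": src, "dst": dst, "vtag": vtag}, chunks


def is_malformed(pkt):
    try:
        parse(pkt)
        return False
    except ValueError:
        return True


# Constructed sample: two DATA chunks on stream 1, the second flagged unordered.
SAMPLE = packet(5000, 6000, 0x1234ABCD,
                data_chunk(112, 1, 0, 0, b"hello") +
                data_chunk(113, 1, 1, 0, b"world!", unordered=True))
```

The Length check is the one that matters most in a real stack: every chunk walker that trusts the Length field before comparing it with the bytes actually received is an out-of-bounds read waiting to happen, and the CRC only protects against corruption, not against a sender who computes it correctly over a malicious packet.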
INIT Chunk
Type = 1 | Chunk Flags | Chunk Length
Initiate Tag
Advertised Receiver Window Credit (a_rwnd)
Number of Outbound Streams | Number of Inbound Streams
Initial Transmission Sequence Number (TSN)
Optional/Variable-Length Parameters
Data Chunk
Type = 0 | Reserved | U B E | Length
Transmission Sequence Number (TSN)
Stream Identifier S | Stream Sequence Number N
Payload Protocol Identifier
User Data (seq. n of Stream S)
(U: unordered delivery; B and E: beginning and end of a fragmented user message)
Selective Acknowledgement
(figure: the receiver holds DATA chunks with TSN 109–113, 116–122 and 124–126; TSNs 114, 115 and 123 were lost (marked X). It returns a SACK chunk with Cumulative TSN = 113, Gap Ack Block #1 Start = +3 End = +9 (TSN 116–122) and Gap Ack Block #2 Start = +11 End = +13 (TSN 124–126); gap block offsets are relative to the cumulative TSN)

SACK Chunk
Type = 3 | Chunk Flags | Chunk Length
Cumulative Transmission Sequence Number (TSN) Ack
Advertised Receiver Window Credit (a_rwnd)
Number of Gap Ack Blocks = N | Number of Duplicate TSNs = X
Gap Ack Block #1 Start | Gap Ack Block #1 End
…
Gap Ack Block #N Start | Gap Ack Block #N End
Duplicate Transmission Sequence Number (TSN) 1
…
Duplicate Transmission Sequence Number (TSN) X
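The SACK computation on both sides, run on the TSN numbers of the figure above, as an added example (not code from the slides or from any SCTP stack). build_sack is the receiver deriving the cumulative ack and the gap blocks, encode_sack/decode_sack are the chunk layout just listed (decode_sack checks that the two counts agree with the chunk length before indexing), and missing_tsns/fast_retransmit_due are the sender working out which TSNs the SACK says never arrived. All function names are this example's own; 32-bit TSN wrap-around is ignored.

```python
import struct

# Receiver- and sender-side SACK logic from RFC 4960 section 3.3.4, run on the
# TSN numbers of the slide above (received 109-113, 116-122 and 124-126; 114,
# 115 and 123 lost).  Constructed data, not a capture.  Real stacks compare TSNs
# with 32-bit serial-number arithmetic; wrap-around is ignored here.

SACK_TYPE = 3


def build_sack(received, cum_before, a_rwnd, duplicates=()):
    """Receiver side: advance the cumulative ack over the contiguous prefix, then
    report every run of TSNs above it as a gap block of offsets (start, end)."""
    have = set(received)
    cum = cum_before
    while cum + 1 in have:
        cum += 1
    gaps, start, prev = [], None, None
    for t in sorted(x for x in have if x > cum):
        if start is None:
            start = t
        elif t != prev + 1:                    # run ended: close the block
            gaps.append((start - cum, prev - cum))
            start = t
        prev = t
    if start is not None:
        gaps.append((start - cum, prev - cum))
    return {"cum_tsn": cum, "a_rwnd": a_rwnd, "gaps": gaps, "dups": sorted(duplicates)}


def encode_sack(sack):
    """Wire form of the SACK chunk listed above (no padding needed: every field is 2 or 4 bytes)."""
    body = struct.pack("!IIHH", sack["cum_tsn"], sack["a_rwnd"], len(sack["gaps"]), len(sack["dups"]))
    body += b"".join(struct.pack("!HH", s, e) for s, e in sack["gaps"])
    body += b"".join(struct.pack("!I", d) for d in sack["dups"])
    return struct.pack("!BBH", SACK_TYPE, 0, 4 + len(body)) + body


def decode_sack(raw):
    ctype, _flags, length = struct.unpack("!BBH", raw[:4])
    if ctype != SACK_TYPE or length != len(raw) or length < 16:
        raise ValueError("not a well-formed SACK chunk")
    cum, a_rwnd, n_gaps, n_dups = struct.unpack("!IIHH", raw[4:16])
    if length != 16 + 4 * n_gaps + 4 * n_dups:                      # counts must match the length
        raise ValueError("gap/dup counts disagree with chunk length")
    gaps = [struct.unpack("!HH", raw[16 + 4 * i:20 + 4 * i]) for i in range(n_gaps)]
    base = 16 + 4 * n_gaps
    dups = [struct.unpack("!I", raw[base + 4 * i:base + 4 * i + 4])[0] for i in range(n_dups)]
    return {"cum_tsn": cum, "a_rwnd": a_rwnd, "gaps": gaps, "dups": dups}


def missing_tsns(sack, highest_sent):
    """Sender side: TSNs above the cumulative ack that no gap block covers are missing."""
    cum = sack["cum_tsn"]
    acked = set()
    for s, e in sack["gaps"]:
        acked.update(range(cum + s, cum + e + 1))
    return [t for t in range(cum + 1, highest_sent + 1) if t not in acked]


def fast_retransmit_due(miss_counts, sack, highest_sent, threshold=3):
    """Update per-TSN miss-report counters (RFC 4960 section 7.2.4) and return the TSNs
    that have now been reported missing `threshold` times and should be retransmitted."""
    due = []
    for t in missing_tsns(sack, highest_sent):
        miss_counts[t] = miss_counts.get(t, 0) + 1
        if miss_counts[t] == threshold:
            due.append(t)
    return due
```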
Multi-streaming
• A.k.a. partial ordering; eliminates head-of-line (HOL) blocking
• In TCP, all data must be delivered in order; a loss at the head of the line delays delivery of all subsequent data
• In SCTP, you can send over up to 64K independent streams, each ordered independently
• A loss on one stream does not delay delivery on other streams, i.e. multi-streaming eliminates HOL blocking between streams (within a single stream, ordered messages still wait for a lost predecessor)
Head-of-Line Blocking in TCP
(figure: sender S sends segments 1–6 to receiver R; segment 3 is lost, so R's application receives only 1 and 2 while R keeps answering segments 4, 5 and 6 with ACK 3; PDU 3 is blocking the head of the line)

Head-of-line Blocking
TCP provides a single data stream
When a segment is lost, subsequent segments must wait to be processed
Problem for some applications (telephony)
SCTP provides multiple independent streams per association
SCTP Multistreaming
Logical separation of data within an association
Designed to prevent head-of-line blocking
Can be used to deliver multiple objects belonging to the same association, e.g. objects on a webpage, multimedia streams (audio/video/text), files in an FTP mget
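Receiver-side delivery for the two models just contrasted, as an added example (not code from the slides or from any SCTP stack). StreamReceiver keeps one expected Stream Sequence Number per stream and parks out-of-order messages until the gap fills; replay feeds a constructed arrival sequence (six messages alternating over two streams, the third lost and retransmitted last) through it once per stream and once folded into a single stream, so the difference in what the application gets before the retransmission arrives is visible. Names and the arrival sequence are this example's own.

```python
# Receiver-side delivery for the multi-streaming model above.  Each stream keeps
# its own expected Stream Sequence Number (SSN), so a gap in stream 0 holds back
# later stream-0 messages only while stream 1 keeps delivering.  The arrival
# sequence is constructed here; the same arrivals are replayed through a
# single-stream receiver to show TCP-style head-of-line blocking for contrast.


class StreamReceiver:
    def __init__(self):
        self.next_ssn = {}        # stream id -> next SSN the application expects
        self.pending = {}         # stream id -> {ssn: payload} parked behind a gap
        self.delivered = []       # (stream, payload) in the order handed to the application

    def receive(self, chunk):
        sid, ssn, payload = chunk["stream"], chunk["ssn"], chunk["payload"]
        if chunk.get("unordered"):               # U bit: hand over immediately, never reorder
            self.delivered.append((sid, payload))
            return
        queue = self.pending.setdefault(sid, {})
        queue[ssn] = payload
        expected = self.next_ssn.get(sid, 0)
        while expected in queue:                 # drain everything that is now in order
            self.delivered.append((sid, queue.pop(expected)))
            expected += 1
        self.next_ssn[sid] = expected


def sample_arrivals():
    """Six messages sent alternately on streams 0 and 1; the third (stream 0, SSN 1)
    is lost in transit and only arrives last, as a retransmission."""
    sent = [{"global_seq": g, "stream": g % 2, "ssn": g // 2, "payload": "m%d" % g}
            for g in range(6)]
    lost = sent.pop(2)
    return sent + [lost]


def replay(arrivals, num_streams):
    """Deliver the arrivals; num_streams=1 folds everything into one ordered stream (TCP-like)."""
    rx = StreamReceiver()
    for c in arrivals:
        if num_streams == 1:
            c = dict(c, stream=0, ssn=c["global_seq"])
        rx.receive(c)
    return [p for _, p in rx.delivered]


def delivered_before_retransmit(arrivals, num_streams):
    """How many messages reached the application before the retransmission showed up."""
    return len(replay(arrivals[:-1], num_streams))
```

With two streams the application has four of the five arrived messages before the retransmission lands; with one ordered stream it has two, everything after the lost message being held back exactly as in the TCP figure.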
Multi-homing
(figure: End-Point A and End-Point Z each attached to the Internet through more than one interface)
• In TCP, connections are made between <IP addr, port> and <IP addr, port>
• If a host is multi-homed, you have to choose ONE IP addr only, at each end
• If that interface goes down, so does the connection
• With SCTP, you can list as many IP addresses per endpoint as you like
• If the host is still reachable through ANY of those addresses, the association stays up
SCTP Multi-Homing
Multiple src/dest IP addresses
Use of different physical paths is not guaranteed (two addresses may share one link)
Peer reachability and path status are monitored (heartbeat)
One selectable default destination
Parameters per path (cwnd, ssthresh, RTT)
(figure: endpoint A with IP A1 and IP A2, endpoint B with IP B1, IP B2 and IP B3, joined by an IP network)
What is SCTP Multihoming?
(figure: Host A with addresses A1 and A2, Host B with addresses B1 and B2, each address reaching the Internet through its own ISP)
Hosts pick 1 of 4 possible TCP connections: {(A1, B1), (A1, B2), (A2, B1), (A2, B2)}
Hosts use 1 SCTP association: ({A1,A2}, {B1,B2})
Selectable "primary" destination: Host A → B1; Host B → A1
New data is sent only to the primary destination

Multihoming Operation
(figure: SCTP Endpoint A (IP address A1, IP address A2) sends DATA to SCTP Endpoint B (IP address B1, IP address B2), and B returns a SACK)
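The path monitoring behind "peer reachability and path status are monitored (heartbeat)" and "one selectable default destination", modelled as an added example (not code from the slides or from any SCTP stack) after RFC 4960 sections 8.2 and 8.3. Each unanswered HEARTBEAT on an address bumps that path's error counter; once it exceeds Path.Max.Retrans the address is marked inactive and new data moves to another active address. The scenario (B1 stops answering, A fails over to B2, B1 recovers) and all names are this example's own; per-path RTO, cwnd and ssthresh are stored but not adapted, and failover is modelled as switching the primary rather than merely bypassing it.

```python
# Path monitoring and failover for the multi-homed association above, after
# RFC 4960 sections 8.2 and 8.3: each unanswered HEARTBEAT (or retransmission
# timeout) on a destination address bumps that path's error counter; once it
# exceeds Path.Max.Retrans the address is marked inactive and new data goes to
# another active address.  Constructed scenario: A knows B1 (primary) and B2.
# Simplification: per-path RTO, cwnd and ssthresh are stored but not adapted,
# and the primary is switched to the alternate rather than merely bypassed.

PATH_MAX_RETRANS = 5          # RFC 4960 default


class Path:
    def __init__(self, addr):
        self.addr = addr
        self.active = True
        self.error_count = 0
        self.rto, self.cwnd, self.ssthresh = 3.0, 4380, 65535      # parameters per path


class Association:
    def __init__(self, peer_addrs, primary):
        self.paths = {a: Path(a) for a in peer_addrs}
        self.primary = primary
        self.log = []                                               # what the ULP would be told

    def heartbeat_result(self, addr, acked):
        """Called when a HEARTBEAT-ACK arrives (acked=True) or its timer expires (acked=False)."""
        p = self.paths[addr]
        if acked:
            p.error_count = 0
            if not p.active:
                p.active = True
                self.log.append(("reactivated", addr))              # SCTP_PEER_ADDR_CHANGE to the ULP
            return
        p.error_count += 1
        if p.active and p.error_count > PATH_MAX_RETRANS:
            p.active = False
            self.log.append(("inactive", addr))
            if addr == self.primary:
                self._failover()

    def _failover(self):
        for a, p in self.paths.items():
            if p.active:
                self.primary = a
                self.log.append(("primary", a))
                return
        self.log.append(("unreachable", None))     # no path left: the association-level error count decides

    def send_destination(self):
        """New data goes to the primary; if it is down, to any active alternate, else nowhere."""
        if self.paths[self.primary].active:
            return self.primary
        return next((a for a, p in self.paths.items() if p.active), None)


def scenario():
    """B1 stops answering heartbeats, A fails over to B2, then B1 recovers."""
    a = Association(["B1", "B2"], primary="B1")
    for _ in range(PATH_MAX_RETRANS):              # five misses: still within tolerance
        a.heartbeat_result("B1", acked=False)
    still_b1 = a.send_destination()
    a.heartbeat_result("B1", acked=False)          # sixth miss exceeds Path.Max.Retrans
    after_failover = a.send_destination()
    a.heartbeat_result("B1", acked=True)
    return still_b1, after_failover, a.send_destination(), a.log
```

The slide's caveat that different physical paths are not guaranteed applies directly: if B1 and B2 sit behind the same link, both counters climb together and the association ends up in the "unreachable" branch rather than failing over.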
SCTP – Summary
Well suited for multimedia
Like TCP
• Provides connection establishment
• Ensures reliability
• Provisions for ordered and un-ordered data
• Provides congestion control
In addition to TCP features
• Provides multi-homing
• Provides multi-streaming
• Has security features (cookie handshake, verification tags)
SCTP Socket Types
SCTP socket API comes in two forms: one-to-one and one-to-many.
The one-to-many was at one time known as the "UDP style" socket. The one-to-one used to be called the "TCP style" socket.
So what is the purpose of each socket style and how can it be used?
One-to-One style
The purpose of the one-to-one style socket is to provide a smooth transition mechanism for those applications running on TCP and wishing to move to SCTP.
The same semantics used in TCP are used with this style.
A server will typically open the socket, bind it, make a call to listen (to accept associations), and call accept, blocking until a new association arrives.
The only notable difference between a TCP socket and an SCTP socket is that the socket call uses IPPROTO_SCTP instead of IPPROTO_TCP (or 0).
One-to-One Example Server
#include <netinet/in.h>      /* IPPROTO_SCTP, struct sockaddr_in6 */
#include <sys/socket.h>
#include <unistd.h>

int sd, newfd;
socklen_t sosz;              /* accept() wants a socklen_t, not an int */
struct sockaddr_in6 sin6 = { .sin6_family = AF_INET6, .sin6_port = htons(SERVER_PORT), .sin6_addr = IN6ADDR_ANY_INIT };   /* SERVER_PORT: whatever port you serve on */

sd = socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);      /* the only change from a TCP server */
bind(sd, (struct sockaddr *)&sin6, sizeof(sin6));      /* the slide omitted bind(); without it the kernel picks an ephemeral port */
listen(sd, 1);
while (1) {
    sosz = sizeof(sin6);                               /* accept() shrinks sosz to the peer's length, so reset it each loop */
    newfd = accept(sd, (struct sockaddr *)&sin6, &sosz);   /* blocks until a new association is up */
    do_child_stuff(newfd, &sin6, sosz);
    close(newfd);
}
One-to-Many style
A typical server using a one-to-many style socket will do a socket() call, followed by bind(), listen() and recvfrom() (or sctp_recvmsg()).
A typical client will just sendto() the server of its choice; the first message implicitly sets up the association.
Note that the connect() and accept() calls are not needed.
The connect() call can be done by either side (server or client) but it is not needed.
Note that this style is more like what a UDP client/server would look like, hence the previous name.
One-to-many Example Server
#include <netinet/in.h>
#include <netinet/sctp.h>    /* sctp_recvmsg(), struct sctp_sndrcvinfo (lksctp-tools on Linux) */
#include <sys/socket.h>

int sd, len, msg_flags;
socklen_t sosz;
struct sockaddr_in6 sin6 = { .sin6_family = AF_INET6, .sin6_port = htons(SERVER_PORT), .sin6_addr = IN6ADDR_ANY_INIT };   /* SERVER_PORT: whatever port you serve on */
struct sctp_sndrcvinfo snd_rcv;   /* the slide's "struct sndrcvinfo" */
char buf[8000];

sd = socket(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);  /* SOCK_SEQPACKET, not the slide's SOCK_SEQPKT */
bind(sd, (struct sockaddr *)&sin6, sizeof(sin6));
listen(sd, 1);                                        /* needed to accept associations, even though accept() is never called */
while (1) {
    sosz = sizeof(sin6);
    len = sctp_recvmsg(sd, buf, sizeof(buf), (struct sockaddr *)&sin6, &sosz, &snd_rcv, &msg_flags);
    /* there is no per-association descriptor; snd_rcv.sinfo_assoc_id says which association this came from */
    do_child_stuff(sd, buf, len, &sin6, &snd_rcv, msg_flags);
}
SCTP Notifications
The SCTP stack, at times, has information it may wish to share with its application (or Upper Layer Protocol ... ULP).
The ULP can turn specific notifications on and off via a socket options call.
By default ALL notifications are off. We get a notification by reading data and looking at the msg_flags: if the message read is a notification, then MSG_NOTIFICATION is set in the msg_flags argument upon return, and the buffer holds a notification structure rather than user data.
Deciphering Notifications
Every notification uses a TLV format as illustrated below:
struct sctp_tlv {
    u_int16_t sn_type;
    u_int16_t sn_flags;
    u_int32_t sn_length;
};
Types of notifications: SCTP_ASSOC_CHANGE, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR, SCTP_SEND_FAILED, SCTP_SHUTDOWN_EVENT, ....
Check sn_length against the number of bytes actually read before casting the buffer to the type-specific structure.
Socket Options
SCTP provides a host of socket options to perform a myriad of operations.
Some have unique structures, others just turn things on and off with booleans or integers: SCTP_NODELAY SCTP_MAXSEG SCTP_ASSOCINFO SCTP_AUTOCLOSE SCTP_ADAPTATION_LAYER (spelled SCTP_ADAPTION_LAYER in older drafts of the API) SCTP_DEFAULT_SEND_PARAM SCTP_DISABLE_FRAGMENTS ...
Extended "system calls"
sctp_connectx: allows a user to specify multiple addresses to attempt to connect to.
sctp_bindx: allows an application to bind a set of addresses instead of one or all addresses.
sctp_opt_info: some implementations do not support a getsockopt() call that allows data to be passed both ways. This call is compatible with all implementations.
sctp_peeloff: this call is used to convert a single association that is part of a one-to-many socket into an individual new socket descriptor that is a one-to-one socket.
Extended "system calls"
sctp_getpaddrs: this call will return a block of memory holding the peer's addresses currently part of the association.
sctp_freepaddrs: this call is used to release the memory that the sctp_getpaddrs call allocated.
sctp_getladdrs: this call will return a block of memory holding the local addresses bound to an association.
sctp_freeladdrs: this call should be used to release the memory allocated by sctp_getladdrs back to the system.
Extended "system calls"
sctp_sendmsg: this call lets the caller specify, as arguments, things like the stream number and other SCTP-specific information to be sent with a message.
sctp_send: this call has a similar purpose to sctp_sendmsg but, instead of a large number of arguments, a sctp_sndrcvinfo structure is used to pass the relevant information.
sctp_recvmsg: this call (as we saw previously) is used to receive a message, and also fills in a sctp_sndrcvinfo structure with details on the message (e.g. the stream number and stream sequence number).
Summary
SCTP is a transport protocol available in the Linux kernel (mainline since 2.6, via the lksctp stack) and in the BSD kernels, and its socket API is standardized in RFC 6458
It has some cool new features