SCTP Programmer's Guide: HP-UX 11i v2, HP-UX 11i v3 > Chapter 1 Introduction

SCTP Security


SCTP uses the following methods to provide security:

  • Cookie Mechanism

  • Verification Tag


Cookie Mechanism

A cookie mechanism is employed during the initialization of an association to protect against resource-exhaustion and address-spoofing attacks. The cookie mechanism uses a four-way handshake (INIT, INIT ACK, COOKIE ECHO, COOKIE ACK); the last two messages of the handshake, COOKIE ECHO and COOKIE ACK, are allowed to carry user data so that an association can be set up without an extra round trip.

The cookie mechanism guards against a blind attacker who generates INIT chunks, typically from spoofed source addresses, to overload an SCTP server by making it consume memory and other resources for every new INIT request. Instead of allocating a Transmission Control Block (TCB) when it receives an INIT, the server packs the information needed to build the TCB into a cookie parameter, together with a valid lifetime and a signature (a keyed message authentication code computed with a server-side secret key), and returns the cookie in the INIT ACK chunk. A blind attacker does not obtain the cookie, because the INIT ACK always goes back to the source address of the INIT, and the signature prevents the attacker from forging one. A legitimate SCTP client receives the cookie and returns it unchanged in the COOKIE ECHO chunk; the server verifies the signature and the lifetime, and only then uses the cookie contents to rebuild the TCB and allocate the association. The cookie is created by the server, and both the cookie format and the secret key remain with the server; they are never shared with the client.
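The following is an added example, not code from the HP-UX guide, that models the stateless cookie exchange described above: the server answers every INIT without allocating a TCB, and builds one only when a COOKIE ECHO carries a cookie whose signature verifies, whose source address matches, and whose lifetime has not expired. The cookie layout, the use of HMAC-SHA256 as the signature, the address check, the `CookieServer` class and the sample addresses and tags are all assumptions made for illustration and are not HP-UX's on-the-wire format.

```python
"""Added example (not from the HP-UX SCTP guide): a stateless INIT / INIT ACK /
COOKIE ECHO exchange.  Cookie layout, HMAC-SHA256 signature, address check and
sample values are illustrative assumptions, not the HP-UX wire format."""
import hashlib
import hmac
import os
import struct
import time

COOKIE_LIFETIME = 60          # seconds; RFC 4960's default Valid.Cookie.Life
MAC_LEN = 32                  # HMAC-SHA256 digest length


class CookieServer:
    def __init__(self, now=time.time):
        self.secret = os.urandom(32)   # cookie key: generated and kept on the server only
        self.now = now                 # injectable clock so expiry can be exercised
        self.associations = {}         # TCBs; stays empty until a valid COOKIE ECHO arrives

    def handle_init(self, src_addr, peer_init_tag):
        """Answer an INIT with (my_init_tag, cookie) and allocate no state at all."""
        my_tag = struct.unpack(">I", os.urandom(4))[0] or 1   # Initiate Tag 0 is not allowed
        expires = int(self.now()) + COOKIE_LIFETIME
        addr = src_addr.encode()
        # Everything the TCB needs, plus lifetime and the address the cookie was issued to.
        body = struct.pack(">IIQH", peer_init_tag, my_tag, expires, len(addr)) + addr
        mac = hmac.new(self.secret, body, hashlib.sha256).digest()
        return my_tag, body + mac      # cookie travels in the INIT ACK

    def handle_cookie_echo(self, src_addr, cookie):
        """Validate an echoed cookie and rebuild the TCB only if it is authentic,
        echoed from the address it was issued to, and unexpired.  Returns the
        association key, or None when the cookie is silently dropped."""
        if len(cookie) < 18 + MAC_LEN:
            return None
        body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None                           # forged or modified cookie
        peer_tag, my_tag, expires, alen = struct.unpack(">IIQH", body[:18])
        if body[18:18 + alen].decode() != src_addr:
            return None                           # echoed from a different address
        if self.now() > expires:
            return None                           # cookie lifetime exceeded
        key = (src_addr, peer_tag)
        self.associations[key] = {"my_tag": my_tag, "peer_tag": peer_tag}   # TCB rebuilt from cookie
        return key


def demo():
    """Constructed scenario: a blind INIT flood from a spoofed address, then a real client."""
    server = CookieServer()
    for i in range(10_000):                       # attacker never sees the INIT ACKs
        server.handle_init("203.0.113.9", 0x4000_0000 + i)
    flood_state = len(server.associations)        # 0: nothing was allocated for the flood
    _tag, cookie = server.handle_init("198.51.100.7", 0x1122_3344)
    key = server.handle_cookie_echo("198.51.100.7", cookie)   # real client owns its address
    return flood_state, key, len(server.associations)


if __name__ == "__main__":
    print(demo())
```

The two properties the text relies on are visible here: the flood loop leaves `associations` empty because the server keeps nothing per INIT, and a cookie cannot be forged or reused from another address because the MAC is computed with a key that never leaves the server.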

Verification Tag

A verification tag is a 32-bit unsigned integer, randomly generated by each endpoint, that is used to verify whether an SCTP packet belongs to the current association or is a stale packet from a previous association. SCTP discards packets received without the expected verification tag value, which protects against blind masquerade attacks (an attacker injecting packets without being able to observe the association's traffic) and against accepting stale SCTP packets from a previous association.

The verification tag rules below apply when sending or receiving SCTP packets that do not contain an INIT, SHUTDOWN COMPLETE, COOKIE ECHO, ABORT, or SHUTDOWN ACK chunk; those chunk types have their own special tag rules.

When sending an SCTP packet, the endpoint must fill in the verification tag field of the outbound packet with the tag value that its peer supplied in the Initiate Tag parameter of the INIT or INIT ACK chunk, that is, with the peer's tag.

When receiving an SCTP packet, the endpoint must ensure that the value in the verification tag field of the received packet matches its own tag (the value it placed in the Initiate Tag parameter of its own INIT or INIT ACK). If the received verification tag does not match the receiver's own tag, the receiver silently discards the packet without processing it further and without sending any response, so an attacker probing for the tag learns nothing from the endpoint.

Each endpoint of the association chooses its own verification tag value during association startup. Because the tag is random and 32 bits wide, an attacker who cannot observe the association's traffic has no practical way to guess it.
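The following is an added example, not code from the HP-UX guide, that models the send and receive rules above using the real SCTP common-header layout (source port, destination port, verification tag, checksum; RFC 4960 section 3.1) and the standard chunk type numbers. The CRC32c checksum is left zero, the special rules for ABORT, SHUTDOWN ACK, SHUTDOWN COMPLETE and COOKIE ECHO are only flagged rather than implemented, and the `Endpoint` class, ports and tag values are assumptions for illustration.

```python
"""Added example (not from the HP-UX SCTP guide): verification tag handling on
send and receive.  Common-header layout and chunk type numbers follow RFC 4960;
checksum is left zero; Endpoint class, ports and tags are illustrative."""
import struct

DATA, INIT, ABORT, SHUTDOWN_ACK, COOKIE_ECHO, SHUTDOWN_COMPLETE = 0, 1, 6, 8, 10, 14
# Chunks with their own tag rules (RFC 4960 section 8.5.1); all others use the common rule.
SPECIAL_RULE_CHUNKS = {INIT, ABORT, SHUTDOWN_ACK, COOKIE_ECHO, SHUTDOWN_COMPLETE}


def build_packet(src_port, dst_port, vtag, chunk_type, payload=b""):
    """12-byte common header followed by one chunk; the checksum field is left 0."""
    header = struct.pack(">HHII", src_port, dst_port, vtag, 0)
    length = 4 + len(payload)                      # chunk length excludes padding
    chunk = struct.pack(">BBH", chunk_type, 0, length) + payload + b"\0" * ((-length) % 4)
    return header + chunk


class Endpoint:
    def __init__(self, port, my_tag, peer_port, peer_tag):
        self.port, self.my_tag = port, my_tag                # my_tag: Initiate Tag I chose at startup
        self.peer_port, self.peer_tag = peer_port, peer_tag  # peer_tag: from the peer's INIT / INIT ACK

    def send(self, chunk_type, payload=b""):
        # Outbound packets carry the PEER's tag so the peer can match them against its own.
        return build_packet(self.port, self.peer_port, self.peer_tag, chunk_type, payload)

    def receive(self, packet):
        """Return the accepted chunk type, or None if the packet is silently discarded."""
        if len(packet) < 16:
            return None
        _src, dst, vtag, _checksum = struct.unpack(">HHII", packet[:12])
        chunk_type = packet[12]
        if dst != self.port:
            return None
        if chunk_type == INIT:
            return INIT if vtag == 0 else None   # an INIT must carry verification tag 0
        if chunk_type in SPECIAL_RULE_CHUNKS:
            return chunk_type                    # other section 8.5.1 rules are not modelled here
        if vtag != self.my_tag:
            return None                          # blind masquerade or stale association: drop, no reply
        return chunk_type


def demo():
    """Constructed exchange: a live association, a blind attacker, and a stale packet."""
    a = Endpoint(5000, my_tag=0x1A2B3C4D, peer_port=6000, peer_tag=0x9E8D7C6B)
    b = Endpoint(6000, my_tag=0x9E8D7C6B, peer_port=5000, peer_tag=0x1A2B3C4D)
    legit = b.receive(a.send(DATA, b"hello"))                                # carries b's tag: accepted
    blind = b.receive(build_packet(5000, 6000, 0xDEADBEEF, DATA, b"spoof"))  # guessed tag: dropped
    stale = b.receive(build_packet(5000, 6000, 0x0BADCAFE, DATA, b"old"))    # old association's tag: dropped
    return legit, blind, stale


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry that the text describes: `send` writes the peer's tag into the header, while `receive` compares the header against the endpoint's own tag, so each direction of the association is protected by the tag the receiving side generated.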

© 2007–2008 Hewlett-Packard Development Company, L.P.