Re: [secdir] Secdir review of draft-ietf-tsvwg-sctp-udp-encaps-07.txt

[Tero Kivinen <kivinen@iki.fi>]

Michael Tuexen writes:
> > It might be good to say that in the document, i.e. that it is out of
> > scope of this document. 
> 
> What about adding
> <t>Please note that this document does not provide all techniques necessary
> for building a complete NAT-capable application using SCTP. This document
> focuses on the functionality required within the SCTP stack and making
> this available via an API.</t>
> to the Abstract?

I think it would be better to add more explicit notice what is left
outside of the scope. 

> >>> Also what if host A and B already have one SCTP connection, and now
> >>> host B wants to create another, do host B reuse the same UDP
> >>> destination port number for host A that was used for the already
> >>> existing SCTP connection between them? The section 4.1 says that UDP
> >>> port numbers are stored per destination address per SCTP association,
> >>> so that would indicate no.
> >> 
> >> As stated in the document, each stack uses a single port number
> >> as the destination address of all incoming packets.
> > 
> > The document also says:
> > 
> >   Using a single UDP encapsulation port number per host is not
> >   possible if the SCTP stack is implemented as part of an
> >   application.
> > 
> > which indicates that using multiple UDP port numbers is also an
> > option. Or is implementing SCTP stack as appliction out of scope too?
> > Section 3.1 seems to indicate that it is not out of scope.
>
> No, you can implement SCTP in the kernel (which means that the stack
> is unique on the host) or in the application (which means there
> can me multiple, one stack per association for example).

That was my understanding, and thats why it was bit odd to see text
that says that you have one UDP port only, and it is not possible to
do that if SCTP stack is in the application.

This seems to give bit mixed signals what is supported and what is
not. 

> > From the section 3.1 and 4.1 it is not really clear what needs to be
> > supported. If I have understood correctly that if SCTP is implemented
> > in kernel then we use one UDP port for the whole host, but if SCTP is
> > implemented by the application then each application might have
> > different UDP port, i.e. there will be multiple UDP SCTP encapsulation
> > ports in the host.
> Correct.
> > 
> > I.e. if host A is connected to two different applications on host B.
> > Host B is such host that it does not support SCTP on kernel, the SCTP
> > is implemented on the application itself, and that means each
> > application has separate UDP encapsulation port. Now what you said
> > before I assume that it is outside the scope of this document for host
> > A know how to connect to host B, i.e. how to get the UDP port numbers
> > where to connect, and also whether to use the UDP encapsulation at
> > all?
> Correct. Finding the remote UDP number for the initial packets is
> out of scope.

Which is again one thing that should be explictly mentioned. It makes
hard to understand what this document is for, as you would expect this
kind of things to be solved here, or at least pointed to a pointer
telling where they are solved, but this document is silent about the
issue. 

> > Is there any work ongoing on this? I.e. how is this going to be solved
> > in practice? Or is it assumed that the SCTP applications which do not
> > have direct access to IP-layer, which need to use UDP encapsulation
> > because of that, are always only initiators, i.e. nobody ever connects
> > to them, they always initiate the connection to the known services?
> As said above, a complete solution is out of scope of this document.

That is fine, but it should mention what is out of scope. 

> >>> In some cases also the IP-address might change,
> >>> i.e. if the NAT box is rebooted or its connection table is cleared,
> >>> and the NAT box have multiple IP-addresses, it is completly possible
> >>> that the NAT mapping changes so that IP-address and UDP port number
> >>> both change. I am not familiar enough with SCTP to know whether this
> >>> causes problem with SCTP, i.e. whether it is default SCTP rules to use
> >>> the last seen IP-address when sending reply or what.
> >> 
> >> The method described in the document does NOT cover changing the
> >> address. If you want to handle that, you need to use the address
> >> reconfiguration extension (RFC 5061).
> > 
> > Then you need to say that in the draft. Note, that hosts A and B do
>
> It is mentioned in the last paragraph of section 4.7

I would be very suprised if someone can really combine RFC5061 and
this document to get interoperable implementation with just that one
reference, in the cases where the NAT box is rebooted and the outer
IP-addresses change because of that.

> > not have any way of knowing when the IP-address changes, or whether it
> > is going to change. For normal TCP (and most likely also SCTP) this
> 
> Well, that depends.

No, it really does not. We are not talking about local IP address
changes, we are talking the NAT box rebooting and loosing state, and
allocating new IP address for the UDP encapsulated SCTP packets. The
local host does not know anything about that. 

> If the address change is local on the host, SCTP kernel implementations (at
> least FreeBSD and Linux) will get notified when addresses are added or
> removed. For example, on FreeBSD you can add an address using
> ifconfig and the address changes will happen on all association which use
> a wildcard bound SCTP socket, it is allowed system-wide via the
> net.inet.sctp.auto_asconf sysctl and the application didn't disabled
> it via the SCTP_AUTO_ASCONF socket option.

We are not talking about local changes.

> On the other hand, if the address change is not local, the peer will
> respond to a packet with an ABORT chunk having the T-bit set. This
> could be interpreted as an indication of an address change. 

Ok, so this is already handled in the SCTP internally, i.e. remote
node notices that other end changed IP-address and indicates that to
the other end. Mentioning this in the draft would most likely help for
implementors to understand what they need to do in this cases.

NAT boxes loosing state is something that should be explained in the
draft, as that is quite common situation and if this is supposed to
work on environments where there are NATs, then what happens when NAT
box looses state should be explained.

> > IP-address change will usually result the connection to be reset, as
> > the NAT box does not have the mapping for the connection anymore, but
> > for UDP that does not happen. The NAT box will just create new
> > mapping.
> Which is fine.
> > 
> > I.e. the situation is as follows. Host A is behind NAT, and talks to
> > host B using UDP encapsulated SCTP. Now the NAT box is rebooted, and
> > it looses state. When Host A sends next UDP encapsulated SCTP packet
> > to Host B that UDP packet might get new source IP address by the NAT
> > box. What should happen at that point?
> As described above, host B will respond with an ABORT chunk and host A
> can use this as an indication that it has to update its address.
> So it can send a ASCONF chunk adding the wildcard address and removing
> the wildcard address which will result in the possibility to continue
> the association.

Adding section explaining the thing above would most likely help to
understand that this issue needs to be handled in the implementations.
This for example makes it quite clear that using udp encapsulation
through NAT without supporting RFC 5061 is just not going to work. 

> > Should the SCTP implementation notice that IP-address of the
> > association has changed, and send some kind of reset or what? Or does
> > the SCTP implementation just drop all packets because they do not
> > match association and then connection is dropped after timeout?
> > 
> > How do you plan to use RFC 5061 to solve that situation? I do not know
> > enough of RFC 5061 to say how it can be used to solve this kind of
> > situation, where the peer A whose IP-address was changed does not even
> > know that his IP-address was changed.
> I hope the above makes it clearer. We can add at the end of section 4.7
> text like:
> 
> If an SCTP end-point receives an ABORT with the T-bit set, it MAY
> use this as an indication that the addresses seen by the peer might
> have changed.</t>

I would like think it would be better to add new section explaining
how this is supposed to interact with NAT boxes loosing state. I.e.
the text what you explained above to me. Until now I had only assumed
that if I would be implementing that, I do not need to care about
RFC5061 unless I want to support IP-addresses changing. After your
explination it is clear that all implementations who want to work
through NATs do need to support it.

> > Of course as the NAT mappings are usually remote IP + remote port +
> > protocol + NAT IP + NAT port, this means that changes for host C to
> > get exactly same 5-tuple are small... On the other hand host C can
> > most likely know remote IP and remote port as they are well known
> > based on the service. The NAT IP is most likely going to be same all
> > the time, so only thing host C needs to be doing is to cause NAT to
> > loose state (i.e. cause it to either reboot, or run out of mappings),
> > and then start filling up the NAT mappings until it gets the NAT port
> > host A used earlier.
> > 
> > One way to cause NAT to loose state, is to start flooding NAT with new
> > UDP packets each destinationed to remote host + port and having
> > UDP different source port. NAT will allocate new NAT port for each of
> > them until it runs out of port numbers, in which case it starts
> > reusing port numbers. Now depending on the NAT implementation, flood
> > guarding, SCTP heartbeat intervals etc NAT might reuse the host A's
> > port in which case host C managed to get the session.
> 
> Yes, that is possible. What can the attacker do? The attacker can't
> insert any DATA or SACK chunks, since it would have to guess the
> V-tag. However, the attacker can ABORT the association with sending
> an ABORT with the V-tag set. But this is not better or worse than
> attacking the NAT box. So most likely the attacker can receive an
> RWND of user data. If sent unprotected, I would assume that his is
> acceptable. Using DTLS/SCTP would protect against it.

It can do exactly same things it can do in the other case where the IP
address got reused. It will receive all packets that were supposed to
be received by original host A, so it can see all traffic going to
host A. As there is no cryptographic checksums there, it can add data
to the packets it receive and might send them to host A depending on
the network layout. At least as far as I know.

> > Which ways those HEARTBEAT messages are sent? For NAT mappings to stay
> > alive, the messages quite often needs to be coming from inside of the
> > NAT, i.e. from the host which is behind the NAT, and if both ends are
> > behind NAT, they need to be coming from both ends. Do HEARTBEATs cover
> > that possibility. Also some NAT boxes are known to require as small
> > keepalive intervals as 20 seconds... How often do you send HEARTBEATS?
> Both sides send HEARTBEATs, the standard time between them is 30 seconds
> plus RTO plus/minus 50%. However, the application can change the 30 seconds
> to other values using the standard socket API.

Ok, so that is ok. 

> > So is having both ends behind NAT out of scope? This should then be
> > mentioned in section 3.2. Note, that similar problems also arise when
> > you need to connect to host which is behind NAT, i.e. even if it is
> > only one host behind NAT, but if the connection is coming from the
> > outside, you have similar problems than what you have when both ends
> > are behind NAT.
>
> I think the point is that finding the remote port number for initial
> packets is out of scope of the this document.

The dynamic port fixup is UNSAF operation, already described in the
draft.

The use if RFC5061 with wildcard addresses is similar operation. Both
of those are solutions which get around the fact that peers do not
know the actual addresses, i.e. are trying to "determine or fix the
addresses by which it is known to another endpoint".

UNSAF operations are not only the cases where you try to find out the
initial address, it covers also all cases where the protocol tries to
fix things caused by NATs. From RFC3424:

   o  proposed workarounds include the use of "ping"-like address
      discovery requests sent from the UNSAF client (initiator) to the
      UNSAF server (listener), to which the listener responds with the
      transport address of the initiator - in the address realm of the
      listener.  However, with connection-less transports, e.g. UDP,
      IPsec ESP, etc., an UNSAF process must take care to react to
      changes in NAT bindings for a given application flow, since it may
      change unpredictably.

just covers this loosing NAT bindings and the:

   o  limiting the scope to outbound requests for service (or service
      initiation) in order to prevent unacceptable security exposures.

Is just what this document does, i.e. limits the scope so that only
outbound ocnnections are allowed or similar constraints, but does not
mention what those constraints are.

What you are trying to say is that UNSAF considerations do not apply
as you have scoped them out, but that is exactly one UNSAF
consideration. In real world case those problems do need to be solved,
and this document is not really that useful if it cannot be used in
real world...
-- 
kivinen@iki.fi