IETF Logo Mail Archive

Re: [tsvwg] Some unclear points about rfc4960 (SCTP).

Michael Tuexen <michael.tuexen@lurchi.franken.de> Thu, 19 August 2021 19:21 UTC

Return-Path: <michael.tuexen@lurchi.franken.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C03333A1868 for <tsvwg@ietfa.amsl.com>; Thu, 19 Aug 2021 12:21:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NAUUR0O1ncDZ for <tsvwg@ietfa.amsl.com>; Thu, 19 Aug 2021 12:20:55 -0700 (PDT)
Received: from drew.franken.de (mail-n.franken.de [193.175.24.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C0A23A1860 for <tsvwg@ietf.org>; Thu, 19 Aug 2021 12:20:53 -0700 (PDT)
Received: from smtpclient.apple (ip1f100e9c.dynamic.kabel-deutschland.de [31.16.14.156]) (Authenticated sender: lurchi) by mail-n.franken.de (Postfix) with ESMTPSA id EF22B721BE020; Thu, 19 Aug 2021 21:20:45 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Michael Tuexen <michael.tuexen@lurchi.franken.de>
X-Priority: 3
In-Reply-To: <tencent_19DFE8523B3A02AB70BD1AA22A247B58C309@qq.com>
Date: Thu, 19 Aug 2021 21:20:45 +0200
Cc: Claudio Porfiri <claudio.porfiri@ericsson.com>, "draft-ietf-tsvwg-2960bis@ietf.org" <draft-ietf-tsvwg-2960bis@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA454978-D669-4760-8BBC-1BC5EA97DA6D@lurchi.franken.de>
References: <tencent_19DFE8523B3A02AB70BD1AA22A247B58C309@qq.com>
To: 一念之后★だ <zhouming948@foxmail.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/MK0VaHPHbimj4VYMvrUwqnP1BHE>
Subject: Re: [tsvwg] Some unclear points about rfc4960 (SCTP).
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Aug 2021 19:21:01 -0000

> On 19. Aug 2021, at 18:16, 一念之后★だ <zhouming948@foxmail.com> wrote:
> 
> Hi,
> Thanks very much for your replay.
> I test lksctp and ncat(an accessory tool  of nmap), the implementation of these SCTP protocol stack all have this problem:
> 
> when I sent the illegal init msg to 192.168.43.183(pkt 7), then 192.168.43.183 reply an Abort msg to peer point 192.168.43.184 with corresponding verificaiton Tag(pkt8), then the association break down.(Please see the attachment wireshark pcap file for detail)
> <5D2E80FE@4A130A5F.D2831E61.png.jpg>
Which version of the Linux kernel are you using (what is the output of uname -a)?

Best regards
Michael
> 
> pkt8 Abort msg:
> <CB0266FF@FBFE9A21.D2831E61.png.jpg>
> ncat tool shows that "connection reset by peer" when received this Abort msg:
> <6A303306@6350590C.D2831E61.png.jpg>
> 
> After reading section 5.2 of rfc4960, It seems that the description for this scenario is not very clear:
> <5AFA6105@22953A15.D2831E61.png.jpg>
> 
> other sections of RFC 4960:
> <631002D6@F251F155.D2831E61.png.jpg>
> 
> <0034273A@59759967.D2831E61.png.jpg>
> 
> 
> <5D8F9FB5@C90E002B.D2831E61.png.jpg>
> 
> 
> ------------------ Original ------------------
> From: "Claudio Porfiri" <claudio.porfiri@ericsson.com>;
> Date: Wed, Aug 18, 2021 02:45 PM
> To: "一念之后★だ"<zhouming948@foxmail.com>;"draft-ietf-tsvwg-2960bis@ietf.org"<draft-ietf-tsvwg-2960bis@ietf.org>;"tsvwg@ietf.org"<tsvwg@ietf.org>;
> Subject: RE: [tsvwg] Some unclear points about rfc4960 (SCTP).
> 
> Hi,
> 
> I think that behavior in case of duplicated INIT is quite well described in section 5.2
> 
> If there are implementation handling INIT without considering the Association’s Status, the fault is in those implementations not in the specification.
> 
>  
> 
> Regards,
> 
> Claudio
> 
>  
> 
> From: tsvwg <tsvwg-bounces@ietf.org> On Behalf Of ??????
> Sent: Tuesday, August 17, 2021 6:57 PM
> To: draft-ietf-tsvwg-2960bis <draft-ietf-tsvwg-2960bis@ietf.org>; tsvwg <tsvwg@ietf.org>
> Subject: [tsvwg] Some unclear points about rfc4960 (SCTP).
> 
>  
> 
> Dear IETF experts,
> 
>  
> 
> I read rfc4960 (SCTP) and felt that there were some unclear descriptions in the document. I hope to get your reply, so I wrote this email to you. And I think it's better to describe these more clearly in the subsequent version of the RFC.
> 
> The following description describes some scenarios requiring abort Association in rfc4960:
> 
> Page25
> 
> 
> <56E2D136@656BBF6B.D2831E61.jpg>
> 
> Page26
> 
> <78AED853@1DFBC332.D2831E61.jpg>
> 
> Page30
> 
> <8B89B681@BE22C554.D2831E61.jpg>
> 
> Page31
> 
> <CCF68A5F@F8F19405.D2831E61.jpg>
> 
> Page56
> 
> <5421AF32@18627375.D2831E61.jpg>
> 
> As can be seen from the above description, when an init message or init ACK message is received,
> 
> (1)If the init tag in the message is 0, the association must be released
> 
> (2)If the mandatory parameters in the message are not fully carried, the association must be released
> 
> (3)When the OS value or MIS value in the message is 0, it is strongly recommended to release this association
> 
>  
> 
> The following description also shows that there can only be one SCTP association between two SCTP endpoints at any time:
> 
> <58AD0452@4C5E614C.D2831E61.jpg>
> 
>  
> 
> Because init messages can be forged arbitrarily, take the scenario where the initial tag in init message is 0 as an example. 
> 
> In this scenario, a malicious attacker can destroy other associations at a very low cost:
> 
> <6146D0AF@A5290577.D2831E61.jpg>
> 
> For the other two scenarios, i.e. init message with missing mandatory parameters or init message with OS value / MIS value of 0, the effect may be similar.
> 
> I think from the original intention of the protocol design, these error scenarios should be handled according to the following. However, the RFC does not specify how to deal with the established association endpoint when receiving this wrong init (or init ACK) message, and whether the corresponding association should still be removed.
> 
> <B05003C1@4536BE18.D2831E61.jpg>
> 
> Unfortunately, the SCTP implementation of Linux will be affected by the attacks described above, such as the open source lksctp.
> 
> I hope to receive your reply to clarify the above unclear areas.
> 
> Thank you very much.
> 
>  
> 
> Yours faithfully!
> 
> Zhouming.
> 
> <B05003C1@4536BE18.D2831E61.jpg><6146D0AF@A5290577.D2831E61.jpg><58AD0452@4C5E614C.D2831E61.jpg><5421AF32@18627375.D2831E61.jpg><CCF68A5F@F8F19405.D2831E61.jpg><8B89B681@BE22C554.D2831E61.jpg><78AED853@1DFBC332.D2831E61.jpg><56E2D136@656BBF6B.D2831E61.jpg><5D2E80FE@4A130A5F.D2831E61.png.jpg><CB0266FF@FBFE9A21.D2831E61.png.jpg><6A303306@6350590C.D2831E61.png.jpg><5AFA6105@22953A15.D2831E61.png.jpg><631002D6@F251F155.D2831E61.png.jpg><0034273A@59759967.D2831E61.png.jpg><5D8F9FB5@C90E002B.D2831E61.png.jpg><sctp_illegal_init_msg.pcap>

v2.41.0 | Report a Bug | By Email | System Status