本文档的Copyleft归yfydz所有,使用GPL发布,可以自由拷贝、转载,转载时请保持文档的完整性,严禁用于任何商业用途。
msn:
[email protected]
来源:http://yfydz.cublog.cn
参考文献: RFC2960, 3309
1. SCTP(Stream Control Transmission Protocol)位于IP层与应用层之间,和TCP/UDP等并列,IP协议号:132,SCTP协议设计中考虑到了TCP协议SYN Flood攻击的问题,并进行相应的改进,目前在Linux2.6内核中已经有了SCTP的实现。
2. SCTP数据包包括通用数据头和一个到多个CHUNK,CHUNK可为数据CHUNK和控制CHUNK
3. 和TCP/UDP一样,SCTP也使用16位的端口以进行不同的应用
4. SCTP通用头
SCTP Common Header Format
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port Number | Destination Port Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Verification Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
注意: SCTP的checksum是32位的,不象TCP/UDP是16位的,范围包括全部SCTP包,但不包括IP头,因此不会象TCP和UDP那样在 IPv4下和IPv6下不同.checksum计算方法在RFC2960中是用alder32算法,但发现有问题,在3309中进行了修改,使用和以太网校验类似的CRC32算法
5. CHUNK通用头
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chunk Type | Chunk Flags | Chunk Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ Chunk Value /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
ID Value Chunk Type
----- ----------
0 - Payload Data (DATA)
1 - Initiation (INIT)
2 - Initiation Acknowledgement (INIT ACK)
3 - Selective Acknowledgement (SACK)
4 - Heartbeat Request (HEARTBEAT)
5 - Heartbeat Acknowledgement (HEARTBEAT ACK)
6 - Abort (ABORT)
7 - Shutdown (SHUTDOWN)
8 - Shutdown Acknowledgement (SHUTDOWN ACK)
9 - Operation Error (ERROR)
10 - State Cookie (COOKIE ECHO)
11 - Cookie Acknowledgement (COOKIE ACK)
12 - Reserved for Explicit Congestion Notification Echo (ECNE)
13 - Reserved for Congestion Window Reduced (CWR)
14 - Shutdown Complete (SHUTDOWN COMPLETE)
15 to 62 - reserved by IETF
63 - IETF-defined Chunk Extensions
64 to 126 - reserved by IETF
127 - IETF-defined Chunk Extensions
128 to 190 - reserved by IETF
191 - IETF-defined Chunk Extensions
192 to 254 - reserved by IETF
255 - IETF-defined Chunk Extensions
CHUNK是描述SCTP的数据结构,分控制CHUNK和数据CHUNK,控制CHUNK一般用于连接的建立和断开,数据CHUNK用于描述数据,因此数据CHUNK就类似于TCP包中的TCP标志位,除了INIT,INIT_ACK和SHUTDOWN_COMPLETE三种CHUNK必须单独发送外,其他类型的CHUNK可以捆绑在同一个包中发送以提高效率
6. 状态机
----- -------- (frm any state)
/ / rcv ABORT [ABORT]
rcv INIT | | | ---------- or ----------
--------------- | v v delete TCB snd ABORT
generate Cookie +---------+ delete TCB
snd INIT ACK ---| CLOSED |
+---------+
/ [ASSOCIATE]
/ ---------------
| | create TCB
| | snd INIT
| | strt init timer
rcv valid | |
COOKIE ECHO | v
(1) ---------------- | +------------+
create TCB | | COOKIE-WAIT| (2)
snd COOKIE ACK | +------------+
| |
| | rcv INIT ACK
| | -----------------
| | snd COOKIE ECHO
| | stop init timer
| | strt cookie timer
| v
| +--------------+
| | COOKIE-ECHOED| (3)
| +--------------+
| |
| | rcv COOKIE ACK
| | -----------------
| | stop cookie timer
v v
+---------------+
| ESTABLISHED |
+---------------+
(from the ESTABLISHED state only)
|
|
/--------+--------
[SHUTDOWN] /
-------------------| |
check outstanding | |
DATA chunks | |
v |
+---------+ |
|SHUTDOWN-| | rcv SHUTDOWN/check
|PENDING | | outstanding DATA
+---------+ | chunks
| |------------------
No more outstanding | |
---------------------| |
snd SHUTDOWN | |
strt shutdown timer | |
v v
+---------+ +-----------+
(4) |SHUTDOWN-| | SHUTDOWN- | (5,6)
|SENT | | RECEIVED |
+---------+ +-----------+
| |
(A) rcv SHUTDOWN ACK | |
----------------------| |
stop shutdown timer | cv:SHUTDOWN |
send SHUTDOWN COMPLETE| (B) |
delete TCB | |
| | No more outstanding
| |-----------------
| | send SHUTDOWN ACK
(B)rcv SHUTDOWN | | strt shutdown timer
----------------------| |
send SHUTDOWN ACK | |
start shutdown timer | |
move to SHUTDOWN- | |
ACK-SENT | | |
| v |
| +-----------+
| | SHUTDOWN- | (7)
| | ACK-SENT |
| +----------+-
| | (C)rcv SHUTDOWN COMPLETE
| |-----------------
| | stop shutdown timer
| | delete TCB
| |
| | (D)rcv SHUTDOWN ACK
| |--------------
| | stop shutdown timer
| | send SHUTDOWN COMPLETE
| | delete TCB
| |
+---------+ /
-->| CLOSED |<--/
+---------+
Figure 3: State Transition Diagram of SCTP
7. 建立连接
发起方 接收方
-------------------------------------------------------------------------
发送INIT---------------------------------->
(状态变为COOKIE_WAIT)
<---------------接收INIT,发送INIT_ACK,附带COOKIE
(状态仍为CLOSED)
接收INIT_ACK,发送COOKIE_ECHO----->
(状态变为COOKIE_ECHOED)
<---------------接收COOKIE_ECHO,发送COOKIE_ACK
(状态转为ESTABLISHED)
接收COOKIE_ACK,状态转为ESTABLISHED
由于接收端是收到COOKIE_ECHO包后才认为连接合法,所以某种程度上可以避免类似SYN FLOOD的攻击
8. 正常断开连接
发起方 接收方
-----------------------------------------------------------------------------------------------
发送SHUTDOWN--------------------->
(状态变为SHUTDOWN_SENT)
<---------------接收SHUTDOWN
(状态变为SHUTDOWN_RECEIVED)
<---------------发送SHUTDOWN_ACK
(状态变为SHUTDOWN_ACK_SENT)
接收SHUTDOWN_ACK,发送SHUTDOWN_COMPLETE----->
(状态变为CLOSED)
<---------------接收SHUTDOWN_COMPLETE
(状态转为CLOSED)
同时断开,两边同时发SHUTDOWN,则都发SHUTDOWN_ACK,都转为SHUTDOWN_ACK_SENT状态,发送SHUTDOWN_COMPLETE断开连接
9. 异常断开
接收或发送了ABORT类型的CHUNK,立即断开
10. 控制CHUNK和TCP标志位的类比
CHUNK TCP FLAG
-------------------------------------------------
INIT SYN
INIT_ACK SYN ACK
SACK ACK
SHUTDOWN FIN
ABORT RST
DATA PSH
11. 状态跟踪
主要跟踪INIT,INIT_ACK, COOKIE_ECHO, COOKIE_ACK, SHUTDOWN, SHUTDOWN_ACK, SHUTDOWN_COMPLETE和ABORT这些控制CHUNK来改变连接状态
12. NAT
主要就是修改SCTP的端口,然后计算校验和,和TCP、UDP类似
13. 总结
SCTP的协议跟踪和NAT的实现可以参考TCP协议跟踪的处理,比较麻烦的一点就是各类CHUNK的识别,不象TCP标志那样简单明显,其他处理都比较类似。