
SCTP Protocol Tracking

Published: 2012-07-04 19:33:55   Author: rapoo

SCTP Protocol Tracking
The Copyleft of this document belongs to yfydz; it is released under the GPL and may be freely copied and reposted. When reposting, please keep the document intact. Use for any commercial purpose is strictly prohibited.
msn: yfydz_no1@hotmail.com
Source: http://yfydz.cublog.cn

References: RFC 2960, RFC 3309

1. SCTP (Stream Control Transmission Protocol) sits between the IP layer and the application layer, alongside TCP and UDP; its IP protocol number is 132. The SCTP design takes the TCP SYN flood problem into account and makes corresponding improvements. The Linux 2.6 kernel already contains an SCTP implementation.

2. An SCTP packet consists of a common header followed by one or more chunks. A chunk is either a data chunk or a control chunk.

3. Like TCP and UDP, SCTP uses 16-bit port numbers to distinguish applications.

4. SCTP common header

                        SCTP Common Header Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Source Port Number        |     Destination Port Number   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      Verification Tag                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           Checksum                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Note: the SCTP checksum is 32 bits wide, not 16 bits as in TCP and UDP. It covers the whole SCTP packet but not the IP header, so, unlike TCP and UDP, its computation does not differ between IPv4 and IPv6. RFC 2960 specified the Adler-32 algorithm for the checksum, but that was found to be flawed, and RFC 3309 replaced it with a CRC32 algorithm similar to the one used for Ethernet frame checking.

5. Chunk common header

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Chunk Type  | Chunk  Flags  |        Chunk Length           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    \                                                               \
    /                          Chunk Value                          /
    \                                                               \
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   ID Value    Chunk Type
   -----       ----------
   0          - Payload Data (DATA)
   1          - Initiation (INIT)
   2          - Initiation Acknowledgement (INIT ACK)
   3          - Selective Acknowledgement (SACK)
   4          - Heartbeat Request (HEARTBEAT)
   5          - Heartbeat Acknowledgement (HEARTBEAT ACK)
   6          - Abort (ABORT)
   7          - Shutdown (SHUTDOWN)
   8          - Shutdown Acknowledgement (SHUTDOWN ACK)
   9          - Operation Error (ERROR)
   10         - State Cookie (COOKIE ECHO)
   11         - Cookie Acknowledgement (COOKIE ACK)
   12         - Reserved for Explicit Congestion Notification Echo (ECNE)
   13         - Reserved for Congestion Window Reduced (CWR)
   14         - Shutdown Complete (SHUTDOWN COMPLETE)
   15 to 62   - reserved by IETF
   63         - IETF-defined Chunk Extensions
   64 to 126  - reserved by IETF
   127        - IETF-defined Chunk Extensions
   128 to 190 - reserved by IETF
   191        - IETF-defined Chunk Extensions
   192 to 254 - reserved by IETF
   255        - IETF-defined Chunk Extensions

   The chunk is the data structure that describes SCTP. Chunks are divided into control chunks and data chunks: control chunks are generally used to set up and tear down an association, data chunks carry the payload, so the chunks play a role similar to the TCP flag bits in a TCP segment. Apart from INIT, INIT_ACK and SHUTDOWN_COMPLETE, which must each be sent alone, chunks of the other types may be bundled into one packet to improve efficiency.

6. State machine

                     -----          -------- (frm any state)
                   /       \      /  rcv ABORT      [ABORT]
  rcv INIT        |         |    |   ----------  or ----------
  --------------- |         v    v   delete TCB     snd ABORT
  generate Cookie  \    +---------+                 delete TCB
  snd INIT ACK       ---|  CLOSED |
                        +---------+
                         /      \      [ASSOCIATE]
                        /        \     ---------------
                       |          |    create TCB
                       |          |    snd INIT
                       |          |    strt init timer
        rcv valid      |          |
      COOKIE  ECHO     |          v
  (1) ---------------- |      +------------+
      create TCB       |      | COOKIE-WAIT| (2)
      snd COOKIE ACK   |      +------------+
                       |          |
                       |          |    rcv INIT ACK
                       |          |    -----------------
                       |          |    snd COOKIE ECHO
                       |          |    stop init timer
                       |          |    strt cookie timer
                       |          v
                       |      +--------------+
                       |      | COOKIE-ECHOED| (3)
                       |      +--------------+
                       |          |
                       |          |    rcv COOKIE ACK
                       |          |    -----------------
                       |          |    stop cookie timer
                       v          v
                     +---------------+
                     |  ESTABLISHED  |
                     +---------------+

                    (from the ESTABLISHED state only)
                                  |
                                  |
                         /--------+--------\
     [SHUTDOWN]         /                   \
     -------------------|                   |
     check outstanding  |                   |
     DATA chunks        |                   |
                        v                   |
                   +---------+              |
                   |SHUTDOWN-|              | rcv SHUTDOWN/check
                   |PENDING  |              | outstanding DATA
                   +---------+              | chunks
                        |                   |------------------
   No more outstanding  |                   |
   ---------------------|                   |
   snd SHUTDOWN         |                   |
   strt shutdown timer  |                   |
                        v                   v
                   +---------+        +-----------+
               (4) |SHUTDOWN-|        | SHUTDOWN- |  (5,6)
                   |SENT     |        | RECEIVED  |
                   +---------+        +-----------+
                        |  \                |
  (A) rcv SHUTDOWN ACK  |   \               |
  ----------------------|    \              |
  stop shutdown timer   |     \rcv:SHUTDOWN |
  send SHUTDOWN COMPLETE|      \  (B)       |
  delete TCB            |       \           |
                        |        \          | No more outstanding
                        |         \         |-----------------
                        |          \        | send SHUTDOWN ACK
  (B)rcv SHUTDOWN       |           \       | strt shutdown timer
  ----------------------|            \      |
  send SHUTDOWN ACK     |             \     |
  start shutdown timer  |              \    |
  move to SHUTDOWN-     |               \   |
  ACK-SENT              |                |  |
                        |                v  |
                        |             +-----------+
                        |             | SHUTDOWN- | (7)
                        |             | ACK-SENT  |
                        |             +----------+-
                        |                   | (C)rcv SHUTDOWN COMPLETE
                        |                   |-----------------
                        |                   | stop shutdown timer
                        |                   | delete TCB
                        |                   |
                        |                   | (D)rcv SHUTDOWN ACK
                        |                   |--------------
                        |                   | stop shutdown timer
                        |                   | send SHUTDOWN COMPLETE
                        |                   | delete TCB
                        |                   |
                        \    +---------+    /
                         \-->| CLOSED  |<--/
                             +---------+

            Figure 3: State Transition Diagram of SCTP

7. Association establishment

   Initiator                                              Responder
   ---------------------------------------------------------------
   send INIT  ------------------------------------------>
   (state becomes COOKIE_WAIT)
                                                    receive INIT,
                <--------------------- send INIT_ACK carrying COOKIE
                                               (state stays CLOSED)
   receive INIT_ACK,
   send COOKIE_ECHO  ---------------------------------->
   (state becomes COOKIE_ECHOED)
                                             receive COOKIE_ECHO,
                <-------------------------------- send COOKIE_ACK
                                         (state becomes ESTABLISHED)
   receive COOKIE_ACK,
   state becomes ESTABLISHED

   Because the receiving side only treats the association as legitimate once it has received the COOKIE_ECHO, this avoids SYN-flood-style attacks to a certain degree.

8. Normal shutdown

   Initiator                                              Responder
   ---------------------------------------------------------------
   send SHUTDOWN  -------------------------------------->
   (state becomes SHUTDOWN_SENT)
                                                 receive SHUTDOWN
                                     (state becomes SHUTDOWN_RECEIVED)
                <------------------------------- send SHUTDOWN_ACK
                                    (state becomes SHUTDOWN_ACK_SENT)
   receive SHUTDOWN_ACK,
   send SHUTDOWN_COMPLETE  ---------------------------->
   (state becomes CLOSED)
                                        receive SHUTDOWN_COMPLETE
                                              (state becomes CLOSED)

   Simultaneous shutdown: both sides send SHUTDOWN, then both send SHUTDOWN_ACK and both move to the SHUTDOWN_ACK_SENT state; each then sends SHUTDOWN_COMPLETE to close the association.

9. Abnormal termination
   When an ABORT chunk is sent or received, the association is terminated immediately.

10. Analogy between control chunks and TCP flags

   CHUNK        TCP FLAG
   -------------------------
   INIT         SYN
   INIT_ACK     SYN ACK
   SACK         ACK
   SHUTDOWN     FIN
   ABORT        RST
   DATA         PSH

11. State tracking
   Connection state is changed mainly by tracking the control chunks INIT, INIT_ACK, COOKIE_ECHO, COOKIE_ACK, SHUTDOWN, SHUTDOWN_ACK, SHUTDOWN_COMPLETE and ABORT.

12. NAT
   NAT mainly rewrites the SCTP ports and then recomputes the checksum, much as for TCP and UDP.

13. Summary
   SCTP protocol tracking and NAT can be implemented by following the handling used for TCP protocol tracking. The one awkward part is identifying the various chunk types, which is not as simple and obvious as TCP flags; the rest of the processing is quite similar.
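The following is an added example, not code from the original post or from any SCTP implementation, that puts items 4, 5 and 12 into working form: it parses the common header and walks the chunk list with its 4-byte padding, verifies the RFC 3309 checksum, and does the port rewrite plus checksum recomputation that the NAT item describes. RFC 3309's CRC32c uses the Castagnoli polynomial (0x1EDC6F41), which is not the Ethernet polynomial, so the table below is built for that; the checksum bytes are written least-significant byte first, which is the layout Linux's sctp_compute_cksum() produces. The ports, verification tag and INIT parameters in SAMPLE_INIT are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List

# Chunk type IDs from the chunk-type table in item 5 (RFC 2960 section 3.2).
CHUNK_NAMES = {
    0: "DATA", 1: "INIT", 2: "INIT_ACK", 3: "SACK", 4: "HEARTBEAT",
    5: "HEARTBEAT_ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN_ACK",
    9: "ERROR", 10: "COOKIE_ECHO", 11: "COOKIE_ACK", 12: "ECNE", 13: "CWR",
    14: "SHUTDOWN_COMPLETE",
}


def _crc32c_table():
    # Reflected lookup table for the Castagnoli polynomial (0x82F63B78 is 0x1EDC6F41 bit-reversed).
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC32C_TABLE = _crc32c_table()


def crc32c(data: bytes) -> int:
    """CRC32c as required by RFC 3309: init 0xFFFFFFFF, reflected, final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC32C_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def sctp_checksum(packet: bytes) -> bytes:
    """Checksum bytes for a whole SCTP packet (IP header excluded), computed with the field zeroed."""
    zeroed = packet[:8] + b"\x00\x00\x00\x00" + packet[12:]
    return struct.pack("<I", crc32c(zeroed))  # stored least-significant byte first


def checksum_ok(packet: bytes) -> bool:
    return len(packet) >= 12 and packet[8:12] == sctp_checksum(packet)


@dataclass
class Chunk:
    ctype: int
    flags: int
    length: int
    value: bytes

    @property
    def name(self) -> str:
        return CHUNK_NAMES.get(self.ctype, "UNKNOWN(%d)" % self.ctype)


@dataclass
class SctpPacket:
    src_port: int
    dst_port: int
    vtag: int
    chunks: List[Chunk]


def parse_sctp(packet: bytes) -> SctpPacket:
    """Parse the common header and chunk list; reject bad checksums and malformed chunk lengths."""
    if len(packet) < 12:
        raise ValueError("truncated common header")
    if not checksum_ok(packet):
        raise ValueError("bad CRC32c checksum")
    src, dst, vtag = struct.unpack("!HHI", packet[:8])
    chunks, off = [], 12
    while off < len(packet):
        if len(packet) - off < 4:
            raise ValueError("truncated chunk header at offset %d" % off)
        ctype, flags, length = struct.unpack("!BBH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):
            raise ValueError("bad chunk length %d at offset %d" % (length, off))
        chunks.append(Chunk(ctype, flags, length, packet[off + 4:off + length]))
        off += (length + 3) & ~3  # every chunk is padded to a 4-byte boundary
    return SctpPacket(src, dst, vtag, chunks)


def build_sctp(src_port: int, dst_port: int, vtag: int, chunks) -> bytes:
    """Serialise (type, flags, value) triples behind a common header with a valid checksum."""
    body = b""
    for ctype, flags, value in chunks:
        length = 4 + len(value)
        body += struct.pack("!BBH", ctype, flags, length) + value + b"\x00" * (-length % 4)
    packet = struct.pack("!HHI", src_port, dst_port, vtag) + b"\x00\x00\x00\x00" + body
    return packet[:8] + sctp_checksum(packet) + packet[12:]


def nat_rewrite(packet: bytes, new_src=None, new_dst=None) -> bytes:
    """Port NAT as in item 12: patch the port(s), then recompute the checksum over the whole packet."""
    src, dst = struct.unpack("!HH", packet[:4])
    src = src if new_src is None else new_src
    dst = dst if new_dst is None else new_dst
    patched = struct.pack("!HH", src, dst) + packet[4:]
    return patched[:8] + sctp_checksum(patched) + patched[12:]


# Constructed sample: one INIT chunk (initiate tag, a_rwnd, outbound/inbound streams, initial TSN).
# An INIT must be sent alone and carries verification tag 0.
INIT_VALUE = struct.pack("!IIHHI", 0x11223344, 65536, 10, 10, 1)
SAMPLE_INIT = build_sctp(5000, 36412, 0, [(1, 0, INIT_VALUE)])

if __name__ == "__main__":
    pkt = parse_sctp(SAMPLE_INIT)
    print(pkt.src_port, pkt.dst_port, [c.name for c in pkt.chunks])
    natted = nat_rewrite(SAMPLE_INIT, new_src=40000)
    print(parse_sctp(natted).src_port, natted[8:12].hex())
```

A tracker or NAT box that does not verify the checksum before acting on chunk types is easy to desynchronise, which is why parse_sctp checks it first; the chunk-length check matters for the same reason, since a chunk length that overruns the packet would otherwise send the parser off the end of the buffer.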
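As an added example for items 6 through 11 (not code from the original post or from the Linux conntrack module it alludes to), here is a small connection tracker that moves one association through the states of the diagram by looking only at the control chunks item 11 lists. The direction names, the single per-association state and the transition table are this example's own simplification: a packet whose chunk is not allowed in the current state is reported as invalid and leaves the state untouched, the must-be-sent-alone rule from item 5 is enforced, and chunks the tracker does not act on (DATA, SACK, HEARTBEAT, ...) are accepted without a state change once the association exists. The traces at the bottom are constructed.

```python
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class Dir(Enum):
    ORIG = "initiator->responder"   # direction of the INIT that created the entry
    REPLY = "responder->initiator"


class St(Enum):
    CLOSED = 0
    COOKIE_WAIT = 1
    COOKIE_ECHOED = 2
    ESTABLISHED = 3
    SHUTDOWN_SENT = 4
    SHUTDOWN_RECD = 5
    SHUTDOWN_ACK_SENT = 6


# Chunk types that must travel alone in a packet (item 5).
MUST_BE_ALONE = {"INIT", "INIT_ACK", "SHUTDOWN_COMPLETE"}

# (direction, chunk) -> {state before: state after}; a missing entry means "not allowed here".
TRANSITIONS = {
    (Dir.ORIG, "INIT"): {St.CLOSED: St.COOKIE_WAIT, St.COOKIE_WAIT: St.COOKIE_WAIT},
    (Dir.REPLY, "INIT_ACK"): {St.COOKIE_WAIT: St.COOKIE_WAIT},
    (Dir.ORIG, "COOKIE_ECHO"): {St.COOKIE_WAIT: St.COOKIE_ECHOED, St.COOKIE_ECHOED: St.COOKIE_ECHOED},
    (Dir.REPLY, "COOKIE_ACK"): {St.COOKIE_ECHOED: St.ESTABLISHED, St.ESTABLISHED: St.ESTABLISHED},
    (Dir.ORIG, "SHUTDOWN"): {St.ESTABLISHED: St.SHUTDOWN_SENT, St.SHUTDOWN_SENT: St.SHUTDOWN_SENT,
                             St.SHUTDOWN_RECD: St.SHUTDOWN_RECD},
    (Dir.REPLY, "SHUTDOWN"): {St.ESTABLISHED: St.SHUTDOWN_RECD, St.SHUTDOWN_RECD: St.SHUTDOWN_RECD,
                              St.SHUTDOWN_SENT: St.SHUTDOWN_SENT},
}
for _d in Dir:
    # Shutdown acknowledgement and completion are symmetric (item 8 covers the simultaneous case);
    # ABORT closes the association from any state in either direction (item 9).
    TRANSITIONS[(_d, "SHUTDOWN_ACK")] = {s: St.SHUTDOWN_ACK_SENT
                                         for s in (St.SHUTDOWN_SENT, St.SHUTDOWN_RECD, St.SHUTDOWN_ACK_SENT)}
    TRANSITIONS[(_d, "SHUTDOWN_COMPLETE")] = {St.SHUTDOWN_ACK_SENT: St.CLOSED}
    TRANSITIONS[(_d, "ABORT")] = {s: St.CLOSED for s in St}


def next_state(state: St, direction: Dir, chunk: str) -> Optional[St]:
    """State after one chunk, or None if the chunk is not acceptable in this state."""
    table = TRANSITIONS.get((direction, chunk))
    if table is None:
        # DATA, SACK, HEARTBEAT, ...: no state change, but meaningless without an association.
        return None if state is St.CLOSED else state
    return table.get(state)


class SctpTracker:
    def __init__(self):
        self.state = St.CLOSED
        self.invalid = 0  # packets rejected so far (what a firewall would log or drop)

    def packet(self, direction: Dir, chunk_types: Sequence[str]) -> Optional[St]:
        """Apply every chunk of one packet in order; reject the packet if any chunk is invalid."""
        if len(chunk_types) > 1 and any(c in MUST_BE_ALONE for c in chunk_types):
            self.invalid += 1
            return None
        new = self.state
        for c in chunk_types:
            new = next_state(new, direction, c)
            if new is None:
                self.invalid += 1
                return None
        self.state = new
        return new


def replay(trace: Sequence[Tuple[Dir, List[str]]]) -> List[str]:
    """Run a trace through a fresh tracker and return the state name after each packet."""
    tracker = SctpTracker()
    out = []
    for direction, chunks in trace:
        s = tracker.packet(direction, chunks)
        out.append("INVALID" if s is None else s.name)
    return out


# Constructed traces following items 7 and 8; DATA bundled with COOKIE_ECHO is allowed by RFC 2960.
HANDSHAKE = [(Dir.ORIG, ["INIT"]), (Dir.REPLY, ["INIT_ACK"]),
             (Dir.ORIG, ["COOKIE_ECHO", "DATA"]), (Dir.REPLY, ["COOKIE_ACK", "SACK"])]
ORDERLY_SHUTDOWN = [(Dir.ORIG, ["SHUTDOWN"]), (Dir.REPLY, ["SHUTDOWN_ACK"]),
                    (Dir.ORIG, ["SHUTDOWN_COMPLETE"])]

if __name__ == "__main__":
    print(replay(HANDSHAKE + ORDERLY_SHUTDOWN))
    print(replay([(Dir.REPLY, ["COOKIE_ACK"])]), replay([(Dir.ORIG, ["INIT", "DATA"])]))
```

Note that the tracker never leaves CLOSED on an INIT_ACK or COOKIE_ACK alone: as item 7 points out, the association only becomes legitimate after the COOKIE_ECHO, so a tracker keyed to the same rule does not allocate a full entry for a flood of bare INITs either.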
