draft-ietf-tsvwg-sctp-dtls-encaps-03.txt   draft-ietf-tsvwg-sctp-dtls-encaps-04.txt 
Network Working Group M. Tuexen Network Working Group M. Tuexen
Internet-Draft Muenster Univ. of Appl. Sciences Internet-Draft Muenster Univ. of Appl. Sciences
Intended status: Standards Track R. Stewart Intended status: Standards Track R. Stewart
Expires: August 11, 2014 Adara Networks Expires: November 14, 2014 Adara Networks
R. Jesup R. Jesup
WorldGate Communications WorldGate Communications
S. Loreto S. Loreto
Ericsson Ericsson
February 7, 2014 May 13, 2014
DTLS Encapsulation of SCTP Packets DTLS Encapsulation of SCTP Packets
draft-ietf-tsvwg-sctp-dtls-encaps-03.txt draft-ietf-tsvwg-sctp-dtls-encaps-04.txt
Abstract Abstract
The Stream Control Transmission Protocol (SCTP) is a transport The Stream Control Transmission Protocol (SCTP) is a transport
protocol originally defined to run on top of the network protocols protocol originally defined to run on top of the network protocols
IPv4 or IPv6. This document specifies how SCTP can be used on top of IPv4 or IPv6. This document specifies how SCTP can be used on top of
the Datagram Transport Layer Security (DTLS) protocol. the Datagram Transport Layer Security (DTLS) protocol. Using
encapsulation method described in this document, SCTP is agnostic
about the protocols being used below DTLS, explicit IP addresses can
not be used in the SCTP control chunks. As a consequence, the SCTP
associations are single homed.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 11, 2014. This Internet-Draft will expire on November 14, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Encapsulation and Decapsulation Procedure . . . . . . . . . . 3 3. Encapsulation and Decapsulation Procedure . . . . . . . . . . 3
4. DTLS Considerations . . . . . . . . . . . . . . . . . . . . . 3 4. General Considerations . . . . . . . . . . . . . . . . . . . 3
5. SCTP Considerations . . . . . . . . . . . . . . . . . . . . . 3 5. DTLS Considerations . . . . . . . . . . . . . . . . . . . . . 3
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 6. SCTP Considerations . . . . . . . . . . . . . . . . . . . . . 4
7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5 8. Security Considerations . . . . . . . . . . . . . . . . . . . 5
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
1.1. Overview 1. Overview
The Stream Control Transmission Protocol (SCTP) as defined in The Stream Control Transmission Protocol (SCTP) as defined in
[RFC4960] is a transport protocol running on top of the network [RFC4960] is a transport protocol running on top of the network
protocols IPv4 or IPv6. This document specifies how SCTP is used on protocols IPv4 [RFC0791] or IPv6 [RFC2460]. This document specifies
top of the Datagram Transport Layer Security (DTLS) protocol defined how SCTP is used on top of the Datagram Transport Layer Security
in [RFC6347]. This encapsulation is used for example within the (DTLS) protocol defined in [RFC6347]. This encapsulation is used for
RTCWeb protocol suite (see [I-D.ietf-rtcweb-overview] for an example within the WebRTC protocol suite (see
overview) for transporting non-media data between browsers. The [I-D.ietf-rtcweb-overview] for an overview) for transporting
architecture of this stack is described in non-(S)RTP data between browsers. The architecture of this stack is
[I-D.ietf-rtcweb-data-channel]. described in [I-D.ietf-rtcweb-data-channel].
1.2. Terminology
This document uses the following terms:
Association: An SCTP association.
Stream: A unidirectional stream of an SCTP association. It is
uniquely identified by a stream identifier.
1.3. Abbreviations
DTLS: Datagram Transport Layer Security.
MTU: Maximum Transmission Unit.
PPID: Payload Protocol Identifier.
SCTP: Stream Control Transmission Protocol.
TCP: Transmission Control Protocol.
TLS: Transport Layer Security. Please note that the procedures defined in [RFC6951] for dealing with
the UDP port numbers do not apply here. When using the encapsulation
defined in this document, SCTP is agnostic about the protocols used
below DTLS.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Encapsulation and Decapsulation Procedure 3. Encapsulation and Decapsulation Procedure
When an SCTP packet is sent down to the DTLS layer, the complete SCTP When an SCTP packet is provided to the DTLS layer, the complete SCTP
packet, consisting of the SCTP common header and a number of SCTP packet, consisting of the SCTP common header and a number of SCTP
chunks, MUST be handled as the payload of the application layer chunks, MUST be handled as the payload of the application layer
protocol of DTLS. When the DTLS layer has processed a DTLS record protocol of DTLS. When the DTLS layer has processed a DTLS record
containing a message of the application layer protocol, the payload containing a message of the application layer protocol, the payload
MUST be given up to the SCTP layer. The SCTP layer expects an SCTP MUST be given up to the SCTP layer. The SCTP layer expects an SCTP
common header followed by a number of SCTP chunks. common header followed by a number of SCTP chunks.
4. DTLS Considerations 4. General Considerations
The DTLS implementation MUST be based on [RFC6347]. An implementation of SCTP over DTLS MUST implement and use a path
maximum transmission unit (MTU) discovery method that functions
without ICMP to provide SCTP/DTLS with an MTU estimate. An
implementation of "Packetization Layer Path MTU Discovery" [RFC4821]
either in SCTP or DTLS is RECOMMENDED.
5. DTLS Considerations
The DTLS implementation MUST be based on DTLS 1.2 [RFC6347]. The
support of future versions of DTLS is RECOMMENDED if defined.
If path MTU discovery is performed by the DTLS layer, the method If path MTU discovery is performed by the DTLS layer, the method
described in [RFC4821] MUST be used. For probe packets, the described in [RFC4821] MUST be used. For probe packets, the
extension defined in [RFC6520] MUST be used. extension defined in [RFC6520] MUST be used.
If path MTU discovery is performed by the SCTP layer and IPv4 is used If path MTU discovery is performed by the SCTP layer and IPv4 is used
as the network layer protocol, the DTLS implementation MUST allow the as the network layer protocol, the DTLS implementation MUST allow the
DTLS user to enforce that the corresponding IPv4 packet is sent with DTLS user to enforce that the corresponding IPv4 packet is sent with
the DF bit set. the Don't Fragment (DF) bit set. If controlling the DF bit is not
possible, for example due to implementation restrictions, a safe
value for the path MTU has to be used by the SCTP stack.
The DTLS implementation SHOULD allow the DTLS user to set the
Differentiated services code point (DSCP) used for IP packets being
sent. This requires the DTLS implementation to pass the value
through and the lower layer to allow setting this value. If the
lower layer does not support setting the DSCP, then the DTLS user
will end up with the default value used by protocol stack. Please
note that only a single DSCP value can be used for all packets
belonging to the same SCTP association.
Using explicit congestion notifications (ECN) in SCTP requires the
DTLS layer to pass the ECN bits through and its lower layer to expose
access to them for sent and received packets. If this is not
possible, for example due to implementation restrictions, ECN can't
be used by SCTP.
SCTP performs segmentation and reassembly based on the path MTU. SCTP performs segmentation and reassembly based on the path MTU.
Therefore the DTLS layer MUST NOT use any compression algorithm. Therefore the DTLS layer MUST NOT use any compression algorithm.
The DTLS MUST support sending messages larger than the current path The DTLS MUST support sending messages larger than the current path
MTU. This might result in sending IP level fragmented messages. MTU. This might result in sending IP level fragmented messages.
5. SCTP Considerations 6. SCTP Considerations
5.1. Base Protocol This section describes the usage of the base protocol and the
applicability of various SCTP extensions.
SCTP as specified in [RFC4960] is used. However, the following 6.1. Base Protocol
restrictions are necessary to reflect that the lower layer is the
connection-oriented protocol DTLS instead of the connection less This document uses SCTP [RFC4960] with the following restrictions,
protocol IPv4 and IPv6: which are required to reflect that the lower layer is DTLS instead of
IPv4 and IPv6 and that SCTP doesn't deal with the IP addresses or the
transport protocol used below DTLS:
o A DTLS connection MUST be established before an SCTP association o A DTLS connection MUST be established before an SCTP association
can be set up. can be set up.
o All associations MUST be single-homed. o All SCTP associations are single-homed. Therefore it is
RECOMMENDED to set the SCTP parameter path.max.retrans to
association.max.retrans.
o The INIT and INIT-ACK chunk MUST NOT contain any IPv4 Address or o The INIT and INIT-ACK chunk MUST NOT contain any IPv4 Address or
IPv6 Address parameters. The INIT chunk MUST NOT contain the IPv6 Address parameters. The INIT chunk MUST NOT contain the
Supported Address Types parameter. Supported Address Types parameter.
o The implementation MUST NOT rely on processing ICMP or ICMPv6 o The implementation MUST NOT rely on processing ICMP or ICMPv6
packets. This applies in particular to path MTU discovery when packets. This applies in particular to path MTU discovery when
performed by SCTP. performed by SCTP.
5.2. Padding Extension 6.2. Padding Extension
The padding extension defined in [RFC4820] MUST be supported and used The padding extension defined in [RFC4820] MUST be supported and used
for probe packets when performing path MTU discovery as specified in for probe packets when performing path MTU discovery as specified in
[RFC4821]. [RFC4821].
5.3. Dynamic Address Reconfiguration Extension 6.3. Dynamic Address Reconfiguration Extension
If the dynamic address reconfiguration extension defined in [RFC5061] If the dynamic address reconfiguration extension defined in [RFC5061]
is used, only wildcard addresses MUST be used in ASCONF chunks. is used, only wildcard addresses MUST be used in ASCONF chunks.
5.4. SCTP Authentication Extension 6.4. SCTP Authentication Extension
The SCTP authentication extension defined in [RFC4895] can be used The SCTP authentication extension defined in [RFC4895] can be used
with DTLS encapsulation, but does not provide any additional benefit. with DTLS encapsulation, but does not provide any additional benefit.
5.5. Partial Reliability Extension 6.5. Partial Reliability Extension
Partial reliability as defined in [RFC3758] can be used in Partial reliability as defined in [RFC3758] can be used in
combination with DTLS encapsulation. It is also possible to use combination with DTLS encapsulation. It is also possible to use
additional PR-SCTP policies. additional PR-SCTP policies.
5.6. Stream Reset Extension 6.6. Stream Reset Extension
The SCTP stream reset extension defined in [RFC6525] can be used with The SCTP stream reset extension defined in [RFC6525] can be used with
DTLS encapsulation. It is used to reset streams and add streams DTLS encapsulation. It is used to reset SCTP streams and add SCTP
during the lifetime of the SCTP association. streams during the lifetime of the SCTP association.
5.7. Interleaving of Large User Messages 6.7. Interleaving of Large User Messages
SCTP as defined in [RFC4960] does not support the interleaving of SCTP as defined in [RFC4960] does not support the interleaving of
large user messages that need to be fragmented and reassembled by the large user messages that need to be fragmented and reassembled by the
SCTP layer. The protocol extension defined in SCTP layer. The protocol extension defined in
[I-D.ietf-tsvwg-sctp-ndata] overcomes this limitation can can be used [I-D.ietf-tsvwg-sctp-ndata] overcomes this limitation and can be used
with DTLS encapsulation. with DTLS encapsulation.
6. IANA Considerations 7. IANA Considerations
This document requires no actions from IANA. This document requires no actions from IANA.
7. Security Considerations 8. Security Considerations
Security considerations for DTLS are specified in [RFC6347] and for Security considerations for DTLS are specified in [RFC6347] and for
SCTP in [RFC4960], [RFC3758], and [RFC6525]. The combination of SCTP SCTP in [RFC4960], [RFC3758], and [RFC6525]. The combination of SCTP
and DTLS introduces no new security considerations. and DTLS introduces no new security considerations.
8. Acknowledgments It should be noted that the inability to process ICMP or ICMPv6
messages does not add any security issue. The processing of these
messages for SCTP carried over a connection-less lower layer like IP,
IPv6 or UDP is required to protect nodes not supporting SCTP. Since
DTLS provides a connection-oriented lower layer, this kind of
protection is not necessary.
The authors wish to thank Gorry Fairhurst for his invaluable 9. Acknowledgments
comments.
9. References The authors wish to thank Gorry Fairhurst, Joe Touch and Magnus
Westerlund for their invaluable comments.
9.1. Normative References 10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4820] Tuexen, M., Stewart, R., and P. Lei, "Padding Chunk and [RFC4820] Tuexen, M., Stewart, R., and P. Lei, "Padding Chunk and
Parameter for the Stream Control Transmission Protocol Parameter for the Stream Control Transmission Protocol
(SCTP)", RFC 4820, March 2007. (SCTP)", RFC 4820, March 2007.
[RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
Discovery", RFC 4821, March 2007. Discovery", RFC 4821, March 2007.
skipping to change at page 6, line 5 skipping to change at page 6, line 29
[RFC4960] Stewart, R., "Stream Control Transmission Protocol", RFC [RFC4960] Stewart, R., "Stream Control Transmission Protocol", RFC
4960, September 2007. 4960, September 2007.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012. Security Version 1.2", RFC 6347, January 2012.
[RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport [RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport
Layer Security (TLS) and Datagram Transport Layer Security Layer Security (TLS) and Datagram Transport Layer Security
(DTLS) Heartbeat Extension", RFC 6520, February 2012. (DTLS) Heartbeat Extension", RFC 6520, February 2012.
9.2. Informative References 10.2. Informative References
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September
1981.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.
[RFC3758] Stewart, R., Ramalho, M., Xie, Q., Tuexen, M., and P. [RFC3758] Stewart, R., Ramalho, M., Xie, Q., Tuexen, M., and P.
Conrad, "Stream Control Transmission Protocol (SCTP) Conrad, "Stream Control Transmission Protocol (SCTP)
Partial Reliability Extension", RFC 3758, May 2004. Partial Reliability Extension", RFC 3758, May 2004.
[RFC4895] Tuexen, M., Stewart, R., Lei, P., and E. Rescorla, [RFC4895] Tuexen, M., Stewart, R., Lei, P., and E. Rescorla,
"Authenticated Chunks for the Stream Control Transmission "Authenticated Chunks for the Stream Control Transmission
Protocol (SCTP)", RFC 4895, August 2007. Protocol (SCTP)", RFC 4895, August 2007.
[RFC5061] Stewart, R., Xie, Q., Tuexen, M., Maruyama, S., and M. [RFC5061] Stewart, R., Xie, Q., Tuexen, M., Maruyama, S., and M.
Kozuka, "Stream Control Transmission Protocol (SCTP) Kozuka, "Stream Control Transmission Protocol (SCTP)
Dynamic Address Reconfiguration", RFC 5061, September Dynamic Address Reconfiguration", RFC 5061, September
2007. 2007.
[RFC6525] Stewart, R., Tuexen, M., and P. Lei, "Stream Control [RFC6525] Stewart, R., Tuexen, M., and P. Lei, "Stream Control
Transmission Protocol (SCTP) Stream Reconfiguration", RFC Transmission Protocol (SCTP) Stream Reconfiguration", RFC
6525, February 2012. 6525, February 2012.
[RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream
Control Transmission Protocol (SCTP) Packets for End-Host
to End-Host Communication", RFC 6951, May 2013.
[I-D.ietf-rtcweb-overview] [I-D.ietf-rtcweb-overview]
Alvestrand, H., "Overview: Real Time Protocols for Brower- Alvestrand, H., "Overview: Real Time Protocols for Brower-
based Applications", draft-ietf-rtcweb-overview-08 (work based Applications", draft-ietf-rtcweb-overview-09 (work
in progress), September 2013. in progress), February 2014.
[I-D.ietf-rtcweb-data-channel] [I-D.ietf-rtcweb-data-channel]
Jesup, R., Loreto, S., and M. Tuexen, "RTCWeb Data Jesup, R., Loreto, S., and M. Tuexen, "WebRTC Data
Channels", draft-ietf-rtcweb-data-channel-06 (work in Channels", draft-ietf-rtcweb-data-channel-08 (work in
progress), October 2013. progress), April 2014.
[I-D.ietf-tsvwg-sctp-ndata] [I-D.ietf-tsvwg-sctp-ndata]
Stewart, R., Tuexen, M., Loreto, S., and R. Seggelmann, "A Stewart, R., Tuexen, M., Loreto, S., and R. Seggelmann, "A
New Data Chunk for Stream Control Transmission Protocol", New Data Chunk for Stream Control Transmission Protocol",
draft-ietf-tsvwg-sctp-ndata-00 (work in progress), draft-ietf-tsvwg-sctp-ndata-00 (work in progress),
February 2014. February 2014.
Authors' Addresses Authors' Addresses
Michael Tuexen Michael Tuexen
 End of changes. 36 change blocks. 
79 lines changed or deleted 112 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/