Internet DRAFT - draft-ietf-tsvwg-tls-over-sctp
draft-ietf-tsvwg-tls-over-sctp
Network Working Group A. Jungmaier
INTERNET DRAFT University of Essen
E. Rescorla
RTFM Inc.
M. Tuexen (editor)
Siemens AG
Expires May 14, 2002 November 14, 2001
TLS over SCTP
<draft-ietf-tsvwg-tls-over-sctp-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of [RFC2026].
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet Drafts as reference material
or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document describes the usage of the Transport Layer Security (TLS)
protocol, as defined in [RFC2246], over the Stream Control Transmission
Protocol (SCTP), as defined in [RFC2960].
The user of TLS can take advantage of the following features provided by
SCTP:
- Support of multiple streams to avoid head of line blocking.
- Support of multi-homing to provide network level fault
tolerance.
Additionally currently being discussed extensions of SCTP are also
Jungmaier, Rescorla, Tuexen [Page 1]
Internet Draft TLS over SCTP November 2001
supported. This means especially:
- Support of dynamic reconfiguration of IP-addresses.
1. Introduction
1.1. Overview
This document describes the usage of the Transport Layer Security (TLS)
protocol, as defined in [RFC2246], over the Stream Control Transmission
Protocol (SCTP), as defined in [RFC2960].
TLS is designed to run on top of a byte-stream oriented transport
protocol providing a reliable, in-sequence delivery. Thus, TLS is
currently mainly being used on top of the Transmission Control Protocol
(TCP), as defined in [RFC793].
Comparing TCP and SCTP, the latter provides additional features and this
document shows how TLS should be used with SCTP to provide some of these
additional features to the TLS user.
This document defines
- how to use the multiple streams feature of SCTP.
- how to handle the message oriented nature of SCTP.
It should be noted that the TLS user can take advantage of the multi-
homing support of SCTP. The dynamic reconfiguration of IP-addresses as
currently being discussed can also be used with the described solution.
The method described in this document does not require any changes of
TLS or SCTP. It is only required that SCTP implementations support the
optional feature of fragmentation of SCTP user messages.
1.2. Terminology
This document uses the following terms:
Association:
A SCTP association.
Connection:
A TLS connection.
Session:
A TLS session.
Jungmaier, Rescorla, Tuexen [Page 2]
Internet Draft TLS over SCTP November 2001
Stream:
A unidirectional stream of a SCTP association. It is uniquely
identified by a stream identifier.
1.3. Abbreviations
MTU: Maximum Transmission Unit
SCTP: Stream Control Transmission Protocol
TCP: Transmission Control Protocol
TLS: Transport Layer Security
2. Conventions
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD. SHOULD
NOT, RECOMMENDED, NOT RECOMMENDED, MAY, and OPTIONAL, when they appear
in this document, are to be interpreted as described in [RFC2119].
3. SCTP Requirements
3.1. Number of Inbound and Outbound Streams
An association between the endpoints A and Z provides n streams from A
to Z and m streams from Z to A.
A pair consisting of two streams with the same stream identifier is
considered and used as one bi-directional stream.
Thus an SCTP association can be considered as a set of min(n,m) bi-
directional streams and (max(n,m) - min(n,m)) uni-directional streams.
3.2. Fragmentation of User Messages
To avoid the knowledge and handling of the MTU inside TLS, SCTP MUST
provide fragmentation of user messages, which is an optional feature of
[RFC2960]. Since SCTP is a message oriented protocol, it must be able
to transmit all TLS records as SCTP user messages. Thus the supported
maximum length of SCTP user messages MUST be at least 2^14 + 2048 + 5 =
18437 bytes, which is the maximum length of a TLSCiphertext, as defined
in [RFC2246].
Therefore, SCTP takes care of fragmenting and reassembling the TLS
records in order to avoid IP-fragmentation.
Jungmaier, Rescorla, Tuexen [Page 3]
Internet Draft TLS over SCTP November 2001
4. Connections and Bi-directional Streams
TLS makes use of a bi-directional stream by establishing a connection
over it. This means that the number of connections for an association
is limited by the number of bi-directional streams.
The TLS handshake protocol is used on each bi-directional stream
separately. Each handshake can be
- a full handshake or
- an abbreviated handshake that resumes a TLS session with a
session id from another connection (on the same or another
association).
After completing the handshake for a connection, the bi-directional
stream can be used for TLS-based user data transmission. It should also
be noted that the handshakes for the different connections are
independent and can be delayed until the bi-directional stream is used
for user data transmission.
5. Usage of bi-directional streams
It is not required that all bi-directional streams are used for TLS-
based user data transmission. If TLS is not used, it is called SCTP-
based user data transmission.
5.1. SCTP-based user data transmission
If a bi-directional stream is not used for TLS-based communication there
are no restrictions on the features provided by SCTP for SCTP-based user
data transmission.
5.2. TLS-based user data transmission
In general, the bi-directional stream will be used for TLS-based user
data transmission and it SHOULD NOT be used for SCTP-based user data
transmission. The exception to this rule is protocols which contain
upgrade-to-TLS mechanisms such as those of HTTP upgrade [RFC2817] and
SMTP over TLS [RFC2487].
TLS requires that the underlying transport delivers TLS records in
strict sequence. Thus, the 'unordered delivery' feature of SCTP MUST NOT
be used on streams which are used for TLS based user data transmission.
For the same reason, TLS records delivered to SCTP for transmission MUST
NOT have limited lifetimes.
Jungmaier, Rescorla, Tuexen [Page 4]
Internet Draft TLS over SCTP November 2001
6. Usage of uni-directional streams
The uni-directional streams can not be used for TLS-based user data
transmission. Nevertheless they can be used without any restrictions for
SCTP-based communication.
7. Examples
In these examples we consider the case of an association with two bi-
directional streams.
7.1. Two Bi-directional Streams with Full Handshake
Just after the association has been established the client sends two
ClientHello messages on the bi-directional streams 0 and 1. After a
full handshake has been completed on each bi-directional stream, TLS-
based user data transmission can take place on that stream. It is
possible that on the bi-directional stream 0 the handshake has been
completed, and user data transmission is ongoing, while on the bi-
directional stream 1 the handshake has not been completed, or vice
versa.
7.2. Two Bi-directional Streams with an Abbreviated Handshake
After establishing the association, the client starts a full handshake
on the bi-directional stream 0. The server provides a session
identifier which allows session resumption. After the full handshake
has been completed, the client initiates an abbreviated handshake on the
bi-directional stream 1 using the session identifier from the handshake
on the bi-directional stream 0. User data can be transmitted on the bi-
directional stream 0, but not on the bi-directional stream stream 1 in
that state. After completion of the abbreviated handshake on the bi-
directional stream 1, user data can be transmitted on both streams.
Whether or not to use abbreviated handshakes during the setup phase of a
TLS connection over an SCTP association depends on several factors:
- the complexity and duration of the initial handshake
processing (also determined by the number of connections),
- the network performance (round-trip times, bandwidth).
Abbreviated handshakes can reduce computational complexity of the
handshake considerably, in case that this is a limiting resource. If a
large number of connections need to be established, it may be of
advantage to use the TLS session resumption feature. On the other hand,
before an abbreviated handshakes can take place, a full handshake needs
to have completed. In networks with large round-trip time delays, it may
Jungmaier, Rescorla, Tuexen [Page 5]
Internet Draft TLS over SCTP November 2001
be favorable to perform a number of full handshakes in parallel.
Therefore, both possibilities are allowed.
7.3. Two Bi-directional Streams with a Delayed Abbreviated Handshake
This example resembles the last one, but after the completion of the
full handshake on the bi-directional stream 0, the abbreviated handshake
on the bi-directional stream 1 is not started immediately. The bi-
directional stream 0 can be used for user data transmission. It is only
when the user also wants to transmit data on the bi-directional stream 1
that the abbreviated handshake for the bi-directional stream 1 is
initiated.
This allows the user of TLS to request a large number of bi-directional
streams without having to provide all the resources at association
start-up if not all bi-directional streams are used right from the
beginning.
7.4. Two Bi-directional Streams without Full Handshakes
This example is like the second or third one, but an abbreviated
handshake is used for both bi-directional streams. This requires the
existence of a valid session identifier from connections handled by
another association.
8. Security Considerations
Using TLS on top of SCTP does not provide any new security issues beside
the ones discussed in [RFC2246] and [RFC2960].
It is possible to authenticate TLS endpoints based on IP-addresses in
certificates. Unlike TCP, SCTP associations can use multiple addresses
per SCTP endpoint and therefore it is possible that TLS records will be
sent from a different IP-address from that originally authenticated.
This is not a problem provided that no security decisions are made based
on that IP-address. This is a special case of a general rule: all
decisions should be based on the peer's authenticated identity, not on
its transport layer identity.
9. Acknowledgements
The authors would like to thank P. Calhoun, J. Wood and many others for
their invaluable comments and suggestions.
Jungmaier, Rescorla, Tuexen [Page 6]
Internet Draft TLS over SCTP November 2001
10. References
[RFC793] J. Postel (ed.), "Transmission Control Protocol", STP 7, RFC
793, September 1981.
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2026] S. Bradner, "The Internet Standards Process -- Revision 3",
RFC 2026, October 1996.
[RFC2246] T. Diercks, C. Allen, "The TLS Protocol Version 1.0", RFC
2246, January 1999.
[RFC2487] P. Hoffman, "SMTP Service Extension for Secure SMTP over
TLS", RFC 2487, January 1999.
[RFC2817] R. Khare and S. Lawrence, "Upgrading to TLS Within
HTTP/1.1", RFC 2817, May 2000.
[RFC2960] R. R. Stewart et al., "Stream Control Transmission
Protocol", RFC 2960, November 2000.
11. Authors' Addresses
Andreas Jungmaier Tel.: +49 201 1837636
University of Essen e-mail: ajung@exp-math.uni-essen.de
Networking Technology Group at the IEM
Ellernstrasse 29
D-45326 Essen
Germany
Eric Rescorla Tel.: +1 650-320-8549
RTFM, Inc. e-mail: ekr@rtfm.com
2064 Edgewood Drive
Palo Alto, CA 94303
USA
Michael Tuexen Tel.: +49 89 722 47210
Siemens AG e-mail: Michael.Tuexen@icn.siemens.de
ICN WN CS SE 5
D-81359 Munich
Germany
Jungmaier, Rescorla, Tuexen [Page 7]
Internet Draft TLS over SCTP November 2001
This Internet Draft expires May 14, 2002.
Jungmaier, Rescorla, Tuexen [Page 8]