Secure Socket SCTP: A Multi-layer End-to-End Security Solution

Stream control transmission protocol (SCTP) [1] is a rather new full-fledged transport protocol with a rich set of functionalities. In SCTP, transport layer multihoming for enhanced network fault tolerance is provided. The concept of multistreaming is also included to reduce the impact of head-of-line blocking of unrelated data. In addition, enhanced protection against denial-of-service (DoS) attacks is provided through a four-way handshake mechanism. Furthermore, the provided transport service is message-oriented, and support for both ordered and unordered delivery of messages is offered. Messages in SCTP are transmitted as chunks. The same mechanism is further used to transfer SCTP control information. Through the chunk concept, SCTP is also easily extendable. To date, four protocol extensions have reached standard status [2–5]. Message content protection, hereafter referred to as end-to-end (E2E) security, is not provided by the base protocol. E2E security is instead recommended to be implemented either beneath or above SCTP, through IPsec [6] or TLS [7] respectively. Another approach, as proposed in [8], is to provide E2E security by extending SCTP. The main disadvantage of this solution is that it cannot be efficiently implemented in the kernel. Yet another approach is to spread security functionalities over multiple layers within the communication stack. Secure socket SCTP (S2SCTP) [9] is such a multi-layer E2E security solution. In the following, an overview of S2SCTP is first given. Then, a brief comparison of S2SCTP, SCTP over IPsec, and TLS over SCTP is presented. Finally, a discussion on implementing E2E security solutions in a single- or multi-layer fashion, together with future work on S2SCTP, is provided.
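As an added example (not from the paper or from any S2SCTP implementation), the following Python walks the chunk framing that SCTP uses for both user data and control information, bounds-checks every chunk length, and pulls out the multistreaming fields of a DATA chunk. The packet bytes are constructed here (a SACK bundled with a DATA chunk) and the checksum field is left unset.

```python
import struct

# Chunk type codes from the SCTP base specification.
CHUNK_TYPES = {0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
               9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK",
               14: "SHUTDOWN COMPLETE"}


def parse_sctp_packet(pkt: bytes) -> dict:
    """Parse the 12-byte common header, then every chunk that follows it."""
    if len(pkt) < 12:
        raise ValueError("truncated SCTP common header")
    src, dst, vtag, csum = struct.unpack("!HHII", pkt[:12])
    chunks, off = [], 12
    while off < len(pkt):
        if len(pkt) - off < 4:
            raise ValueError("truncated chunk header at offset %d" % off)
        ctype, flags, length = struct.unpack("!BBH", pkt[off:off + 4])
        # Length covers type/flags/length plus value; reject anything that
        # is shorter than its own header or runs past the packet.
        if length < 4 or off + length > len(pkt):
            raise ValueError("bad chunk length %d at offset %d" % (length, off))
        value = pkt[off + 4:off + length]
        chunk = {"type": CHUNK_TYPES.get(ctype, "UNKNOWN(%d)" % ctype),
                 "flags": flags, "length": length}
        if ctype == 0:  # DATA: TSN, stream id, stream seq, payload protocol id
            if len(value) < 12:
                raise ValueError("DATA chunk shorter than its fixed header")
            tsn, sid, ssn, ppid = struct.unpack("!IHHI", value[:12])
            chunk.update({"tsn": tsn, "stream": sid, "ssn": ssn, "ppid": ppid,
                          "unordered": bool(flags & 0x04),  # U bit
                          "user_data": value[12:]})
        chunks.append(chunk)
        off += (length + 3) & ~3  # chunks are padded to a 4-byte boundary
    return {"src_port": src, "dst_port": dst, "vtag": vtag,
            "checksum": csum, "chunks": chunks}


def build_sample_packet() -> bytes:
    """Constructed sample: a SACK bundled with a 5-byte DATA chunk on stream 7."""
    common = struct.pack("!HHII", 5000, 5001, 0x11223344, 0)  # checksum unset
    sack = struct.pack("!BBHIIHH", 3, 0, 16, 1000, 65535, 0, 0)
    payload = b"hello"
    # flags 0x03 = B|E: a complete, unfragmented, ordered message
    data_hdr = struct.pack("!BBHIHHI", 0, 0x03, 16 + len(payload), 2000, 7, 0, 0)
    data = data_hdr + payload + b"\x00" * ((-len(payload)) % 4)
    return common + sack + data
```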