Effects of mobility and multihoming on transport-protocol security

The Stream Control Transmission Protocol (SCTP) is a reliable message-based transport protocol developed by the IETF that could replace TCP in some applications. SCTP allows endpoints to have multiple IP addresses for the purposes of fault tolerance. There is ongoing work to extend the SCTP multihoming functions to support dynamic addressing and endpoint mobility. This paper explains how the multihoming and mobility features can be exploited for denial-of-service attacks, connection hijacking, and packet flooding. We propose implementation guidelines for SCTP and changes to the mobility extensions that prevent most of the attacks. The same lessons apply to multihomed TCP variants and other transport-layer protocols that incorporate some flavor of dynamic addressing.
