SCTP
Stream Control Transmission Protocol (SCTP) is part of the Transport Layer of the OSI Model just like TCP and UDP and provides some of the features of both of those protocols. It is message or datagram orientated like UDP but it also ensures reliable sequential transport of data with congestion control like TCP.
SCTP provides the following services:
• Acknowledged error-free non-duplicated transfer of user data
• Data fragmentation to conform to discovered path MTU size
• Sequenced delivery of user messages within multiple streams, with an option for order-of-arrival delivery of individual user messages
• Optional bundling of multiple user messages into a single SCTP packet
• Network-level fault tolerance through supporting of multi-homing at either or both ends of an association
• Congestion avoidance behavior and resistance to flooding and masquerade attacks
SCTP uses multi-streaming to transport its messages which means that there can be several independent streams of messages traveling in parallel between the points of the transmission. The data is sent out in larger chunks of data than is used by TCP just like UDP but the messages include a sequence number within each message in the same way that TCP does so that the data can be reassembled at the other end of the transmission in the correct sequence without the data having to arrive in the correct sequence.
SCTP is effective as the transport protocol for applications that require monitoring and session-loss detection. For such applications, the SCTP path and session failure detection mechanisms actively monitor the connectivity of the session. SCTP differs from TCP in having multi-homing capabilities at either or both ends and several streams within a connection, typically referred to as an association. A TCP stream represents a sequence of bytes; an SCTP stream represents a sequence of messages.
Some common applications of SCTP include supporting transmission of the following protocols over IP networks:
• SCTP is important in 3G and 4G/LTE networks (for example, HomeNodeB = FemtoCells)
• SS7 over IP (for example, for 3G mobile networks)
• SCTP is also defined and used for SIP over SCTP and H.248 over SCTP
• Transport of Public Switched Telephone Network (PSTN) signaling messages over IP networks.
SCTP is a much newer protocol. It was defined by the IETF Signaling Transport (SIGTRAN) working group in 2000. It was introduced by
RFC 3286 and more fully define by
RFC 4960.
The FortiGate firewall can apply security policies to SCTP sessions in the same way as TCP and UDP sessions. You can create security policies that accept or deny SCTP traffic by setting the service to “ALL”. FortiOS does not include pre-defined SCTP services. To configure security policies for traffic with specific SCTP source or destination ports you must create custom firewall services for SCTP.
FortiGate units route SCTP traffic in the same way as TCP and UDP traffic. You can configure policy routes specifically for routing SCTP traffic by setting the protocol number to 132. SCTP policy routes can route SCTP traffic according to the destination port of the traffic if you add a port range to the policy route.
You can configure a FortiGate unit to perform stateful inspection of different types of SCTP traffic by creating custom SCTP services and defining the port numbers or port ranges used by those services. FortiGate units support SCTP over IPv4. The FortiGate unit performs the following checks on SCTP packets:
• Source and Destination Port and Verification Tag.
• Chunk Type, Chunk Flags and Chunk Length
• Verify that association exists
• Sequence of Chunk Types (INIT, INIT ACK, etc)
• Timer checking
• Four way handshake checking
• Heartbeat mechanism
• Protection against INIT/ACK flood DoS attacks, and long-INIT flooding
• Protection against association hijacking
FortiOS also supports SCTP sessions over IPSec VPN tunnels, as well as full traffic and event logging for SCTP sessions.