The Stream Control Transmission Protocol (SCTP) is a new IP transportprotocol, existing at an equivalent level with UDP (User DatagramProtocol) and TCP (Transmission Control Protocol), which provide transport layer functions to many Internet applications.  SCTP has been approved by the IETF as a Proposed Standard [1].  The error check algorithm has since been modified [2].  Future changes and updates will be reflected in the IETF RFC index.

Like TCP, SCTP provides a reliable transport service, ensuring that data is transported across the network without error and in sequence. Like TCP, SCTP is a session-oriented mechanism, meaning that a relationship is created between the endpoints of an SCTP association prior to data being transmitted, and this relationship is maintained until all data transmission has been successfully completed.

Unlike TCP, SCTP provides a number of functions that are critical for telephony signaling transport, and at the same time can potentially benefit other applications needing transport with additional performance and reliability.  The original framework for the SCTP definition is described in [3]. 

 Basic SCTP Features

SCTP is a unicast protocol, and supports data exchange between exactly 2 endpoints, although these may be represented by multiple IP addresses.

SCTP provides reliable transmission, detecting when data is discarded, reordered, duplicated or corrupted, and retransmitting damaged data as necessary.  SCTP transmission is full duplex.

SCTP is message oriented and supports framing of individual message boundaries.  In comparison, TCP is byte oriented and does not preserve any implicit structure within a transmitted byte stream without enhancement.

SCTP is rate adaptive similar to TCP, and will scale back data transfer to the prevailing load conditions in the network.  It is designed to behave cooperatively with TCP sessions attempting to use the same bandwidth.

SCTP Multi-Streaming Feature

The name Stream Control Transmission Protocol is derived from the multi-streaming function provided by SCTP.  This feature allows data to be partitioned into multiple streams that have the property of independently sequenced delivery, so that message loss in any one stream will only initially affect delivery within that stream, and not delivery in other streams.

In contrast, TCP assumes a single stream of data and ensures that delivery of that stream takes place with byte sequence preservation. While this is desirable for delivery of a file or record, it causes additional delay when message loss or sequence error occurs within the network.  When this happens, TCP must delay delivery of data until the correct sequencing is restored, either by receipt of an out-of-sequence message, or by retransmission of a lost message.

For a number of applications, the characteristic of strict sequence preservation is not truly necessary.  In telephony signaling, it is only necessary to maintain sequencing of messages that affect the same resource (e.g., the same call, or the same channel).  Other messages are only loosely correlated and can be delivered without having to maintain overall sequence integrity.

Another example of possible use of multi-streaming is the delivery of multimedia documents, such as a web page, when done over a single session.  Since multimedia documents consist of objects of different sizes and types, multi-streaming allows transport of these components to be partially ordered rather than strictly ordered, and may result in improved user perception of transport.

At the same time, transport is done within a single SCTP association, so that all streams are subjected to a common flow and congestion control mechanism, reducing the overhead required at the transport level.

SCTP accomplishes multi-streaming by creating independence between data transmission and data delivery.  In particular, each payload DATA “chunk” in the protocol uses two sets of sequence numbers, a Transmission Sequence Number that governs the transmission of messages and the detection of message loss, and the Stream ID/Stream Sequence Number pair, which is used to determine the sequence of delivery of received data.

This independence of mechanisms allows the receiver to determine immediately when a gap in the transmission sequence occurs (e.g., due to message loss), and also whether or not messages received following the gap are within an affected stream.  If a message is received within the affected stream, there will be a corresponding gap in the Stream Sequence Number, while messages from other streams will not show a gap.  The receiver can therefore continue to deliver messages to the unaffected streams while buffering messages in the affected stream until retransmission occurs.

SCTP Multi-Homing Feature

Another core feature of SCTP is multi-homing, or the ability for a single SCTP endpoint to support multiple IP addresses.  The benefit of multi-homing is potentially greater survivability of the session in the presence of network failures.  In a conventional single-homed session, the failure of a local LAN access can isolate the end system, while failures within the core network can cause temporary unavailability of transport until the IP routing protocols can reconverge around the point of failure.  Using multi-homed SCTP, redundant LANs can be used to reinforce the local access, while various options are possible in the core network to reduce the dependency of failures for different addresses.  Use of addresses with different prefixes can force routing to go through different carriers, for example, route-pinning techniques or even redundant core networks can also be used if there is control over the network architecture and protocols.

In its current form, SCTP does not do load sharing, that is, multi- homing is used for redundancy purposes only.  A single address is chosen as the “primary” address and is used as the destination for all DATA chunks for normal transmission.  Retransmitted DATA chunks

use the alternate address(es) to improve the probability of reaching the remote endpoint, while continued failure to send to the primary address ultimately results in the decision to transmit all DATA chunks to the alternate until heartbeats can reestablish the reachability of the primary.

To support multi-homing, SCTP endpoints exchange lists of addresses during initiation of the association.  Each endpoint must be able to receive messages from any of the addresses associated with the remote endpoint; in practice, certain operating systems may utilize available source addresses in round robin fashion, in which case receipt of messages from different source addresses will be the normal case.  A single port number is used across the entire address list at an endpoint for a specific session.

In order to reduce the potential for security issues, it is required that some response messages be sent specifically to the source address in the message that caused the response.  For example, when the server receives an INIT chunk from a client to initiate an SCTP association, the server always sends the response INIT ACK chunk to the source address that was in the IP header of the INIT.

Features of the SCTP Initiation Procedure

The SCTP Initiation Procedure relies on a 4-message sequence, where DATA can be included on the 3rd and 4th messages of the sequence, as these messages are sent when the association has already been validated.  A “cookie” mechanism has been incorporated into the sequence to guard against some types of denial of service attacks.

Cookie Mechanism

The “cookie” mechanism guards specifically against a blind attacker generating INIT chunks to try to overload the resources of an SCTP server by causing it to use up memory and resources handling new INIT requests.  Rather than allocating memory for a Transmission Control Block (TCB), the server instead creates a Cookie parameter with the TCB information, together with a valid lifetime and a signature for authentication, and sends this back in the INIT ACK.  Since the INIT ACK always goes back to the source address of the INIT, the blind attacker will not get the Cookie.  A valid SCTP client will get the Cookie and return it in the COOKIE ECHO chunk, where the SCTP server can validate the Cookie and use it to rebuild the TCB.  Since the server creates the Cookie, only it needs to know the format and secret key, this is not exchanged with the client.

Otherwise, the SCTP Initiation Procedure follows many TCP conventions, so that the endpoints exchange receiver windows, initial sequence numbers, etc.  In addition to this, the endpoints may exchange address lists as discussed above, and also mutually confirm the number of streams to be opened on each side.

INIT Collision Resolution

Multi-homing adds to the potential that messages will be received out of sequence or with different address pairs.  This is a particular concern during initiation of the association, where without procedures for resolving the collision of messages, you may easily end up with multiple parallel associations between the same endpoints.  To avoid this, SCTP incorporates a number of procedures to resolve parallel initiation attempts into a single association.

SCTP DATA Exchange Features

DATA chunk exchange in SCTP follows TCP’s Selective ACK procedure. Receipt of DATA chunks is acknowledged by sending SACK chunks, which indicate not only the cumulative Transmission Sequence Number (TSN) range received, but also any non-cumulative TSNs, implying gaps in the received TSN sequence.  Following TCP procedures, SACKs are sent using the “delayed ack” method, normally one SACK per every other received packet, but with an upper limit on the delay between SACKs and an increase to once per received packet when there are gaps detected.

Flow and Congestion Control follow TCP algorithms.  The advertised receive window indicates buffer occupancy at the receiver, while a per-path congestion window is maintained to manage the packets in flight.  Slow start, Congestion avoidance, Fast recovery and Fast retransmit are incorporated into the procedures as described in RFC 2581, with the one change being that the endpoints must manage the conversion between bytes sent and received and TSNs sent and received, since TSN is per chunk rather than per byte.

The application can specify a lifetime for data to be transmitted, so that if the lifetime has expired and the data has not yet been transmitted, it can be discarded (e.g., time-sensitive signaling messages).  If the data has been transmitted, it must continue to be delivered to avoid creating a hole in the TSN sequence.

SCTP Shutdown Features

SCTP Shutdown uses a 3-message procedure to allow graceful shutdown, where each endpoint has confirmation of the DATA chunks received by the remote endpoint prior to completion of the shutdown.  An Abort procedure is also provided for error cases when an immediate shutdown must take place.

Note that SCTP does not support the function of a “half-open” connection as can occur in TCP, when one side indicates that it has no more data to send, but the other side can continue to send data indefinitely.  SCTP assumes that once the shutdown procedure begins, both sides will stop sending new data across the association, and only need to clear up acknowledgements of previously sent data.

SCTP Message Format

The SCTP Message includes a common header plus one or more chunks, which can be control or data.  The common header has source and destination port numbers to allow multiplexing of different SCTP associations at the same address, a 32-bit verification tag that guards against insertion of an out-of-date or false message into the SCTP association, and a 32-bit checksum (this has been modified to use the CRC-32c polynomial [2]) for error detection.

Each chunk includes chunk type, flag field, length and value. Control chunks incorporate different flags and parameters depending on the chunk type.  DATA chunks in particular incorporate flags for control of segmentation and reassembly, and parameters for the TSN, Stream ID and Stream Sequence Number, and a Payload Protocol Identifier.

The Payload Protocol ID has been included for future flexibility.  It is envisioned that the functions of protocol identification and port number multiplexing will not be as closely linked in the future as they are in current usage.  Payload Protocol ID will allow the protocol being carried by SCTP to be identified independent of the port numbers being used.

The SCTP message format naturally allows support of bundling of multiple DATA and control chunks in a single message, to improve transport efficiency.  Use of bundling is controllable by the application, so that bundling of initial transmission can be prohibited.  Bundling will naturally occur on retransmission of DATA chunks, to further reduce any chance of congestion.

Error Handling

• Retransmission

Retransmission of DATA chunks occurs from either (a) timeout of the retransmission timer; or (b) receipt of SACKs indicating the DATA chunk has not been received.  To reduce the potential for congestion, the rate of retransmission of DATA chunks is limited.  The retransmission timeout (RTO) is adjusted based on estimates of the round trip delay and backs off exponentially as message loss increases.

In an active association with fairly constant DATA transmission, SACKs are more likely to cause retransmission than the timeout.  To reduce the chance of an unnecessary retransmission, a 4 SACK rule is used, so that retransmission only occurs on receipt of the 4th SACK that indicates that the chunk is missing.  This is intended to avoid retransmits due to normal occurrences such as packets received out of sequence.

•  Path Failure

A count is maintained of the number of retransmissions to a particular destination address without successful acknowledgement. When this count exceeds a configured maximum, the address is declared inactive, notification is given to the application, and the SCTP begins to use an alternate address for the sending of DATA chunks.

Also, Heartbeat chunks are sent periodically to all idle destinations (i.e., alternate addresses), and a counter is maintained on the number of Heartbeats sent to an inactive destination without receipt of a corresponding Heartbeat Ack.  When this counter exceeds a configured maximum, that destination address is also declared inactive.

Heartbeats continue to be sent to inactive destination addresses until an Ack is received, at which point the address can be made active again.  The rate of sending Heartbeats is tied to the RTO estimation plus an additional delay parameter that allows Heartbeat traffic to be tailored according to the needs of the user application.

•  Endpoint Failure

A count is maintained across all destination addresses on the number of retransmits or Heartbeats sent to the remote endpoint without a successful Ack.  When this exceeds a configured maximum, the endpoint is declared unreachable, and the SCTP association is closed.

API

The specification includes a model of the primitives exchanged between the application and the SCTP layer, intended as informational material rather than a formal API statement.  A socket-based API is being defined to simplify migration of TCP or UDP applications to the use of SCTP.

Security Considerations

In addition to the verification tag and cookie mechanisms, SCTP specifies the use of IPSec if strong security and integrity protection is required.  The SCTP specification does not itself define any new security protocols or procedures.

Extensions to IPSec are under discussion to reduce the overhead required to support multi-homing.  Also, work is in progress on the use of Transport Layer Security (TLS) over SCTP [4].

Extensions

The SCTP format allows new chunk types, flags and parameter fields to be defined as extensions to the protocol.  Any extensions must be based on standard agreements within the IETF, as no vendor-specific extensions are supported in the protocol.

Chunk Type values are organized into four ranges to allow extensions to be made with a pre-defined procedure for responding if a new Chunk Type is not recognized at the remote endpoint.  Responses include: whole packet discard; packet discard with reporting; ignoring the chunk; ignoring with reporting.  Similar pre-defined responses are specified for unrecognized Parameter Type values.

Chunk Parameter Type values are in principle independent ranges for each Chunk Type.  In practice, the values defined in the SCTP specification have been coordinated so that a particular parameter type will have the same Chunk Parameter Type value across all Chunk Types.  Further experience will determine if this alignment needs to be maintained or formalized.

Informative References

[1] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M., Zhang, L. and V. Paxson, “Stream Control Transmission Protocol”, RFC 2960, October 2000.

[2] Stewart, Sharp, et. al., “SCTP Checksum Change”, Work in Progress.

[3] Ong, L., Rytina, I., Garcia, M., Schwarzbauer, H., Coene, L., Lin, H., Juhasz, I., Holdrege, M. and C. Sharp, “Framework Architecture for Signaling Transport”, RFC 2719, October 1999.

[4] Jungmeier, Rescorla and Tuexen, “TLS Over SCTP”, Work in Progress.

Security Risks of Cloud Computing

In 2008 information technology research and consulting U.S. Gartner believes the risks of cloud computing, especially from the corner vendor in terms of security capabilities. Tujuh keamanan resiko dalam cloud computing menurut Gartner

1. User Privilage Access
2. Regulation
3. Data Location
4. Data Separation
5. Recovery
6. Investigation
7. Long-term survival

In 2009 CSA (Cloud Security Alliance) guidelines issued in terms of safety, especially on a cloud computing perspective on the threat that an attack will occur on the system of the attacker / hacker. It is proposed that there are 7 fields in the biggest security issues, important, and very dangerous in a cloud computing system

1. Cloude Computing Abuse
2. Security in the use of interface / hardware
3. Malicious
4. The issue of a shared technology
5. Lost Data
6. Account user hijacking
7. Risk for unoun users

To respond to the multiple data security in cloud computing, then the service provider (vendor) should be prioritized in terms of the privacy of each user’s security service cloud computing

1. Monitoring and auditing data
2. Data Privacy
3. Enscription management
4. Data integritation

The security of cloud computing is still in discussion as the security standard used in the implementation of cloud computing systems. Some organizations implement security standards on cloud computing, such as the Open Cloud Manifesto (OCM), National Institute of Standards and Technology (NIST), Cloud Security Alliance (CSA) and the Distributed Management Task Force (DMFT)

This papers writtent by : Elmansyah and Riantino in Computer Architecture, Department of Electrical Engineering, University of Indonesia.

Refference :

1. Xiang Tan^a, Bo Ai^b, “The Issues of Cloud computing Security in High-speed Railway, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, P.R.China, 2011
2. http://www.opencloudmanifesto.org/
3. Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud computing V2.1, 2009
4. http://www.dmtf.org/
5. http://www.computerweekly.com/Articles/2009/06/10/235429/A-history-of-cloud-computing.htm
6. http://www.techno-pulse.com/2010/04/infrastructure-as-service-iaas-cloud.html
7. http://www.altor.com/altor/opencms/index.html
8. Wei J, Zhang X, Ammons G, Bala V, Ning P, “Managing security of virtual machine images in a cloud environment. In: Proc. Of the 2009 ACM Workshop on Cloud Computing Security. 2009

Today’s Internet technology is designed with no QOS (Quality of Service), so there is no guarantee of safety data on the internet, therefore it is developing Internet2 QOS support services to improve the performance of today’s Internet network. Internet today is using the concept of best-effort IP routing is irregular so that the transmitted data packets can pass through the routing path to be empty until the goal. The concept of IP routing on the internet today also do not support the existence of prior communication between sender and receiver (handshak) there is no guarantee that data packets will arrive safely at your destination.

By addressing some of the weaknesses and flaws in the concept of the Internet today, so the researchers continue to develop to make some improvements, namely the concept of its dirancangan Internet2.

Development of current technology is developing rapidly and has a lot of use of online applications such as video and audio conferencing that require extremely high internet service to send data packets on the internet can be saved to the destination without any delay, jitter, and packet loss. It is therefore necessary to support these services are very good QOS in the network connection on the internet.

The purpose in creating it Internet2 to provide access to data transmission is very high, intense, dynamic, fast, and cost effective. Internet2 networks uses some concepts such as the current phone system (ATM Switch) that is the relationship between sender and receiver before transmitting data to the Internet (handshaking). For example, if the sender wants to send data packets to the destination, the sender can call in advance to receive objective and asks whether to accept data to be transmitted, if the receiver busy condition, the receiver shall immediately send ack (action) back to the sender that receiver busy condition. And vice versa if the receiver can receive the package right away, then the receiver sends ack to the sender to immediately send data packets to be transmitted by the sender. By using the concept as it is expected that the service guarantee of safety data can be saved to a good purpose.

Internet2 is designed to perform several approaches, namely the best-effort technology with ATM Switch. The main objective of this approach to share network resources such that it can simultaneously achieve the benefits of circuit-switched network (performance guarantees) and the benefits of best-effort network to a maximum

Internet2 has some requirements that will apply are:

1. Supporting technological applications that require access to the internet as a very high
2. Can implement packet forwarding equipment
3. Administrable
4. Provide a scalable service
5. Ability to work with the host, operating system and middleware
6. Short-term needs for QOS Tesbed.

Some protocols that can support Internet2, namely:

1. IPv6 (Internet Protocol Version 6)
2. MPLS (Multi Protocol Label of switching)
3. GMPLS (Generalized Multi Protocol Label Switching)
4. SIP (Session Initiation Protocol)

IPv6 is an enhancement to replace IPv4 existence that is almost depleted his willingness to just thinking about a 23-bit network address. Meanwhile, pick the 128 bit IPv6 network address that is 2 * 96 more than the IPv4

MPLS is a technology delivering data packets of high-speed backbone network, the principle works combine some advantages of the communication system of circuit-switched and packet-switched technology that gave birth to a better than two. The working principle is to combine MPLS layer 2 switching speed with Traffic routing and scalability at layer 3, the way it works is by slipping between the header label layer 2 and layer 3 in the packet is forwarded. Label produced by the label-switching router which acts as a liaison with outside networks MPLS network. The label contains further information destination node where the packet should be sent. Then forwarded the package to the next node, the node is the package label will be released and given a new label containing the following purposes. Packets transmitted in a path which is called LSP (Label Switching Path)

GMPLS also known as Multiprotocol Switching Lamda is a technology that provides enhancements to Multiprotocol Label Switching (MPLS) to support network switching for time, wavelength, and as well as for packet switching. In particular, GMPLS network will provide support for optical communication networks (fotonic)

SIP is a signaling protocol developed by IETF and is widely used for communication sessions such as voice and video calls using the IP protocol. SIP is very good for data transmission is realtime as video and audio conferencing.

This will be described below some approaches that stiffened QOS on Internet2, namely:

1. Scope
2. model Control
3. Transmission guarantee

Scope defines the boundaries of service QOS, such as a scope to access the application end-to-end, which means defining how much and what applications will be covered by QOS Facility.

QOS control model in describing the request of the limitations in network equipment, duration, and location. For example QOS requests can be done both in terms of end-to-end or central location (middleware) as a proxy for internet caching.

Collateral is marked with a granularity of transmission, the transmission parameters, and the corresponding guarantees about what the networks have to offer for each service.

The papers writtent by : Elmansyah and Elvian Syafrurizal in Advanced Information Network,  Department of Electrical Engineering, University of Indonesia

Refference :

1. Dimitrios Miras, “A Survey of Network QoS Needs of Advanced Internet Applications — Working Document —“, Internet2 QoS Working Group, Computer Science Department, University College London, 2002, pp. 1
2. January 2010 Internet2 Traffic Snapshot, Prepared for the Joint Techs Connector BOF On February 1st, 2010, pp. 3
3. Robert H. Zakon. “Hobbes’ Internet Timeline 10.1″. Retrieved September 16, 2011
4. Teitelbaum Ben, Hanss Ted, “QoS Requirements for Internet2 (draft)”. QoS Home,  April 22, 1998
5. Nickols, K.; Blake, S.; Baker, F.; Black, D. “Definition of the Differentiated Service Field (DS Field) in the IPv4 and IPv6 Headers, IETF.” RFC 2474. December, 1998
6. RFC 2474
7. Li (Erran) Li, Milind M. Buddhikot, Chandra Chekuri, and Katherine Guo, “Routing Bandwidth Guaranteed Paths With Local Restoration in Label Switched Networks”, IEEE Journal on Selected Areas in Communications, VOL. 23, NO. 2, February 2005
8. RFC 3945

To prevent piracy Facebook account, you’ll want to know the tricks used by hackers in stealing accounts. Here is a trick that is usually used hackers to hijack accounts / get one’s Facebook password.