SCTP Programmer's Guide
information, together with a valid lifetime and a signature for authentication, and sends
these back in the INIT ACK chunk. The blind attacker cannot obtain the cookie, because
the INIT ACK always goes back to the source address of the INIT. A valid SCTP client
gets the cookie and returns it in the COOKIE ECHO chunk, where the SCTP server can
validate the cookie and use it to rebuild the TCB. The cookie is created by the server,
and the cookie format and secret key remain with the server. The server does not
exchange these details with the client.
Verification Tag
A verification tag is a randomly generated 32-bit unsigned integer that is used to verify
whether a received SCTP packet belongs to the current association or is a stale packet from
a previous association. SCTP discards packets received without the expected verification
tag value, which protects against blind masquerade attacks and against processing stale
SCTP packets from a previous association.
The verification tag rules apply when sending or receiving SCTP packets that do not
contain an INIT, SHUTDOWN COMPLETE, COOKIE ECHO, ABORT, or a SHUTDOWN ACK
chunk.
While sending an SCTP packet, the endpoint must fill in the verification tag field of
the outbound packet with the tag value from the Initiate Tag parameter of the INIT or
INIT ACK received from its peer.
After receiving an SCTP packet, the endpoint must ensure that the value in the
verification tag field of the received packet matches its own tag. If the received
verification tag value does not match the receiver's own tag value, the receiver silently
discards the packet and does not process it any further.
The verification tag value is chosen by each endpoint of the association during
association startup.
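The receive-side rule above, as an added example that is not code from the guide or from any SCTP implementation: it parses the 12-byte common header and the chunk list, applies the tag-equality check to ordinary packets, requires tag 0 for INIT (no association exists yet), and defers the other exempt chunk types (SHUTDOWN COMPLETE, COOKIE ECHO, ABORT, SHUTDOWN ACK) to their own rules. The port numbers and packets are constructed, and the checksum is left at zero because only the tag is checked here.

```python
import struct

# SCTP common header: source port, destination port, verification tag, checksum.
COMMON_HDR = struct.Struct("!HHII")
# Chunk header: type, flags, length (length includes the 4-byte header; chunks are padded to 4 bytes).
CHUNK_HDR = struct.Struct("!BBH")

DATA, INIT, ABORT, SHUTDOWN_ACK, COOKIE_ECHO, SHUTDOWN_COMPLETE = 0, 1, 6, 8, 10, 14
# Chunk types the guide excludes from the plain tag-equality rule.
EXEMPT = {INIT, SHUTDOWN_COMPLETE, COOKIE_ECHO, ABORT, SHUTDOWN_ACK}

def build_packet(tag, chunks):
    """Constructed test packet (ports 5000/5001, checksum 0); chunks is a list of (type, payload)."""
    body = b""
    for ctype, payload in chunks:
        length = CHUNK_HDR.size + len(payload)
        body += CHUNK_HDR.pack(ctype, 0, length) + payload + b"\0" * (-length % 4)
    return COMMON_HDR.pack(5000, 5001, tag, 0) + body

def chunk_types(packet):
    """Walk the chunk list that follows the common header and return the chunk types in order."""
    types, off = [], COMMON_HDR.size
    while off + CHUNK_HDR.size <= len(packet):
        ctype, _flags, length = CHUNK_HDR.unpack_from(packet, off)
        if length < CHUNK_HDR.size or off + length > len(packet):
            raise ValueError("malformed chunk at offset %d" % off)
        types.append(ctype)
        off += (length + 3) & ~3   # skip the chunk plus its padding
    return types

def check_verification_tag(packet, my_tag):
    """Return 'process' or 'discard' for ordinary packets of an association whose own tag is
    my_tag; 'chunk-specific' for exempt chunk types whose tag rules are not modelled here.
    INIT is the one exempt type handled: it must carry tag 0 because no association exists yet."""
    if len(packet) < COMMON_HDR.size:
        return "discard"          # too short to hold a common header
    _sport, _dport, tag, _csum = COMMON_HDR.unpack_from(packet, 0)
    types = chunk_types(packet)
    if INIT in types:
        return "process" if tag == 0 else "discard"
    if EXEMPT & set(types):
        return "chunk-specific"
    # Ordinary packet: the tag must equal the tag this endpoint chose at startup; otherwise
    # the packet is silently discarded, which defeats blind injection and stale packets.
    return "process" if tag == my_tag else "discard"
```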
SCTP Security 39