The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Stream Control Transmission Protocol (SCTP) is defined in IETF RFC 2960. This description assumes the reader is familiar with RFC 2960. SCTP provides protection against modification of messages relating to SCTP associations through the use of data stored in cookies and through the use of verification tag values. See R. Stewart et al., “Stream Control Transmission Protocol” (Boston: Addison-Wesley, 2001), pp. 231-235.
Network administrators desire to deploy rules governing operation of network address translation (NAT) devices and firewall (FW) devices with a finite duration, so that each rule has a lifetime equal to the lifetime of an association between endpoints. In present practice, NAT devices and FW devices do not consider SCTP verification tag values. Therefore, rules in NAT and FW devices that are established for SCTP associations can expire only based on timers, administrative action, or configuration. There is a need for a way to cause rules established in NAT devices and FW devices to expire automatically when an SCTP association ends.
One approach to this problem would be to store, with each rule in the NAT device or FW device, the verification tag associated with a particular traffic direction of an SCTP association. However, this approach is too rigid. In normal operation of SCTP, the verification tags of an association sometimes change. For example, if one endpoint of the association restarts, the restarting endpoint normally advertises a changed verification tag value to the other endpoint. Unfortunately, a security vulnerability would arise if the NAT device or FW device updated the verification tag stored with the association information to match a changed verification tag. In particular, if the NAT device or FW device updated a verification tag based on a spoofed or unauthorized SCTP message, then an attacker could implement a denial-of-service (DoS) attack merely by sending messages with changed verification tag values.