# <center><i class="fas fa-clipboard-list"></i> SCTP </center>
###### tags: `O-RAN`
:::info
**Goal:**
Learning SCTP in O-RAN
- [x] Study what E2 (SCTP) is
- [x] What the messages are
- [x] How to connect over SCTP
:::
:::info
**Future Task:**
- [ ] Can I modify the RIC stub easily so that it sends messages to a specific entity? How? Describe it.
:::
## What is SCTP?
Stream Control Transmission Protocol (SCTP) is a reliable, message-oriented transport protocol that provides services and features for IP communication beyond what TCP and UDP offer. For the past twenty years, reliable transport has been provided by TCP and unreliable transport by UDP.

SCTP is similar to TCP: it provides a connection-oriented, full-duplex, reliable data path, and most of the standard features of TCP (congestion control, flow control, retransmission) are also found in SCTP. Unlike TCP, however, SCTP transports messages, not just a byte stream.

## Message in SCTP
SCTP is message-oriented and can carry multiple simultaneous, multiplexed streams of data within one connection (an *association*). This stream-aware connection control is one of its most notable features. SCTP also provides multihoming: the endpoints can use multiple IP addresses for one association, for example addresses from different ISPs, for network-level fault tolerance. If one ISP fails, the association simply continues over the address served by the operational ISP.

With SCTP, messages are never merged together on reading. As long as a large enough buffer is provided, each read returns exactly one message, and each send is a message in itself. Consequently neither the sending nor the receiving application needs to track where the message boundaries are.

Note that message-boundary preservation does affect how messages are transmitted. SCTP can bundle several messages into one packet and can also split a large message over multiple Protocol Data Units (PDUs). Whether it bundles or splits is driven mainly by the size of the messages the user sends and the Path Maximum Transmission Unit (PMTU).
## Advantage of SCTP
* Resistant to blind spoofing and SYN-flood-style Denial of Service (DoS): the four-way handshake with a state cookie means the listener allocates no state until the cookie comes back, and per-direction verification tags make off-path injection and reset attacks hard. SCTP itself provides no confidentiality or authentication, so it does not stop an on-path (MITM) attacker; use IPsec or DTLS over SCTP (RFC 6083) for that.
* SCTP can carry multiple simultaneous streams in one association, so head-of-line blocking in one stream does not stall the others.
* SCTP endpoints can use IP addresses from different ISPs (multihoming).
* Supports unordered delivery and, with the PR-SCTP extension (RFC 3758), partially reliable transport.
* Performs Path MTU Discovery (PMTUD) and fragmentation itself; per-chunk Transmission Sequence Numbers (TSNs) acknowledged by SACKs let it detect dropped and duplicated data.
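To make the first bullet concrete, here is a small model of the state-cookie mechanism from RFC 4960 section 5.1.3, written as an added example for this page (it is not code from the page, the RFC or any SCTP stack). The `Listener` answers INIT with an INIT ACK carrying an HMAC-protected cookie and stores nothing; a transmission control block (TCB) is created only when a COOKIE ECHO brings back an authentic, unexpired cookie from the same peer. The secret key, addresses, ports and cookie lifetime are constructed for the demonstration.

```python
"""State-cookie model of the SCTP four-way handshake (RFC 4960 section 5.1.3).

Added example for this page; not code from the page, the RFC or any SCTP
stack. INIT is answered with an INIT ACK that carries an HMAC-protected
cookie and the listener stores nothing. Only a COOKIE ECHO returning an
authentic, unexpired cookie from the same peer creates association state.
Secret, addresses, ports and the cookie lifetime are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
import time

COOKIE_LIFE = 60.0  # seconds; RFC 4960 Valid.Cookie.Life default
MAC_LEN = 32        # HMAC-SHA256 tag appended to the cookie body


class Listener:
    """Server side of the handshake; allocates a TCB only on a valid COOKIE ECHO."""

    def __init__(self, secret: bytes = None, clock=time.time):
        self.secret = secret or os.urandom(32)  # real stacks rotate this key
        self.clock = clock                      # injectable so expiry can be tested
        self.associations = {}                  # (addr, port) -> TCB

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def on_init(self, src: tuple, peer_tag: int) -> dict:
        """INIT -> INIT ACK. All handshake state is inside the cookie, none in memory."""
        local_tag = int.from_bytes(os.urandom(4), "big") or 1  # verification tags are non-zero
        body = struct.pack("!IIQ", peer_tag, local_tag, int(self.clock()))
        body += f"{src[0]}:{src[1]}".encode()   # bind the cookie to the INIT's source
        # The INIT ACK is addressed to src, so a spoofed INIT never yields a cookie
        # to the attacker, and no TCB has been created for the spoofed source.
        return {"type": "INIT ACK", "to": src, "init_tag": local_tag,
                "cookie": body + self._mac(body)}

    def on_cookie_echo(self, src: tuple, cookie: bytes) -> dict:
        """COOKIE ECHO -> COOKIE ACK when the cookie is authentic, fresh and from the same peer."""
        body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        if len(body) < 16 or not hmac.compare_digest(mac, self._mac(body)):
            return {"type": "DISCARD", "reason": "bad cookie MAC"}  # RFC 4960: silently discard
        peer_tag, local_tag, created = struct.unpack("!IIQ", body[:16])
        if body[16:] != f"{src[0]}:{src[1]}".encode():
            return {"type": "DISCARD", "reason": "cookie issued to a different peer"}
        if self.clock() - created > COOKIE_LIFE:
            return {"type": "ERROR", "reason": "stale cookie"}  # Stale Cookie Error cause
        # Only now does the server commit memory: the TCB is rebuilt from the cookie.
        self.associations[src] = {"peer_tag": peer_tag, "local_tag": local_tag}
        return {"type": "COOKIE ACK", "to": src}


def client_handshake(listener: Listener, src: tuple, tamper=None) -> dict:
    """Full INIT / INIT ACK / COOKIE ECHO / COOKIE ACK exchange from src.
    `tamper` optionally modifies the cookie in flight, as an on-path attacker could."""
    peer_tag = int.from_bytes(os.urandom(4), "big") or 1
    init_ack = listener.on_init(src, peer_tag)
    cookie = tamper(init_ack["cookie"]) if tamper else init_ack["cookie"]
    return listener.on_cookie_echo(src, cookie)


def blind_init_flood(listener: Listener, count: int) -> int:
    """INITs from spoofed sources (constructed TEST-NET-2 addresses). The INIT ACKs
    go to those addresses, so no COOKIE ECHO ever follows. Returns TCBs created."""
    before = len(listener.associations)
    for i in range(count):
        listener.on_init((f"198.51.100.{i % 254 + 1}", 1024 + i), 0xDEADBEEF)
    return len(listener.associations) - before


if __name__ == "__main__":
    srv = Listener()
    print("TCBs after 10000 spoofed INITs:", blind_init_flood(srv, 10_000))
    print("legitimate peer:", client_handshake(srv, ("203.0.113.5", 36421))["type"])
    flip = lambda c: c[:8] + bytes([c[8] ^ 1]) + c[9:]
    print("tampered cookie:", client_handshake(srv, ("203.0.113.6", 36421), tamper=flip)["reason"])
```

Run it and the flood of spoofed INITs leaves `associations` empty, while a tampered, replayed or stale cookie is refused. Note what the cookie does not give you: anyone who can read the INIT ACK on the path obtains a valid cookie, so this is DoS and blind-spoofing resistance, not protection from an on-path attacker.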
## How to Connect SCTP
The following procedure describes how to enable SCTP security (stateful inspection and filtering of SCTP traffic) on a Palo Alto Networks firewall running PAN-OS 8.1, following the TechDocs reference below. You can use either the web interface or the CLI on the firewall.
### STEP 1: Enable SCTP security on the firewall
1. Select **Device** :arrow_right: **Setup** :arrow_right: **Management** and edit the General Settings.
2. Select **SCTP Security** to enable SCTP.
3. Click **OK**.
:::info
If you disable SCTP, you must also **Commit** your change; otherwise, the firewall continues to perform SCTP stateful inspection. After you disable SCTP, the firewall does not check SCTP four-way handshakes but still checks the SCTP packets against security policy rules and still applies App-ID.
:::
### STEP 2: (optional) Beginning with PAN-OS 8.1.11, enable SCTP stateful inspection in no-drop mode to minimize disruption when you deploy a new firewall or migrate SCTP traffic.
1. Access the CLI.
2. `> set sctp nodrop yes`
:::info
The firewall continues to perform SCTP stateful inspection and generate logs, but does not drop SCTP packets that fail SCTP stateful inspection. To re-enable dropping, run `set sctp nodrop no` (the default setting).
:::
3. `> show sctp info`
:::info
Use this CLI command to see whether SCTP stateful inspection is enabled.
:::
### STEP 3: Allocate SCTP log storage on the firewall
1. Select **Device** :arrow_right: **Setup** :arrow_right: **Management** and edit **Session Log Storage** in the Logging and Reporting Settings.
2. Enter a **Quota** (%) for SCTP. Each SCTP quota percentage must equate to a minimum of 32 MB or your **Commit** will fail. The percentage you enter equates to a number of MB or GB, depending on the firewall model.
3. Scroll up and enter a **Quota** (%) for **SCTP Summary**; the percentage must equate to a minimum of 32 MB.
4. Enter percentage quotas for **Hourly SCTP Summary**, **Daily SCTP Summary**, and **Weekly SCTP Summary**; each percentage must equate to a minimum of 32 MB.
5. Click **OK**.

### STEP 4: **Commit** your changes.
### STEP 5: Create an SCTP Protection profile and configure validation of SCTP packets.
1. Select **Objects** :arrow_right: **Security Profiles** :arrow_right: **SCTP Protection** and **Add** a profile by **Name**.
2. Enter a **Description** for the profile.
3. Select **Shared** to apply the profile to all virtual systems.
### STEP 6: Configure the validity checks that the firewall performs on SCTP traffic.
1. On the **SCTP Inspection** tab, select the firewall response if an SCTP node transmits an **Unknown Chunk** in an SCTP packet.
* **allow** (default) -- Allow the packet to pass without modification.
* **alert** -- Allow the packet to pass without modification and generate an SCTP log.
* **block** -- Nullify the chunk before inspecting the next chunk and generate an SCTP log. The firewall nullifies the chunk by changing the chunk payload slightly so that the endpoint ignores it.
2. Select the response to **Chunk Flags** in the event the chunk flags don't comply with RFC 4960.
3. Select the response to **Invalid Length** of an SCTP chunk.

### STEP 7: Specify the **IP address limit for multihoming** for the profile.
### STEP 8: Select the **Log Settings** for the profile.
### STEP 9: Configure the filtering that the firewall performs on SCTP traffic.
1. On the **Filtering Options** tab, select **SCTP Filtering** to filter payload protocols.
2. **Add** an SCTP filter by **Name** using a maximum of 20 characters.
3. Select an SCTP payload protocol ID (**PPID**).
4. Specify the **Action** the firewall takes on data chunks containing the specified PPID.
5. **Add** more SCTP filters by PPID for the SCTP Protection profile to filter additional payload protocols. The order of the filters matters: the firewall takes the action specified by the first filter whose PPID matches the chunk.
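The chunk walk below is an added example written for this page, not code from the page, from RFC 4960 or from any firewall vendor. It shows what the bundling described under "Message in SCTP" looks like on the wire (several user messages behind one common header) and implements the per-chunk checks that the SCTP Inspection and Filtering Options tabs configure on the firewall: the CRC32c over the packet, chunk length sanity, reserved flag bits that RFC 4960 says must be zero, the high-order-bit rule for unknown chunk types, and the PPID carried in each DATA chunk, which is what PPID filtering matches on. The sample packets are constructed inline; ports, verification tag and PPID values are arbitrary.

```python
"""SCTP packet walker: common header, bundled chunks, CRC32c and per-chunk checks.

Added example written for this page; not code from the page, from RFC 4960 or
from any firewall vendor. Sample packets are constructed inline with arbitrary
ports, verification tag and PPIDs.
"""
import struct

CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
               9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK",
               14: "SHUTDOWN COMPLETE"}

# Flag bits RFC 4960 reserves ("set to zero on transmit") per chunk type.
# DATA keeps U/B/E plus the I bit of RFC 7053; ABORT and SHUTDOWN COMPLETE keep T.
RESERVED_FLAGS = {t: 0xFF for t in CHUNK_NAMES}
RESERVED_FLAGS.update({0: 0xF0, 6: 0xFE, 14: 0xFE})

# RFC 4960 section 3.2: the two high-order bits of an unrecognised chunk type
# tell the receiver how to react.
UNKNOWN_ACTION = {0b00: "discard packet, stop processing",
                  0b01: "discard packet, stop processing, report in ERROR",
                  0b10: "skip chunk, continue",
                  0b11: "skip chunk, continue, report in ERROR"}

DATA_U, DATA_B, DATA_E = 0x04, 0x02, 0x01   # unordered, beginning, end fragment bits


def crc32c(data: bytes) -> int:
    """Bitwise CRC32c (Castagnoli, reflected polynomial 0x82F63B78), per RFC 3309."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def build_chunk(ctype: int, flags: int, value: bytes) -> bytes:
    """Chunk header (type, flags, length without padding) plus value padded to 4."""
    length = 4 + len(value)
    return struct.pack("!BBH", ctype, flags, length) + value + b"\x00" * (-length % 4)


def data_chunk(tsn: int, stream: int, ssn: int, ppid: int, payload: bytes,
               flags: int = DATA_B | DATA_E) -> bytes:
    """One complete user message: TSN, stream id, stream sequence, PPID, user data."""
    return build_chunk(0, flags, struct.pack("!IHHI", tsn, stream, ssn, ppid) + payload)


def build_packet(src: int, dst: int, vtag: int, chunks: list) -> bytes:
    """Bundle chunks behind one common header and fill in the checksum."""
    body = b"".join(chunks)
    unchecked = struct.pack("!HHII", src, dst, vtag, 0) + body
    # RFC 4960 Appendix B transmits the CRC32c least-significant byte first.
    return unchecked[:8] + struct.pack("<I", crc32c(unchecked)) + body


def parse_sctp(packet: bytes) -> dict:
    """Walk one packet; return header fields and a verdict per chunk."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte SCTP common header")
    src, dst, vtag = struct.unpack("!HHI", packet[:8])
    stored = struct.unpack("<I", packet[8:12])[0]
    checksum_ok = stored == crc32c(packet[:8] + b"\x00\x00\x00\x00" + packet[12:])
    body, off, chunks = packet[12:], 0, []
    while off < len(body):
        if len(body) - off < 4:
            chunks.append({"name": "TRUNCATED", "problems": ["truncated chunk header"]})
            break
        ctype, flags, length = struct.unpack("!BBH", body[off:off + 4])
        chunk = {"type": ctype, "name": CHUNK_NAMES.get(ctype, "UNKNOWN"),
                 "flags": flags, "length": length, "problems": []}
        chunks.append(chunk)
        if length < 4 or off + length > len(body):
            chunk["problems"].append("invalid length")
            break  # nothing after a bad length field can be trusted
        value = body[off + 4:off + length]
        if ctype not in CHUNK_NAMES:
            chunk["unknown_action"] = UNKNOWN_ACTION[ctype >> 6]
        elif flags & RESERVED_FLAGS[ctype]:
            chunk["problems"].append("reserved flag bits set")
        if ctype == 0 and len(value) >= 12:   # DATA: expose the PPID a filter keys on
            (chunk["tsn"], chunk["stream"], chunk["ssn"],
             chunk["ppid"]) = struct.unpack("!IHHI", value[:12])
            chunk["payload"] = value[12:]
        off += (length + 3) & ~3   # chunks are 4-byte aligned
    return {"src_port": src, "dst_port": dst, "vtag": vtag,
            "checksum_ok": checksum_ok, "chunks": chunks}


# Constructed sample: three user messages bundled in one packet, two DATA chunks
# (the second sent unordered) and a chunk of type 0xC7, whose top bits (11) tell
# the receiver to skip it and report it in an ERROR chunk.
SAMPLE_PACKET = build_packet(36421, 36422, 0x1234ABCD, [
    data_chunk(1000, 0, 0, 46, b"first message"),
    data_chunk(1001, 1, 0, 47, b"second", flags=DATA_U | DATA_B | DATA_E),
    build_chunk(0xC7, 0, b"\x01\x02\x03"),
])
# Same DATA chunk but with a reserved flag bit (0x80) set.
BAD_FLAGS_PACKET = build_packet(36421, 36422, 0x1234ABCD, [
    data_chunk(1000, 0, 0, 46, b"first message", flags=0x80 | DATA_B | DATA_E),
])
# A chunk whose length field (200) overruns the packet: the walk must stop.
BAD_LENGTH_PACKET = build_packet(36421, 36422, 0x1234ABCD, [
    struct.pack("!BBH", 0, DATA_B | DATA_E, 200) + b"\x00" * 12,
])

if __name__ == "__main__":
    for name, pkt in [("sample", SAMPLE_PACKET), ("bad flags", BAD_FLAGS_PACKET),
                      ("bad length", BAD_LENGTH_PACKET)]:
        parsed = parse_sctp(pkt)
        print(name, "checksum ok:", parsed["checksum_ok"])
        for c in parsed["chunks"]:
            print("  ", c["name"], "ppid=%s" % c.get("ppid"), c.get("unknown_action", ""), c["problems"])
```

This walker is stateless and judges one packet at a time; a real inspector additionally tracks verification tags and TSNs per association, which is what the firewall's stateful inspection adds on top of these per-chunk checks.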
### STEP 10: Select **Diameter Filtering** to apply granular filtering to Diameter applications and their messages.
1. **Add** a Diameter filter by **Name** using a maximum of 20 characters.
2. Specify the **Action** the firewall takes on a chunk that includes any of the specified Diameter application IDs.
3. Select a **Diameter Application ID** for which the firewall takes the action, or select **any** to apply the action to all Diameter application IDs.
4. **Add** one or more **Diameter Command Codes** from the list.
5. **Add** one or more **Diameter AVP** codes or values (range is 1 to 16,777,215).
6. Click **OK** to save.
### STEP 11: Select **SS7 Filtering** to apply granular filtering to applications using SCCP signaling and to MAP and CAP messages.
1. **Add** an SS7 filter by **Name**.
2. Specify the **Action** the firewall takes on the specified SS7 chunks.
3. Select an **SCCP Calling Party SSN** entry or select **any-map**. If you select **INAP** or **SCCP Management**, you cannot enter an Operation Code.
4. **Add** one or more **SCCP Calling Party GT** strings of digits (0 to 9).
5. Add an **Operation Code**.
6. Click **OK**.
### STEP 12: Click **OK** to save the SCTP Protection profile.
### STEP 13: Apply the SCTP Protection profile to a Security policy rule.
1. Select **Policies** :arrow_right: **Security** and select a security policy rule.
2. For the **Source Zone**, select a zone that includes the interface where you want to secure SCTP associations.
3. On the **Application** tab, select **sctp** as the App-ID.
4. On the **Actions** tab, select an **Action** and, in the Profile Setting section, select the SCTP Protection profile we just created.
5. Continue to **Create a Security Policy Rule**, making sure that you allow packets from the proper IP address of each SCTP endpoint (with multihoming, that means every address an endpoint may use).
6. Click **OK** to save the rule.
### STEP 14: **Commit** your changes.
## Future Task: Change RIC Stub (On-Going)
E2 makes a lot of assumptions based on O-RAN and is being adapted as WG3 defines the interface. The near-RT RIC platform is implemented as per WG3's E2 General Aspects and Principles. Here is how the RIC stub sends messages:
* It assumes xApps use services exposed by E2 nodes via E2SM models, and RIC Message Routing (RMR) sends over TCP using nanomsg next generation (NNG).
* Each E2 node has 0 or 1 RIC connections, and each RIC has 0 to many connections to E2 nodes. It implements message delivery from xApps to the E2 Manager.
* E2 INSERT messages interrupt processing on the E2 node; the RIC then sends a CONTROL message from the RIC back to the E2 node.
* E2SM policy management sends RIC messages back to the E2 node.

The full stub source is [here](https://gerrit.o-ran-sc.org/r/gitweb?p=ric-plt%2Frtmgr.git;hb=749099bc00ec6cad5da19846e65bd5b4bd9b8de4;f=pkg%2Fstub%2Fstub.go).
If we want to modify the RIC stub, we could change the `ValidEndpoints` and `ValidPlatformComponents` definitions so that they carry the right ports and the same message frequencies, which should make this straightforward.
:::info
References:
* [SCTP: What, Why, and How (IEEE)](https://ieeexplore.ieee.org/document/5233615)
* [IETF RFC 4960: Stream Control Transmission Protocol](https://tools.ietf.org/html/rfc4960)
* [O-RAN SC Wiki: E2 Simulator](https://wiki.o-ran-sc.org/display/ORANSDK/E2+Simulator)
* [Devopedia: O-RAN](https://devopedia.org/o-ran)
* [Network World: What about Stream Control Transmission Protocol (SCTP)?](https://www.networkworld.com/article/2222277/what-about-stream-control-transmission-protocol--sctp--.html)
* [Juniper Docs](https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-gprs-sctp.html)
* [Palo Alto Networks TechDocs: Configure SCTP Security (PAN-OS 8.1)](https://docs.paloaltonetworks.com/service-providers/8-1/mobile-network-infrastructure-getting-started/sctp/configure-sctp-security)
* [O-RAN SC Gerrit: ric-plt/rtmgr stub.go](https://gerrit.o-ran-sc.org/r/gitweb?p=ric-plt%2Frtmgr.git;hb=749099bc00ec6cad5da19846e65bd5b4bd9b8de4;f=pkg%2Fstub%2Fstub.go)
* [O-RAN SC Wiki: Status report 2019-09-10](https://wiki.o-ran-sc.org/display/RICP/Status+report+2019-09-10)
:::