SCTP Inspection Behavior change in Junos

This article shows Stream Control Transmission Protocol (SCTP) inspection behavior in various Junos versions.

An SCTP association is created after SCTP is configured on an SRX running Junos 11.4, even though there is NO SCTP PROFILE defined in the security policy.

For example, the output below shows the SCTP association and the configuration with no SCTP profile in the security policy:

SCTP Association:

Configuration:

Note that no SCTP Profile is defined in the security policies.

Without an SCTP Profile defined in the security policy, the SCTP module may still inspect SCTP control or data packets whenever SCTP is configured; which packets are inspected depends on the Junos version.
The following illustrates the behavior of SCTP inspection on an SRX without an SCTP Profile in the security policy.

For Junos before 11.4 (e.g. 10.2/10.3/10.4R1-10.4R2/11.1R1-11.1R2)
SCTP control packets are inspected, but data packets are dropped silently.

For Junos 11.4
SCTP control packets are inspected, and data packets are passed without inspection. In this case, an SCTP Association will be created on the SRX even though there is no SCTP profile in the policy.

For Junos 12.1X45
SCTP packets are forwarded directly without any inspection by the SCTP module, whether they are control or data packets. Hence, no SCTP Association will be created.

Notes:

  1. Although SCTP data packets use the same source/destination IP addresses as control packets, they can be distinguished by chunk ID.
  2. The technical documentation below for 11.4 is incorrect:
     https://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-58652.html
     Is it fixed in 12.1X45? http://www.juniper.net/techpubs/en_US/junos12.1X45/topics/example/gprs-sctp-profile-configuring.html
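As an added illustration of Note 1 (this is not code from the original article or from Juniper), the following Python walks the chunk headers of an SCTP packet (RFC 4960 layout) and classifies it as control or data by chunk type; the ports, verification tags and packet bytes are constructed sample values, and the checksum is left at zero since only the parser is exercised.

```python
import struct

# RFC 4960 chunk type values; everything except DATA (type 0) is a control chunk.
CHUNK_NAMES = {
    0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
    5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
    9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK", 12: "ECNE",
    13: "CWR", 14: "SHUTDOWN COMPLETE",
}
COMMON_HEADER = struct.Struct("!HHII")  # src port, dst port, verification tag, checksum
CHUNK_HEADER = struct.Struct("!BBH")    # type, flags, length (length includes this 4-byte header)


def parse_sctp(packet: bytes):
    """Return (src_port, dst_port, vtag, [chunk types]) for one SCTP packet (after the IP header)."""
    if len(packet) < COMMON_HEADER.size:
        raise ValueError("truncated SCTP common header")
    src, dst, vtag, _csum = COMMON_HEADER.unpack_from(packet, 0)
    chunks = []
    off = COMMON_HEADER.size
    while off < len(packet):
        if len(packet) - off < CHUNK_HEADER.size:
            raise ValueError("truncated chunk header at offset %d" % off)
        ctype, _flags, clen = CHUNK_HEADER.unpack_from(packet, off)
        if clen < CHUNK_HEADER.size or off + clen > len(packet):
            raise ValueError("bad chunk length %d at offset %d" % (clen, off))
        chunks.append(ctype)
        off += (clen + 3) & ~3  # chunk values are padded to a 4-byte boundary
    if not chunks:
        raise ValueError("SCTP packet carries no chunks")
    return src, dst, vtag, chunks


def classify(packet: bytes) -> str:
    """'data' if only DATA chunks, 'control' if only control chunks, 'mixed' if both are bundled."""
    _, _, _, chunks = parse_sctp(packet)
    kinds = {"data" if t == 0 else "control" for t in chunks}
    return kinds.pop() if len(kinds) == 1 else "mixed"


def build_packet(src: int, dst: int, vtag: int, chunks) -> bytes:
    """Build a constructed sample packet from (chunk_type, chunk_value) pairs; checksum is left zero."""
    out = bytearray(COMMON_HEADER.pack(src, dst, vtag, 0))
    for ctype, value in chunks:
        clen = CHUNK_HEADER.size + len(value)
        out += CHUNK_HEADER.pack(ctype, 0, clen) + value
        out += b"\x00" * ((-clen) % 4)  # pad to a 4-byte boundary
    return bytes(out)
```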

About the author

Prasanna