This article shows Stream Control Transmission Protocol (SCTP) inspection behavior in various Junos versions.
On an SRX running Junos 11.4, an SCTP association is created as soon as SCTP is configured, even though NO SCTP PROFILE is referenced in the security policy.
For example, the output below shows an SCTP association alongside a configuration whose security policy references no SCTP profile:
SCTP Association:
lab@3600-Mid> show security gprs sctp association
node1:
--------------------------------------------------------------------------
Association Information for FPC: 8 PIC: 0
SCTP association numbers:
  Total association 1
Association ID: 8-6
  source: 1.1.1.1 (1.1.1.1) 1.1.1.2 (1.1.1.2) port: 1252, state: SCTP_ESTABLISHED, tag: 0x00005203;
  destination: 2.2.2.1 (2.2.2.1) 2.2.2.2 (2.2.2.2) port: 11280, state: SCTP_ESTABLISHED, tag: 0x4bcad244;
  ager mark: 1, time left: 596 s, access time: 3017715 s, live timeout: 10 min, handshake timeout: 30 s
SCTP association numbers:
  Output association 1
Association Information for FPC: 9 PIC: 0
SCTP association numbers:
  Total association 0
  Output association 0
Configuration:
Note that the policy T2U permits junos-sctp-any but does not reference the SCTP profile M3UA.
set security gprs sctp profile M3UA association-timeout 10
set security gprs sctp profile M3UA handshake-timeout 30
set security gprs sctp profile M3UA drop payload-protocol asap
set security gprs sctp profile M3UA drop payload-protocol bicc
set security gprs sctp profile M3UA drop payload-protocol ddp-segment
set security gprs sctp profile M3UA drop payload-protocol ddp-stream
set security gprs sctp profile M3UA drop payload-protocol dua
set security gprs sctp profile M3UA drop payload-protocol enrp
set security gprs sctp profile M3UA drop payload-protocol h248
set security gprs sctp profile M3UA drop payload-protocol h323
set security gprs sctp profile M3UA drop payload-protocol iua
set security gprs sctp profile M3UA drop payload-protocol m2ua
set security gprs sctp profile M3UA drop payload-protocol qipc
set security gprs sctp profile M3UA drop payload-protocol simco
set security gprs sctp profile M3UA drop payload-protocol sua
set security gprs sctp profile M3UA drop payload-protocol tali
set security gprs sctp profile M3UA drop payload-protocol v5ua
set security gprs sctp profile M3UA drop payload-protocol m2pa
set security gprs sctp log decoding-error
set security gprs sctp log dropped-packet
set security gprs sctp log exceeding-rate-limit
set security gprs sctp log configuration
set security gprs sctp traceoptions flag all
set security policies from-zone TRUST to-zone UNTRUST policy T2U match source-address any-ipv4
set security policies from-zone TRUST to-zone UNTRUST policy T2U match destination-address any-ipv4
set security policies from-zone TRUST to-zone UNTRUST policy T2U match application junos-sctp-any
set security policies from-zone TRUST to-zone UNTRUST policy T2U then permit
Even without an SCTP profile referenced in the security policy, the SCTP module still inspects SCTP control and data packets whenever SCTP is configured; exactly which packets are inspected, passed or dropped depends on the Junos release.
The following describes the behavior of SCTP inspection on an SRX when no SCTP profile is referenced in the security policy.
For Junos before 11.4 (e.g. 10.2/10.3/10.4R1-10.4R2/11.1R1-11.1R2)
SCTP control packets are inspected, but data packets are silently dropped.
For Junos 11.4
SCTP control packets are inspected, and data packets are passed without inspection. In this case an SCTP association is created on the SRX even though the policy references no SCTP profile.
For Junos 12.1X45
SCTP packets are forwarded directly without any inspection by the SCTP module, regardless of whether they are control or data packets. Hence, no SCTP association is created.
Notes:
- Although SCTP data packets use the same source/destination IP addresses as control packets, the two can be distinguished by chunk ID (DATA chunks versus control chunks).
- The 11.4 technical documentation below is incorrect on this point:
https://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-58652.html Is it fixed in 12.1X45? http://www.juniper.net/techpubs/en_US/junos12.1x45/topics/example/gprs-sctp-profile-configuring.html
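The note above (control and data packets share addresses but differ by chunk ID) and the profile's payload-protocol drop list, as an added Python example that is not from the Juniper article or from Junos itself: it walks a constructed SCTP packet chunk by chunk, treats every non-DATA chunk as control, and for DATA chunks reads the payload protocol identifier and applies the M3UA profile's drop list. The PPID numbers are the IANA assignments; mapping the Junos keywords onto them, and the sample packet, are assumptions made here.

```python
import struct

DATA_CHUNK = 0  # RFC 4960 chunk type 0; every other chunk type is a control chunk
# IANA payload protocol identifiers for the protocols named in the M3UA profile above.
# Mapping the Junos keywords onto these PPIDs is an assumption made for this example.
PPID_BY_KEYWORD = {"iua": 1, "m2ua": 2, "m3ua": 3, "sua": 4, "m2pa": 5, "v5ua": 6,
                   "h248": 7, "bicc": 8, "tali": 9, "dua": 10, "asap": 11, "enrp": 12,
                   "h323": 13, "qipc": 14, "simco": 15, "ddp-segment": 16, "ddp-stream": 17}
# The profile drops every listed payload protocol except m3ua itself.
DROPPED_PPIDS = {v for k, v in PPID_BY_KEYWORD.items() if k != "m3ua"}

def parse_chunks(packet):
    """Yield (type, flags, body) for each chunk after the 12-byte SCTP common header."""
    if len(packet) < 12:
        raise ValueError("truncated SCTP common header")
    offset = 12
    while offset + 4 <= len(packet):
        ctype, flags, length = struct.unpack_from("!BBH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError(f"bad chunk length {length} at offset {offset}")
        yield ctype, flags, packet[offset + 4:offset + length]
        offset += (length + 3) & ~3  # chunks are padded to a 4-byte boundary

def classify(packet):
    """Per chunk: control chunks are tagged 'control'; DATA is permitted or dropped by PPID."""
    verdicts = []
    for ctype, _flags, body in parse_chunks(packet):
        if ctype != DATA_CHUNK:
            verdicts.append((f"type {ctype}", "control"))
            continue
        # DATA chunk body: TSN(4) stream id(2) stream seq(2) PPID(4) user data
        _tsn, _sid, _ssn, ppid = struct.unpack_from("!IHHI", body, 0)
        verdicts.append((f"DATA ppid={ppid}", "drop" if ppid in DROPPED_PPIDS else "permit"))
    return verdicts

def build_packet(chunks):
    """Constructed SCTP packet: common header (ports from the page, checksum left 0) + chunks."""
    out = bytearray(struct.pack("!HHII", 1252, 11280, 0x4BCAD244, 0))
    for ctype, body in chunks:
        out += struct.pack("!BBH", ctype, 0, 4 + len(body)) + body + b"\0" * (-len(body) % 4)
    return bytes(out)

def data_chunk(ppid, payload):
    return struct.pack("!IHHI", 100, 0, 0, ppid) + payload  # TSN, stream, seq, PPID, data

# Constructed sample: a SACK bundled with an M3UA DATA chunk and an SUA DATA chunk.
SAMPLE = build_packet([(3, struct.pack("!IIHH", 99, 65535, 0, 0)),
                       (DATA_CHUNK, data_chunk(3, b"m3ua")),
                       (DATA_CHUNK, data_chunk(4, b"sua!!"))])
```

classify(SAMPLE) reports the SACK as control, permits the M3UA DATA chunk and drops the SUA one, which is the decision the profile would make if it were applied to the policy.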