Stream Control Transmission Protocol (SCTP) is part of the Transport Layer of the OSI Model just like TCP and UDP and provides some of the features of both of those protocols. It is message or datagram orientated like UDP but it also ensures reliable sequential transport of data with congestion control like TCP.
SCTP provides the following services:
Acknowledged error-free non-duplicated transfer of user data
Data fragmentation to conform to discovered path MTU size
Sequenced delivery of user messages within multiple streams, with an option for order-of-arrival delivery of individual user messages
Optional bundling of multiple user messages into a single SCTP packet
Network-level fault tolerance through supporting of multi-homing at either or both ends of an association
Congestion avoidance behavior and resistance to flooding and masquerade attacks
SCTP uses multi-streaming to transport its messages which means that there can be several independent streams of messages traveling in parallel between the points of the transmission. The data is sent out in larger chunks of data than is used by TCP just like UDP but the messages include a sequence number within each message in the same way that TCP does so that the data can be reassembled at the other end of the transmission in the correct sequence without the data having to arrive in the correct sequence.
SCTP is effective as the transport protocol for applications that require monitoring and session-loss detection. For such applications, the SCTP path and session failure detection mechanisms actively monitor the connectivity of the session. SCTP differs from TCP in having multi-homing capabilities at either or both ends and several streams within a connection, typically referred to as an association. A TCP stream represents a sequence of bytes; an SCTP stream represents a sequence of messages.
Some common applications of SCTP include supporting transmission of the following protocols over IP networks:
SCTP is important in 3G and 4G/LTE networks (for example, HomeNodeB = FemtoCells)
SS7 over IP (for example, for 3G mobile networks)
SCTP is also defined and used for SIP over SCTP and H.248 over SCTP
Transport of Public Switched Telephone Network (PSTN) signaling messages over IP networks.
SCTP is a much newer protocol. It was defined by the IETF Signaling Transport (SIGTRAN) working group in 2000. It was introduced by RFC 3286 and more fully defined by RFC 4960.
The FortiGate and FortiOS Carrier firewall can apply security policies to SCTP sessions in the same way as TCP and UDP sessions. You can create security policies that accept or deny SCTP traffic by setting the service to “ALL”. FortiOS does not include pre-defined SCTP services. To configure security policies for traffic with specific SCTP source or destination ports you must create custom firewall services for SCTP.
FortiOS and FortiOS Carrier routes SCTP traffic in the same way as TCP and UDP traffic. You can configure policy routes specifically for routing SCTP traffic by setting the protocol number to 132. SCTP policy routes can route SCTP traffic according to the destination port of the traffic if you add a port range to the policy route.
You can configure a FortiOS and FortiOS Carrier to perform stateful inspection of different types of SCTP traffic by creating custom SCTP services and defining the port numbers or port ranges used by those services. FortiOS and FortiOS Carrier supports SCTP over IPv4.
FortiOS and FortiOS Carrier perform the following checks on SCTP packets:
Source and Destination Port and Verification Tag.
Chunk Type, Chunk Flags and Chunk Length.
Verify that association exists.
Sequence of Chunk Types (INIT, INIT ACK, etc).
Four way handshake checking.
Protection against INIT/ACK flood DoS attacks, and long-INIT flooding.
Protection against association hijacking.
FortiOS also supports SCTP sessions over IPsec VPN tunnels, as well as full traffic and event logging for SCTP sessions.
Example firewall policy that can accept SCTP traffic:
config firewall policy
set name "sctp-example"
set srcintf "port1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"