Ah that makes sense! Thank you On Mon, May 22, 2023 at 12:58 PM Xin Long <lucien.xin@xxxxxxxxx> wrote: > > Hi, Adam, > > Thanks for the scripts. > > In SCTP, after 'sysctl net.sctp.auth_enable=1' and > setsockopt(SCTP_AUTH_CHUNK), it will tell the peer that this side > supports auth. Meanwhile, the kernel creates a 'null_key' (key_id = 0) > as the default one. > > The peer uses the shared key (key_id = 0) for the auth chunk if it > doesn't set up any key, like on your client side. On your server side, > it added a new shared key (key_id = 1), but the server still can > process the incoming auth chunk with the shared key (key_id = 0), even > if it's not the active key, unless you deleted the shared key (key_id > = 0). > > Just note that it's the peer's choice which sh_key it will use, and it > uses key_id = 0 by default. If you want the authentication to fail in > your case, try to delete the shared key (key_id = 0) after you set up > the new one (key_id = 1): > > authkeyid.scact_keynumber = 0; > ASSERT(setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_DELETE_KEY, > &authkeyid, sizeof(authkeyid)) == 0, > "fail to del key"); > > Make sense? > > Thanks. > > On Mon, May 22, 2023 at 1:52 PM Adam Snaider > <adam.snaider@xxxxxxxxxxxxxxxxx> wrote: > > > > Hi Marcelo, > > > > Thank you for your response. The issue I'm facing is that if I set up a server with authentication using some random key, then I'm still able to receive data from a client that didn't set up the shared key itself. However, if the client also sets up authentication but the key is incorrect, then the server refuses the message and it tries again (which is similar to what I would expect). > > The code I'm using is here: https://gist.github.com/brt-adam-snaider/3076ab06f846384f5a7f87ad54ddd276, where the server calls `Bind` and the client calls `Unbound` to create their respective sockets. (Note how I purposely only set up the authentication key in the `Bind` call). Running tcpdump however, I can see that there are authenticated chunks being sent (since the chunk type is 0xf), so I'm not sure why the server is receiving those without errors. > > > > Thank you for the help! And for what it's worth, I would love to contribute some documentation once I'm done working with this :) > > > > Best, > > Adam > > > > > > On Fri, May 19, 2023 at 6:09 PM Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx> wrote: > >> > >> On Mon, May 15, 2023 at 12:00:00PM -0700, Adam Snaider wrote: > >> > Hi folks, > >> > > >> > I would like to ask what the current state is for SCTP Authentication > >> > in the Linux kernel (as described by rfc4895). I've been attempting to > >> > use an SCTP authenticated socket in the 5.10 kernel but all my efforts > >> > are fruitless so far. Given the lack of examples around, I'm not sure > >> > if my setup is incorrect or if the linux implementation is incomplete. > >> > If there are any references or examples I can look at I would really > >> > appreciate it. > >> > >> Hi Adam, > >> > >> The support should be complete, but yeah, I am not aware of examples > >> with Auth. Would you mind sharing a minimal reproducer that didn't > >> work for you? > >> > >> Thanks, > >> Marcelo