Hi, SCTP, an IP transport protocol, is enabled by default in upstream FreeBSD's GENERIC config:
> # SCTP is a NEW transport protocol defined by
> # RFC2960 updated by RFC3309 and RFC3758 [...]
> options SCTP

(Although RFC2960 was published in 2000, so it is not so new any more.)

To date I've never configured SCTP on any servers before, or knowingly used it on any other systems. "The SCTP web site", sctp.org, had no news entries after 2004 and seems to have gone offline.

Linux has SCTP support. Debian has some command-line tools for that and a library, each with around 5000 popcon users:
https://qa.debian.org/popcon.php?package=lksctp-tools

FreeBSD's SCTP support seems to be a reference implementation by Cisco. Another implementation by the KAME Project had an OpenBSD port, but it seems that never quite made it into the tree.

Support for SCTP seems notably missing from Microsoft Windows:
https://stackoverflow.com/questions/2153700

There exists some backward-compatibility mechanism to run SCTP over UDP sockets if that's needed.

In wheezy, we've patched a kernel memory disclosure vulnerability that was remotely exploitable if SCTP sockets were used. (CVE-2013-5209)

STABLE-9 quietly fixed jailed processes being able to see or use SCTP source addresses that should not have been available to them:
http://svnweb.freebsd.org/base?view=revision&revision=267674

We now have a local kernel memory disclosure bug (CVE-2014-3953) - I'm unsure if SCTP must be in use to exploit it - but the patch will not apply cleanly to 9.0 and 8.3 that we have in wheezy, so would need backporting by us. I wonder if it is worth it? Is SCTP really used by us, even close to working or desirable to anyone?
A search for Debian packages with "sctp" in the name shows binary packages that have only built on linux-any arches:
https://packages.debian.org/search?keywords=sctp

I've used Debian Code Search to look for potential users:
http://codesearch.debian.net/search?q=include.*sctp\.h

and found these:

* openssl - is disabled by OPENSSL_NO_SCTP, which is default
* iceweasel/icedove - kfreebsd buildd logs don't mention it, linux does
* libav - I don't see any mention in the buildd log
* chromium-browser - wasn't in wheezy
* openjdk-7 - wasn't in wheezy
* about a dozen other packages I thought were less interesting than the above, didn't bother to check if SCTP was really implemented/supported
* SCTP was mentioned in lots of network diagnostic tools e.g. wireshark, nmap, ns2 - but what is the point of that if not using the protocol for anything?

So I'm obviously asking here - could we just drop SCTP from the default kernel config? In jessie/sid? Even in wheezy-security?

Thanks for reading!

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
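As an added illustration (not from Steven's mail, and not FreeBSD's own config(8) code), here is a small Python parser for the kernel config format quoted above. It shows how to answer "does this kernel still have SCTP compiled in?" for a GENERIC-style file, and how a site-local config that does `include GENERIC` followed by `nooptions SCTP` drops the option without editing GENERIC itself. The config excerpt and the `GENERIC-NOSCTP` override are constructed samples; only the two SCTP comment lines and `options SCTP` mirror what the mail quotes. The parser deliberately supports just the directives it needs (`options`, `nooptions`, `device`, `nodevice`, `include`) and follows includes from an in-memory dictionary rather than from disk.

```python
import re

# Constructed excerpt in the style of FreeBSD's GENERIC kernel config.
# The SCTP comment and "options SCTP" lines mirror the quoted mail;
# everything else is illustrative sample content.
GENERIC_EXCERPT = """\
#
# GENERIC -- Generic kernel configuration file (constructed excerpt)
#
cpu         HAMMER
ident       GENERIC

options     SCHED_ULE       # ULE scheduler
options     INET            # InterNETworking
options     INET6           # IPv6 communications protocols
# SCTP is a NEW transport protocol defined by
# RFC2960 updated by RFC3309 and RFC3758 [...]
options     SCTP            # Stream Control Transmission Protocol
options     IPSEC           # IP (v4/v6) security
device      em              # Intel PRO/1000 Gigabit Ethernet
"""

# Constructed site-local override: pull in GENERIC, then remove SCTP.
# This is the usual way to drop one option without editing GENERIC.
CUSTOM_NO_SCTP = """\
include     GENERIC
ident       GENERIC-NOSCTP
nooptions   SCTP            # unused transport, so drop the attack surface
"""

# Directive keyword followed by its argument; trailing comments are
# stripped before matching, so "options FOO  # note" still parses.
_LINE = re.compile(r"^\s*(options|nooptions|device|nodevice|include)\s+(\S+)")


def parse_config(text, includes=None):
    """Return (options, devices) that a kernel config enables.

    `includes` maps a config name to its text so that `include NAME`
    lines can be followed in memory (real config(8) reads them from
    disk). Directives apply in order, so a later `nooptions X`
    removes an `options X` that an included file set earlier.
    """
    includes = includes or {}
    options, devices = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comment
        m = _LINE.match(line)
        if not m:
            continue  # blank line, pure comment, cpu/ident/etc.
        kind = m.group(1)
        name = m.group(2).split("=", 1)[0]  # "options FOO=1" -> FOO
        if kind == "include":
            if name not in includes:
                raise ValueError("include %r not provided" % name)
            sub_opts, sub_devs = parse_config(includes[name], includes)
            options |= sub_opts
            devices |= sub_devs
        elif kind == "options":
            options.add(name)
        elif kind == "nooptions":
            options.discard(name)
        elif kind == "device":
            devices.add(name)
        elif kind == "nodevice":
            devices.discard(name)
    return options, devices


def sctp_enabled(text, includes=None):
    """True if a kernel built from this config would include SCTP."""
    return "SCTP" in parse_config(text, includes)[0]


if __name__ == "__main__":
    print("GENERIC has SCTP:", sctp_enabled(GENERIC_EXCERPT))
    print("GENERIC-NOSCTP has SCTP:",
          sctp_enabled(CUSTOM_NO_SCTP, {"GENERIC": GENERIC_EXCERPT}))
```

The same `parse_config` can be pointed at a real `/usr/src/sys/<arch>/conf/GENERIC` (read into a string) to audit which transport protocols a release kernel carries, which is the inventory step behind the "is anyone actually using this?" question in the mail.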