Overview
SCTP (Stream Control Transmission Protocol) is the IETF transport-layer protocol that underlies the majority of telecom signalling in 3G and 4G networks. When the industry moved SS7 signalling from TDM circuits to IP networks (via the SIGTRAN protocol suite), it did not use TCP or UDP. It used SCTP, a purpose-built transport with properties specifically suited to the reliability, ordering, and redundancy requirements of telecom signalling.
Defined in RFC 4960, SCTP operates directly over IP (protocol number 132, alongside TCP's 6 and UDP's 17). It provides reliable, in-order delivery within independent streams, an important distinction from TCP, which provides a single ordered byte stream and thus introduces head-of-line blocking. SCTP also supports multi-homing: a single SCTP association can span multiple IP addresses on each endpoint, allowing transparent failover when a path fails without any renegotiation at the application layer. These capabilities made SCTP the natural transport for SS7 adaptation layers (M3UA, SUA, M2PA) and for Diameter.
In 4G EPC, SCTP carries the S1AP protocol between eNBs and the MME (TS 36.412), and is recommended as the transport for Diameter (RFC 6733 Section 2.1). Between SGSNs and other core nodes, SCTP carries the GTPv1 signalling in some operator configurations. In 5G SA, the SBI (Service Based Interface) moves to HTTP/2 over TCP, and SCTP's direct role diminishes, but it remains present in any 5G network that retains 4G coverage or 3G fallback.
How it works
An SCTP connection is called an association rather than a connection, reflecting its multi-address, multi-stream nature. Each association carries multiple independent streams, and each stream provides ordered, reliable delivery independently of the others.
SCTP chunk types:
SCTP messages are composed of chunks, each with a type, flags, length, and value. The principal chunk types are:
- INIT: Initiates association setup. Carries the initiating endpoint's tag (a randomly chosen 32-bit Verification Tag), initial sequence numbers, and the list of IP addresses the sender wishes to use.
- INIT-ACK: The receiver's response. Critically, it carries a stateless cookie (an HMAC-protected record of the INIT parameters) rather than allocating any resources. This is SCTP's protection against SYN-flood equivalents.
- COOKIE ECHO: The initiator echoes the cookie back. This is the third step of the 4-way handshake.
- COOKIE ACK: The receiver validates the cookie (recomputing the HMAC), and only now allocates association state. The association is established.
- DATA: User data chunks. Carry a stream identifier, stream sequence number, payload protocol identifier (PPID, used by upper-layer protocols like M3UA or Diameter to identify themselves), and the payload.
- SACK: Selective Acknowledgement. Acknowledges received DATA chunks and reports gaps in the received sequence.
- HEARTBEAT / HEARTBEAT-ACK: Keepalive mechanism. Also used to verify the reachability of alternate IP addresses on a multi-homed association.
- ABORT: Immediate association termination.
- SHUTDOWN / SHUTDOWN-ACK / SHUTDOWN-COMPLETE: Graceful association termination, equivalent to TCP's FIN/FIN-ACK.
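The chunk layout described above can be walked with a few lines of parsing. The following is an added example, not code from the original page: it decodes the common header and each chunk's type, flags and length, and pulls the stream and PPID out of DATA chunks. The sample packet is constructed for the example and its checksum is not verified.

```python
import struct

# Chunk type values from RFC 4960 Section 3.2; ASCONF values from RFC 5061.
CHUNK_NAMES = {
    0: "DATA", 1: "INIT", 2: "INIT-ACK", 3: "SACK", 4: "HEARTBEAT",
    5: "HEARTBEAT-ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN-ACK",
    10: "COOKIE ECHO", 11: "COOKIE ACK", 14: "SHUTDOWN-COMPLETE",
    0x80: "ASCONF-ACK", 0xC1: "ASCONF",
}
# A few registered payload protocol identifiers (IANA SCTP PPID registry).
PPID_NAMES = {3: "M3UA", 18: "S1AP", 46: "Diameter", 60: "NGAP"}

def parse_sctp(packet: bytes) -> dict:
    """Decode the 12-byte common header, then walk the chunk list."""
    if len(packet) < 12:
        raise ValueError("shorter than the SCTP common header")
    sport, dport, vtag, _checksum = struct.unpack("!HHII", packet[:12])
    chunks, offset = [], 12
    while offset < len(packet):
        if offset + 4 > len(packet):
            raise ValueError("truncated chunk header")
        ctype, flags, length = struct.unpack("!BBH", packet[offset:offset + 4])
        # Length covers the 4-byte chunk header and value, but not the padding.
        if length < 4 or offset + length > len(packet):
            raise ValueError(f"bad chunk length {length} at offset {offset}")
        value = packet[offset + 4:offset + length]
        chunk = {"type": CHUNK_NAMES.get(ctype, f"unknown({ctype})"), "flags": flags}
        if ctype == 0 and len(value) >= 12:
            _tsn, stream, ssn, ppid = struct.unpack("!IHHI", value[:12])
            chunk.update(stream=stream, ssn=ssn,
                         ppid=PPID_NAMES.get(ppid, ppid), payload=value[12:])
        chunks.append(chunk)
        offset += (length + 3) & ~3   # each chunk is padded to a 4-byte boundary
    return {"sport": sport, "dport": dport, "vtag": vtag, "chunks": chunks}

def build_chunk(ctype: int, flags: int, value: bytes) -> bytes:
    """Helper for the constructed sample: header + value + zero padding."""
    length = 4 + len(value)
    return struct.pack("!BBH", ctype, flags, length) + value + b"\x00" * (-length % 4)

# Constructed sample: a SACK bundled with a DATA chunk on stream 2 whose
# five placeholder payload bytes are tagged as Diameter. Checksum left at zero.
SAMPLE = (struct.pack("!HHII", 3868, 3868, 0x1A2B3C4D, 0)
          + build_chunk(3, 0, struct.pack("!IIHH", 100, 65535, 0, 0))
          + build_chunk(0, 3, struct.pack("!IHHI", 101, 2, 7, 46) + b"hello"))
```
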
Multi-homing and failover
When an association is established between multi-homed endpoints (e.g., a signalling node with two network interfaces), SCTP maintains state for all available path combinations. Data flows over the primary path by default. HEARTBEAT chunks are sent periodically on alternative paths to verify their availability. If the primary path fails, SCTP fails over to an alternative path without any intervention from the application: the Diameter or M3UA session continues without interruption.
This is the primary reason SCTP was chosen for telecom signalling transport: it replicates, in software, the path protection that TDM SS7 achieved through physically diverse link sets.
Streams and head-of-line blocking
Each SCTP stream within an association delivers messages in order independently of other streams. If a DATA chunk is lost on stream 1, stream 2 is unaffected: delivery on stream 2 continues normally. In TCP, a single lost segment blocks all subsequent data. For telecom signalling, where a single association may carry independent procedures for many different subscribers simultaneously, this distinction matters: a retransmission for one subscriber's Diameter transaction does not delay another subscriber's authentication.
Architecture role
SCTP is present wherever SS7-over-IP or Diameter is deployed. Its role is invisible at the application layer (Diameter and M3UA do not expose SCTP to their users), but it is the transport that makes those protocols work reliably across IP networks.
In 3G UMTS, the SIGTRAN stack replaces TDM SS7 links with SCTP associations carrying M3UA. The SGSN, MSC, HLR, and STP all communicate over SCTP when deployed in IP-based configurations. The point codes and MAP/ISUP application logic are unchanged; only the physical transport changes.
In 4G EPC, SCTP carries two distinct types of traffic. First, the S1AP protocol between eNBs and the MME (TS 36.412) uses SCTP to provide the reliable transport that control-plane signalling requires. Each eNB establishes a single SCTP association to the MME; the association carries S1AP messages for all UEs on that eNB. Second, Diameter may use SCTP between the MME and HSS (S6a), between the PCEF and PCRF (Gx), and other internal interfaces.
In 4G EPC: The SCTP association between each eNB and the MME on S1-MME carries S1AP messages for every subscriber on that eNB. A single failed eNB SCTP association impacts all active procedures for hundreds or thousands of subscribers simultaneously.
In 5G SA, SCTP is not used for the SBI (which uses TCP). However, the N2 interface between gNB and AMF uses NGAP over SCTP (TS 38.412), directly analogous to S1AP over SCTP in 4G.
Key interfaces
| Interface | Between | Protocol over SCTP | Purpose |
|---|---|---|---|
| S1-MME | eNB ↔ MME | S1AP | Radio access network control-plane signalling in 4G |
| N2 | gNB ↔ AMF | NGAP | Radio access network control-plane signalling in 5G |
| S6a | MME ↔ HSS | Diameter | Authentication and location update (SCTP or TCP) |
| Gx | PCEF ↔ PCRF | Diameter | Policy and charging (SCTP or TCP) |
| M3UA links | SG ↔ SG / ASP | M3UA (SIGTRAN) | SS7 MTP3 signalling over IP |
Security posture
SCTP's security posture at the transport layer is generally strong relative to TCP. The 4-way handshake with stateless cookie prevents the equivalent of TCP SYN flood attacks. Multi-homing is a resilience feature but also a potential attack vector: the ASCONF (Address Configuration) extension allows adding and removing IP addresses from an active association, which, if not properly controlled, could allow an attacker to inject a new path.
The more significant security consideration with SCTP is that it carries high-value application-layer protocols. An operator that allows unrestricted SCTP access to signalling nodes has effectively given the attacker direct access to Diameter or M3UA. SCTP access control, meaning restricting associations to known peer addresses via IP firewall rules, is the primary control, and it is foundational to the security of everything running over it.
In practice, SCTP is rarely directly attacked. Attackers target the application protocols it carries: SS7/MAP via SIGTRAN, or Diameter. The transport-layer properties of SCTP (reliable delivery, multi-homing) are largely transparent to these attacks.
Attack surface
SCTP INIT flood
Although SCTP's cookie-based handshake is specifically designed to prevent resource exhaustion from INIT floods (the TCP SYN-flood equivalent), an attacker can still generate large volumes of INIT chunks from spoofed source addresses. The receiving node responds with INIT-ACKs (stateless, carrying a cookie) but does not allocate state. The outbound traffic volume from INIT-ACKs can constitute a reflected amplification vector against the spoofed source.
Impact: Reflected traffic amplification against spoofed IP; limited DoS risk to the target SCTP node itself.
Difficulty: Low. Requires only the ability to send UDP-like packets to the SCTP port.
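Why the responder stays stateless under an INIT flood, shown as an added example that is not part of the original page: a toy responder that keeps nothing on INIT and allocates association state only when a COOKIE ECHO carries a cookie whose HMAC, source and age all verify. The cookie layout, the use of HMAC-SHA-256 and all names are assumptions for illustration; real stacks define their own cookie contents.

```python
import hashlib, hmac, os, socket, struct, time

COOKIE_FMT = "!4sHIIQ"     # peer IP, peer port, peer tag, local tag, issue time
COOKIE_LIFETIME = 60       # seconds (RFC 4960 default Valid.Cookie.Life)

class Responder:
    """Toy SCTP responder: shows when association state is (not) allocated."""

    def __init__(self):
        self.secret = os.urandom(32)   # known only to this endpoint
        self.associations = {}         # (peer_ip, peer_port) -> (peer_tag, local_tag)

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def on_init(self, peer_ip, peer_port, peer_tag, now=None) -> bytes:
        """Handle INIT: build the cookie sent in INIT-ACK and store nothing."""
        now = int(time.time() if now is None else now)
        local_tag = int.from_bytes(os.urandom(4), "big") or 1   # tag must be non-zero
        body = struct.pack(COOKIE_FMT, socket.inet_aton(peer_ip), peer_port,
                           peer_tag, local_tag, now)
        return body + self._mac(body)

    def on_cookie_echo(self, peer_ip, peer_port, cookie: bytes, now=None) -> bool:
        """Handle COOKIE ECHO: allocate state only if the cookie verifies."""
        now = int(time.time() if now is None else now)
        size = struct.calcsize(COOKIE_FMT)
        if len(cookie) != size + 32:
            return False
        body, mac = cookie[:size], cookie[size:]
        if not hmac.compare_digest(mac, self._mac(body)):
            return False                      # forged or modified cookie
        ip, port, peer_tag, local_tag, issued = struct.unpack(COOKIE_FMT, body)
        if (ip, port) != (socket.inet_aton(peer_ip), peer_port):
            return False                      # cookie presented from another source
        if not 0 <= now - issued <= COOKIE_LIFETIME:
            return False                      # stale cookie
        self.associations[(peer_ip, peer_port)] = (peer_tag, local_tag)
        return True

def demo():
    """Constructed scenario: 1000 spoofed INITs, then one genuine handshake."""
    r = Responder()
    for i in range(1000):
        r.on_init(f"198.51.100.{i % 250 + 1}", 1024 + i, i + 1, now=1000)
    state_after_flood = len(r.associations)
    cookie = r.on_init("192.0.2.10", 36412, 0xA1B2C3D4, now=1000)
    ok = r.on_cookie_echo("192.0.2.10", 36412, cookie, now=1001)
    return state_after_flood, ok, len(r.associations)
```
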
Multi-homing address injection via ASCONF
The ASCONF extension (RFC 5061) allows an endpoint to dynamically add or remove IP addresses from an active SCTP association. An attacker who can send ASCONF chunks on an active association, either by being on-path or by predicting the Verification Tag, can inject a new IP address into the association. If the peer accepts the new address, traffic may be redirected to the attacker.
Impact: Traffic redirection on an active SCTP association; enables application-layer session hijacking.
Difficulty: Medium. Requires knowledge of the Verification Tag (32-bit, established at association setup) and either on-path position or the ability to forge packets.
Heartbeat-based endpoint enumeration
SCTP HEARTBEAT chunks are sent periodically to confirm path availability. An attacker sending HEARTBEAT chunks to a target address will receive HEARTBEAT-ACK responses from any active SCTP endpoint, allowing enumeration of SCTP-listening nodes across an operator's signalling address range.
Impact: Enumeration of SCTP endpoints exposes the signalling infrastructure topology.
Difficulty: Low. Requires only the ability to send packets to potential SCTP port addresses.
Mitigations
- IP-level access control: The most important control. All SCTP-listening signalling nodes should have IP firewall rules restricting inbound SCTP to known peer addresses. An eNB should only be able to reach its configured MMEs; a DRA should only accept SCTP associations from known Diameter peers. This is the single most effective defence.
- ASCONF restriction: Disable ASCONF or restrict it to associations where multi-homing is operationally required. For associations between known, fixed-address peers, dynamic address addition is unnecessary and introduces risk.
- Verification Tag validation: SCTP uses the Verification Tag (a random 32-bit value exchanged during association setup) to bind chunks to an association. Ensuring that the Verification Tag is properly validated on every received chunk (as RFC 4960 requires) prevents INIT injection attacks on established associations.
- DTLS over SCTP (RFC 6083): For SCTP links that cross administrative boundaries, such as a direct SIGTRAN connection to a roaming partner, DTLS over SCTP provides transport-layer encryption and authentication. Deployment is limited but technically straightforward.
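The first three controls can be expressed as one inbound decision function. This is an added example, not code from the original page or from any SCTP stack: it takes already-decoded packets and applies a peer allowlist, the Verification Tag rules and an ASCONF policy in that order. The policy structure, addresses, ports and tags are hypothetical, and the T-bit exceptions for ABORT and SHUTDOWN-COMPLETE are not modelled.

```python
from ipaddress import ip_address, ip_network

# Hypothetical policy for one signalling node: which peers may talk SCTP to it
# and whether dynamic address changes are allowed on its associations.
POLICY = {
    "allowed_peers": [ip_network("10.20.0.0/28"), ip_network("10.20.1.7/32")],
    "allow_asconf": False,
}

def check_inbound(pkt, associations, policy=POLICY):
    """Return (verdict, reason) for a decoded inbound SCTP packet.

    pkt: {"src": str, "sport": int, "vtag": int, "chunks": [chunk type names]}
    associations: {(src, sport): local Verification Tag} for established peers
    """
    src = ip_address(pkt["src"])
    if not any(src in net for net in policy["allowed_peers"]):
        return "drop", "source is not a configured peer"
    chunks = pkt["chunks"]
    if "INIT" in chunks or pkt["vtag"] == 0:
        # RFC 4960 Section 8.5.1: a zero tag is valid only on a lone INIT.
        if chunks != ["INIT"] or pkt["vtag"] != 0:
            return "drop", "malformed INIT"
        return "accept", "INIT from configured peer"
    if chunks[:1] == ["COOKIE ECHO"]:
        return "accept", "hand to cookie validation"   # no association exists yet
    local_tag = associations.get((pkt["src"], pkt["sport"]))
    if local_tag is None:
        return "drop", "no association for this peer"
    if pkt["vtag"] != local_tag:
        return "drop", "verification tag mismatch"
    if "ASCONF" in chunks and not policy["allow_asconf"]:
        return "drop", "ASCONF not permitted on this association"
    return "accept", "ok"

# Constructed traffic; every address, port and tag is made up for the example.
ASSOCS = {("10.20.0.3", 36412): 0x5EED1234}
SAMPLES = [
    {"src": "10.20.0.3", "sport": 36412, "vtag": 0x5EED1234, "chunks": ["SACK", "DATA"]},
    {"src": "10.20.0.3", "sport": 36412, "vtag": 0x5EED1234, "chunks": ["ASCONF"]},
    {"src": "10.20.0.3", "sport": 36412, "vtag": 0x0BADBEEF, "chunks": ["DATA"]},
    {"src": "198.51.100.9", "sport": 5000, "vtag": 0, "chunks": ["INIT"]},
    {"src": "10.20.0.9", "sport": 5000, "vtag": 0x1111, "chunks": ["HEARTBEAT"]},
]
```
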
Spec references
- RFC 4960: The normative SCTP specification. Section 3 defines the packet format and chunk types. Section 4 defines the association setup and teardown state machines. Section 6 defines the data transfer and acknowledgement mechanisms. The complete reference for SCTP implementation and security analysis.
- RFC 4166: Applicability statement for telephony signalling over SCTP. Explains the specific SCTP features that make it suitable for SS7 and Diameter transport: multi-streaming, multi-homing, and ordered delivery within streams.
- 3GPP TS 36.412: S1 signalling transport specification. Defines the use of SCTP as the transport for S1AP between eNBs and the MME, including the association setup, stream allocation, and failover behaviour.
Related topics
SCTP is the foundation of SIGTRAN, the suite of SS7 adaptation layers that run over it. Without SCTP, SIGTRAN cannot function. Diameter uses SCTP (or TCP) as its transport; the choice between SCTP and TCP for Diameter is an operator configuration decision, with SCTP preferred where multi-homing resilience is required.
SS7 and MAP travel over SCTP when deployed in IP-based networks. ISUP similarly runs over SCTP via M3UA in soft-switch architectures. In 4G EPC, the MME uses SCTP for both S1AP (toward the RAN) and Diameter (toward the HSS). The STP and DRA are the SCTP-anchored routing points for SS7 and Diameter respectively.