Bug ID 588771: SCTP needs traffic-group validation for server-side client alternate addresses

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3.6

Opened: Apr 20, 2016

Severity: 3-Major

Symptoms

Addresses may be advertised in an SCTP INIT chunk even though they are not usable by the BIG-IP.

Impact

Some of the paths advertised in the SCTP association establishment creation process will be unusable. A conformant SCTP implementation on the server-side should test and disregard these paths, causing no impact to traffic.

Conditions

When an SCTP virtual server has server-side-multihoming enabled and the snatpool used by the virtual server contains addresses from other traffic groups, it will advertise all of the addresses from the snatpool in the INIT chunk.

Workaround

None

Fix Information

The SCTP filter in BIG-IP has been fixed so that all of the alternate addresses advertised during SCTP association establishment are in the same traffic group as the virtual server. Configured addresses are checked for the correct traffic group membership before being advertised.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips