nmap/todo/sctp.txt

TODO.sctp $Id$ -*-text-*-

o Further investigate SCTP functionality, as some people reported
  problems (see this thread:
  http://seclists.org/nmap-dev/2009/q2/0669.html)

o Add support for UDP encapsulated SCTP (9899/udp).
  Basically just wrap the SCTP packets into a UDP packet.
  Think about how to add support for this to libdnet first.
  See this Internet Draft by Michael Tuexen for the specs:
  http://tools.ietf.org/html/draft-tuexen-sctp-udp-encaps
  This is actually quite a challenging task due to the
  current architecture of the scan engine.  How to best
  differentiate a UDP packet related to a UDP scan from a
  UDP wrapped SCTP packet?  How to unpack the UDP wrapped
  SCTP packet in order not to duplicate a lot of code?
  A good solution will be non-trivial.

o Verify ICMP response handling for SCTP.  Make sure all
  ICMP types are handled in an optimal way (esp. destination
  unreachable: protocol unreachable).

o Consider removing 9899/sctp from the default port list.
  9899/udp is used for UDP encapsulated SCTP.  One reason
  to keep 9899/sctp is likely misconfigurations.

o Investigate whether it makes sense to store scan state in
  the itag/itsn fields for INIT scans.

o Investigate the suitability of other SCTP chunks for port
  scanning and implement more scan types if they turn out to
  be worthwhile.  One unverified idea is to experiment with
  undefined chunk types and their first two magic bits to
  provoke ERROR responses.

o Add SCTP based service probing.

o [Ncat] Consider implementing SCTP broker mode.

o [NSE] Add SCTP support to NSE.

o Investigate on differences between SCTP stacks and
  implement SCTP based OS detection probes based on the
  results.  For example, BSD systems send the ASCII string
  KAME-BSD in INIT-ACK chunks.

o SCTP-enable scanme.nmap.org in order to make scanme.roe.ch
  obsolete.