Comments (4)
We discussed some alternative for this issue as potential direction we can continue. So this issue is only impacting very large user messages. For example an attempt to use a single user message as a continuous byte stream that is long lived will have issues.
-
Accept the limitations and that user messages of sizes that are close to take the magnitude of the rekeying interval in transferring or the AEDA key byte limit in size will not work well with this. Continue to track the DTLS rekeying events based on SCTP-AUTH keys on the user level.
-
That one require another API than the currently defined one. Then one can both use multiple different SCTP-Auth keys for a single user message. However, one would need to track which key(s) are using in which packets for a user messages so that one can determine when all packets with an older key have been delivered to the receiver so that one can rekey.
-
Change the mapping between ULP user messages and its DTLS records to underlying SCTP user messages. If one track the fragmentation over SCTP user messages and when an ULP user messages is at its end then one can continue to use SCTP API as currently defined and enable rekeying in the middle of ULP user messages.
Based on the known applications and API limitations in existing implementations, we think that alternative 1 is the one to recommend. However, if you have an SCTP using application that would have issues with the limitations: User messages can't be as long as the AEAD single key value limiations. The transfer of these uses messages must complete within a key-update period.
We will discuss this design choice with the WG.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
With #70 the limitation is SCTP-AUTH API only. So for an API that does not allow one to change the SCTP-AUTH key for a message the maximum length is what can be transferred in the period between each periodic rekeying.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
So if one uses RFC 6458 defined API for setting the SCTP-AUTH key. Then one can only set it on the start of the user message. That means that the rekeying using multiple DTLS connections will be affected. The impact to enable this to function are:
- Allow that one continue to use old SCTP-Auth key ID after having created a new one for user messages that started with the old key.
- The shutdown of the old DTLS connection will be delayed until all user messages using the corresponding SCTP-auth key have been sent. Then apply the normal hold period to avoid issues.
- The above leads to recommendations that user message sizes should be kept short enough to avoid blocking rekeying, i.e. user messages must be completed within a small fraction of the expected rekeying interval.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
PR #93 notes the API limitation and notes the fact that message sizes needs to be such that transfer complete in short time frame after rekeying to not block future rekeying.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
Related Issues (20)
- Define how the SCTP-AUTH keys are derived HOT 5
- Don't reuse the RFC 6803 exporter label HOT 1
- EC(DHE) -> (EC)DHE HOT 1
- Resumption performance HOT 3
- Cryptographic considerations is very long HOT 1
- How do you limit new connections HOT 1
- Mandatory mutual authentication HOT 3
- Use RFC 7525(bis) HOT 3
- Authenticating fallback to RFC 6083 HOT 6
- DTLS 1.3 Only
- Editorial alignment in style of the IANA sub sections needed HOT 1
- DTLS considerations need to be clear that AEAD limits MUST be handled by new connection
- Address new vulnerabilities found in SCTP-AUTH HOT 10
- DTLS Considerations for Handling of Endpoint Pair Shared Secrets HOT 5
- Clarify that COOKIE-ECHO and COOKIE-ACK are not authenticated
- Align terminology with RFC 9260 HOT 10
- Create DTLS/SCTP Control Message IANA registry
- Update solution properties description
- Add text on how SCTP restart works
- Overstated Security Properties
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.