
December 2, 2004

DTLS comes to reSIProcate

TLS is the standard approach for securing your garden variety TCP-based protocol. Unfortunately, because TLS assumes that the transport is reliable, you can't use it to secure protocols that run over datagram transports such as UDP and DCCP. This presents a problem because a number of important protocols such as SNMP and SIP are often run over UDP.[1] Nagendra Modadugu, Dan Boneh, and I have been working to develop Datagram TLS (paper, Internet-Draft), which is a version of TLS that works over datagram transport.

Nagendra has developed a DTLS implementation that runs within OpenSSL and yesterday he committed DTLS support to the popular reSIProcate open source SIP stack (commits 3680, 3681, 3684). Nice work!

[1] These protocols can also be run over TCP, but in many situations UDP is more convenient.

Posted by ekr at December 2, 2004 10:58 AM

Comments

Read the paper, very nice. Very clear; rationale and design choices well illuminated. WRT DTLS itself, good choice of problem!

Posted by: Allan Schiffman at December 2, 2004 12:09 PM

OpenVPN has already implemented a reliability layer on top of UDP for a TLS handshake. Have you looked at this approach?

(Unfortunately, it's only documented in the source code AFAIK, so you've got a good excuse not to. 8-)

Posted by: Florian Weimer at December 2, 2004 1:54 PM

We considered a similar approach when we designed DTLS (2 years ago now...) but ultimately concluded that application-level timeouts and retransmission were a simpler and more straightforward solution.

Posted by: EKR at December 2, 2004 2:08 PM
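The "application-level timeouts and retransmission" that EKR's comment refers to, and the reason the post gives for needing it (TLS assumes a reliable transport), as an added Python simulation of the DTLS handshake retransmission scheme from RFC 4347 (flights retransmitted whole on a timer that starts at 1 s and doubles, capped at 60 s). This is illustration code, not code from the post, OpenSSL or reSIProcate; the flight contents, the message_seq values and the packet-loss pattern are constructed.

```python
"""DTLS-style handshake retransmission over a lossy datagram channel.

DTLS groups handshake messages into flights and gives each message a
message_seq so the receiver can buffer and reorder them. When the timer
expires without the peer's next flight arriving, the sender retransmits
the whole current flight and doubles the timer (RFC 4347, section 4.2.4).
Plain TLS over UDP has no such loop, so a single lost record stalls it.
"""
from dataclasses import dataclass

INITIAL_TIMEOUT = 1.0   # seconds; RFC 4347 recommended initial value
MAX_TIMEOUT = 60.0      # seconds; RFC 4347 recommended cap on doubling


@dataclass
class Flight:
    number: int          # position of the flight in the handshake
    message_seqs: list   # message_seq of each handshake message in it


def next_timeout(current: float) -> float:
    """Exponential backoff: double the timer, but never beyond the cap."""
    return min(current * 2, MAX_TIMEOUT)


def deliver_flight(flight: Flight, drops: dict, attempt: int) -> set:
    """message_seqs that survive one transmission attempt.
    `drops` maps (attempt, message_seq) -> True for records the constructed
    network loses; everything else is delivered."""
    return {seq for seq in flight.message_seqs if not drops.get((attempt, seq))}


def send_flight_reliably(flight: Flight, drops: dict, max_attempts: int = 8):
    """Retransmit `flight` until the receiver has buffered every message_seq.
    Returns (attempts_used, seconds_spent_waiting, received_seqs)."""
    timeout, waited, received = INITIAL_TIMEOUT, 0.0, set()
    for attempt in range(1, max_attempts + 1):
        received |= deliver_flight(flight, drops, attempt)  # receiver buffers by seq
        if received >= set(flight.message_seqs):           # flight complete
            return attempt, waited, sorted(received)
        waited += timeout                                   # timer expires...
        timeout = next_timeout(timeout)                     # ...and doubles
    raise TimeoutError(f"flight {flight.number} undelivered after {max_attempts} tries")


# Constructed server flight: ServerHello(1), Certificate(2), ServerHelloDone(3).
SERVER_FLIGHT = Flight(number=2, message_seqs=[1, 2, 3])
# Constructed loss pattern: Certificate lost on try 1, whole flight lost on try 2,
# only Certificate arrives on try 3; the receiver's buffer fills in the gap.
LOSS_PATTERN = {(1, 2): True, (2, 1): True, (2, 2): True, (2, 3): True,
                (3, 1): True, (3, 3): True}

if __name__ == "__main__":
    print(send_flight_reliably(SERVER_FLIGHT, LOSS_PATTERN))  # (3, 3.0, [1, 2, 3])
```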