summaryrefslogtreecommitdiff
path: root/doc/protocol/draft-rescorla-dtls-04.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/protocol/draft-rescorla-dtls-04.txt')
-rw-r--r--doc/protocol/draft-rescorla-dtls-04.txt1338
1 files changed, 0 insertions, 1338 deletions
diff --git a/doc/protocol/draft-rescorla-dtls-04.txt b/doc/protocol/draft-rescorla-dtls-04.txt
deleted file mode 100644
index 5d7ee14b6f..0000000000
--- a/doc/protocol/draft-rescorla-dtls-04.txt
+++ /dev/null
@@ -1,1338 +0,0 @@
- E. Rescorla
- RTFM, Inc.
- N. Modadugu
-INTERNET-DRAFT Stanford University
-<draft-rescorla-dtls-04.txt> April 2004 (Expires October 2005)
-
- Datagram Transport Layer Security
-
-Status of this Memo
-
-By submitting this Internet-Draft, each author represents that any
-applicable patent or other IPR claims of which he or she is aware
-have been or will be disclosed, and any of which he or she becomes
-aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-Internet-Drafts are working documents of the Internet Engineering
-Task Force (IETF), its areas, and its working groups. Note that
-other groups may also distribute working documents as
-Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months
-and may be updated, replaced, or obsoleted by other documents at any
-time. It is inappropriate to use Internet-Drafts as reference
-material or to cite them other than as "work in progress."
-
-The list of current Internet-Drafts can be accessed at
-http://www.ietf.org/1id-abstracts.html
-
-The list of Internet-Draft Shadow Directories can be accessed at
-http://www.ietf.org/shadow.html
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999-2004). All Rights Reserved.
-
-
-
-
-
-
-Rescorla, Modadugu [Page 1]
-
-
-Abstract
-
- This document specifies Version 1.0 of the Datagram Transport
- Layer Security (DTLS) protocol. The DTLS protocol provides
- communications privacy for datagram protocols. The protocol
- allows client/server applications to communicate in a way that
- is designed to prevent eavesdropping, tampering, or message
- forgery. The DTLS protocol is based on the TLS protocol and
- provides equivalent security guarantees. Datagram semantics of
- the underlying transport are preserved by the DTLS protocol.
-
-
-Contents
-
- 1 Introduction 3
- 1.1 Requirements Terminology 3
- 2 Usage Model 4
- 3 Overview of DTLS 4
- 3.1 Loss-insensitive messaging 4
- 3.2 Providing Reliability for Handshake 5
- 3.2.1 Packet Loss 5
- 3.2.2 Reordering 6
- 3.2.3 Message Size 6
- 3.3 Replay Detection 6
- 4 Differences from TLS 6
- 4.1 Record Layer 7
- 4.1.1 Transport Layer Mapping 8
- 4.1.1.1 PMTU Discovery 8
- 4.1.2 Record payload protection 9
- 4.1.2.1 MAC 9
- 4.1.2.2 Null or standard stream cipher 9
- 4.1.2.3 Block Cipher 10
- 4.1.2.4 New Cipher Suites 10
- 4.1.2.5 Anti-Replay 10
- 4.2 The DTLS Handshake Protocol 11
- 4.2.1 Denial of Service Countermeasures 11
- 4.2.2 Handshake Message Format 13
- 4.2.3 Message Fragmentation and Reassembly 15
- 4.2.4 Timeout and Retransmission 16
- 4.2.4.1 Timer Values 19
- 4.2.5 ChangeCipherSpec 20
- 4.2.6 Finished messages 20
- 4.2.7 Alert Messages 20
- 4.2 Record Layer 20
- 4.3 Handshake Protocol 21
- 5 Security Considerations 22
- 6 IANA Considerations 22
-
-
-
-
-Rescorla, Modadugu [Page 2]
-
-
-1. Introduction
-
- TLS [TLS] is the most widely deployed protocol for securing
- network traffic. It is widely used for protecting Web traffic
- and for e-mail protocols such as IMAP [IMAP] and POP [POP].
- The primary advantage of TLS is that it provides a transparent
- connection-oriented channel. Thus, it is easy to secure an
- application protocol by inserting TLS between the application
- layer and the transport layer. However, TLS must run over a
- reliable transport channel--typically TCP [TCP]. It therefore
- cannot be used to secure unreliable datagram traffic.
-
- However, over the past few years an increasing number of
- application layer protocols have been designed which UDP
- transport. In particular such protocols as the Session
- Initiation Protocol (SIP) [SIP], and electronic gaming
- protocols are increasingly popular. (Note that SIP can run
- over both TCP and UDP, but that there are situations in which
- UDP is preferable). Currently, designers of these applications
- are faced with a number of unsatisfactory choices. First, they
- can use IPsec [RFC2401]. However, for a number of reasons
- detailed in [WHYIPSEC], this is only suitable for some
- applications. Second, they can design a custom application
- layer security protocol. SIP, for instance, uses a subsert of
- S/MIME to secure its traffic. Unfortunately, while application
- layer security protocols generally provide superior security
- properties (e.g., end-to-end security in the case of S/MIME)
- it typically require a large amount of effort to design--by
- contrast to the relatively small amount of effort required to
- run the protocol over TLS.
-
- In many cases, the most desirable way to secure client/server
- applications would be to use TLS; however the requirement for
- datagram semantics automatically prohibits use of TLS. Thus, a
- datagram-compatible variant of TLS would be very desirable.
- This memo describes such a protocol: Datagram Transport Layer
- Security (DTLS). DTLS is deliberately designed to be as
- similar to to TLS as possible, both to minimize new security
- invention and to maximize the amount of code and
- infrastructure reuse.
-
-
-1.1. Requirements Terminology
-
- Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD
- NOT" and "MAY" that appear in this document are to be
- interpreted as described in RFC 2119 [REQ].
-
-
-
-
-Rescorla, Modadugu [Page 3]
-
-
-2. Usage Model
-
- The DTLS protocol is designed to secure data between
- communicating applications. It is designed to run in
- application space, without requiring any kernel modifications.
-
- Datagram transport does not require or provide reliable or in-
- order delivery of data. The DTLS protocol preserves this
- property for payload data. Applications such as media
- streaming, Internet telephony and online gaming use datagram
- transport for communication due to the delay-sensitive nature
- of transported data. The behavior of such applications is
- unchanged when the DTLS protocol is used to secure
- communication, since the DTLS protocol does not compensate for
- lost or re-ordered data traffic.
-
-3. Overview of DTLS
-
- The basic design philosophy of DTLS is to construct "TLS over
- datagram". The reason that TLS cannot be used directly in
- datagram environments is simply that packets may be lost or
- reordered. TLS has no internal facilities to handle this kind
- of unreliability and therefore TLS implementations break when
- rehosted on datagram transport. The purpose of DTLS is to make
- only the minimal changes to TLS required to fix this problem.
- To the greatest extent possible, DTLS is identical to TLS.
- Whenever we need to invent new mechanisms, we attempt to do so
- in such a way that it preserves the style of TLS.
-
- Unreliability creates problems for TLS at two levels:
-
- 1. TLS's traffic encryption layer does not allow
- independent decryption of individual records. If record N
- is not received, then record N+1 cannot be decrypted.
-
- 2. The TLS handshake layer assumes that handshake messages
- are delivered reliably and breaks if those messages are
- lost.
-
- The rest of this section describes the approach that DTLS uses
- to solve these problems.
-
-3.1. Loss-insensitive messaging
-
- In TLS's traffic encryption layer (called the TLS Record
- Layer), records are not independent. There are two kinds of
- inter-record dependency:
-
-
-
-
-Rescorla, Modadugu [Page 4]
-
-
- 1. Cryptographic context (CBC state, stream cipher key
- stream) is chained between records.
-
- 2. Anti-replay and message reordering protection are
- provided by a MAC which includes a sequence number, but the
- sequence numbers are implicit in the records.
-
- The fix for both of these problems is straightforward and
- well-known from IPsec ESP [ESP]: add explicit state to the
- records. TLS 1.1 [TLS11] is already adding explicit CBC state
- to TLS records. DTLS borrows that mechanism and adds explicit
- sequence numbers.
-
-3.2. Providing Reliability for Handshake
-
- The TLS handshake is a lockstep cryptographic handshake.
- Messages must be transmitted and received in a defined order
- and any other order is an error. Clearly, this is incompatible
- with reordering and message loss. In addition, TLS handshake
- messages are potentially larger than any given datagram, thus
- creating the problem of fragmentation. DTLS must provide fixes
- for both these problems.
-
-3.2.1. Packet Loss
-
- DTLS uses a simple retransmission timer to handle packet loss.
- The following figure demonstrates the basic concept using the
- first phase of the DTLS handshake:
-
- Client Server
- ------ ------
- ClientHello ------>
-
- X<-- HelloVerifyRequest
- (lost)
-
- [Timer Expires]
-
- ClientHello ------>
- (retransmit)
-
- Once the client has transmitted the ClientHello message, it
- expects to see a HelloVerifyRequest from the server. However,
- if the server's message is lost the client knows that either
- the ClientHello or the HelloVerifyRequest has been lost and
- retransmits. When the server receives the retransmission, it
- knows to retransmit. The server also maintains a
- retransmission timer and retransmits when that timer expires.
-
-
-
-Rescorla, Modadugu [Page 5]
-
-
- Note: timeout and retransmission do not apply to the
- HelloVerifyRequest, because this requires creating state on
- the server.
-
-3.2.2. Reordering
-
- In DTLS, each handshake message is assigned a specific
- sequence number within that handshake. When a peer receives a
- handshake message, it can quickly determine whether that
- message is the next message it expects. If it is, then it
- processes it. If not, it queues it up for future handling once
- all previous messages have been received.
-
-3.2.3. Message Size
-
- TLS and DTLS handshake messages can be quite large (in theory
- up to 2^24-1 bytes, in practice many kilobytes). By contrast,
- UDP datagrams are often limited to <1500 bytes if
- fragmentation is not desired. In order to compensate for this
- limitation, each DTLS handshake message may be fragmented over
- several DTLS records. Each DTLS handshake message contains
- both a fragment offset and a fragment length. Thus, a
- recipient in possession of all bytes of a handshake message
- can reassemble the original unfragmented message.
-
-3.3. Replay Detection
-
- DTLS optionally supports record replay detection. The
- technique used is the same as in IPsec AH/ESP, by maintaining
- a bitmap window of received records. Records that are too old
- to fit in the window and records that have been previously
- received are silently discarded. The replay detection feature
- is optional, since packet duplication is not always malicious,
- but can also occur due to routing errors. Applications may
- conceivably detect duplicate packets and accordingly modify
- their data transmission strategy.
-
-4. Differences from TLS
-
- As mentioned in Section 3., DTLS is intentionally very similar
- to TLS. Therefore, instead of presenting DTLS as a new
- protocol, we instead present it as a series of deltas from TLS
- 1.1 [TLS11]. Where we do not explicitly call out differences,
- DTLS is the same as TLS.
-
-
-
-
-
-
-
-Rescorla, Modadugu [Page 6]
-
-
-4.1. Record Layer
-
- The DTLS record layer is extremely similar to that of TLS 1.1.
- The only change is the inclusion of an explicit sequence
- number in the record. This sequence number allows the
- recipient to correctly verify the TLS MAC. The DTLS record
- format is shown below:
-
- struct {
- ContentType type;
- ProtocolVersion version;
- uint16 epoch; // New field
- uint48 sequence_number; // New field
- uint16 length;
- opaque fragment[DTLSPlaintext.length];
- } DTLSPlaintext;
-
- type
- Equivalent to the type field in a TLS 1.1 record.
-
- version
- The version of the protocol being employed. This document
- describes DTLS Version 1.0, which uses the version { 254, 255
- }. The version value of 254.255 is the 1's complement of DTLS
- Version 1.0. This maximal spacing between TLS and DTLS version
- numbers ensures that records from the two protocols can be
- easily distinguished.
-
- epoch
- A counter value that is incremented on every cipher state
- change.
-
- sequence_number
- The sequence number for this record.
-
- length
- Identical to the length field in a TLS 1.1 record. As in TLS
- 1.1, the length should not exceed 2^14.
-
- fragment
- Identical to the fragment field of a TLS 1.1 record.
-
- DTLS uses an explicit rather than implicit sequence number,
- carried in the sequence_number field of the record. As with
- TLS, the sequence number is set to zero after each
- ChangeCipherSpec message is sent.
-
-
-
-
-
-Rescorla, Modadugu [Page 7]
-
-
- If several handshakes are performed in close succession, there
- might be multiple records on the wire with the same sequence
- number but from different cipher states. The epoch field
- allows recipients to distinguish such packets. The epoch
- number is initially zero and is incremented each time the
- ChangeCipherSpec messages is sent. In order to ensure that any
- given sequence/epoch pair is unique, implementations MUST NOT
- allow the same epoch value to be reused within two times the
- TCP maximum segment lifetime. In practice, TLS implementations
- rehandshake rarely and we therefore do not expect this to be a
- problem.
-
-4.1.1. Transport Layer Mapping
-
- Each DTLS record MUST fit within a single datagram. In order
- to avoid IP fragmentation [MOGUL], DTLS implementations SHOULD
- determine the MTU and send records smaller than the MTU. DTLS
- implementations SHOULD provide a way for applications to
- determine the value of the PMTU (or alternately the maximum
- application datagram size, which is the PMTU minus the DTLS
- per-record overhead). If the application attempts to send a
- record larger than the MTU the DTLS implementation SHOULD
- generate an error, thus avoiding sending a packet which will
- be fragmented.
-
- Note that unlike IPsec, DTLS records do not contain any
- association identifiers. Applications must arrange to
- multiplex between associations. With UDP, this is presumably
- done with host/port number.
-
- Multiple DTLS records may be placed in a single datagram. hey
- are simply encoded consecutively. The DTLS record framing is
- sufficient to determine the boundaries. Note, however, that
- the first byte of the datagram payload must be the beginning
- of a record. Records may not span datagrams.
-
-4.1.1.1. PMTU Discovery
-
- In general, DTLS's philosophy is to avoid dealing with PMTU
- issues. The general strategy is to start with a conservative
- MTU and then update it if events require it, but not actively
- probe for MTU values. PMTU discovery is left to the
- application.
-
- The PMTU SHOULD be initialized from the interface MTU that
- will be used to send packets. If the DTLS implementation
- receives an RFC 1191 [RFC1191] ICMP Destination Unreachable
- message with the "fragmentation needed and DF set" Code
-
-
-
-Rescorla, Modadugu [Page 8]
-
-
- (otherwise known as Datagram Too Big) it should decrease its
- PMTU estimate to that given in the ICMP message. A DTLS
- implementation SHOULD allow the application to occasionally
- reset its PMTU estimate. The DTLS implementation SHOULD also
- allow applications to control the status of the DF bit. These
- controls allow the application to perform PMTU discovery.
-
- One special case is the DTLS handshake system. Handshake
- messages should be set with DF set. Because some firewalls and
- routers screen out ICMP messages, it is difficult for the
- handshake layer to distinguish packet loss from an overlarge
- PMTU estimate. In order to allow connections under these
- circumstances, DTLS implementations SHOULD back off handshake
- packet size during the retransmit backoff described in Section
- 4.2.4.. For instance, if a large packet is being sent, after 3
- retransmits the handshake layer might choose to fragment the
- handshake message on retransmission. In general, choice of a
- conservative initial MTU will avoid this problem.
-
-4.1.2. Record payload protection
-
- Like TLS, DTLS transmits data as a series of protected
- records. The rest of this section describes the details of
- that format.
-
-4.1.2.1. MAC
-
- The DTLS MAC is the same as that of TLS 1.1. However, rather
- than using TLS's implicit sequence number, the sequence number
- used to compute the MAC is the 64-bit value formed by
- concatenating the epoch and the sequence number in the order
- they appear on the wire. Note that the DTLS epoch + sequence
- number is the same length as the TLS sequence number.
-
- Note that one important difference between DTLS and TLS MAC
- handling is that in TLS MAC errors must result in connection
- termination. In DTLS, the receiving implementation MAY simply
- discard the offending record and continue with the connection.
- This change is possible because DTLS records are not dependent
- on each other the way that TLS records are.
-
-
-4.1.2.2. Null or standard stream cipher
-
- The DTLS NULL cipher is performed exactly as the TLS 1.1 NULL
- cipher.
-
-
-
-
-
-Rescorla, Modadugu [Page 9]
-
-
- The only stream cipher described in TLS 1.1 is RC4, which
- cannot be randomly accessed. RC4 MUST NOT be used with DTLS.
-
-4.1.2.3. Block Cipher
-
- DTLS block cipher encryption and decryption are performed
- exactly as with TLS 1.1.
-
-4.1.2.4. New Cipher Suites
-
- Upon registration, new TLS cipher suites MUST indicate whether
- they are suitable for DTLS usage and what, if any, adaptations
- must be made.
-
-4.1.2.5. Anti-Replay
-
- DTLS records contain a sequence number to provide replay
- protection. Sequence number verification SHOULD be performed
- using the following sliding, window procedure, borrowed from
- Section 3.4.3 of [RFC 2402]
-
- The receiver packet counter for this session MUST be
- initialized to zero when the session is established. For each
- received record, the receiver MUST verify that the record
- contains a Sequence Number that does not duplicate the
- Sequence Number of any other record received during the life
- of this session. This SHOULD be the first check applied to a
- packet after it has been matched to a session, to speed
- rejection of duplicate records.
-
- Duplicates are rejected through the use of a sliding receive
- window. (How the window is implemented is a local matter, but
- the following text describes the functionality that the
- implementation must exhibit.) A minimum window size of 32 MUST
- be supported; but a window size of 64 is preferred and SHOULD
- be employed as the default. Another window size (larger than
- the minimum) MAY be chosen by the receiver. (The receiver does
- not notify the sender of the window size.)
-
- The "right" edge of the window represents the highest,
- validated Sequence Number value received on this session.
- Records that contain Sequence Numbers lower than the "left"
- edge of the window are rejected. Packets falling within the
- window are checked against a list of received packets within
- the window. An efficient means for performing this check,
- based on the use of a bit mask, is described in Appendix C of
- [RFC 2401].
-
-
-
-
-Rescorla, Modadugu [Page 10]
-
-
- If the received record falls within the window and is new, or
- if the packet is to the right of the window, then the receiver
- proceeds to MAC verification. If the MAC validation fails, the
- receiver MUST discard the received record as invalid. The
- receive window is updated only if the MAC verification
- succeeds.
-
-4.2. The DTLS Handshake Protocol
-
- DTLS uses all of the same handshake messages and flows as TLS,
- with three principal changes:
-
- 1. A stateless cookie exchange has been added to prevent
- denial of service attacks.
-
- 2. Modifications to the handshake header to handle message
- loss, reordering and fragmentation.
-
- 3. Retransmission timers to handle message loss.
-
- With these exceptions, the DTLS message formats, flows, and
- logic are the same as those of TLS 1.1.
-
-4.2.1. Denial of Service Countermeasures
-
- Datagram security protocols are extremely susceptible to a
- variety of denial of service (DoS) attacks. Two attacks are of
- particular concern:
-
- 1. An attacker can consume excessive resources on the
- server by transmitting a series of handshake initiation
- requests, causing the server to allocate state and
- potentially perform expensive cryptographic operations.
-
- 2. An attacker can use the server as an amplifier by
- sending connection initiation messages with a forged source
- of the victim. The server then sends its next message (in
- DTLS, a Certificate message, which can be quite large) to
- the victim machine, thus flooding it.
-
- In order to counter both of these attacks, DTLS borrows the
- stateless cookie technique used by Photuris [PHOTURIS] and IKE
- [IKE]. When the client sends its ClientHello message to the
- server, the server MAY respond with a HelloVerifyRequest
- message. This message contains a stateless cookie generated
- using the technique of [PHOTURIS]. The client MUST retransmit
- the ClientHello with the cookie added. The server then
- verifies the cookie and proceeds with the handshake only if it
-
-
-
-Rescorla, Modadugu [Page 11]
-
-
- is valid. This mechanism forces the attacker/client to be able
- to receive the cookie, which makes DoS attacks with spoofed IP
- addresses difficult. This mechanism does not provide any
- defense against DoS attacks mounted from valid IP addresses.
-
- The exchange is shown below:
-
- Client Server
- ------ ------
- ClientHello ------>
-
- <----- HelloVerifyRequest
- (contains cookie)
-
- ClientHello ------>
- (with cookie)
-
- [Rest of handshake]
-
- DTLS therefore modifies the ClientHello message to add the
- cookie value.
-
- struct {
- ProtocolVersion client_version;
- Random random;
- SessionID session_id;
- opaque cookie<0..32>; // New field
- CipherSuite cipher_suites<2..2^16-1>;
- CompressionMethod compression_methods<1..2^8-1>;
- } ClientHello;
-
- When sending the first ClientHello, the client does not have a
- cookie yet; in this case, the Cookie field is left empty (zero
- length).
-
- The definition of HelloVerifyRequest is as follows:
-
- struct {
- Cookie cookie<0..32>;
- } HelloVerifyRequest;
-
- The HelloVerifyRequest message type is
- hello_verify_request(3).
-
- When responding to a HelloVerifyRequest the client MUST use
- the same parameter values (version, random, session_id,
- cipher_suites, compression_method) as in the original
- ClientHello. The server SHOULD use those values to generate
-
-
-
-Rescorla, Modadugu [Page 12]
-
-
- its cookie and verify that they are correct upon cookie
- receipt. The DTLS server SHOULD generate cookies in such a way
- that they can be verified without retaining any per-client
- state on the server. One technique is to have a randomly
- generated secret and generate cookies as:
- Cookie = HMAC(Secret, Client-IP, Client-Parameters)
-
- When the second ClientHello is received, the server can verify
- that the Cookie is valid and that the client can receive
- packets at the given IP address.
- One potential attack on this scheme is for the attacker to
- collect a number of cookies from different addresses and then
- reuse them to attack the server. The server can defend against
- this attack by changing the Secret value frequently, thus
- invalidating those cookies. If the server wishes legitimate
- clients to be able to handshake through the transition (e.g.,
- they received a cookie with Secret 1 and then sent the second
- ClientHello after the server has changed to Secret 2), the
- server can have a limited window during which it accepts both
- secrets. [IKEv2] suggests adding a version number to cookies
- to detect this case. An alternative approach is simply to try
- verifying with both secrets.
-
- Although DTLS servers are not required to do a cookie
- exchange, they SHOULD do so whenever a new handshake is
- performed in order to avoid being used as amplifiers. If the
- server is being operated in an environment where amplification
- is not a problem, the server MAY choose not to perform a
- cookie exchange. In addition, the server MAY choose not do to
- a cookie exchange when a session is resumed. Clients MUST be
- prepared to do a cookie exchange with every handshake.
-
- If HelloVerifyRequest is used, the initial ClientHello and
- HelloVerifyRequest are not included in the calculation of the
- verify_data for the Finished message.
-
-4.2.2. Handshake Message Format
-
- In order to support message loss, reordering, and
- fragmentation DTLS modifies the TLS 1.1 handshake header:
-
- struct {
- HandshakeType msg_type;
- uint24 length;
- uint16 message_seq; // New field
- uint24 fragment_offset; // New field
- uint24 fragment_length; // New field
- select (HandshakeType) {
-
-
-
-Rescorla, Modadugu [Page 13]
-
-
- case hello_request: HelloRequest;
- case client_hello: ClientHello;
- case hello_verify_request: HelloVerifyRequest; // New type
- case server_hello: ServerHello;
- case certificate:Certificate;
- case server_key_exchange: ServerKeyExchange;
- case certificate_request: CertificateRequest;
- case server_hello_done:ServerHelloDone;
- case certificate_verify: CertificateVerify;
- case client_key_exchange: ClientKeyExchange;
- case finished:Finished;
- } body;
- } Handshake;
-
- The first message each side transmits in each handshake always
- has message_seq = 0. Whenever each new message is generated,
- the message_seq value is incremented by one. When a message is
- retransmitted, the same message_seq value is used. For
- example.
-
- Client Server
- ------ ------
- ClientHello (seq=0) ------>
-
- X<-- HelloVerifyRequest (seq=0)
- (lost)
-
- [Timer Expires]
-
- ClientHello (seq=0) ------>
- (retransmit)
-
- <------ HelloVerifyRequest (seq=0)
-
- ClientHello (seq=1) ------>
- (with cookie)
-
- <------ ServerHello (seq=1)
- <------ Certificate (seq=2)
- <------ ServerHelloDone (seq=3)
-
- [Rest of handshake]
-
- Note, however, that from the perspective of the DTLS record
- layer, the retransmission is a new record. This record will
- have a new DTLSPlaintext.sequence_number value.
-
-
-
-
-
-Rescorla, Modadugu [Page 14]
-
-
- DTLS implementations maintain (at least notionally) a
- next_receive_seq counter. This counter is initially set to
- zero. When a message is received, if its sequence number
- matches next_receive_seq, next_receive_seq is incremented and
- the message is processed. If the sequence number is less than
- next_receive_seq the message MUST be discarded. If the
- sequence number is greater than next_receive_seq, the
- implementation SHOULD queue the message but MAY discard it.
- (This is a simple space/bandwidth tradeoff).
-
-4.2.3. Message Fragmentation and Reassembly
-
- As noted in Section 4.1.1., each DTLS message MUST fit within
- a single transport layer datagram. However, handshake messages
- are potentially bigger than the maximum record size. Therefore
- DTLS provides a mechanism for fragmenting a handshake message
- over a number of records.
-
- When transmitting the handshake message, the sender divides
- the message into a series of N contiguous data ranges. These
- range MUST NOT be larger than the maximum handshake fragment
- size and MUST jointly contain the entire handshake message.
- The ranges SHOULD NOT overlap. The sender then creates N
- handshake messages, all with the same message_seq value as the
- original handshake message. Each new message is labelled with
- the fragment_offset (the number of bytes contained in previous
- fragments) and the fragment_length (the length of this
- fragment). The length field in all messages is the same as the
- length field of the original message. An unfragmented message
- is a degenerate case with fragment_offset=0 and
- fragment_length=length.
-
- When a DTLS implementation receives a handshake message
- fragment, it MUST buffer it until it has the entire handshake
- message. DTLS implementations MUST be able to handle
- overlapping fragment ranges. This allows senders to retransmit
- handshake messages with smaller fragment sizes during path MTU
- discovery.
-
- Note that as with TLS, multiple handshake messages may be
- placed in the same DTLS record, provided that there is room
- and that they are part of the same flight. Thus, there are two
- acceptable ways to pack two DTLS messages into the same
- datagram: in the same record or in separate records.
-
-
-
-
-
-
-
-Rescorla, Modadugu [Page 15]
-
-
-4.2.4. Timeout and Retransmission
-
- DTLS messages are grouped into a series of message flights,
- according the diagrams below. Although each flight of messages
- may consist of a number of messages, they should be viewed as
- monolithic for the purpose of timeout and retransmission.
-
- Client Server
- ------ ------
-
- ClientHello --------> Flight 1
-
- <------- HelloVerifyRequest Flight 2
-
- ClientHello --------> Flight 3
-
- ServerHello \
- Certificate* \
- ServerKeyExchange* Flight 4
- CertificateRequest* /
- <-------- ServerHelloDone /
-
- Certificate* \
- ClientKeyExchange \
- CertificateVerify* Flight 5
- [ChangeCipherSpec] /
- Finished --------> /
-
- [ChangeCipherSpec] \ Flight 6
- <-------- Finished /
- Figure 1: Message flights for full handshake
-
-
- Client Server
- ------ ------
-
- ClientHello --------> Flight 1
-
- ServerHello \
- [ChangeCipherSpec] Flight 2
- <-------- Finished /
-
- [ChangeCipherSpec] \Flight 3
- Finished --------> /
- Figure 2: Message flights for session resuming handshake (no
- cookie exchange)
-
-
-
-
-
-Rescorla, Modadugu [Page 16]
-
-
- DTLS uses a simple timeout and retransmission scheme with the
- following state machine. Because DTLS clients send the first
- message (ClientHello) they start in the PREPARING state. DTLS
- servers start in the WAITING state, but with empty buffers and
- no retransmit timer.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Rescorla, Modadugu [Page 17]
-
-
- +-----------+
- | PREPARING |
- +---> | |
- | | |
- | +-----------+
- | |
- | |
- | | Buffer next flight
- | |
- | \|/
- | +-----------+
- | | |
- | | SENDING |<------------------+
- | | | |
- | +-----------+ |
- Receive | | |
- next | | Send flight |
- flight | +--------+ |
- | | | Set retransmit timer |
- | | \|/ |
- | | +-----------+ |
- | | | | |
- +--)--| WAITING |-------------------+
- | | | | Timer expires |
- | | +-----------+ |
- | | | |
- | | | |
- | | +------------------------+
- | | Read retransmit
- Receive | |
- last | |
- flight | |
- | |
- \|/\|/
-
- +-----------+
- | |
- | FINISHED |
- | |
- +-----------+
-
- Figure 3: DTLS timeout and retransmission state machine
-
-
- The state machine has three basic states.
-
- In the PREPARING state the implementation does whatever
- computations are necessary to prepare the next flight of
-
-
-
-Rescorla, Modadugu [Page 18]
-
-
- messages. It then buffers them up for transmission (emptying
- the buffer first) and enters the SENDING state.
-
- In the SENDING state, the implementation transmits the
- buffered flight of messages. Once the messages have been sent,
- the implementation then enters the FINISHED state if this is
- the last flight in the handshake, or, if the implementation
- expects to receive more messages, sets a retransmit timer and
- then enters the WAITING state.
-
- There are three ways to exit the WAITING state:
-
- 1. The retransmit timer expires: the implementation
- transitions to the SENDING state, where it retransmits the
- flight, resets the retransmit timer, and returns to the
- WAITING state.
-
- 2. The implementation reads a retransmitted flight from the
- peer: the implementation transitions to the SENDING state,
- where it retransmits the flight, resets the retransmit
- timer, and returns to the WAITING state. The rationale here
- is that the receipt of a duplicate message is the likely
- result of timer expiry on the peer and therefore suggests
- that part of one's previous flight was lost.
-
- 3. The implementation receives the next flight of messages:
- if this is the final flight of messages the implementation
- transitions to FINISHED. If the implementation needs to
- send a new flight, it transitions to the PREPARING state.
- Partial reads (whether partial messages or only some of the
- messages in the flight) do not cause state transitions or
- timer resets.
-
- Because DTLS clients send the first message (ClientHello) they
- start in the PREPARING state. DTLS servers start in the
- WAITING state, but with empty buffers and no retransmit timer.
-
-4.2.4.1. Timer Values
-
- Timer value choices are a local matter. Implementations SHOULD
- use an initial timer value of 500 ms and double the value at
- each retransmission, up to twice the TCP maximum segment
- lifetime [TCP] (if the recommendations in [TCP] are followed,
- this will be 240 seconds). Implementations SHOULD start the
- timer value at the initial value with each new flight of
- messages.
-
-
-
-
-
-Rescorla, Modadugu [Page 19]
-
-
-4.2.5. ChangeCipherSpec
-
- As with TLS, the ChangeCipherSpec message is not technically a
- handshake message but MUST be treated as part of the same
- flight as the associated Finished message for the purposes of
- timeout and retransmission.
-
-4.2.6. Finished messages
-
- Finished messages have the same format as in TLS. However, in
- order to remove sensitivity to fragmentation, the Finished MAC
- MUST be computed as if each handshake message had been sent as
- a single fragment. Note that in cases where the cookie
- exchange is used, the initial ClientHello and
- HelloVerifyRequest MUST BE included in the Finished MAC.
-
-4.2.7. Alert Messages
-
- Note that Alert messages are not retransmitted at all, even
- when they occur in the context of a handshake. However, a DTLS
- implementation SHOULD generate a new alert message if the
- offending record is received again (e.g., as a retransmitted
- handshake message).
-
-
-
-A.1Summary of new syntax
-
- This section includes specifications for the data structures
- that have changed between TLS 1.1 and DTLS.
-
-4.2. Record Layer
- struct {
- ContentType type;
- ProtocolVersion version;
- uint16 epoch; // New field
- uint48 sequence_number; // New field
- uint16 length;
- opaque fragment[DTLSPlaintext.length];
- } DTLSPlaintext;
-
- struct {
- ContentType type;
- ProtocolVersion version;
- uint16 epoch; // New field
- uint48 sequence_number; // New field
- uint16 length;
- opaque fragment[DTLSCompressed.length];
-
-
-
-Rescorla, Modadugu [Page 20]
-
-
- } DTLSCompressed;
-
- struct {
- ContentType type;
- ProtocolVersion version;
- uint16 epoch; // New field
- uint48 sequence_number; // New field
- uint16 length;
- select (CipherSpec.cipher_type) {
- case block: GenericBlockCipher;
- } fragment;
- } DTLSCiphertext;
-
-4.3. Handshake Protocol
-
- enum {
- hello_request(0), client_hello(1), server_hello(2),
- hello_verify_request(3), // New field
- certificate(11), server_key_exchange (12),
- certificate_request(13), server_hello_done(14),
- certificate_verify(15), client_key_exchange(16),
- finished(20), (255)
- } HandshakeType;
-
- struct {
- HandshakeType msg_type;
- uint24 length;
- uint16 message_seq; // New field
- uint24 fragment_offset; // New field
- uint24 fragment_length; // New field
- select (HandshakeType) {
- case hello_request: HelloRequest;
- case client_hello: ClientHello;
- case server_hello: ServerHello;
- case hello_verify_request: HelloVerifyRequest; // New field
- case certificate:Certificate;
- case server_key_exchange: ServerKeyExchange;
- case certificate_request: CertificateRequest;
- case server_hello_done:ServerHelloDone;
- case certificate_verify: CertificateVerify;
- case client_key_exchange: ClientKeyExchange;
- case finished:Finished;
- } body;
- } Handshake;
-
- struct {
- ProtocolVersion client_version;
- Random random;
-
-
-
-Rescorla, Modadugu [Page 21]
-
-
- SessionID session_id;
- opaque cookie<0..32>; // New field
- CipherSuite cipher_suites<2..2^16-1>;
- CompressionMethod compression_methods<1..2^8-1>;
- } ClientHello;
-
- struct {
- Cookie cookie<0..32>;
- } HelloVerifyRequest;
-
-5. Security Considerations
-
- This document describes a variant of TLS 1.1 and therefore
- most of the security considerations are the same as those of
- TLS 1.1 [TLS11], described in Appendices D, E, and F.
-
- The primary additional security consideration raised by DTLS
- is that of denial of service. DTLS includes a cookie exchange
- designed to protect against denial of service. However,
- implementations which do not use this cookie exchange are
- still vulnerable to DoS. In particular, DTLS servers which do
- not use the cookie exchange may be used as attack amplifiers
- even if they themselves are not experiencing DoS. Therefore
- DTLS servers SHOULD use the cookie exchange unless there is
- good reason to believe that amplification is not a threat in
- their environment.
-
-6. IANA Considerations
-
- This document uses the same identifier space as TLS [TLS11],
- so no new IANA registries are required. When new identifiers
- are assigned for TLS, authors MUST specify whether they are
- suitable for DTLS.
-
- This document defines a new handshake message,
- hello_verify_request, whose value is to be allocated from the
- TLS HandshakeType registry defined in [TLS11]. The value "3"
- is suggested.
-
-References
-
-Normative References
-
- [RFC1191] Mogul, J. C., Deering, S.E., "Path MTU Discovery",
- RFC 1191, November 1990.
-
- [RFC2401] Kent, S., Atkinson, R., "Security Architecture for the
- Internet Protocol", RFC2401, November 1998.
-
-
-
-Rescorla, Modadugu [Page 22]
-
-
- [TCP] Postel, J., "Transmission Control Protocol",
- RFC 793, September 1981.
-
- [TLS11] Dierks, T., Rescorla, E., "The TLS Protocol Version 1.1",
- draft-ietf-tls-rfc2246-bis-05.txt, July 2003.
-
-
-Informative References
-
- [AH] Kent, S., and Atkinson, R., "IP Authentication Header",
- RFC 2402, November 1998.
-
- [DCCP] Kohler, E., Handley, M., Floyd, S., Padhye, J., "Datagram
- Congestion Control Protocol", draft-ietf-dccp-spec-11.txt,
- 10 March 2005
-
- [DNS] Mockapetris, P.V., "Domain names - implementation and
- specification", RFC 1035, November 1987.
-
- [DTLS] Modadugu, N., Rescorla, E., "The Design and Implementation
- of Datagram TLS", Proceedings of ISOC NDSS 2004, February 2004.
-
- [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security
- Payload (ESP)", RFC 2406, November 1998.
-
-
- [IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
- RFC 2409, November 1998.
-
- [IKEv2] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
- draft-ietf-ipsec-ikev2-17.txt, September 2004.
-
- [IMAP] Crispin, M., "Internet Message Access Protocol - Version
- 4rev1", RFC 3501, March 2003.
-
- [PHOTURIS] Karn, P., Simpson, W., "Photuris: Session-Key Management
- Protocol", RFC 2521, March 1999.
-
-
- [POP] Myers, J., and Rose, M., "Post Office Protocol -
- Version 3", RFC 1939, May 1996.
-
-
- [REQ] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-
- [SIP] Rosenberg, J., Schulzrinne, Camarillo, G., Johnston, A.,
-
-
-
-Rescorla, Modadugu [Page 23]
-
-
- Peterson, J., Sparks, R., Handley, M., Schooler, E.,
- "SIP: Session Initiation Protocol", RFC 3261,
- June 2002.
-
- [TLS] Dierks, T., and Allen, C., "The TLS Protocol Version 1.0",
- RFC 2246, January 1999.
-
- [WHYIPSEC] Bellovin, S., "Guidelines for Mandating the Use of IPsec",
- draft-bellovin-useipsec-02.txt, October 2003
-
-Authors' Address
-
- Eric Rescorla <ekr@rtfm.com>
- RTFM, Inc.
- 2064 Edgewood Drive
- Palo Alto, CA 94303
-
- Nagendra Modadugu <nagendra@cs.stanford.edu>
- Computer Science Department
- 353 Serra Mall
- Stanford University
- Stanford, CA 94305
-
-
-
-Acknowledgements
-
- The authors would like to thank Dan Boneh, Eu-Jin Goh, Russ
- Housley, Constantine Sapuntzakis, and Hovav Shacham for
- discussions and comments on the design of DTLS. Thanks to the
- anonymous NDSS reviewers of our original NDSS paper on DTLS
- [DTLS] for their comments. Also, thanks to Steve Kent for
- feedback that helped clarify many points. The section on PMTU
- was cribbed from the DCCP specification [DCCP]. Pasi Eronen
- provided a detailed review of this specification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Rescorla, Modadugu [Page 24]
-
-
-Full Copyright Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Copyright Notice
- Copyright (C) The Internet Society (2003). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Rescorla, Modadugu [Page 25]
-
View Lorry Controller Status