Re: [babel] Opinions wanted: Babel over DTLS ports

David Schinazi <dschinazi@apple.com> Wed, 11 July 2018 23:05 UTC

Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
Message-id: <EA0AF499-9090-4230-9D19-BC51FA26D5C9@apple.com>
Date: Wed, 11 Jul 2018 16:05:04 -0700
In-reply-to: <87muuxxuy2.wl-jch@irif.fr>
Cc: babel@ietf.org
To: Juliusz Chroboczek <jch@irif.fr>
References: <3C99142B-734D-44C8-AD96-02A0859E59F8@apple.com> <87muuxxuy2.wl-jch@irif.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/HMk1op2IlmAZ3dW-kIPOmKxYMns>


> On Jul 11, 2018, at 15:35, Juliusz Chroboczek <jch@irif.fr> wrote:
> 
>> One of the Babel over DTLS questions we haven't answered yet is UDP port
>> numbers.
>> https://tools.ietf.org/html/draft-decimo-babel-dtls-01#section-3
> 
> I think that implementation complexity is about the same.  Using different
> ports requires opening an extra socket, but that's a small cost (just
> a slight complication to your main event loop, and slightly more complex
> error handling in case one of the binds fails).  It might be slightly
> easier to hook your DTLS library if you use a different port, but we
> haven't found that to be a significant problem.
> 
> Using different ports might cause packet reordering (since you're using
> different sockets).  That is not likely to be a big deal, since we only
> send Hellos and IHUs on the unencrypted socket, and since Babel is fairly
> resistant to packet reordering.  It might cause trouble with extensions
> that are sensitive to packet reordering -- for now, HMAC is the only such
> extension.

If I understand you correctly, this would only cause packet reordering
between multicast and unicast (as in all unicast is ordered, and all
multicast is ordered, but multicast 1 might arrive after unicast 2).

For HMAC specifically, this could be solved by using a different index
for unicast and multicast - but that would require receivers to keep
track of multiple indices. And that complexity's probably not worth it
because you don't need HMAC over DTLS.

I agree that this is a valid concern though - but it doesn't tip the scales for me.

> I have a slight preference for using a single port.  David prefers the two
> port solution, I believe, since he wants to hook as high up as possible
> into his DTLS library.  Antonin would appear to agree with David, but he's
> afraid to tell me clearly ;-)
> 
> I think the policy of listening to people with an implementation more than
> people without one has served us well.  David, what's the state of your
> implementation?

Our DTLS stack [1] only lets you handle DTLS above the abstraction of
a connection - you don't want to be messing with sockets. In order to
get the same port variant to work, I had to write 400 lines of Obj-C that
create UDP sockets over loopback so I can pull the encrypted packets
out from under the DTLS stack. Needless to say, that's not an ideal solution.

And on the topic of implementation, have you modified the DTLS stack
you use to support multiple concurrent connections on the same port yet?
Last time we talked your implementation was trivially DoSable by sending
bad DTLS client hellos.

[1] https://developer.apple.com/documentation/network

David
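The reordering concern and the per-kind index workaround discussed above, as an added example that is not part of this thread or of any Babel implementation: a deliberately simplified model of HMAC replay protection (no challenge exchange, constructed packets rather than real TLVs) showing why a shared counter rejects a late multicast packet, and why the receiver must track one index per traffic kind for the split-index fix to hold.

```python
# Added illustration, not code from the thread or any Babel implementation:
# a simplified model of Babel HMAC replay protection. The receiver remembers
# one (Index, PC) pair per key and accepts a packet only if its Index is new
# (the real protocol would challenge it first; that step is omitted here) or
# its PC is strictly greater than the last PC seen for that Index.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    kind: str     # "unicast" or "multicast"
    index: bytes  # sender's Index
    pc: int       # sender's packet counter


@dataclass
class Receiver:
    per_kind: bool  # True: one (Index, PC) per traffic kind and neighbour
    state: Dict[Tuple[str, ...], Tuple[bytes, int]] = field(default_factory=dict)

    def accept(self, neighbour: str, p: Packet) -> bool:
        key = (neighbour, p.kind) if self.per_kind else (neighbour,)
        last = self.state.get(key)
        if last is not None and last[0] == p.index and p.pc <= last[1]:
            return False  # same Index, counter did not advance: reject
        self.state[key] = (p.index, p.pc)
        return True


def run(per_kind: bool, arrival: List[Packet]) -> List[bool]:
    rx = Receiver(per_kind)
    return [rx.accept("neighbour-A", p) for p in arrival]


# Constructed arrival orders (not captured traffic).
SHARED = b"\x01"
# One Index for both kinds: multicast PC 1 was sent first but arrives after
# unicast PC 2 because the two travel through different sockets.
REORDERED = [Packet("unicast", SHARED, 2), Packet("multicast", SHARED, 1)]

UC, MC = b"\x10", b"\x20"
# Separate Index per kind, same arrival order, then the unicast packet replayed.
SPLIT = [Packet("unicast", UC, 2), Packet("multicast", MC, 1),
         Packet("unicast", UC, 2)]


def shared_index_single_state() -> List[bool]:
    return run(False, REORDERED)  # [True, False]: late multicast is dropped


def split_index_tracking_both() -> List[bool]:
    return run(True, SPLIT)       # [True, True, False]: replay caught


def split_index_tracking_one() -> List[bool]:
    # Receiver keeps only one Index per neighbour: each kind's packet looks
    # like a fresh Index, so the counter resets and the replay is accepted.
    return run(False, SPLIT)      # [True, True, True]
```

The third case is the cost David points at: once the sender alternates indices, a receiver that does not keep state per index loses replay protection entirely.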