IETF Logo Mail Archive

Re: [TLS] DTLS and large messages

Michael Tüxen <Michael.Tuexen@lurchi.franken.de> Tue, 15 June 2010 13:29 UTC

Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3AE843A6900 for <tls@core3.amsl.com>; Tue, 15 Jun 2010 06:29:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.065
X-Spam-Level: *
X-Spam-Status: No, score=1.065 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, HELO_EQ_DE=0.35, J_CHICKENPOX_15=0.6, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DVSsLikDNXHf for <tls@core3.amsl.com>; Tue, 15 Jun 2010 06:29:04 -0700 (PDT)
Received: from mail-n.franken.de (mail-n.franken.de [193.175.24.27]) by core3.amsl.com (Postfix) with ESMTP id 01F743A687D for <tls@ietf.org>; Tue, 15 Jun 2010 06:29:04 -0700 (PDT)
Received: from [192.168.1.190] (p508FE9DC.dip.t-dialin.net [80.143.233.220]) by mail-n.franken.de (Postfix) with ESMTP id 17E9E1C0B4607; Tue, 15 Jun 2010 15:28:36 +0200 (CEST)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="iso-8859-1"
From: Michael Tüxen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <4C1742A6.1050807@iki.fi>
Date: Tue, 15 Jun 2010 15:29:28 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <772A444B-116B-4CC2-A63D-A2D15565E20F@lurchi.franken.de>
References: <E1ONiI8-0001C6-Ln@wintermute02.cs.auckland.ac.nz><4C149556.7040008@gnutls.org> <03826B11-ABC0-4F5B-A636-A07DECDF428C@iki.fi><AANLkTimYxYX8KqZ09bC-aglGU6D6W3JGH4gSlpmP4QCG@mail.gmail.com> <516FD065-D91B-4281-8448-5C79FADDD69A@ll.mit.edu> <00f301cb0c5b$f98cc2a0$4001a8c0@gateway.2wire.net> <4C1742A6.1050807@iki.fi>
To: Juho Vähä-Herttua <juhovh@iki.fi>
X-Mailer: Apple Mail (2.1078)
Cc: tls@ietf.org
Subject: Re: [TLS] DTLS and large messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2010 13:29:08 -0000

On Jun 15, 2010, at 11:06 AM, Juho Vähä-Herttua wrote:

> 15.6.2010 10:25, t.petch kirjoitti:
>> How may an application send a 64kbyte (less headers) message over DTLS, assuming
>> that the substrate is UDP and that UDP can carry 64kbyte datagrams without
>> fragmentation?
>>   
> 
> This sounds like another argument for max_fragment_length extension allowing lengths larger than 2^14...
> 
>> A usually reliable source has surprised me on two counts:
>> 
>> First, I am told that when rfc4347-bis says
>> "As in TLS
>>        1.2, the length should not exceed 2^14.
>> "
>> then that is the authors' way of saying
>> "As in TLS 1.2, the length MUST NOT exceed 2^14."
>> which I had not guessed.
>>   
> 
> That wording is indeed confusing and should probably be changed, TLS 1.2 uses MUST NOT so a "should not" is not "as in TLS 1.2". With current wording I wouldn't recommend exceeding 2^14 length, since it is quite likely to break with some implementations.
> 
>> Second, that DTLS will break up the message into fragments of 2**14 or less but
>> will then place them in a single UDP datagram so that they will transit the
>> network as one, and can be safely reassembled at the far end.
>>   
> 
> The specification says: "Multiple DTLS records may be placed in a single datagram. They are simply encoded consecutively." So in case of 64kB datagrams there can be either multiple complete records (with fragments of 2^14 or less) included in a single datagram or each record having its own datagram, in the receiving end both cases should be handled. It's basically the same as in TLS 1.2 where large handshake messages need to be fragmented into fragments of 2^14 or less and sent consecutively.
DTLS will not fragment any user data. So the application is limited by the path mtu.
When running DTLS/SCTP, SCTP announces a MTU of 2**14 and uses its own fragmentation,
but for UDP this is not possible.
To use user messages larger than 2^14, you need a link layer with an MTU of 2^14 or
higher. Do you?

Best regards
Michael
> 
> This is just my interpretation, but I think the specification is quite clear on this, and your source is probably correct.
> 
> 
> Juho
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email