Re: [TLS] DTLS and large messages
Michael Tüxen <Michael.Tuexen@lurchi.franken.de> Wed, 16 June 2010 09:58 UTC
Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B65B928C100 for <tls@core3.amsl.com>; Wed, 16 Jun 2010 02:58:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.452
X-Spam-Level: **
X-Spam-Status: No, score=2.452 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FH_RELAY_NODNS=1.451, J_CHICKENPOX_15=0.6, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7cddsCo6uXxH for <tls@core3.amsl.com>; Wed, 16 Jun 2010 02:58:17 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by core3.amsl.com (Postfix) with ESMTP id ED9853A6AF0 for <tls@ietf.org>; Wed, 16 Jun 2010 02:58:16 -0700 (PDT)
Received: from [10.0.1.103] (unknown [194.95.73.153]) by mail-n.franken.de (Postfix) with ESMTP id 904DF1C0B4607; Wed, 16 Jun 2010 11:58:17 +0200 (CEST)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="iso-8859-1"
From: Michael Tüxen <Michael.Tuexen@lurchi.franken.de>
X-Priority: 3
In-Reply-To: <000b01cb0d2a$db84eba0$4001a8c0@gateway.2wire.net>
Date: Wed, 16 Jun 2010 11:59:12 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <BB4F51AD-83BB-49FC-9941-CC8E7CA249B5@lurchi.franken.de>
References: <E1ONiI8-0001C6-Ln@wintermute02.cs.auckland.ac.nz><4C149556.7040008@gnutls.org> <03826B11-ABC0-4F5B-A636-A07DECDF428C@iki.fi><AANLkTimYxYX8KqZ09bC-aglGU6D6W3JGH4gSlpmP4QCG@mail.gmail.com> <516FD065-D91B-4281-8448-5C79FADDD69A@ll.mit.edu> <00f301cb0c5b$f98cc2a0$4001a8c0@gateway.2wire.net> <4C1742A6.1050807@iki.fi> <772A444B-116B-4CC2-A63D-A2D15565E20F@lurchi.franken.de> <000b01cb0d2a$db84eba0$4001a8c0@gateway.2wire.net>
To: "t.petch" <ietfc@btconnect.com>
X-Mailer: Apple Mail (2.1078)
Cc: tls@ietf.org
Subject: Re: [TLS] DTLS and large messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jun 2010 09:58:18 -0000
On Jun 16, 2010, at 10:06 AM, t.petch wrote: > ----- Original Message ----- > From: "Michael Tüxen" <Michael.Tuexen@lurchi.franken.de> > Sent: Tuesday, June 15, 2010 3:29 PM > > On Jun 15, 2010, at 11:06 AM, Juho Vähä-Herttua wrote: > >> 15.6.2010 10:25, t.petch kirjoitti: >>> How may an application send a 64kbyte (less headers) message over DTLS, > assuming >>> that the substrate is UDP and that UDP can carry 64kbyte datagrams without >>> fragmentation? >> >> This sounds like another argument for max_fragment_length extension allowing > lengths larger than 2^14... >> >>> A usually reliable source has surprised me on two counts: >>> >>> First, I am told that when rfc4347-bis says >>> "As in TLS >>> 1.2, the length should not exceed 2^14. >>> " >>> then that is the authors' way of saying >>> "As in TLS 1.2, the length MUST NOT exceed 2^14." >>> which I had not guessed. >> >> That wording is indeed confusing and should probably be changed, TLS 1.2 uses > MUST NOT so a "should not" is not "as in TLS 1.2". With current wording I > wouldn't recommend exceeding 2^14 length, since it is quite likely to break with > some implementations. >> >>> Second, that DTLS will break up the message into fragments of 2**14 or less > but >>> will then place them in a single UDP datagram so that they will transit the >>> network as one, and can be safely reassembled at the far end. >> >> The specification says: "Multiple DTLS records may be placed in a single > datagram. They are simply encoded consecutively." So in case of 64kB datagrams > there can be either multiple complete records (with fragments of 2^14 or less) > included in a single datagram or each record having its own datagram, in the > receiving end both cases should be handled. It's basically the same as in TLS > 1.2 where large handshake messages need to be fragmented into fragments of 2^14 > or less and sent consecutively. > > DTLS will not fragment any user data. So the application is limited by the path > mtu. > When running DTLS/SCTP, SCTP announces a MTU of 2**14 and uses its own > fragmentation, > but for UDP this is not possible. > To use user messages larger than 2^14, you need a link layer with an MTU of 2^14 > or > higher. Do you? > > <tp> > > I am assuming UDP, no SCTP, and a link layer MTU of at least 64kbyte, with a a > message something under 64kbyte to allow for potentially multiple DTLS headers > to still fit the original application message in a single UDP datagram. Haven't seen a link with an MTU of 64KByte yet, but at least in the future it might happen and Matt would love it... > > (In passing, I would love to see documentation on DTLS implementations but what > is publicly available seems scarce to non-existent). Our experience with the OpenSSL implementation of DTLS is pretty good, at least after applying the patches available from http://sctp.fh-muenster.de/ which mostly are integrated in the releases. Best regards Michael > > Tom Petch > > </tp> > > > > > > Best regards > Michael >> >> This is just my interpretation, but I think the specification is quite clear > on this, and your source is probably correct. >> >> >> Juho >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > >
- [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-09.txt Internet-Drafts
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Peter Gutmann
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Joseph Salowey (jsalowey)
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Martin Rex
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- [TLS] max_fragment_length values (was: RE: I-D Ac… Pasi.Eronen
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Donald Eastlake
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Martin Rex
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Peter Gutmann
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Nikos Mavrogiannopoulos
- [TLS] DTLS and large messages t.petch
- Re: [TLS] DTLS and large messages Juho Vähä-Herttua
- Re: [TLS] DTLS and large messages Michael Tüxen
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] DTLS and large messages t.petch
- Re: [TLS] DTLS and large messages Michael Tüxen
- Re: [TLS] DTLS and large messages Pasi.Eronen
- Re: [TLS] DTLS and large messages Michael Tüxen
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Peter Gutmann