Re: [tsvwg] Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083

Sidhartha pant <sidhartha.pant@huawei.com> Fri, 22 November 2019 06:42 UTC

Return-Path: <sidhartha.pant@huawei.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DE97120110 for <tsvwg@ietfa.amsl.com>; Thu, 21 Nov 2019 22:42:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UOmtRN3mI9c4 for <tsvwg@ietfa.amsl.com>; Thu, 21 Nov 2019 22:42:05 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A41481200DE for <tsvwg@ietf.org>; Thu, 21 Nov 2019 22:42:04 -0800 (PST)
Received: from LHREML714-CAH.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 6CDF463A4F5DF0F88518; Fri, 22 Nov 2019 06:42:01 +0000 (GMT)
Received: from lhreml718-chm.china.huawei.com (10.201.108.69) by LHREML714-CAH.china.huawei.com (10.201.108.37) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 22 Nov 2019 06:41:54 +0000
Received: from lhreml718-chm.china.huawei.com (10.201.108.69) by lhreml718-chm.china.huawei.com (10.201.108.69) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Fri, 22 Nov 2019 06:41:54 +0000
Received: from BLREML408-HUB.china.huawei.com (10.20.4.47) by lhreml718-chm.china.huawei.com (10.201.108.69) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.1.1713.5 via Frontend Transport; Fri, 22 Nov 2019 06:41:54 +0000
Received: from BLREML503-MBX.china.huawei.com ([169.254.9.224]) by BLREML408-HUB.china.huawei.com ([10.20.4.47]) with mapi id 14.03.0439.000; Fri, 22 Nov 2019 12:11:29 +0530
From: Sidhartha pant <sidhartha.pant@huawei.com>
To: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
CC: "tsvwg@ietf.org" <tsvwg@ietf.org>, Ashutosh prakash <ashutosh.prakash@huawei.com>, Shweta r <shweta.k.r@huawei.com>, "Jyoti Ranjan Senapati" <jyotiranjans@huawei.com>
Thread-Topic: Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083
Thread-Index: AdWeFlMjpRKS5riqTy+mIM3CiiwOEgCTArEAACI0pyA=
Date: Fri, 22 Nov 2019 06:41:29 +0000
Message-ID: <67CF347253A4874C8F2A2A8CD1D9460B72D56CDE@BLREML503-MBX.china.huawei.com>
References: <67CF347253A4874C8F2A2A8CD1D9460B72D526DC@BLREML503-MBX.china.huawei.com> <8FD70531-A89F-4CDD-9E94-7B1B506A75BA@lurchi.franken.de>
In-Reply-To: <8FD70531-A89F-4CDD-9E94-7B1B506A75BA@lurchi.franken.de>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.150.217]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/3_f46JjtulIRzahbBjuVX4ud3uw>
Subject: Re: [tsvwg] Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2019 06:42:07 -0000

Hi Michael,

Thanks a lot for your response. Appreciate it.

I think we can solve our problem with the contention resolution as suggested by you ( 1. IP 2. Port).

Is there a standard for this? Since we would need to do this at both the ends of the association so this would need to be an Open standard ( to resolve any interoperability issues with Third party) ?

Also we have thought of resolving this contention with Initiate Tag ( since this is known at the initial Handshake), the larger one can be chosen as either Client or Server. Do you have any thoughts on that? This has a chance of failure when both Tag are same though (1 out of 2^32).

Thanks again.

Warm Regards,
Sidhartha

VPP Team
Huawei Technologies India Pvt. Ltd
India


-----Original Message-----
From: Michael Tuexen [mailto:Michael.Tuexen@lurchi.franken.de] 
Sent: 21 November 2019 22:54
To: Sidhartha pant <sidhartha.pant@huawei.com>
Cc: tsvwg@ietf.org; Ashutosh prakash <ashutosh.prakash@huawei.com>om>; Shweta r <shweta.k.r@huawei.com>om>; Jyoti Ranjan Senapati <jyotiranjans@huawei.com>
Subject: Re: Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083

> On 18. Nov 2019, at 14:57, Sidhartha pant <sidhartha.pant@huawei.com> wrote:
> 
> Hi Michael,
>  
> I wish to discuss and take your opinion on one problem faced regarding Clients based on RFC 6083.
>  
> Point of discussion is a Client node based on RFC 6083 (DTLS over SCTP).
>  
> We are faced with a scenario which requires 2 nodes acting as Client connecting to each other using DTLS over SCTP.
>  
> Hence essentially its Client-Client scenario.
>  
> Problem faced :-
> How to establish a DTLS over SCTP connection in a Client-Client scenario ?
As you noted correctly, SCTP can deal with this (called INIT collision case) and results in a single SCTP association.
DTLS does NOT have this feature. Trying to use some features of the SCTP handshake to resolve the DTLS client/server role isn't architecturally not the right way and might even not work at all. It definitely doesn't work using the socket API.

I would suggest to use some data of the SCTP association to resolve it.
For example, you could use:
1. Compare the set of addresses of both sides and figure out if one side has a smallest (by some
   ordering (compare them in host byte order as uint32_t (IPv4) or uint128_t (IPv6).
   Then the side with the smallest address is the client (or server).
2. If the smallest address is the same, compare the port numbers. Then the side with the smallest port
   is the client (or server).
This only doesn't work if the smallest address is the same on both sides and the port numbers are the same. This means an end-point is talking to itself. I think this does not occur in your setup.

Would this solve your problem in a portable way?

Best regards
Michael
 
> Since DTLS does not support Client-Client topology, hence to resolve 
> this we have decided to rely on the SCTP collision scenario based on RFC 4960 Section 5.2 Thus in this case SCTP Endpoint A acts as server and responds with INIT-ACK to the “unexpected” INIT received in COOKIE-WAIT state.
>  
> SCTP Endpoint A                               SCTP Endpoint B
>  
>    INIT---------------------------------------à
> ß-------------------------------------INIT
> INIT-ACK-------------------------------à
> ß---------------------------------COOKIE-ECHO
> COOKIE-ACK-------------------------à
>  
>  
>  
> Hence we can resolve the collision for DTLS ( just call SSL Accept at Endpoint A, instead of SSL Connect). Resolving Endpoint A as a Server in this case.
>  
> However, there is still a chance that Endpoint B also receives INIT-ACK after sending INIT-ACK, almost simultaneously), thus due to state of the Endpoint still remaining in COOKIE-WAIT results in both responding with COOKIE-ECHO and COOKIE-ACK subsequently (after moving to COOKIE-ECHOED).
>  
> As per RFC 4960 Section 5.2.4.  Handle a COOKIE ECHO when a TCB Exists
> “D) When both local and remote tags match, the endpoint should enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.  
>    It should stop any cookie timer that may be running and send a COOKIE ACK.”
>  
>  
>  
> SCTP Endpoint A                               SCTP Endpoint B
>  
>       <-------------------------------------- INIT INIT 
> ----------------------------------à
> <----------------------------------INIT-ACK
>      INIT-ACK ----------------------------à
>                                                      Endpoint B receives INIT-ACK after sending INIT-ACK
>      ß--------------------------------COOKIE-ECHO
>       COOKIE-ECHO---------------------à
>       ß----------------------------------COOKIE-ACK
> COOKIE-ACK-------------------------à
>  
>  
> In this scenario, how do we decide to choose the endpoint for initiating the SSL CONNECT ( and SSL ACCEPT on the other) ? Both acted as server here.
> How do we create DTLS over SCTP connection in this case. Has someone else also faced this problem in the community, or we are missing something here ?
>  
> It will be great if you can throw some light on this.
>  
> Warm Regards,
> Sidhartha Pant
>  
> VPP Team
> Huawei Technologies India Pvt. Ltd
> India