Re: [tsvwg] Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083

Sidhartha pant <sidhartha.pant@huawei.com> Thu, 21 November 2019 14:34 UTC

From: Sidhartha pant <sidhartha.pant@huawei.com>
To: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>, "tsvwg@ietf.org" <tsvwg@ietf.org>
CC: Ashutosh prakash <ashutosh.prakash@huawei.com>, Shweta r <shweta.k.r@huawei.com>, Jyoti Ranjan Senapati <jyotiranjans@huawei.com>
Date: Thu, 21 Nov 2019 14:34:16 +0000
Message-ID: <67CF347253A4874C8F2A2A8CD1D9460B72D56BC4@BLREML503-MBX.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/5eK2PagKmj_fc6lDEcfW0VbtIPc>

Hi Michael,

Did you get a chance to read the following email?
It would be really helpful if you could provide your valuable views. Looking forward to your response.

Warm Regards,
Sidhartha

VPP Team
Huawei Technologies India Pvt. Ltd
India


From: Sidhartha pant
Sent: 18 November 2019 19:27
To: 'Michael Tuexen' <Michael.Tuexen@lurchi.franken.de>; 'tsvwg@ietf.org' <tsvwg@ietf.org>
Cc: Ashutosh prakash <ashutosh.prakash@huawei.com>; Shweta r <shweta.k.r@huawei.com>; Jyoti Ranjan Senapati <jyotiranjans@huawei.com>
Subject: Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083

Hi Michael,

I wish to discuss and take your opinion on one problem we face regarding Clients based on RFC 6083.

The point of discussion is a Client node based on RFC 6083 (DTLS over SCTP).

We are faced with a scenario which requires 2 nodes, both acting as Clients, connecting to each other using DTLS over SCTP.

Hence essentially it is a Client-Client scenario.

Problem faced:
How to establish a DTLS over SCTP connection in a Client-Client scenario?

Since DTLS does not support a Client-Client topology, to resolve this we have decided to rely on the SCTP collision scenario based on RFC 4960 Section 5.2.
Thus in this case SCTP Endpoint A acts as server and responds with INIT-ACK to the "unexpected" INIT received in the COOKIE-WAIT state.

SCTP Endpoint A                               SCTP Endpoint B

INIT ---------------------------------------->
<---------------------------------------- INIT
INIT-ACK ------------------------------------>
<--------------------------------- COOKIE-ECHO
COOKIE-ACK ---------------------------------->

Hence we can resolve the collision for DTLS (just call SSL Accept at Endpoint A, instead of SSL Connect), resolving Endpoint A as a Server in this case.

However, there is still a chance that Endpoint B also receives an INIT-ACK after sending its own INIT-ACK (almost simultaneously); since the state of the Endpoint still remains COOKIE-WAIT, this results in both responding with COOKIE-ECHO and subsequently COOKIE-ACK (after moving to COOKIE-ECHOED).

As per RFC 4960 Section 5.2.4, "Handle a COOKIE ECHO when a TCB Exists":

"D) When both local and remote tags match, the endpoint should enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.

   It should stop any cookie timer that may be running and send a COOKIE ACK."

SCTP Endpoint A                               SCTP Endpoint B

<---------------------------------------- INIT
INIT ---------------------------------------->
<------------------------------------ INIT-ACK
INIT-ACK ------------------------------------>
                                              (Endpoint B receives INIT-ACK after sending INIT-ACK)
<--------------------------------- COOKIE-ECHO
COOKIE-ECHO --------------------------------->
<---------------------------------- COOKIE-ACK
COOKIE-ACK ---------------------------------->


In this scenario, how do we decide which endpoint initiates the SSL CONNECT (and which does the SSL ACCEPT on the other side)? Both acted as server here.
How do we create a DTLS over SCTP connection in this case? Has someone else in the community also faced this problem, or are we missing something here?

It will be great if you can throw some light on this.

Warm Regards,
Sidhartha Pant

VPP Team
Huawei Technologies India Pvt. Ltd
India
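One way to break the tie deterministically, as an added example that is not the original poster's code and not a rule specified by RFC 6083 or RFC 4960: once the association is ESTABLISHED, each endpoint holds both its own Initiate Tag and the peer's, so each side can derive the DTLS role locally without any further signalling. The tag-ordering rule, the `Endpoint` fields and the sample tags are assumptions.

```python
"""Deterministic DTLS role arbitration after an SCTP INIT collision.

Added example, not code from the original thread or from RFC 6083/4960.
Assumption: after the RFC 4960 Section 5.2 collision resolves, each endpoint
knows its own Initiate Tag (the one it sent in its INIT) and the peer's
Initiate Tag (received in the peer's INIT).  Both are random, non-zero 32-bit
values, so ordering them gives both sides the same answer.  Address and port
break the (improbable) tie of equal tags.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    addr: str       # transport address used for the association (assumed field)
    port: int       # SCTP port (assumed field)
    init_tag: int   # Initiate Tag this endpoint put in its INIT (assumed field)


def dtls_role(local: Endpoint, peer: Endpoint) -> str:
    """Return 'accept' (act as DTLS server) or 'connect' (act as DTLS client).

    Rule (assumed, not from the RFCs): the side whose (Initiate Tag, address,
    port) tuple sorts lower calls SSL_accept; the other calls SSL_connect.
    Because both sides evaluate the same two tuples, the roles are always
    complementary, whichever side happened to send COOKIE-ACK first.
    """
    if local == peer:
        raise ValueError("local and peer endpoints must differ")
    mine = (local.init_tag, local.addr, local.port)
    theirs = (peer.init_tag, peer.addr, peer.port)
    return "accept" if mine < theirs else "connect"


def simulate_collision(a: Endpoint, b: Endpoint) -> tuple:
    """Both endpoints independently apply the rule; returns (role_a, role_b)."""
    return dtls_role(a, b), dtls_role(b, a)


def roles_are_complementary(roles: tuple) -> bool:
    """Exactly one side must accept and the other connect."""
    return sorted(roles) == ["accept", "connect"]


if __name__ == "__main__":
    # Constructed sample values; real Initiate Tags are chosen randomly.
    A = Endpoint("10.0.0.1", 5000, 0x1A2B3C4D)
    B = Endpoint("10.0.0.2", 5000, 0x0F0E0D0C)
    print(simulate_collision(A, B))   # B has the lower tag, so B accepts
```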