Re: [tsvwg] Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083
Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Wed, 04 December 2019 08:44 UTC
Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F264120129 for <tsvwg@ietfa.amsl.com>; Wed, 4 Dec 2019 00:44:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FIubD5YMX8wI for <tsvwg@ietfa.amsl.com>; Wed, 4 Dec 2019 00:44:03 -0800 (PST)
Received: from drew.franken.de (mail-n.franken.de [193.175.24.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6403E120127 for <tsvwg@ietf.org>; Wed, 4 Dec 2019 00:44:02 -0800 (PST)
Received: from [10.0.1.118] (unknown [212.201.121.94]) (Authenticated sender: lurchi) by mail-n.franken.de (Postfix) with ESMTPSA id C2C3D72106C37; Wed, 4 Dec 2019 09:43:58 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <67CF347253A4874C8F2A2A8CD1D9460B72D56CDE@BLREML503-MBX.china.huawei.com>
Date: Wed, 04 Dec 2019 09:43:31 +0100
Cc: "tsvwg@ietf.org" <tsvwg@ietf.org>, Ashutosh prakash <ashutosh.prakash@huawei.com>, Shweta r <shweta.k.r@huawei.com>, Jyoti Ranjan Senapati <jyotiranjans@huawei.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <20CD588F-D5E5-4349-B380-92054BFD5668@lurchi.franken.de>
References: <67CF347253A4874C8F2A2A8CD1D9460B72D526DC@BLREML503-MBX.china.huawei.com> <8FD70531-A89F-4CDD-9E94-7B1B506A75BA@lurchi.franken.de> <67CF347253A4874C8F2A2A8CD1D9460B72D56CDE@BLREML503-MBX.china.huawei.com>
To: Sidhartha pant <sidhartha.pant@huawei.com>
X-Mailer: Apple Mail (2.3601.0.10)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/Tvxsvp7F80QOOPD4FgpArlhj2W8>
Subject: Re: [tsvwg] Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2019 08:44:06 -0000
> On 22. Nov 2019, at 07:41, Sidhartha pant <sidhartha.pant@huawei.com> wrote: > > Hi Michael, > > Thanks a lot for your response. Appreciate it. > > I think we can solve our problem with the contention resolution as suggested by you ( 1. IP 2. Port). Please note that you must ensure that both sides see the same IP-addresses and port numbers. So there MUST NOT be a NAT involved. > > Is there a standard for this? Since we would need to do this at both the ends of the association so this would need to be an Open standard ( to resolve any interoperability issues with Third party) ? No. I would expect that the specification which requires the use of DTLS/SCTP also specifies the client/server role for DTLS. What specification are you using for the scenario you are describing? > > Also we have thought of resolving this contention with Initiate Tag ( since this is known at the initial Handshake), the larger one can be chosen as either Client or Server. Do you have any thoughts on that? This has a chance of failure when both Tag are same though (1 out of 2^32). I don't like solutions which work conceptually only most of the times. The verification tags are also not exposed to the application via the socket API, which is specified in https://tools.ietf.org/html/rfc6458. Best regards Michael > > Thanks again. > > Warm Regards, > Sidhartha > > VPP Team > Huawei Technologies India Pvt. Ltd > India > > > -----Original Message----- > From: Michael Tuexen [mailto:Michael.Tuexen@lurchi.franken.de] > Sent: 21 November 2019 22:54 > To: Sidhartha pant <sidhartha.pant@huawei.com> > Cc: tsvwg@ietf.org; Ashutosh prakash <ashutosh.prakash@huawei.com>; Shweta r <shweta.k.r@huawei.com>; Jyoti Ranjan Senapati <jyotiranjans@huawei.com> > Subject: Re: Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083 > >> On 18. Nov 2019, at 14:57, Sidhartha pant <sidhartha.pant@huawei.com> wrote: >> >> Hi Michael, >> >> I wish to discuss and take your opinion on one problem faced regarding Clients based on RFC 6083. >> >> Point of discussion is a Client node based on RFC 6083 (DTLS over SCTP). >> >> We are faced with a scenario which requires 2 nodes acting as Client connecting to each other using DTLS over SCTP. >> >> Hence essentially its Client-Client scenario. >> >> Problem faced :- >> How to establish a DTLS over SCTP connection in a Client-Client scenario ? > As you noted correctly, SCTP can deal with this (called INIT collision case) and results in a single SCTP association. > DTLS does NOT have this feature. Trying to use some features of the SCTP handshake to resolve the DTLS client/server role isn't architecturally not the right way and might even not work at all. It definitely doesn't work using the socket API. > > I would suggest to use some data of the SCTP association to resolve it. > For example, you could use: > 1. Compare the set of addresses of both sides and figure out if one side has a smallest (by some > ordering (compare them in host byte order as uint32_t (IPv4) or uint128_t (IPv6). > Then the side with the smallest address is the client (or server). > 2. If the smallest address is the same, compare the port numbers. Then the side with the smallest port > is the client (or server). > This only doesn't work if the smallest address is the same on both sides and the port numbers are the same. This means an end-point is talking to itself. I think this does not occur in your setup. > > Would this solve your problem in a portable way? > > Best regards > Michael > >> Since DTLS does not support Client-Client topology, hence to resolve >> this we have decided to rely on the SCTP collision scenario based on RFC 4960 Section 5.2 Thus in this case SCTP Endpoint A acts as server and responds with INIT-ACK to the “unexpected” INIT received in COOKIE-WAIT state. >> >> SCTP Endpoint A SCTP Endpoint B >> >> INIT---------------------------------------à >> ß-------------------------------------INIT >> INIT-ACK-------------------------------à >> ß---------------------------------COOKIE-ECHO >> COOKIE-ACK-------------------------à >> >> >> >> Hence we can resolve the collision for DTLS ( just call SSL Accept at Endpoint A, instead of SSL Connect). Resolving Endpoint A as a Server in this case. >> >> However, there is still a chance that Endpoint B also receives INIT-ACK after sending INIT-ACK, almost simultaneously), thus due to state of the Endpoint still remaining in COOKIE-WAIT results in both responding with COOKIE-ECHO and COOKIE-ACK subsequently (after moving to COOKIE-ECHOED). >> >> As per RFC 4960 Section 5.2.4. Handle a COOKIE ECHO when a TCB Exists >> “D) When both local and remote tags match, the endpoint should enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. >> It should stop any cookie timer that may be running and send a COOKIE ACK.” >> >> >> >> SCTP Endpoint A SCTP Endpoint B >> >> <-------------------------------------- INIT INIT >> ----------------------------------à >> <----------------------------------INIT-ACK >> INIT-ACK ----------------------------à >> Endpoint B receives INIT-ACK after sending INIT-ACK >> ß--------------------------------COOKIE-ECHO >> COOKIE-ECHO---------------------à >> ß----------------------------------COOKIE-ACK >> COOKIE-ACK-------------------------à >> >> >> In this scenario, how do we decide to choose the endpoint for initiating the SSL CONNECT ( and SSL ACCEPT on the other) ? Both acted as server here. >> How do we create DTLS over SCTP connection in this case. Has someone else also faced this problem in the community, or we are missing something here ? >> >> It will be great if you can throw some light on this. >> >> Warm Regards, >> Sidhartha Pant >> >> VPP Team >> Huawei Technologies India Pvt. Ltd >> India >
- [tsvwg] Query regarding DTLS over SCTP: Client-Cl… Sidhartha pant
- Re: [tsvwg] Query regarding DTLS over SCTP: Clien… Sidhartha pant
- Re: [tsvwg] Query regarding DTLS over SCTP: Clien… Michael Tuexen
- Re: [tsvwg] Query regarding DTLS over SCTP: Clien… Sidhartha pant
- Re: [tsvwg] Query regarding DTLS over SCTP: Clien… Michael Tuexen