IETF Logo Mail Archive

Re: [tsvwg] Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083

Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Thu, 21 November 2019 17:24 UTC

Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF0411200E9 for <tsvwg@ietfa.amsl.com>; Thu, 21 Nov 2019 09:24:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZxPLWtq25zSj for <tsvwg@ietfa.amsl.com>; Thu, 21 Nov 2019 09:24:14 -0800 (PST)
Received: from drew.franken.de (mail-n.franken.de [193.175.24.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4385B120059 for <tsvwg@ietf.org>; Thu, 21 Nov 2019 09:24:14 -0800 (PST)
Received: from [10.14.2.251] (unknown [134.106.100.172]) (Authenticated sender: lurchi) by mail-n.franken.de (Postfix) with ESMTPSA id E3C9D72106C29; Thu, 21 Nov 2019 18:24:09 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <67CF347253A4874C8F2A2A8CD1D9460B72D526DC@BLREML503-MBX.china.huawei.com>
Date: Thu, 21 Nov 2019 18:24:02 +0100
Cc: "tsvwg@ietf.org" <tsvwg@ietf.org>, Ashutosh prakash <ashutosh.prakash@huawei.com>, Shweta r <shweta.k.r@huawei.com>, Jyoti Ranjan Senapati <jyotiranjans@huawei.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8FD70531-A89F-4CDD-9E94-7B1B506A75BA@lurchi.franken.de>
References: <67CF347253A4874C8F2A2A8CD1D9460B72D526DC@BLREML503-MBX.china.huawei.com>
To: Sidhartha pant <sidhartha.pant@huawei.com>
X-Mailer: Apple Mail (2.3601.0.10)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/o_1pQlit0BIqfL8gc6gD479Udu0>
Subject: Re: [tsvwg] Query regarding DTLS over SCTP: Client-Client collision scenario in RFC 6083
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 17:24:17 -0000

> On 18. Nov 2019, at 14:57, Sidhartha pant <sidhartha.pant@huawei.com> wrote:
> 
> Hi Michael,
>  
> I wish to discuss and take your opinion on one problem faced regarding Clients based on RFC 6083.
>  
> Point of discussion is a Client node based on RFC 6083 (DTLS over SCTP).
>  
> We are faced with a scenario which requires 2 nodes acting as Client connecting to each other using DTLS over SCTP.
>  
> Hence essentially its Client-Client scenario.
>  
> Problem faced :-
> How to establish a DTLS over SCTP connection in a Client-Client scenario ?
As you noted correctly, SCTP can deal with this (called INIT collision case) and results in a single SCTP association.
DTLS does NOT have this feature. Trying to use some features of the SCTP handshake to resolve the DTLS client/server
role isn't architecturally not the right way and might even not work at all. It definitely doesn't work using the
socket API.

I would suggest to use some data of the SCTP association to resolve it.
For example, you could use:
1. Compare the set of addresses of both sides and figure out if one side has a smallest (by some
   ordering (compare them in host byte order as uint32_t (IPv4) or uint128_t (IPv6).
   Then the side with the smallest address is the client (or server).
2. If the smallest address is the same, compare the port numbers. Then the side with the smallest port
   is the client (or server).
This only doesn't work if the smallest address is the same on both sides and the port numbers are
the same. This means an end-point is talking to itself. I think this does not occur in your setup.

Would this solve your problem in a portable way?

Best regards
Michael
 
> Since DTLS does not support Client-Client topology, hence to resolve this we have decided to rely on the SCTP collision scenario based on RFC 4960 Section 5.2
> Thus in this case SCTP Endpoint A acts as server and responds with INIT-ACK to the “unexpected” INIT received in COOKIE-WAIT state.
>  
> SCTP Endpoint A                               SCTP Endpoint B
>  
>    INIT---------------------------------------à
> ß-------------------------------------INIT
> INIT-ACK-------------------------------à
> ß---------------------------------COOKIE-ECHO
> COOKIE-ACK-------------------------à
>  
>  
>  
> Hence we can resolve the collision for DTLS ( just call SSL Accept at Endpoint A, instead of SSL Connect). Resolving Endpoint A as a Server in this case.
>  
> However, there is still a chance that Endpoint B also receives INIT-ACK after sending INIT-ACK, almost simultaneously), thus due to state of the Endpoint still remaining in COOKIE-WAIT results in both responding with COOKIE-ECHO and COOKIE-ACK subsequently (after moving to COOKIE-ECHOED).
>  
> As per RFC 4960 Section 5.2.4.  Handle a COOKIE ECHO when a TCB Exists
> “D) When both local and remote tags match, the endpoint should enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.  
>    It should stop any cookie timer that may be running and send a COOKIE ACK.”
>  
>  
>  
> SCTP Endpoint A                               SCTP Endpoint B
>  
>       <-------------------------------------- INIT
> INIT ----------------------------------à
> <----------------------------------INIT-ACK
>      INIT-ACK ----------------------------à
>                                                      Endpoint B receives INIT-ACK after sending INIT-ACK
>      ß--------------------------------COOKIE-ECHO
>       COOKIE-ECHO---------------------à
>       ß----------------------------------COOKIE-ACK
> COOKIE-ACK-------------------------à
>  
>  
> In this scenario, how do we decide to choose the endpoint for initiating the SSL CONNECT ( and SSL ACCEPT on the other) ? Both acted as server here.
> How do we create DTLS over SCTP connection in this case. Has someone else also faced this problem in the community, or we are missing something here ?
>  
> It will be great if you can throw some light on this.
>  
> Warm Regards,
> Sidhartha Pant
>  
> VPP Team 
> Huawei Technologies India Pvt. Ltd
> India

v2.23.0 | Report a Bug | By Email