Re: [tsvwg] DTLS for SCTP: DTLS Chunk kernel part testing

[Michael Tuexen <michael.tuexen@lurchi.franken.de>]

> On 18. Mar 2024, at 08:58, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:
> 
> Thanks Michael,
>  I think your answer below makes it clear that it is possible to get DTLS chunk parties implemented in an open source operating system. I do understand the personal angle. I hope when the patent application becomes public before June the WG members will
Please understand what is formally possible might be different from what people
feel comfortable with. I think that the reservation I expressed is shared by
Marcelo, who is one of the Linux maintainers.

Best regards
Michael
> be able to analyze what the claimed IPR covers and what can be done without requiring any licensing and when such is needed in relation to different use cases where DTLS in SCTP would be useful security mechanism.  Cheers
>  Magnus
>   From: Michael Tuexen <michael.tuexen@lurchi.franken.de>
> Date: Monday, 18 March 2024 at 17:18
> To: Magnus Westerlund <magnus.westerlund@ericsson.com>
> Cc: tsvwg IETF list <tsvwg@ietf.org>
> Subject: Re: [tsvwg] DTLS for SCTP: DTLS Chunk kernel part testing
> > On 18. Mar 2024, at 00:04, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org> wrote:
> > 
> > Hi,
> >  In the design team we have discussion around barriers to implement DTLS Chunk (https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-westerlund-tsvwg-sctp-dtls-chunk%2F&data=05%7C02%7Cmagnus.westerlund%40ericsson.com%7Ca4a855b754f64854b5a108dc471b9922%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638463431055544643%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=%2BKABYn4u4Xl77PKqWt8aN4r3fFchD0MSfXG8Qv1v0Kc%3D&reserved=0) as part of SCTP stacks that are in open source OS kernels. The discussion in the design team indicated that they could implement and release the functionality described in the above draft. What was raised as an issue was the testing of this code using the API that would exist to the upper layer implementation that would implement the DTLS handshakes and rekeying per: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-westerlund-tsvwg-sctp-dtls-handshake%2F&data=05%7C02%7Cmagnus.westerlund%40ericsson.com%7Ca4a855b754f64854b5a108dc471b9922%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638463431055553156%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=uaZ2mnJRe3DvzYkS7xqgIFKWErFdmoY0ioBtrvPjrOg%3D&reserved=0.
> >  Is there any reason why one cannot actually write code to test this API without implementing almost any of draft-westerlund-tsvwg-sctp-dtls-handshake? I would think the goal of the kernel parts is to show that the lower layer and its API works and can
> Hi Magnus,
> 
> this is my personal opinion with respect to implementing this in FreeBSD.
> Of course, one can do what you suggest. When I would implement it, most
> likely I would add support for it in packetdrill to do some functional
> testing. I guess some fuzz testing with tools like syzkaller would also
> be done.
> But when I'm implementing something (functionality in the kernel and
> an API for it) which has mainly one use case, I would really prefer to
> be able to test this in this use case. This is my personal preference
> and nothing requires me to do this testing. But not testing it seem
> sub-optimal to me.
> 
> Best regards
> Michael
> > be used by a higher layer application on top of the SCTP stack. In a test application one could use hard coded keys and have multiple sets  to test rekeying and not run DTLS handshakes at all between the endpoints.
> >  Cheers
> >  Magnus