Support for dtls connection id extension? #27
Comments
|
We've implemented a minimalistic form of DTLS CID in a private project but it's not in a good shape right now to be released publicly as it relies on many hardcoded bits. There's some internals that make it clunky to implement so if there's official upstream interest/support we're happy to collaborate. |
|
The official status is that it is currently not supported by the upstream tinydtls. It should not be too hard to implement, though (maybe @erkki can share more details?) |
|
I'm interested to test the interoperability with Eclipse - Californium, at least the device-client side. Would it be possible to get access to your work? |
|
@boaks by all means, we are already running against leshan/californium, in fact your work there was our starting point. I'll revisit and try to share something. |
|
:-), cool! |
|
Sorry for being late, I was hoping to go through the code again to refresh up and maybe make some bits nicer. This didn't happen, so opening it up as it is in its current state and then we can take it from there. We have a limited implementation with a fixed CID length (also hardcoded leshan side in our usage) format so this would probably have to change in a more general solution. Happy to help with implementation and/testing once there's established interest and direction. |
|
just if you are still interested in the recent development, I added a build-in cid-load-balancer to Californium. The current plan is to add this the the upcoming Californium release 2.5.0 next week. |
|
@boaks this looks great! Definitely interested, albeit little time constrained. We're doing field testing now with some devices but for the next phase we would definitely need something like this on the server/infra side for HA/LB. I've been trying to keep up with the RFC discussions as well so probably need a rebase+refresh at some point. Curious if you have a backwards compatibility plan with the recent RFC changes and client code with CID length specificers :) |
So am I :-)
There are three ways to go:
So for now, the only topic discussed to change seems to be the MAC. But until the RFC gets really released, I don't think it's worth to frequently adapt to those MAC updates based on cryptographic hygiene. The discussion about more clarification on "variable length CID" encoding doesn't affect Californium's implementation. There it's just delegated to the implementation of The only "claimed threat" left seems to be a "false valid" for the MAC of the FINISH message, if handshake messages are manipulated. Generally, the So, let's look forward, what will be presented as release by the IETF-TLS working group. |
|
Yes makes sense, we're already using |
|
The last information on that MAC change is, that also a new hello_extension code point (currently 53) will be assigned by the IANA with the release of the draft-ietf-tls-dtls-connection-id. The old one will stay reserved for a while. |
|
For the case, you're still interested:
Californium reached also version 3.0.0 (support compliant to RFC9146). |
|
Sounds good! I'll give this a test in the lab :) |
|
Have you been able to have a look on it? Does it work for you? For my developments in the last two years, DTLS CID, so simple it is, turned into the enabler technology for successfully DTLS load-balancing with long term session, and for (half :-) ) high availability using a dtls graceful restart. Hope this could get some more adoption in the next year. |
|
Sorry, been tied up. Definitely want to give this a test run in the lab this weekend. For us, also, DTLS CID has been a huge enabler, due to the IP roaming issue prevalent otherwise. |
|
Just to mention: |
Does tinydtls support the dtls connection id extension? (See https://datatracker.ietf.org/doc/draft-ietf-tls-dtls-connection-id/ for details)
If not, does anyone familiar with the project have an idea of how much effort it would be to add support?
The text was updated successfully, but these errors were encountered: