View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000720 | LDMud 3.5 | Networking | public | 2010-01-29 15:33 | 2010-01-30 09:30 |
| Reporter | zesstra | Assigned To | |||
| Priority | low | Severity | feature | Reproducibility | N/A |
| Status | new | Resolution | open | ||
| Summary | 0000720: Support DTLS (Datagram Transport Layer Security) | ||||
| Description | Datagram Transport Layer Security (DTLS) protocol provides communications privacy for datagram protocols. It is based on the stream-oriented TLS protocol and is intended to provide similar security guarantees. Since we support TLS for TCP connections, I think we should also support DTLS. This may also open up the possibility to encrypt Intermud traffic transparently at some point in the future. Unfortunately, DTLS is not widely supported yet. OpenSSL has support for it, but no documentation at all. GnuTLS does not support it (yet?). Until that changes or I have much more time to look into the code of OpenSSL (*shudder*), this issue serves just as reminder for the future... | ||||
| Additional Information | http://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security http://www.net-snmp.org/wiki/index.php/DTLS_Implementation_Notes http://sctp.fh-muenster.de/dtls-samples.html http://archive.netbsd.se/?ml=openssl-users&a=2006-08&t=2303023 http://www.estacado.net/resip-dox/stack/files.html http://vpmn.googlecode.com/svn-history/r103/trunk/src/udpsrvdtls.c http://archive.netbsd.se/?ml=openssl-users&a=2009-01&m=9636051&list http://git.infradead.org/users/dwmw2/openconnect.git/tree | ||||
| Tags | No tags attached. | ||||
|
|
FTR. Some problems to solve later: a) we have to store a SSL session for each peer. Upon receiving a packet, we have to assign it to a specific peer / SSL session. b) we have to expire sessions at some point. c) what happens, if we expire a session but the peer thinks it is still valid and sends us encrypted data? d) if we use the same port for encrypted and unencrypted traffic, we have to decide which packets are intentionally not encrypted and should not trigger a session handshake. (e.g. if there is no SSL session for a peer, the packet has to contain something like STARTTLS to start a DTLS session, otherwise we send it directly to the mudlib...) |
