View Issue Details

ID: 0000720
Project: LDMud 3.5
Category: Networking
View Status: public
Last Update: 2010-01-30 08:30
Reporter: zesstra
Assigned To:
Priority: low
Severity: feature
Reproducibility: N/A
Status: new
Resolution: open
Summary: 0000720: Support DTLS (Datagram Transport Layer Security)
Description:
Datagram Transport Layer Security (DTLS) protocol provides communications privacy for datagram protocols. It is based on the stream-oriented TLS protocol and is intended to provide similar security guarantees.
Since we support TLS for TCP connections, I think we should also support DTLS. This may also open up the possibility to encrypt Intermud traffic transparently at some point in the future.

Unfortunately, DTLS is not widely supported yet. OpenSSL has support for it, but no documentation at all. GnuTLS does not support it (yet?).
Until that changes or I have much more time to look into the code of OpenSSL (*shudder*), this issue serves just as a reminder for the future...
Additional Information:
http://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security
http://www.net-snmp.org/wiki/index.php/DTLS_Implementation_Notes
http://sctp.fh-muenster.de/dtls-samples.html
http://archive.netbsd.se/?ml=openssl-users&a=2006-08&t=2303023
http://www.estacado.net/resip-dox/stack/files.html
http://vpmn.googlecode.com/svn-history/r103/trunk/src/udpsrvdtls.c
http://archive.netbsd.se/?ml=openssl-users&a=2009-01&m=9636051&list
http://git.infradead.org/users/dwmw2/openconnect.git/tree
Tags: No tags attached.

Activities

zesstra

2010-01-30 08:30

administrator   ~0001710

FTR. Some problems to solve later:
a) we have to store an SSL session for each peer. Upon receiving a packet, we have to assign it to a specific peer / SSL session.
b) we have to expire sessions at some point.
c) what happens if we expire a session but the peer thinks it is still valid and sends us encrypted data?
d) if we use the same port for encrypted and unencrypted traffic, we have to decide which packets are intentionally not encrypted and should not trigger a session handshake. (e.g. if there is no SSL session for a peer, the packet has to contain something like STARTTLS to start a DTLS session, otherwise we send it directly to the mudlib...)
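
The routing decision raised in points a) to d) of the note above, as an added C example that is not part of the issue or of LDMud's code. The table size, the 300-second idle timeout, the literal `STARTTLS` marker and the choice to drop record-shaped datagrams from unknown peers are all assumptions, and the packet in `main` is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_PEERS    64
#define IDLE_TIMEOUT 300   /* assumed idle lifetime in seconds, point (b) */

enum route { TO_MUDLIB, TO_SESSION, START_HANDSHAKE, DROP_STALE, DROP_FULL };

struct peer { uint32_t addr; uint16_t port; time_t last_seen; int in_use; };
static struct peer peers[MAX_PEERS];   /* a real slot would also hold the SSL* */

/* Point (a): map the sender to its session; point (b): expire lazily on lookup. */
static struct peer *find_peer(uint32_t addr, uint16_t port, time_t now) {
    for (int i = 0; i < MAX_PEERS; i++) {
        struct peer *p = &peers[i];
        if (!p->in_use || p->addr != addr || p->port != port) continue;
        if (now - p->last_seen > IDLE_TIMEOUT) { p->in_use = 0; return NULL; }
        return p;
    }
    return NULL;
}

/* 13-byte DTLS record header: content type 20..23, version 0xFEFF or 0xFEFD. */
static int looks_like_dtls(const uint8_t *d, size_t n) {
    return n >= 13 && d[0] >= 20 && d[0] <= 23 && d[1] == 0xFE
        && (d[2] == 0xFF || d[2] == 0xFD);
}

enum route classify(uint32_t addr, uint16_t port, const uint8_t *d, size_t n, time_t now) {
    struct peer *p = find_peer(addr, port, now);
    if (p) { p->last_seen = now; return TO_SESSION; }
    if (n >= 8 && memcmp(d, "STARTTLS", 8) == 0) {   /* point (d) marker */
        for (int i = 0; i < MAX_PEERS; i++)
            if (!peers[i].in_use) {
                peers[i] = (struct peer){ addr, port, now, 1 };
                return START_HANDSHAKE;
            }
        return DROP_FULL;   /* unauthenticated senders can fill the table */
    }
    /* Point (c): ciphertext for a session we no longer hold stays out of the mudlib. */
    return looks_like_dtls(d, n) ? DROP_STALE : TO_MUDLIB;
}

int main(void) {
    const uint8_t rec[13] = { 23, 0xFE, 0xFF };   /* constructed record header */
    printf("%d\n", classify(1, 4000, rec, sizeof rec, 1000));
}
```

A plaintext mudlib packet that happens to begin with a DTLS-shaped header would also be dropped by this rule, which is the trade-off of sharing one port.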

Issue History

Date Modified Username Field Change
2010-01-29 14:33 zesstra New Issue
2010-01-30 08:30 zesstra Note Added: 0001710
2010-01-30 08:30 zesstra Additional Information Updated