Datagram Transport Layer Security
Datagram Transport Layer Security (DTLS) is a
packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP, it avoids the "TCP meltdown problem",[4][5]
when being used to create a VPN tunnel.
Definition
The following documents define DTLS:
- RFC 9147 for use with User Datagram Protocol (UDP),
- RFC 5238 for use with Datagram Congestion Control Protocol (DCCP),
- RFC 5415 for use with Control And Provisioning of Wireless Access Points (CAPWAP),
- RFC 6083 for use with Stream Control Transmission Protocol (SCTP) encapsulation,
- RFC 5764 for use with Secure Real-Time Transport Control Protocol (SRTCP).[6]
DTLS 1.0 is based on TLS 1.1, DTLS 1.2 is based on TLS 1.2, and DTLS 1.3 is based on TLS 1.3. There is no DTLS 1.1 because this version-number was skipped in order to harmonize version numbers with TLS.[2] Like previous DTLS versions, DTLS 1.3 is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability".[7]
Implementations
Libraries
This section needs additional citations for verification. (September 2023) |
Implementation | DTLS 1.0[1] | DTLS 1.2[2] | DTLS 1.3[3] |
---|---|---|---|
Botan | Yes | Yes | |
cryptlib | No | No | |
GnuTLS | Yes | Yes | |
Java Secure Socket Extension | Yes | Yes | |
LibreSSL | Yes | Yes[8] | |
libsystools[9] | Yes | No | |
MatrixSSL | Yes | Yes | |
mbed TLS (previously PolarSSL) | Yes[10] | Yes[10] | |
Network Security Services | Yes[11] | Yes[12] | |
OpenSSL | Yes | Yes[13] | |
PyDTLS[14][15] | Yes | Yes | |
Python3-dtls[16][17] | Yes | Yes | |
RSA BSAFE
|
No | No | |
s2n | No | No | |
Schannel XP/2003, Vista/2008
|
No | No | |
Schannel 7/2008R2, 8/2012, 8.1/2012R2, 10
|
Yes[18] | No[18] | |
Schannel 10 (1607), 2016
|
Yes | Yes[19] | |
Secure Transport OS X 10.2–10.7 / iOS 1–4 | No | No | |
Secure Transport OS X 10.8–10.10 / iOS 5–8 | Yes[20] | No | |
SharkSSL | No | No | |
tinydtls [21] | No | Yes | |
Waher.Security.DTLS [22] | No | Yes | |
wolfSSL (previously CyaSSL)[23] | Yes | Yes | Yes |
@nodertc/dtls [24][25] | No | Yes | |
java-dtls[26] | Yes | Yes | |
pion/dtls[27] (Go) | No | Yes | |
californium/scandium[28] (Java) | No | Yes | |
SNF4J[29] (Java) | Yes | Yes | |
Implementation | DTLS 1.0 | DTLS 1.2 | DTLS 1.3 |
Applications
- AnyConnect VPN Client uses TLS and invented DTLS based VPN.[30]
- ocserv server that supports (D)TLS.[31]
- Cisco InterCloud Fabric uses DTLS to form a tunnel between private and public/provider compute environments.[32]
- ZScaler tunnel 2.0 uses DTLS for tunneling.[33]
- F5 Networks Edge VPN Client uses TLS and DTLS.[34]
- Citrix Systems NetScaler uses DTLS to secure UDP.[35]
- Web browsers: Google Chrome, Opera and Firefox support DTLS-SRTP[36] for WebRTC. Firefox 86 and onward does not support DTLS 1.0.[37]
- Remote Desktop Protocol 8.0 and onwards.
Vulnerabilities
In February 2013 two researchers from Royal Holloway, University of London discovered a timing attackCipher Block Chaining mode encryption was used.
See also
References
- ^ .
- ^ .
- ^ .
- ^ Titz, Olaf (2001-04-23). "Why TCP Over TCP Is A Bad Idea". Archived from the original on 2023-03-10. Retrieved 2015-10-17.
{{cite web}}
: CS1 maint: bot: original URL status unknown (link) - S2CID 8945952.
- IETF.
- ^ "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".
- ^ "LibreSSL 3.3.2 Release Notes". The OpenBSD Project. 2021-05-01. Retrieved 2021-06-13.
- ^ Julien Kauffmann. "libsystools: A TLS/DTLS open source library for Windows/Linux using OpenSSL". SourceForge.
- ^ a b "mbed TLS 2.0.0 released". ARM. 2015-07-13. Retrieved 2015-08-25.
- ^ "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2013-01-17. Retrieved 2012-10-27.
- ^ "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Archived from the original on 2021-12-07. Retrieved 2014-06-30.
- ^ "As of version 1.0.2". The OpenSSL Project. The OpenSSL Project. 2015-01-22. Archived from the original on 2014-09-04. Retrieved 2015-01-26.
- ^ Ray Brown. "pydtls - Datagram Transport Layer Security for Python". GitHub.
- ^ Ray Brown. "DTLS for Python". Python Software Foundation.
- ^ Ray Brown/Mobius Software LTD. "pydtls - Datagram Transport Layer Security for Python". GitHub.
- ^ Ray Brown/Mobius Software LTD. "DTLS for Python3 Based on PyDTLS". Python Software Foundation.
- ^ a b "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
- ^ Justinha. "TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016". docs.microsoft.com. Retrieved 2017-09-01.
- ^ "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
- ^ Olaf Bergmann. "tinydtls". Eclipse Foundation.
- ^ Peter Waher. "Waher.Security.DTLS". Waher Data AB.
- ^ "wolfSSL Embedded SSL/TLS Library".
- ^ Dmitriy Tsvettsikh. "Secure UDP communications using DTLS in pure js". GitHub.
- npm.
- ^ Mobius Software LTD. "Non blocking Java DTLS Implementation based on BouncyCastle and Netty". Mobius Software LTD.
- ^ Sean DuBois. "pion/dtls: DTLS 1.2 Server/Client implementation for Go". GitHub.
- ^ "californium/scandium: DTLS 1.2 Server/Client implementation for java and coap. Includes connection id extension". Eclipse Foundation.
- ^ SNF4J.ORG. "Simple Network Framework for Java (SNF4J)". GitHub.
{{cite web}}
: CS1 maint: numeric names: authors list (link) - ^ "AnyConnect FAQ: tunnels, reconnect behavior, and the inactivity timer". Cisco. Retrieved 26 February 2017.
- ^ "OpenConnect". OpenConnect. Retrieved 26 February 2017.
- Cisco Systems.
- ZScaler.
- f5 Networks.
- ^ "Configuring a DTLS Virtual Server". Citrix Systems.
- ^ "WebRTC Interop Notes". Archived from the original on 2013-05-11.
- ^ "Firefox 86.0, See All New Features, Updates and Fixes". Mozilla. 2021-02-23. Archived from the original on 2021-02-22. Retrieved 2021-02-23.
From Firefox 86 onward, DTLS 1.0 is no longer supported for establishing WebRTC's PeerConnections. All WebRTC services need to support DTLS 1.2 from now on as the minimum version.
- ^ "Plaintext-Recovery Attacks Against Datagram TLS" (PDF).
External links
- "Transport Layer Security (tls) - Charter". IETF.
- Modadugu, Nagendra; Rescorla, Eric (2003-11-21). "The Design and Implementation of Datagram TLS" (PDF). StanfordCrypto Group. Retrieved 2013-03-17.
- AlFardan, Nadhem J.; Paterson, Kenneth G. "Plaintext-Recovery Attacks Against Datagram TLS" (PDF). Retrieved 2013-11-25.
- Gibson, Steve; Laporte, Leo (2012-11-28). "Datagram Transport Layer Security". Security Now 380. Retrieved 2013-03-17. Skip to 1:07:14.
- Robin Seggelmann's Sample Code: echo, character generator, and discard client/servers.
- The Illustrated DTLS Connection