Datagram Transport Layer Security
Datagram Transport Layer Security (DTLS) is a
when being used to create a VPN tunnel.
Definition
The following documents define DTLS:
- RFC 5238 from May 2008[6] for use with Datagram Congestion Control Protocol (DCCP)
- RFC 5415 from March 2009 for use with Control And Provisioning of Wireless Access Points (CAPWAP)
- RFC 5764 from May 2010 for use with Secure Real-Time Transport Control Protocol (SRTCP)[9]
- RFC 6083 from January 2011[10] for use with Stream Control Transmission Protocol (SCTP) encapsulation
- RFC 9147 from April 2022[3] for use with User Datagram Protocol (UDP)
DTLS 1.0 is based on TLS 1.1, DTLS 1.2 is based on TLS 1.2, and DTLS 1.3 is based on TLS 1.3. There is no DTLS 1.1 because this version number was skipped in order to harmonize version numbers with TLS.[2] Like previous DTLS versions, DTLS 1.3 is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability".[11]
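The version numbering above is visible on the wire, which lets a defender spot DTLS 1.0 peers in captured traffic. The following Python code is an added example, not part of the original article: it reads the 13-byte DTLS 1.0/1.2 record header and reports the version a plaintext ServerHello selects. The header layout and the ones'-complement version encoding are taken from the DTLS RFCs rather than from this page; all function names and the sample datagram are constructed for illustration.

```python
import struct

RECORD = struct.Struct("!BHHHIH")  # type, version, epoch, seq (16+32 bits), length
HANDSHAKE, SERVER_HELLO = 22, 2
TLS_BASIS = {"1.0": "TLS 1.1", "1.2": "TLS 1.2", "1.3": "TLS 1.3"}

def version_name(wire):
    """DTLS stores versions as ones' complement: 0xFEFF -> 1.0, 0xFEFD -> 1.2."""
    return f"{255 - (wire >> 8)}.{255 - (wire & 0xFF)}"

def parse_records(datagram):
    """Yield (content_type, wire_version, epoch, body) for each record in a datagram."""
    offset = 0
    while offset < len(datagram):
        if len(datagram) - offset < RECORD.size:
            raise ValueError("truncated record header")
        ctype, ver, epoch, _hi, _lo, length = RECORD.unpack_from(datagram, offset)
        body = datagram[offset + RECORD.size: offset + RECORD.size + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, ver, epoch, body
        offset += RECORD.size + length

def negotiated_version(datagram):
    """Version field of a plaintext ServerHello, or None if the datagram has none.
    DTLS 1.3 keeps 0xFEFD here and signals 1.3 in an extension (not parsed)."""
    for ctype, _ver, epoch, body in parse_records(datagram):
        # 12-byte handshake header: type, length(3), msg_seq(2), frag_off(3), frag_len(3)
        if ctype == HANDSHAKE and epoch == 0 and len(body) >= 14 and body[0] == SERVER_HELLO:
            if body[6:9] == b"\x00\x00\x00":  # first fragment carries server_version
                return version_name(struct.unpack_from("!H", body, 12)[0])
    return None

def describe(datagram):
    v = negotiated_version(datagram)
    if v is None:
        return "no plaintext ServerHello"
    return f"DTLS {v} (based on {TLS_BASIS.get(v, 'no TLS version; never defined')})"

def sample_server_hello(wire_version):
    """Constructed input (not a capture): minimal single-fragment ServerHello."""
    hello = struct.pack("!H", wire_version) + bytes(32) + b"\x00" + b"\xc0\x2b" + b"\x00"
    size = len(hello).to_bytes(3, "big")
    hs = bytes([SERVER_HELLO]) + size + b"\x00\x00" + b"\x00\x00\x00" + size + hello
    return RECORD.pack(HANDSHAKE, wire_version, 0, 0, 0, len(hs)) + hs

if __name__ == "__main__":
    for wire in (0xFEFF, 0xFEFD):
        print(hex(wire), describe(sample_server_hello(wire)))
```

The value 0xFEFE would decode as "1.1", the version number that was skipped and never assigned.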
Implementations
Libraries
Implementation | DTLS 1.0[1] | DTLS 1.2[2] | DTLS 1.3[3] |
---|---|---|---|
Botan | Yes | Yes | |
cryptlib | No | No | |
GnuTLS | Yes | Yes | |
Java Secure Socket Extension | Yes | Yes | |
LibreSSL | Yes | Yes[12] | |
libsystools[13] | Yes | No | |
MatrixSSL | Yes | Yes | |
mbed TLS (previously PolarSSL) | Yes[14] | Yes[14] | |
Network Security Services | Yes[15] | Yes[16] | |
OpenSSL | Yes | Yes[17] | |
PyDTLS[18][19] | Yes | Yes | |
Python3-dtls[20][21] | Yes | Yes | |
RSA BSAFE | No | No | |
s2n | No | No | |
Schannel XP/2003, Vista/2008 | No | No | |
Schannel 7/2008R2, 8/2012, 8.1/2012R2, 10 | Yes[22] | No[22] | |
Schannel 10 (1607), 2016 | Yes | Yes[23] | |
Secure Transport OS X 10.2–10.7 / iOS 1–4 | No | No | |
Secure Transport OS X 10.8–10.10 / iOS 5–8 | Yes[24] | No | |
SharkSSL | No | No | |
tinydtls[25] | No | Yes | |
Waher.Security.DTLS[26] | No | Yes | |
wolfSSL (previously CyaSSL)[27] | Yes | Yes | Yes |
@nodertc/dtls [28][29] | No | Yes | |
java-dtls[30] | Yes | Yes | |
pion/dtls[31] (Go) | No | Yes | |
californium/scandium[32] (Java) | No | Yes | |
SNF4J[33] (Java) | Yes | Yes | |
Applications
- AnyConnect VPN Client uses TLS and invented DTLS-based VPN.[34]
- ocserv server that supports (D)TLS.[35]
- Cisco InterCloud Fabric uses DTLS to form a tunnel between private and public/provider compute environments.[36]
- Cato Networks utilizes DTLS v1.2 for the underlay tunnel used by both the Cato Socket and Cato ZTNA (formerly SDP) client when forming tunnels to the Cato POPs [37] and when forming off-cloud tunnels between Cato sockets.[38]
- ZScaler tunnel 2.0 for ZScaler Internet Access (ZIA) uses DTLS for tunneling. ZScaler Private Access (ZPA) does not support DTLS.[39]
- F5 Networks Edge VPN Client uses TLS and DTLS.[40]
- Fortinet's SSL VPN[41] and Array Networks SSL VPN[42] also use DTLS for VPN tunneling.
- Citrix Systems NetScaler uses DTLS to secure UDP.[43]
- Web browsers: Google Chrome, Opera and Firefox support DTLS-SRTP[44] for WebRTC. Firefox 86 and onward do not support DTLS 1.0.[45]
- Remote Desktop Protocol 8.0 and onwards.
Vulnerabilities
In February 2013 two researchers from Royal Holloway, University of London discovered a timing attackCipher Block Chaining mode encryption was used.
References
- ^ .
- ^ .
- ^ .
- ^ Titz, Olaf (2001-04-23). "Why TCP Over TCP Is A Bad Idea". Archived from the original on 2023-03-10. Retrieved 2015-10-17.
- S2CID 8945952.
- .
- .
- .
- IETF.
- .
- ^ "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".
- ^ "LibreSSL 3.3.2 Release Notes". The OpenBSD Project. 2021-05-01. Retrieved 2021-06-13.
- ^ Julien Kauffmann. "libsystools: A TLS/DTLS open source library for Windows/Linux using OpenSSL". SourceForge.
- ^ a b "mbed TLS 2.0.0 released". ARM. 2015-07-13. Retrieved 2015-08-25.
- ^ "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2013-01-17. Retrieved 2012-10-27.
- ^ "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Archived from the original on 2021-12-07. Retrieved 2014-06-30.
- ^ "As of version 1.0.2". The OpenSSL Project. 2015-01-22. Archived from the original on 2014-09-04. Retrieved 2015-01-26.
- ^ Ray Brown. "pydtls - Datagram Transport Layer Security for Python". GitHub.
- ^ Ray Brown. "DTLS for Python". Python Software Foundation.
- ^ Ray Brown/Mobius Software LTD. "pydtls - Datagram Transport Layer Security for Python". GitHub.
- ^ Ray Brown/Mobius Software LTD. "DTLS for Python3 Based on PyDTLS". Python Software Foundation.
- ^ a b "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
- ^ Justinha. "TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016". docs.microsoft.com. Retrieved 2017-09-01.
- ^ "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
- ^ Olaf Bergmann. "tinydtls". Eclipse Foundation.
- ^ Peter Waher. "Waher.Security.DTLS". Waher Data AB.
- ^ "wolfSSL Embedded SSL/TLS Library".
- ^ Dmitriy Tsvettsikh. "Secure UDP communications using DTLS in pure js". GitHub.
- npm.
- ^ Mobius Software LTD. "Non blocking Java DTLS Implementation based on BouncyCastle and Netty". Mobius Software LTD.
- ^ Sean DuBois. "pion/dtls: DTLS 1.2 Server/Client implementation for Go". GitHub.
- ^ "californium/scandium: DTLS 1.2 Server/Client implementation for java and coap. Includes connection id extension". Eclipse Foundation.
- ^ SNF4J.ORG. "Simple Network Framework for Java (SNF4J)". GitHub.
- ^ "AnyConnect FAQ: tunnels, reconnect behavior, and the inactivity timer". Cisco. Retrieved 26 February 2017.
- ^ "OpenConnect". OpenConnect. Retrieved 26 February 2017.
- Cisco Systems.
- ^ "Cato Networks Cipher Suites Used by the Cato Socket and SDP Client".
- ^ "Cato Networks Routing Traffic to an Off-Cloud Link".
- ZScaler.
- f5 Networks.
- ^ "Using DTLS to improve SSL VPN performance". Fortinet. 25 February 2016.
- ^ "array.c from OpenConnect". 23 May 2022.
- ^ "Configuring a DTLS Virtual Server". Citrix Systems.
- ^ "WebRTC Interop Notes". Archived from the original on 2013-05-11.
- ^ "Firefox 86.0, See All New Features, Updates and Fixes". Mozilla. 2021-02-23. Archived from the original on 2021-02-22. Retrieved 2021-02-23.
From Firefox 86 onward, DTLS 1.0 is no longer supported for establishing WebRTC's PeerConnections. All WebRTC services need to support DTLS 1.2 from now on as the minimum version.
- ^ "Plaintext-Recovery Attacks Against Datagram TLS" (PDF).
External links
- "Transport Layer Security (tls) - Charter". IETF.
- Modadugu, Nagendra; Rescorla, Eric (2003-11-21). "The Design and Implementation of Datagram TLS" (PDF). Stanford Crypto Group. Retrieved 2013-03-17.
- AlFardan, Nadhem J.; Paterson, Kenneth G. "Plaintext-Recovery Attacks Against Datagram TLS" (PDF). Retrieved 2013-11-25.
- Gibson, Steve; Laporte, Leo (2012-11-28). "Datagram Transport Layer Security". Security Now 380. Retrieved 2013-03-17. Skip to 1:07:14.
- Robin Seggelmann's Sample Code: echo, character generator, and discard client/servers.
- The Illustrated DTLS Connection