[gnutls-help] Disable anti-replay protection in DTLS ?

Sebastien Decugis sdecugis at freediameter.net
Sat Jun 8 04:19:49 CEST 2013

Thank you for your answers Nikos, more comments inline.

>   Currently there is no way to disable anti-replay protection. Would it
> really matter though? If you say there are no replays over SCTP what
> would this disabling buy?

I plan to use several streams over SCTP, and send my application 
messages (Diameter messages) over each streams in turn.
Let's imagine I have a large message (1^14 bytes) followed by a series 
of very short messages (few bytes). On the sending side, I am sending a 
first record with sequence number #1 over stream #1, length is 1^14 (I 
am simplifying). Then short record #2 over stream #2, record #3 over 
stream #3, etc...  Because the payload sizes are different, on the 
receiving side the messages for streams #2, #3, ... get delivered first 
and successfully parsed by the DTLS layer.

If I undertand correctly, the anti-replay protection might cause the 
record with sequence #1 to be discarded if it is delivered "too late" 
with respect to the sequence number. Is it correct? This would be an 
issue for the upper layer, hence the requirement in RFC 6083 to disable it.

I apologize if my understanding is incorrect, I am new to DTLS...

> No. gnutls_heartbeat_set_timeouts() is relevant to heartbeat message
> retransmission, not the DTLS handshake.

Ok, thank you for the clarification. Then, the documentation of gnutls 
is quite misleading :)

I think this is actually the same exact text as the 
gnutls_dtls_set_timeouts() documentation (which I not seen before your 

> There is (again) no direct way
> to disable those timeouts, but you can always set a retransmission
> timeout that is larger than the total handshake timeout, which is
> equivalent to having no retransmissions. You can set that using
> gnutls_dtls_set_timeouts().

Thank you for the hint! I will do so.

Best regards,

More information about the Gnutls-help mailing list