[gnutls-help] Disable anti-replay protection in DTLS ?

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jun 8 20:18:36 CEST 2013


On 06/08/2013 04:19 AM, Sebastien Decugis wrote:

> Thank you for your answers Nikos, more comments inline.
> 
>>   Currently there is no way to disable anti-replay protection. Would it
>> really matter though? If you say there are no replays over SCTP what
>> would this disabling buy?
> 
> I plan to use several streams over SCTP, and send my application
> messages (Diameter messages) over each stream in turn.
> Let's imagine I have a large message (1^14 bytes) followed by a series
> of very short messages (few bytes). On the sending side, I am sending a
> first record with sequence number #1 over stream #1, length is 1^14 (I
> am simplifying). Then short record #2 over stream #2, record #3 over
> stream #3, etc...  Because the payload sizes are different, on the
> receiving side the messages for streams #2, #3, ... get delivered first
> and successfully parsed by the DTLS layer.
> 
> If I understand correctly, the anti-replay protection might cause the
> record with sequence #1 to be discarded if it is delivered "too late"
> with respect to the sequence number. Is it correct? This would be an
> issue for the upper layer, hence the requirement in RFC 6083 to disable it.
> 
> I apologize if my understanding is incorrect, I am new to DTLS...

Your understanding looks correct, having a method to disable the replay
protection may seem reasonable then. How would malicious replays be
detected in that case? Does the SCTP/DTLS protocol include it?

> Ok, thank you for the clarification. Then, the documentation of gnutls
> is quite misleading :)
>
> http://gnutls.org/manual/gnutls.html#index-gnutls_005fheartbeat_005fset_005ftimeouts

Thanks. I've now corrected it.

regards,
Nikos
