[gnutls-help] Disable anti-replay protection in DTLS ?

[Sebastien Decugis]

Hi Nikos,

> Your understanding looks correct, having a method to disable the replay
> protection may seem reasonable then. How would malicious replays be
> detected in that case? Does the SCTP/DTLS protocol include it?


This is a very good question :) I have done some more research and it appears that yes, when using DTLS over SCTP, the SCTP-AUTH extension must be used and this extension provides the anti-replay detection at the SCTP layer. When the extension is not used, there is a "light" protection in SCTP that is probably not sufficient to protect against malicious attacks.

However, I realize that in order to use this SCTP-AUTH extension, more interaction between GNU TLS and the SCTP stack is required, in particular:
- support for DTLS Keying Material Exporters as described in RFC5705 ( I did not find in the documentation if this is supported in GNU TLS),
- ability to be notified *during* handshake so that the new derived key can be set for SCTP-AUTH before the "Finished" message is sent.

Would you have any advice about these additional requirements?


I am going to start implementing DTLS over SCTP without using the SCTP-AUTH mechanism and without disabling the replay protection in a first step. Can you tell me the characteristics of the anti-replay window in GNU TLS? If I limit the number of streams I am using to this window, I should be able to avoid the messages being dropped.

If you are interested, I will send you the link to this implementation (open source) so that you can use it for further tests.

Best regards,
Sébastien.