[gnutls-help] Disable anti-replay protection in DTLS ?

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jun 10 10:04:33 CEST 2013

On Mon, Jun 10, 2013 at 4:43 AM, Sebastien Decugis
<sdecugis at freediameter.net> wrote:
> Hi Nikos,
>> Your understanding looks correct, having a method to disable the replay
>> protection may seem reasonable then. How would malicious replays be
>> detected in that case? Does the SCTP/DTLS protocol include it?
> This is a very good question :) I have done some more research and it appears that yes, when using DTLS over SCTP, the SCTP-AUTH extension must be used and this extension provides the anti-replay detection at the SCTP layer. When the extension is not used, there is a "light" protection in SCTP that is probably not sufficient to protect against malicious attacks.
> However, I realize that in order to use this SCTP-AUTH extension, more interaction between GNU TLS and the SCTP stack is required, in particular:
> - support for DTLS Keying Material Exporters as described in RFC5705 ( I did not find in the documentation if this is supported in GNU TLS),

Check gnutls_prf(). That allows access to the key material exporter.

> - ability to be notified *during* handshake so that the new derived key can be set for SCTP-AUTH before the "Finished" message is sent.

Currently hooks are allowed after client hello (post_client_hello) and
when a certificate is received. Most probably a hook to intercept the
handshake before or after any arbitrary handshake message would be
useful here. I'll try to add such functionality to 3.2 releases (in
addition with an API to disable the replay protection).

> I am going to start implementing DTLS over SCTP without using the SCTP-AUTH mechanism and without disabling the replay protection in a first step. Can you tell me the characteristics of the anti-replay window in GNU TLS? If I limit the number of streams I am using to this window, I should be able to avoid the messages being dropped.

The window size is 64 after gnutls 3.1.0 (may be 32 on 3.0.x).

> If you are interested, I will send you the link to this implementation (open source) so that you can use it for further tests.

That would be nice.


More information about the Gnutls-help mailing list