Table of Contents Categories
  Encyclosphere.org ENCYCLOREADER
  supported by EncyclosphereKSF

Datagram Transport Layer Security

From HandWiki - Reading time: 10 min

Not to be confused with TDLS.
Short description: Communications protocol

Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designedREFERENCE FOR RFC4347 IS NOT DEFINED YET. You are invited to add it here.'REFERENCE FOR RFC6347 IS NOT DEFINED YET. You are invited to add it here.'REFERENCE FOR RFC9147 IS NOT DEFINED YET. You are invited to add it here. to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP), the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP it avoids the TCP meltdown problem[1][2] when being used to create a VPN tunnel.

Definition

The following documents define DTLS:

  • RFC 5238 from May 2008REFERENCE FOR RFC5238 IS NOT DEFINED YET. You are invited to add it here. for use with Datagram Congestion Control Protocol (DCCP)
  • RFC 5415 from March 2009REFERENCE FOR RFC5415 IS NOT DEFINED YET. You are invited to add it here. for use with Control And Provisioning of Wireless Access Points (CAPWAP)
  • RFC 5764 from May 2010REFERENCE FOR RFC5764 IS NOT DEFINED YET. You are invited to add it here. for use with Secure Real-time Transport Protocol (SRTP) subsequently called DTLS-SRTP in a draft with Secure Real-Time Transport Control Protocol (SRTCP)[3]
  • RFC 6083 from January 2011REFERENCE FOR RFC6083 IS NOT DEFINED YET. You are invited to add it here. for use with Stream Control Transmission Protocol (SCTP) encapsulation
  • RFC 6347 from January 2012REFERENCE FOR RFC6347 IS NOT DEFINED YET. You are invited to add it here. defining DTLS 1.2
  • RFC 9147 from April 2022REFERENCE FOR RFC9147 IS NOT DEFINED YET. You are invited to add it here. defining DTLS 1.3

DTLS 1.0 is based on TLS 1.1, DTLS 1.2 is based on TLS 1.2, and DTLS 1.3 is based on TLS 1.3. There is no DTLS 1.1 because this version-number was skipped in order to harmonize version numbers with TLS.REFERENCE FOR RFC6347 IS NOT DEFINED YET. You are invited to add it here. Like previous DTLS versions, DTLS 1.3 is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability".[4]

Implementations

Libraries

Library support for DTLS
Implementation DTLS 1.0REFERENCE FOR RFC4347 IS NOT DEFINED YET. You are invited to add it here. DTLS 1.2REFERENCE FOR RFC6347 IS NOT DEFINED YET. You are invited to add it here. DTLS 1.3REFERENCE FOR RFC9147 IS NOT DEFINED YET. You are invited to add it here.
Botan Yes Yes
cryptlib No No
GnuTLS Yes Yes
Java Secure Socket Extension Yes Yes
LibreSSL Yes Yes[5]
libsystools[6] Yes No
MatrixSSL Yes Yes
mbed TLS (previously PolarSSL) Yes[7] Yes[7]
Network Security Services Yes[8] Yes[9]
OpenSSL Yes Yes[10]
PyDTLS[11][12] Yes Yes
Python3-dtls[13][14] Yes Yes
RSA BSAFE No No
s2n No No
Schannel XP/2003, Vista/2008 No No
Schannel 7/2008R2, 8/2012, 8.1/2012R2, 10 Yes[15] No[15]
Schannel 10 (1607), 2016 Yes Yes[16]
Secure Transport OS X 10.2–10.7 / iOS 1–4 No No
Secure Transport OS X 10.8–10.10 / iOS 5–8 Yes[17] No
SharkSSL No No
tinydtls [18] No Yes
Waher.Security.DTLS [19] No Yes
wolfSSL (previously CyaSSL)[20] Yes Yes Yes
@nodertc/dtls [21][22] No Yes
java-dtls[23] Yes Yes
pion/dtls[24] (Go) No Yes
californium/scandium[25] (Java) No Yes
SNF4J[26] (Java) Yes Yes
Implementation DTLS 1.0 DTLS 1.2 DTLS 1.3

Applications

  • Cisco AnyConnect VPN Client uses TLS and invented DTLS-based VPN.[27]
  • OpenConnect is an open source AnyConnect-compatible client and ocserv server that supports (D)TLS.[28]
  • Cisco InterCloud Fabric uses DTLS to form a tunnel between private and public/provider compute environments.[29]
  • Cato Networks utilizes DTLS v1.2 for the underlay tunnel used by both the Cato Socket and Cato ZTNA (formerly SDP) client when forming tunnels to the Cato POPs [30] and when forming off-cloud tunnels between Cato sockets.[31]
  • ZScaler tunnel 2.0 for ZScaler Internet Access (ZIA) uses DTLS for tunneling. ZScaler Private Access (ZPA) does not support DTLS [32]
  • F5 Networks Edge VPN Client uses TLS and DTLS.[33]
  • Fortinet's SSL VPN[34] and Array Networks SSL VPN[35] also use DTLS for VPN tunneling.
  • Citrix Systems NetScaler uses DTLS to secure UDP.[36]
  • Web browsers: Google Chrome, Opera and Firefox support DTLS-SRTP[37] for WebRTC. Firefox 86 and onward does not support DTLS 1.0.[38]
  • Remote Desktop Protocol 8.0 and onwards.

Vulnerabilities

In February 2013 two researchers from Royal Holloway, University of London discovered a timing attack[39] which allowed them to recover (parts of the) plaintext from a DTLS connection using the OpenSSL or GnuTLS implementation of DTLS when Cipher Block Chaining mode encryption was used.

See also

References

  1. Titz, Olaf (2001-04-23). "Why TCP Over TCP Is A Bad Idea". http://sites.inka.de/bigred/devel/tcp-tcp.html. 
  2. Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). "Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency". in Atiquzzaman, Mohammed; Balandin, Sergey I. 6011. doi:10.1117/12.630496. Bibcode2005SPIE.6011..138H. 
  3. Peck, M.; Igoe, K. (2012-09-25). "Suite B Profile for Datagram Transport Layer Security / Secure Real-time Transport Protocol (DTLS-SRTP)". IETF. https://tools.ietf.org/html/draft-peck-suiteb-dtls-srtp-02. 
  4. "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3". https://datatracker.ietf.org/doc/draft-ietf-tls-dtls13/. 
  5. "LibreSSL 3.3.2 Release Notes". The OpenBSD Project. 2021-05-01. https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.2-relnotes.txt. 
  6. Julien Kauffmann. "libsystools: A TLS/DTLS open source library for Windows/Linux using OpenSSL". SourceForge. https://sourceforge.net/projects/libsystools/. 
  7. 7.0 7.1 "mbed TLS 2.0.0 released". ARM. 2015-07-13. https://tls.mbed.org/tech-updates/releases/mbedtls-2.0.0-released. 
  8. "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14_release_notes. 
  9. "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.2_release_notes. 
  10. "As of version 1.0.2". The OpenSSL Project. 2015-01-22. https://www.openssl.org/news/openssl-1.0.2-notes.html. 
  11. Ray Brown. "pydtls - Datagram Transport Layer Security for Python". GitHub. https://github.com/rbit/pydtls. 
  12. Ray Brown. "DTLS for Python". Python Software Foundation. https://pypi.python.org/pypi/Dtls. 
  13. Ray Brown/Mobius Software LTD. "pydtls - Datagram Transport Layer Security for Python". GitHub. https://github.com/mobius-software-ltd/pyton3-dtls. 
  14. Ray Brown/Mobius Software LTD. "DTLS for Python3 Based on PyDTLS". Python Software Foundation. https://pypi.python.org/pypi/python3-dtls. 
  15. 15.0 15.1 "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. http://support.microsoft.com/kb/2574819/en-us. 
  16. Justinha. "TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016" (in en-us). https://docs.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server#dtls-12. 
  17. "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc.. https://developer.apple.com/library/ios/technotes/tn2287/. 
  18. Olaf Bergmann. "tinydtls". Eclipse Foundation. https://projects.eclipse.org/projects/iot.tinydtls. 
  19. Peter Waher. "Waher.Security.DTLS". Waher Data AB. https://www.nuget.org/packages/Waher.Security.DTLS/. 
  20. "wolfSSL Embedded SSL/TLS Library". https://www.wolfssl.com/products/wolfssl/. 
  21. Dmitriy Tsvettsikh. "Secure UDP communications using DTLS in pure js". GitHub. https://github.com/nodertc/dtls. 
  22. Dmitriy Tsvettsikh. "DTLS in pure js". npm. https://www.npmjs.com/package/@nodertc/dtls. 
  23. Mobius Software LTD. "Non blocking Java DTLS Implementation based on BouncyCastle and Netty". Mobius Software LTD. https://github.com/mobius-software-ltd/java-dtls. 
  24. Sean DuBois. "pion/dtls: DTLS 1.2 Server/Client implementation for Go". GitHub. https://github.com/pion/dtls. 
  25. "californium/scandium: DTLS 1.2 Server/Client implementation for java and coap. Includes connection id extension.". Eclipse Foundation. https://github.com/eclipse/californium. 
  26. SNF4J.ORG. "Simple Network Framework for Java (SNF4J).". GitHub. https://github.com/snf4j/snf4j. 
  27. "AnyConnect FAQ: tunnels, reconnect behavior, and the inactivity timer". Cisco. http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html. 
  28. "OpenConnect". OpenConnect. https://www.infradead.org/openconnect/. 
  29. "Cisco InterCloud Architectural Overview". Cisco Systems. http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/Intercloud_Fabric/Intercloud_Fabric_2.pdf. 
  30. "Cato Networks Cipher Suites Used by the Cato Socket and SDP Client". https://support.catonetworks.com/hc/en-us/articles/115005910469-Cipher-Suites-Used-by-the-Cato-Socket-and-SDP-Client. 
  31. "Cato Networks Routing Traffic to an Off-Cloud Link". https://support.catonetworks.com/hc/en-us/articles/4413265642257-Routing-Traffic-to-an-Off-Cloud-Link. 
  32. "ZScaler ZTNA 2.0 Tunnel". ZScaler. https://help.zscaler.com/z-app/about-z-tunnel-1.0-z-tunnel-2.0. 
  33. "f5 Datagram Transport Layer Security (DTLS)". f5 Networks. https://f5.com/glossary/datagram-transport-layer-security-dtls. 
  34. "Using DTLS to improve SSL VPN performance". Fortinet. 25 February 2016. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-DTLS-to-improve-SSL-VPN-performance/ta-p/193881. 
  35. "array.c from OpenConnect". 23 May 2022. https://gitlab.com/openconnect/openconnect/-/blob/653ad5585af44a2b8fa7d5946645ccb0e3f6ab60/array.c#L740-749. 
  36. "Configuring a DTLS Virtual Server". Citrix Systems. http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-ssloffloading/config-dtls-vserver.html. 
  37. "WebRTC Interop Notes". https://sites.google.com/site/webrtc/interop. 
  38. "Firefox 86.0, See All New Features, Updates and Fixes" (in en). 2021-02-23. https://www.mozilla.org/en-US/firefox/86.0/releasenotes/. "From Firefox 86 onward, DTLS 1.0 is no longer supported for establishing WebRTC's PeerConnections. All WebRTC services need to support DTLS 1.2 from now on as the minimum version." 
  39. "Plaintext-Recovery Attacks Against Datagram TLS". http://www.isg.rhul.ac.uk/~kp/dtls.pdf. 



Retrieved from "https://handwiki.org/wiki/index.php?title=Datagram_Transport_Layer_Security&oldid=4229721"
Licensed under CC BY-SA 3.0 | Source: https://handwiki.org/wiki/Datagram_Transport_Layer_Security
36 views |
↧ Download this article as ZWI file
Encyclosphere.org EncycloReader is supported by the EncyclosphereKSF