Re: [cf-dev] Scandium connection resumption vs. renegotiation

Terminology:
  Connection and Session are defined in TLS spec. (RFC5246 [1])
  "connection
      A connection is a transport (in the OSI layering model definition)
      that provides a suitable type of service.  For TLS, such
      connections are peer-to-peer relationships.  The connections are
      transient.  Every connection is associated with one session."
  "session
      A TLS session is an association between a client and a server.
      Sessions are created by the handshake protocol.  Sessions define a
      set of cryptographic security parameters that can be shared among
      multiple connections.  Sessions are used to avoid the expensive
      negotiation of new security parameters for each connection."

Client behind NAT Firewall
  A client behind NAT should use forceResumeSessionFor when it supposes that IP/port changed.
  E.g. In LWM2M a device behind a NAT should use queue mode, and should use forceResumeSession each time it wakes up (update, notify).
  (Maybe we should add a method forceResumeSessionForAllConnection)

Renegotiation vs. Resumption
  I didn't find many use cases for Renegotiation.
  Moreover, it seems there is a security issue with Renegotiation [2]. The simple advice to fix that is to disable renegotiation.
  The TLS/DTLS Profiles for the Internet of Things say that renegotiation must be disabled.
  So, I suppose it is reasonable not to support renegotiation (at least at first). As we don't really support this, we should probably remove the code about it in Scandium.

[1]https://tools.ietf.org/html/rfc5246#appendix-B
[2]http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
[3]https://tools.ietf.org/html/draft-ietf-dice-profile-17#section-17
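The queue-mode pattern described above (call forceResumeSessionFor on every wake-up so the kept session is resumed with an abbreviated handshake rather than reusing a connection whose NAT mapping may have expired), as an added example that is not part of this thread or of the Californium project; it assumes the Scandium 1.0-era API (DtlsConnectorConfig.Builder, StaticPskStore, RawData) and constructed PSK credentials.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;

import org.eclipse.californium.elements.RawData;
import org.eclipse.californium.scandium.DTLSConnector;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.pskstore.StaticPskStore;

/**
 * LWM2M-style queue-mode client behind a NAT. Each wake-up assumes the
 * NAT binding (and therefore the peer's view of our IP/port) may have
 * changed since the last exchange. Assumed API: Scandium 1.0-era names.
 */
public class QueueModeClient {
    private final DTLSConnector connector;
    private final InetSocketAddress server;

    public QueueModeClient(InetSocketAddress server) throws IOException {
        this.server = server;
        // PSK identity and key are constructed sample values for this example.
        DtlsConnectorConfig config = new DtlsConnectorConfig.Builder(new InetSocketAddress(0))
                .setPskStore(new StaticPskStore("device-0001",
                        "example-psk-secret".getBytes(StandardCharsets.UTF_8)))
                .build();
        this.connector = new DTLSConnector(config);
        this.connector.start();
    }

    /** Called on each wake-up (registration update or notify). */
    public void wakeUpAndSend(byte[] payload) {
        // Keep the session (cipher suite, master secret) but drop the
        // connection state bound to the old address: the next send then
        // runs an abbreviated resumption handshake, not a full one, and
        // never relies on a renegotiation of the stale connection.
        connector.forceResumeSessionFor(server);
        connector.send(new RawData(payload, server));
    }

    /** Called before the device goes back to sleep. */
    public void sleep() {
        // Nothing to tear down: the session stays cached for resumption.
    }

    public void shutdown() {
        connector.stop();
    }
}
```

Calling forceResumeSessionFor only costs an extra round trip when the old mapping was in fact still valid; it avoids sending records that the server would silently drop if it no longer knows the new source address.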


On 24/02/2016 11:46, Hudalla Kai (INST/ESY1) wrote:
Hi,

Simon and I have been discussing for some time now when and how a client would want to reconnect to a server and how these use cases are to be implemented according to the DTLS spec.

I have created a Wiki page [1] identifying some relevant real world use cases we would like to cover with Scandium. I would now like to use this thread to discuss the use cases and then gradually add information to the Wiki page so that we get a consistent picture over time and do not lose information.

So if you have any opinion regarding this topic I would be glad if you joined this thread :-)

[1] https://github.com/eclipse/californium/wiki/DTLS-Connection-Renegotiation-vs.-Resumption

Regards,
Kai
