Re: [cf-dev] Sharing DTLS session state among multiple nodes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [cf-dev] Sharing DTLS session state among multiple nodes

From: Simon Bernard <contact@xxxxxxxxxxxxxxx>
Date: Wed, 21 Sep 2016 18:04:01 +0200
Delivered-to: cf-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/cf-dev>
List-help: <mailto:cf-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/cf-dev>, <mailto:cf-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/cf-dev>, <mailto:cf-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.2.0

This seems to me a better approach than the previous one :) (trying topersist ConnectionStore).


Some remarks/questions below :
1) Why LeastRecentlyUsedCache.class is no more threadsafe ?

2) The TLS spec[1] say :

"Error handling in the TLS Handshake protocol is very simple. When anerror is detected, the detecting party sends a message to the otherparty. Upon transmission or receipt of a fatal alert message, bothparties immediately close the connection. Servers and clients MUSTforget any session-identifiers, keys, and secrets associated with afailed connection. Thus, any connection terminated with a fatal alertMUST NOT be resumed."

Should we implement this ?

3) If we implement 2) the "InMemoryConnectionStore.find()" should alwayslook in the shared store (SessionCache) and should not check before inthe connections map in memory.

4) Not directly linked to this branch but the RF5077[2] is another wayto resume session:

"This mechanism is useful in the following situations:

1. servers that handle a large number of transactions fromdifferent users

   2.  servers that desire to cache sessions for a long time
   3.  ability to load balance requests across servers
   4.  embedded servers with little memory"

Here[3][4] are interesting posts about session resumption and ForwardSecrecy [3][4].


Simon

[1]https://tools.ietf.org/html/rfc5246#section-7.2.2
[2]https://tools.ietf.org/html/rfc5077
[3]https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
[4]https://blog.twitter.com/2013/forward-secrecy-at-twitter-0

Le 21/09/2016 à 12:04, Hudalla Kai (INST/ESY1) a écrit :

Hi,

some months ago I had started to work on introducing means to Scandium to be
able to share state of an established DTLS session (crypto params) among
multiple nodes.

The idea is to allow for clients being able to resume a DTLS session (using
an abbreviated handshake) with another node than the one the session has been
originally been established with (e.g. after the original node has crashed).

I have added the code to the session_cache branch based on current master
[1]. There also has been a question raised around that topic [2].

I would be interested in getting some feedback whether you think this is a
useful addition and you could put this to work in your environment.

[1] https://github.com/eclipse/californium/tree/session_cache
[2] https://github.com/eclipse/californium/issues/89

Follow-Ups:
- Re: [cf-dev] Sharing DTLS session state among multiple nodes
  - From: Kraus Achim (INST/ESY1)
- Re: [cf-dev] Sharing DTLS session state among multiple nodes
  - From: Hudalla Kai (INST/ESY1)

References:
- [cf-dev] Sharing DTLS session state among multiple nodes
  - From: Hudalla Kai (INST/ESY1)

Prev by Date: [cf-dev] Sharing DTLS session state among multiple nodes
Next by Date: Re: [cf-dev] Sharing DTLS session state among multiple nodes
Previous by thread: [cf-dev] Sharing DTLS session state among multiple nodes
Next by thread: Re: [cf-dev] Sharing DTLS session state among multiple nodes
Index(es):
- Date
- Thread

Breadcrumbs