On 06/08/2013 04:19 AM, Sebastien Decugis wrote:
> Thank you for your answers Nikos, more comments inline.
>
>> Currently there is no way to disable anti-replay protection. Would it
>> really matter though? If you say there are no replays over SCTP what
>> would this disabling buy?
>
> I plan to use several streams over SCTP, and send my application
> messages (Diameter messages) over each stream in turn.
> Let's imagine I have a large message (1^14 bytes) followed by a series
> of very short messages (a few bytes). On the sending side, I am sending a
> first record with sequence number #1 over stream #1, length is 1^14 (I
> am simplifying). Then short record #2 over stream #2, record #3 over
> stream #3, etc... Because the payload sizes are different, on the
> receiving side the messages for streams #2, #3, ... get delivered first
> and successfully parsed by the DTLS layer.
>
> If I understand correctly, the anti-replay protection might cause the
> record with sequence #1 to be discarded if it is delivered "too late"
> with respect to the sequence number. Is it correct? This would be an
> issue for the upper layer, hence the requirement in RFC 6083 to disable it.
>
> I apologize if my understanding is incorrect, I am new to DTLS...

Your understanding looks correct; having a method to disable the replay protection may seem reasonable then. How would malicious replays be detected in that case? Does the SCTP/DTLS protocol include it?

> Ok, thank you for the clarification. Then, the documentation of gnutls
> is quite misleading :)
> http://gnutls.org/manual/gnutls.html#index-gnutls_005fheartbeat_005fset_005ftimeouts

Thanks. I've now corrected it.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
http://lists.gnupg.org/mailman/listinfo/gnutls-help
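The window behaviour discussed in the thread, as an added example that is not part of the original messages and not GnuTLS code: a minimal model of the DTLS sliding replay window (RFC 6347 section 4.1.2.6, which borrows the RFC 4303 algorithm), fed with the delivery order Sebastien describes (short records #2, #3, ... parsed first, the large record #1 last). The window size of 64, the class and function names, the omission of the DTLS epoch field, and the `enabled` switch standing in for a "disable anti-replay" knob are all assumptions of this example. It shows that the late record #1 is only discarded once more than a window's worth of later records has preceded it, and that disabling the check also lets a genuine duplicate through.

```python
"""Model of the DTLS anti-replay sliding window (RFC 6347 / RFC 4303).

Added example, not GnuTLS code. Assumptions: 64-entry window (RFC 6347 says
SHOULD be 64), record sequence numbers are plain integers (epoch ignored),
and `enabled=False` stands in for a hypothetical "disable replay check" option.
"""


class ReplayWindow:
    """Tracks the highest sequence number seen plus a bitmap of the `size`
    most recent sequence numbers below it. Bit i of `bitmap` set means the
    record with sequence number `top - i` has already been accepted."""

    def __init__(self, size=64, enabled=True):
        self.size = size
        self.enabled = enabled
        self.top = 0          # highest accepted sequence number
        self.bitmap = 0       # 1 bit per sequence number in [top-size+1, top]
        self.seen_any = False

    def check_and_update(self, seq):
        """Return True if the record is accepted, False if it is discarded.
        Discard reasons: older than the window (cannot be told from a replay)
        or already marked in the bitmap (an actual duplicate)."""
        if not self.enabled:
            return True  # no replay protection: everything is accepted
        if not self.seen_any:
            self.seen_any = True
            self.top, self.bitmap = seq, 1
            return True
        if seq > self.top:
            # New maximum: slide the window forward and mark seq as seen.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # too old: fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return False  # duplicate sequence number: replay
        self.bitmap |= 1 << diff
        return True


def deliver(seqs, size=64, enabled=True):
    """Feed records in the given arrival order; return [(seq, accepted), ...]."""
    window = ReplayWindow(size, enabled)
    return [(s, window.check_and_update(s)) for s in seqs]


def late_first_record(n_short, size=64, enabled=True):
    """Sebastien's scenario: records #2 .. #(n_short+1) are parsed before the
    large record #1. Return whether record #1 is still accepted."""
    order = list(range(2, n_short + 2)) + [1]
    return dict(deliver(order, size, enabled))[1]


if __name__ == "__main__":
    for n in (10, 63, 64):
        print(f"record #1 after {n} short records: accepted={late_first_record(n)}")
    print("same, replay check disabled:", late_first_record(64, enabled=False))
    # Constructed arrival sequence with a genuine duplicate of #2 at the end.
    print("replay of #2, check enabled :", deliver([1, 2, 3, 2])[-1])
    print("replay of #2, check disabled:", deliver([1, 2, 3, 2], enabled=False)[-1])
```

With the 64-entry window assumed here, record #1 survives up to 63 intervening records and is dropped from the 64th onward, so the problem Sebastien raises is real but only bites when a stream falls more than a window behind; disabling the check removes that failure mode and, as Nikos asks, also removes the receiver's only defence against a replayed record.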
