Hi Nikos, > Your understanding looks correct, having a method to disable the replay > protection may seem reasonable then. How would malicious replays be > detected in that case? Does the SCTP/DTLS protocol include it?
This is a very good question :) I have done some more research and it appears that yes, when using DTLS over SCTP, the SCTP-AUTH extension must be used and this extension provides the anti-replay detection at the SCTP layer. When the extension is not used, there is a "light" protection in SCTP that is probably not sufficient to protect against malicious attacks. However, I realize that in order to use this SCTP-AUTH extension, more interaction between GNU TLS and the SCTP stack is required, in particular: - support for DTLS Keying Material Exporters as described in RFC5705 ( I did not find in the documentation if this is supported in GNU TLS), - ability to be notified *during* handshake so that the new derived key can be set for SCTP-AUTH before the "Finished" message is sent. Would you have any advice about these additional requirements? I am going to start implementing DTLS over SCTP without using the SCTP-AUTH mechanism and without disabling the replay protection in a first step. Can you tell me the characteristics of the anti-replay window in GNU TLS? If I limit the number of streams I am using to this window, I should be able to avoid the messages being dropped. If you are interested, I will send you the link to this implementation (open source) so that you can use it for further tests. Best regards, Sébastien. _______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
