Matt Caswell <> wrote:
    >> Matt Caswell <> wrote: >> a) when the existing FD is
    >> connect(2) any future traffic to the bound >> port will get rejected
    >> with no port.  So the application really has to >> open a new socket
    >> first.  The application can do this two ways: it can >> open a new
    >> socket on which to receive new connections, or it can open >> a new
    >> socket on which to communicate with the new client.  The second >>
    >> method is better for reason (b) below.  Either way, it socket to >>
    >> communicate with the client needs to be bind(2) to the address that >>
    >> the client used to communicate with the server, and DTLSv1_listen() >>
    >> didn't collect or return that information.
    >> > The second way is what is intended.
    >> Unfortunately, there remains a race condition because we have to call
    >> bind() before connect() on the new socket.  Under load, if a packet is
    >> received between the bind() and the connect(), it might go onto the
    >> wrong socket queue. So some packets that could have been processed
    >> will get dropped and have to be retransmitted by the client.

    > This seems like a non-issue to me. At this point in the handshake the
    > client will have sent its ClientHello and won't progress until it gets
    > the server's flight back (ServerHello etc), i.e. in the vast majority
    > of cases it won't be sending anything.

*That* client will be waiting, but other clients may be sending new ClientHello
messages (with or without cookies).

    >> The address of the remote client is returned ("getpeername()") by
    >> DTLSv1_listen().  That's all that recvfrom() gives you.
    >> recvfrom() was a reasonable API for SunOS 3.x machines with a single
    >> 10Mb/s interface with a single IPv4 address.  I loved all that at the
    >> time...  But it doesn't work that well when we might have a dozen
    >> different kind of IPv6 addresses on each virtual interface.
    >> The address that I'm talking about needing is the one the remote
    >> client used to reach us.  That's the destination IP of the incoming
    >> packet ("getsockname()" in TCP speak).

    > Ahhh....its the *server's* address you are after. This requirement
    > seems more reasonable. I think the API is designed to expect you to
    > only bind to a single IP. I'd be interested in Richard Levitte's
    > opinion on this.

binding to a single IP is not scalable in many applications.

    > It seems like a fairly simple solution could solve this. Currently we
    > have BIO_dgram_get_peer() which returns the peer's address for the last
    > message read from a BIO. You could imagine a new call being introduced
    > to get our own address. You could then call that immediately after a
    > successful DTLSv1_listen() call. Obviously we'd have to change the
    > dgram BIO to use recvmsg for this to work.

That's here:

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]        |   ruby on rails    [

Attachment: signature.asc
Description: PGP signature

openssl-dev mailing list
To unsubscribe:

Reply via email to