Hi Daniel,
Why not use DTLS on top of SCTP? SCTP would check, using its heartbeat
mechanism, whether the connection is still alive.
Best regards
Michael
On Jan 19, 2009, at 10:47 AM, Daniel Mentz wrote:
Hi everybody,
how can I detect a dead server with *DTLS*?
I'm developing an application (IPFIX exporter and collector) that
only *sends* data using DTLS over UDP. Imagine the collector (DTLS
server) crashes and comes up again. The exporter (DTLS client) does
not notice the fact that the server went down and keeps on sending
data using the old pre-master secret. The only thing the server can
do is to drop those packets because due to the crash he lost the
pre-master secret and also the whole state that constitutes the SSL
object.
Please note that the underlying protocol which is UDP - as opposed
to TCP - does *not* tell me that the peer died. I might get some
ICMP port-unreachable messages but I don't want to rely on that.
Is there some kind of Dead Peer Detection like in the IPSec/IKE
protocol that allows me to verify that my peer is still alive? In
case the peer died I would just back up and initiate a new DTLS
connection from scratch.
Also, this mechanism would be useful to keep NAT mappings alive.
Please note that I cannot solve this problem via the protocol that
I use on top of DTLS - which is IPFIX - because IPFIX - by
definition - only *sends* but does not receive data. I.e. I cannot
infer that the server crashed from the fact that he does not send any
data because he does not send data anyway (except Handshake messages
like ServerHello, ServerKeyExchange, etc.). I guess IPFIX is a
one-way protocol.
Thanks
Daniel
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
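The heartbeat liveness check suggested in the reply, as an added example (not code from this thread, from OpenSSL or from any SCTP stack): a simplified model of SCTP path-failure detection on an idle path, showing how long a silent collector goes unnoticed before the exporter would start a new DTLS handshake. It generalizes beyond the thread: the parameter names and the 30 s / 3 s / 60 s / 5 defaults are those of RFC 4960, while the struct, the function names and the "fast" values are constructed for illustration.

```c
#include <stdio.h>
/* Simplified monitor for one idle SCTP path (no jitter, no RTT sampling).
 * Parameter names follow RFC 4960; all times are in seconds. */
struct path_monitor {
    unsigned hb_interval;      /* HB.interval */
    unsigned rto_initial;      /* RTO restored after an ack (simplification) */
    unsigned rto_max;          /* RTO.Max */
    unsigned path_max_retrans; /* Path.Max.Retrans */
    unsigned rto;              /* RTO currently in force */
    unsigned errors;           /* consecutive unanswered heartbeats */
};
/* HEARTBEAT ACK received: the peer is alive, clear the error counter. */
static void on_heartbeat_ack(struct path_monitor *m) {
    m->errors = 0;
    m->rto = m->rto_initial;
}

/* No ack within RTO: count the miss and double RTO, capped at RTO.Max.
 * Returns 1 once the counter exceeds Path.Max.Retrans (peer is dead). */
static int on_heartbeat_timeout(struct path_monitor *m) {
    m->errors++;
    m->rto = (m->rto * 2 > m->rto_max) ? m->rto_max : m->rto * 2;
    return m->errors > m->path_max_retrans;
}

/* The peer answers the first alive_beats heartbeats, then goes silent.
 * Returns seconds from the first unanswered heartbeat to the dead verdict. */
unsigned seconds_to_detect(struct path_monitor m, unsigned alive_beats) {
    unsigned now = 0, first_missed = 0;
    on_heartbeat_ack(&m);              /* start from a healthy path */
    for (unsigned beat = 0; ; beat++) {
        unsigned rto = m.rto;          /* RTO for this heartbeat */
        if (beat < alive_beats) {
            on_heartbeat_ack(&m);
        } else {
            if (beat == alive_beats)
                first_missed = now;
            if (on_heartbeat_timeout(&m))
                return now + rto - first_missed;
        }
        now += rto + m.hb_interval;    /* when the next heartbeat is sent */
    }
}
int main(void) {
    struct path_monitor rfc = { 30, 3, 60, 5, 3, 0 }, fast = { 5, 1, 4, 2, 1, 0 };
    printf("RFC 4960 defaults: %u s, constructed tuning: %u s\n",
           seconds_to_detect(rfc, 3), seconds_to_detect(fast, 3));
    return 0;
}
```

In this model the RFC 4960 defaults take 303 seconds to declare the peer dead, against 17 seconds for the constructed tuning, so the heartbeat parameters decide how much exported data is sent into the void.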