From: bnv@nc.rr.com
To: linux-kernel@vger.kernel.org
Subject: DTLS and UDP servers
Date: Fri, 11 Jan 2019 09:19:44 -0500
Message-ID: <b2c00870-c2bf-bd62-0476-4140c3a5a4e6@nc.rr.com>
[Due to list volume, this address is not subscribed. Please CC with any
replies]

Standard practice when using DTLS on a UDP server is to bind and connect
a new socket upon receipt of a valid ClientHello on the listener
socket. SO_REUSEPORT is required to ensure new sockets can bind to the
same port as the listener socket.

This works because the listener socket will see nothing but ClientHello
messages, and clients will block on a ServerHello message which is sent
after the new connected socket is created.

However, there is a window of opportunity between the bind and connect
calls, where the new socket temporarily takes over the port from the
listener socket. Ingress ClientHello messages will get delivered to the
queue of the new socket within this window. The result is that
authentication fails for the new client, and isn't begun for the other
clients whose ClientHello messages were diverted.

Arguably, this is UDP so clients should not expect reliability and
simply try again. However, this issue is addressable if a mechanism
existed to bind and connect simultaneously. Is it feasible?

Note: This would benefit the unsecured UDP server case as well, where it
is desired to move a new "session" off the listener descriptor to its
own for better scaling. SO_REUSEPORT addresses this to a degree, but is
modeled on multiple server processes rather than multiple threads within
a single server process.

Regards, BH