linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: bnv@nc.rr.com
To: linux-kernel@vger.kernel.org
Subject: DTLS and UDP servers
Date: Fri, 11 Jan 2019 09:19:44 -0500	[thread overview]
Message-ID: <b2c00870-c2bf-bd62-0476-4140c3a5a4e6@nc.rr.com> (raw)

[Due to list volume, this address is not subscribed.  Please CC with any 
replies]

Standard practice when using DTLS on a UDP server is to bind and connect 
a new socket upon receipt of a valid ClientHello on the listener 
socket.  SO_REUSEPORT is required to ensure new sockets can bind to the 
same port as the listener socket.

This works because the listener socket will see nothing but ClientHello 
messages, and clients will block on a ServerHello message which is sent 
after the new connected socket is created.

However, there is a window of opportunity between the bind and connect 
calls, where the new socket temporarily takes over the port from the 
listener socket.  Ingress ClientHello messages will get delivered to the 
queue of the new socket within this window. The result is that 
authentication fails for the new client, and isn't begun for the other 
clients whose ClientHello messages were diverted.

Arguably, this is UDP so clients should not expect reliability and 
simply try again.However, this issue is addressable if a mechanism 
existed to bind and connect simultaneously.  Is it feasible?

Note: This would benefit the unsecured UDP server case as well, where it 
is desired to move a new "session" off the listener descriptor to its 
own for better scaling.  SO_REUSEPORT addresses this to a degree, but is 
modeled on multiple server processes rather than multiple threads within 
a single server process.

Regards, BH



                 reply	other threads:[~2019-01-11 15:08 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b2c00870-c2bf-bd62-0476-4140c3a5a4e6@nc.rr.com \
    --to=bnv@nc.rr.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).