* DTLS and UDP servers
@ 2019-01-11 14:19 bnv
0 siblings, 0 replies; only message in thread
From: bnv @ 2019-01-11 14:19 UTC (permalink / raw)
To: linux-kernel
[Due to list volume, this address is not subscribed. Please CC with any
replies]
Standard practice when using DTLS on a UDP server is to bind and connect
a new socket upon receipt of a valid ClientHello on the listener
socket. SO_REUSEPORT is required to ensure new sockets can bind to the
same port as the listener socket.
This works because the listener socket will see nothing but ClientHello
messages, and clients will block on a ServerHello message which is sent
after the new connected socket is created.
However, there is a window of opportunity between the bind and connect
calls, where the new socket temporarily takes over the port from the
listener socket. Ingress ClientHello messages will get delivered to the
queue of the new socket within this window. The result is that
authentication fails for the new client, and isn't begun for the other
clients whose ClientHello messages were diverted.
Arguably, this is UDP so clients should not expect reliability and
simply try again.However, this issue is addressable if a mechanism
existed to bind and connect simultaneously. Is it feasible?
Note: This would benefit the unsecured UDP server case as well, where it
is desired to move a new "session" off the listener descriptor to its
own for better scaling. SO_REUSEPORT addresses this to a degree, but is
modeled on multiple server processes rather than multiple threads within
a single server process.
Regards, BH
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-01-11 15:08 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-11 14:19 DTLS and UDP servers bnv
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).