LKML Archive on
 help / color / Atom feed
* DTLS and UDP servers
@ 2019-01-11 14:19 bnv
  0 siblings, 0 replies; only message in thread
From: bnv @ 2019-01-11 14:19 UTC (permalink / raw)
  To: linux-kernel

[Due to list volume, this address is not subscribed.  Please CC with any 

Standard practice when using DTLS on a UDP server is to bind and connect 
a new socket upon receipt of a valid ClientHello on the listener 
socket.  SO_REUSEPORT is required to ensure new sockets can bind to the 
same port as the listener socket.

This works because the listener socket will see nothing but ClientHello 
messages, and clients will block on a ServerHello message which is sent 
after the new connected socket is created.

However, there is a window of opportunity between the bind and connect 
calls, where the new socket temporarily takes over the port from the 
listener socket.  Ingress ClientHello messages will get delivered to the 
queue of the new socket within this window. The result is that 
authentication fails for the new client, and isn't begun for the other 
clients whose ClientHello messages were diverted.

Arguably, this is UDP so clients should not expect reliability and 
simply try again.However, this issue is addressable if a mechanism 
existed to bind and connect simultaneously.  Is it feasible?

Note: This would benefit the unsecured UDP server case as well, where it 
is desired to move a new "session" off the listener descriptor to its 
own for better scaling.  SO_REUSEPORT addresses this to a degree, but is 
modeled on multiple server processes rather than multiple threads within 
a single server process.

Regards, BH

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-11 14:19 DTLS and UDP servers bnv

LKML Archive on

Archives are clonable:
	git clone --mirror lkml/git/0.git
	git clone --mirror lkml/git/1.git
	git clone --mirror lkml/git/2.git
	git clone --mirror lkml/git/3.git
	git clone --mirror lkml/git/4.git
	git clone --mirror lkml/git/5.git
	git clone --mirror lkml/git/6.git
	git clone --mirror lkml/git/7.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ \
	public-inbox-index lkml

Newsgroup available over NNTP:

AGPL code for this site: git clone public-inbox