Hello Peter,

> Just thinking out loud here but could the transport folks define some
> sort of reliable-UDP transport mechanism that you could then run
> whatever you like over?

The benefit of using DTLS/UDP instead of TLS/TCP is, in my experience,
that the application decides for each "application record" whether it's
required to use something as an ACK or not. And when an ACK is used,
whether it's preferred to retransmit or drop a message when the ACK
is missing in time. And, of course, to easily have control over the
"time" to wait for the ACK. Whether that makes a difference depends
on the application and the physical transmission layer.

During the (D)TLS handshake there is not that much choice. If the
handshake records don't make it to the other side, then they are either
retransmitted or the handshake is stopped and required to be restarted
again later. Here the "application on top of UDP" decides to
"always ACK and retransmit", because it's required for that approach
(negotiating security parameters).

I guess that encapsulating the "UDP possibilities" in a specific API
will move some of the "control artifacts" outside the protection of
encryption and make it somehow more vulnerable.

br
Achim

On 14.11.24 at 05:08, Peter Gutmann wrote:
Christian Huitema <huit...@huitema.net> writes:

That chimes with David Benjamin's analysis about the "whole mess of
transport-related concerns that just don't apply to TLS". The expertise for
that is in the transport area, not in the TLS WG.

LDAP was once described as "a bunch of networking types trying to reinvent
1960s database technology", is this a case of a bunch of crypto types trying
to reinvent TCP, except that it's made even more difficult because of all the
crypto considerations?

Just thinking out loud here but could the transport folks define some sort of
reliable-UDP transport mechanism that you could then run whatever you like
over?  Or, given that we've got WireGuard and OpenVPN already solving the
problem for a lot of cases, is what's left big enough for anyone to care?  Is
there much use for it left outside of SIP and online gaming (the latter
presumably just because it's there rather than any specific need for DTLS)?

Peter.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

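An added example, not part of the thread and not code from any of the participants, modelling the per-record policy Achim describes above: each application record chooses whether it needs an ACK and whether to retransmit or drop on timeout, while a handshake flight is forced into the always-ACK-and-retransmit policy. The link simulation, the policy names and the loss pattern are constructed for illustration.

```python
from enum import Enum

class Policy(Enum):
    """Per-record delivery policy chosen by the application (assumed names)."""
    NO_ACK = "no_ack"                        # fire and forget, e.g. periodic telemetry
    ACK_OR_DROP = "ack_or_drop"              # want an ACK, but a stale value is not worth resending
    ACK_OR_RETRANSMIT = "ack_or_retransmit"  # must arrive, e.g. a handshake flight

class LossyLink:
    """Deterministic datagram link: datagram number i (1-based, both
    directions counted) is dropped when i is in `lost`. Constructed for the demo."""
    def __init__(self, lost):
        self.lost, self.sent = set(lost), 0
    def deliver(self, payload):
        self.sent += 1
        return None if self.sent in self.lost else payload

def send_record(link, payload, policy, max_attempts=3):
    """Send one application record under `policy`.
    Returns (acknowledged_or_received, attempts). For NO_ACK the sender
    cannot know; the simulator reports whether the peer actually got it."""
    for attempt in range(1, max_attempts + 1):
        received = link.deliver(payload) is not None
        if policy is Policy.NO_ACK:
            return received, attempt
        # The peer ACKs what it received; the ACK itself can be lost too,
        # in which case a retransmit hands the peer a duplicate record.
        acked = received and link.deliver(b"ACK") is not None
        if acked:
            return True, attempt
        if policy is Policy.ACK_OR_DROP:        # timeout: newer data will follow anyway
            return False, attempt
        # ACK_OR_RETRANSMIT: timeout, resend (handshake-flight behaviour)
    return False, max_attempts                  # give up; a handshake would restart

def run_demo():
    """Loss pattern {1, 4, 6, 9}: datagram 1 lost, handshake flight lost once
    and its first ACK lost once, final sensor reading lost."""
    link = LossyLink(lost={1, 4, 6, 9})
    return {
        "telemetry": send_record(link, b"temp=21", Policy.NO_ACK),           # lost, nobody retries
        "sensor":    send_record(link, b"temp=22", Policy.ACK_OR_DROP),      # delivered, ACKed
        "handshake": send_record(link, b"ClientHello", Policy.ACK_OR_RETRANSMIT),  # 3 tries
        "sensor2":   send_record(link, b"temp=23", Policy.ACK_OR_DROP),      # lost, dropped
    }

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:10s} delivered={outcome[0]} attempts={outcome[1]}")
```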
