Hi Andreas/Ingela,

Thanks you very much for your comments and time. I very appreciate it. I
have some inline comments marked with [YHY]:

1.) Have you tested your changes with packet loss and reordering, especially
reordering around the the Change Cipher Spec message?

Keeping the correct cipher context for re-sending old flights and decoding
incoming re-sends across CCS messages is not trivial and from reading the
code I can't convince myself that it would work.

[YHY] No, the change we made was based on existing dtls code and minor
changes, e.g. fragmented handshake messages, retransmission of old flights
and etc. The existing code dealt with cases specified by RFC on the basis
of record sequence number and handshake message sequence number. I agree
reordering is much more complicated than current code as more information
needs to be cached in order to reorder/reconstruct handshake messages. As
we move on, certainly that part in dtls_handshake.erl would be enhanced.
Very good point to bring this up.

2.) I'm not happy with the way new clients are handled. You seem to
insert them into an ETS tables without waiting for the answer to an
HelloVerifyRequest. This opens a way for resource exhaustion and denial
of service attacks. The DTLS RFC is quite explicit that the verify
cookie should be generated stateless and that the server should expend
any memory resource until the Hello was verified successfully.

[YHY] Our purpose of designing dtls_transport module is to have a thin
protocol-agnostic layer to just pass the datagram packets. Cookie mechanism
makes it hard for spoofing DoS attack but no defense from valid IP
addresses. You are right the resource leak in ETS table in this case, to
overcome this, we can start a timer to wait for CLIENT HELLO and close the
socket (remove it from ETS table) for both DoS cases. This provides another
way of invalidating the Cookies if the attacker tries to collect a number
of cookies from different addresses (See discussion in DTLS RFC). Any
comments ?

3.) TLS is almost exclusively used in a pure form over TCP, the situation
is different with DTLS where some interesting deviations exist. The TCP
like socket handling is not help full with those.

For example CAPWAP (RFC 5415) multiplexes DTLS and non DTLS data over the
same UDP socket. Some mechanism to hook between the raw socket and the
DTLS logic is required for that.

[YHY] Sorry I am not familiar with CAPWAP, is it the service discovery
(clear text) and later DTLS session established to convey encrypted data ?
To me, this might be resolved in dtls_connection module. When raw datagram
packets passed to handle_info callback, it can check data based on session
state on which the data is encrypted or not. It is flexible but sacrifice
the performance in raw socket level. This is very important because it will
impact how application developers use the interface. I hope further
discussion required for this topic.

4.) You have certainly added lots of code, but you have still reused some
ideas and code from my earlier versions. A small attribution wouldn't hurt.

[YHY] The existing DTLS code is well-written. We guess it just you didn't
have enough time to polish it further. We actually didn't change too much
and it works well in sunny cases. Having said that our change is a patch
but not a new feature.

Regarding the test cases, we will follow ssl_to_openssl_SUITE to add
dtls_to_openssl_SUITE later, it is always a good idea to have test cases.

This is a start point toward complete DTLS implementation as Ingela
mentioned. We are sure more comments and ideas would come out when we dig
deep further.

We will continue follow up on this,

Cheers,

/Haiyang

On Mon, Jun 1, 2015 at 9:32 AM, Ingela Anderton Andin <

Well, implementing DTLS is a very nice thing =)

I'm trying to look if it is possible to reuse existing SSL implementation
for it, but it seems that it is rather hard, because erlang SSL is a very
self-contained thing, designed for isolated usage, not like a library on
top of existing socket.