Re: [Syslog] Issues for dtls-udp Re: Missing dead peer detection in DTLS (Gerhard Muenz)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Syslog] Issues for dtls-udp Re: Missing dead peer detection in DTLS (Gerhard Muenz)

To: Gerhard Muenz <muenz at net.in.tum.de>
Subject: Re: [Syslog] Issues for dtls-udp Re: Missing dead peer detection in DTLS (Gerhard Muenz)
From: fenghongyan <hongyanfeng at huaweisymantec.com>
Date: Wed, 05 Aug 2009 17:16:51 +0800
Cc: syslog at ietf.org
Delivered-to: syslog at core3.amsl.com
In-reply-to: <4A786066.2080505 at net.in.tum.de>
List-archive: <http://www.ietf.org/mail-archive/web/syslog>
List-help: <mailto:syslog-request@ietf.org?subject=help>
List-id: Security Issues in Network Event Logging <syslog.ietf.org>
List-post: <mailto:syslog@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
Priority: normal
References: <mailman.152.1248807621.17772.syslog at ietf.org> <fc16b80131ef.4a75658d at huaweisymantec.com> <4A75F11B.4050201 at net.in.tum.de> <fbc4f6346109.4a78c7e4 at huaweisymantec.com> <4A786066.2080505 at net.in.tum.de>

Hi,
  
>  The definition of IPFIX Transport Sessions allows to distinguish the
>  different sessions. In the case of UDP, the Transport Session is defined
>  by the IP-5-Tuple plus the Observation Domain ID, which is a field in
>  the IPFIX message header.
>  In the case of DTLS/UDP, the Collector needs to maintain the DTLS state
>  for each Exporter.

In the case of UDP, the application can get message through udp directly. 
But for DTLS/UDP, each session maintains the DTLS state for each Exporter, and DTLS has no idea about
which session is for which exporter. Which need application maintains, like using IP-5-Tuple plus the Observation Domain ID
mapping to each session.

>  
>  A good question is when to remove the DTLS state because there is no
>  connection termination. We remove it after a certain time without
>  receiving any packets from the Exporter. However, we cannot be sure if
>  the Exporter has also deleted its DTLS state :(
>  This is another situation where DTLS Heartbeat extension is useful.

I share this opinion. "timeout" can also work for it.

>  > There may many syslog sender send logs to one receiver, which 
> brings up an issue of dtls-udp.
>  > I wrote it in my proposal, in 5.3 as session demultiplexing. 
>  > 
>  > I think if the ipfix collector need support multiple exporter, 
> ipfix need also support session demultiplexing,
>  > but I didn't see that in your proposal, what's your consideration?
>  
>  You talk about draft-mentz-ipfix-dtls-recommendations-00?
>  Note that this draft does not play the same role as
>  draft-feng-syslog-transport-dtls-01 because IPFIX over DTLS/UDP is
>  already standardized in RFC5101.
>  draft-mentz-ipfix-dtls-recommendations-00 only covers DTLS specific
>  implementation problems and might be considered as an update of RFC 5153
>  (IPFIX Implementation Guidelines).
>  
I mean that is the application need to implement when using DTLS/UDP as transport,
which is the issue of DTLS/UDP, I stated in my proposal, but I didn't see you add any comments
on it:(. That is why I asked if you have any other consideration. I asked for your valuable comments.



Thanks
Linda

>  Gerhard
>

References:
- Re: [Syslog] Missing dead peer detection in DTLS (Gerhard Muenz)
  - From: fenghongyan
- Re: [Syslog] Missing dead peer detection in DTLS (Gerhard Muenz)
  - From: Gerhard Muenz
- [Syslog] Issues for dtls-udp Re: Missing dead peer detection in DTLS (Gerhard Muenz)
  - From: fenghongyan
- Re: [Syslog] Issues for dtls-udp Re: Missing dead peer detection in DTLS (Gerhard Muenz)
  - From: Gerhard Muenz

Prev by Date: Re: [Syslog] Issues for dtls-udp Re: Missing dead peer detection in DTLS (Gerhard Muenz)
Next by Date: Re: [Syslog] Missing dead peer detection in DTLS
Previous by thread: Re: [Syslog] Issues for dtls-udp Re: Missing dead peer detection in DTLS (Gerhard Muenz)
Index(es):
- Date
- Thread

Re: [Syslog] Issues for dtls-udp Re: Missing dead peer detection in DTLS (Gerhard Muenz)

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.