idnits 2.17.1 draft-ietf-dccp-dtls-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 18. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 258. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 235. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 242. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 248. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? RFC 2119 keyword, line 96: '...ple DTLS records MAY be sent in one DC...' RFC 2119 keyword, line 99: '...). A single DTLS record MUST be fully...' RFC 2119 keyword, line 100: '... DCCP packet; it MUST NOT be split ove...' RFC 2119 keyword, line 124: '... implementations MAY choose to transmi...' RFC 2119 keyword, line 126: '... implementations MAY choose to respond...' (8 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 2007) is 6010 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'RFC4347' on line 203 looks like a reference -- Missing reference section? 'RFC4340' on line 206 looks like a reference -- Missing reference section? 'RFC4346' on line 209 looks like a reference -- Missing reference section? 'RFC2119' on line 212 looks like a reference -- Missing reference section? 'SCODES' on line 215 looks like a reference Summary: 4 errors (**), 0 flaws (~~), 1 warning (==), 12 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 INTERNET-DRAFT DTLS over DCCP October 2007 4 DTLS over DCCP 5 Internet Draft T. Phelan 6 Document: draft-ietf-dccp-dtls-02.txt Sonus Networks 7 Expires: April 2008 October 2007 8 Intended status: Proposed Standard 10 Datagram Transport Layer Security (DTLS) over the Datagram 11 Congestion Control Protocol (DCCP) 13 Status of this Memo 15 By submitting this Internet-Draft, each author represents that any 16 applicable patent or other IPR claims of which he or she is aware 17 have been or will be disclosed, and any of which he or she becomes 18 aware will be disclosed, in accordance with Section 6 of BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 36 This Internet-Draft will expire on September 30, 2007. 38 Abstract 40 This document specifies the use of Datagram Transport Layer Security 41 (DTLS) over the Datagram Congestion Control Protocol (DCCP). DTLS 42 provides communications privacy for datagram protocols and allows 43 client/server applications to communicate in a way that is designed 44 to prevent eavesdropping, tampering, or message forgery. DCCP is a 45 transport protocol that provides a congestion-controlled unreliable 46 datagram service. 48 Table of Contents 50 1. Introduction...................................................3 51 2. Terminology....................................................3 52 3. DTLS over DCCP.................................................3 53 3.1 DCCP and DTLS Sequence Numbers.............................3 54 3.2 DCCP and DTLS Connection Handshakes........................4 55 3.3 PMTU Discovery.............................................4 56 3.4 DCCP Service Codes.........................................4 57 3.5 New Versions of DTLS.......................................5 58 4. Security Considerations........................................5 59 5. IANA Considerations............................................5 60 6. References.....................................................5 61 6.1 Normative References.......................................5 62 7. Author's Address...............................................6 63 1. Introduction 65 This document specifies how to use Datagram Transport Layer Security 66 (DTLS), as specified in [RFC4347], over the Datagram Congestion 67 Control Protocol (DCCP), as specified in [RFC4340]. 69 DTLS is an extension of Transport Layer Security (TLS, [RFC4346]) 70 that modifies TLS for use with the unreliable transport protocol UDP. 71 TLS is a protocol that allows client/server applications to 72 communicate in a way that is designed to prevent eavesdropping, 73 tampering and message forgery. DTLS can be viewed as TLS-plus- 74 adaptations-for-unreliability. 76 DCCP provides an unreliable transport service, similar to UDP, but 77 with adaptive congestion control, similar to TCP and SCTP. DCCP can 78 be viewed equally well as either UDP-plus-congestion-control or TCP- 79 minus-reliability (although, unlike TCP, DCCP offers multiple 80 congestion control algorithms). 82 The combination of DTLS and DCCP will offer transport security 83 capabilities to DCCP users similar to those available for TCP, UDP 84 and SCTP. 86 2. Terminology 88 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 89 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 90 document are to be interpreted as specified in [RFC2119]. 92 3. DTLS over DCCP 94 The approach here is very straightforward -- DTLS records are 95 transmitted in the Application Data fields of DCCP-Data and DCCP- 96 DataAck packets. Multiple DTLS records MAY be sent in one DCCP 97 packet, as long as the resulting packet is within the Path Maximum 98 Transfer Unit (PMTU) currently in force (see section 3.3 for more 99 information on PMTU Discovery). A single DTLS record MUST be fully 100 contained in a single DCCP packet; it MUST NOT be split over multiple 101 packets. 103 3.1 DCCP and DTLS Sequence Numbers 105 Both DCCP and DTLS use sequence numbers in their packets/records. 106 These sequence numbers serve somewhat, but not completely, 107 overlapping functions. Consequently, there is no connection between 108 the sequence number of a DCCP packet and the sequence number in a 109 DTLS record contained in that packet. 111 3.2 DCCP and DTLS Connection Handshakes 113 Unlike UDP, DCCP is connection-oriented, and has a connection 114 handshake procedure that precedes the transmission of DCCP-Data and 115 DCCP-DataAck packets. DTLS is also connection-oriented, and has a 116 handshake procedure of its own that must precede the transmission of 117 actual application information. Using the rule of mapping DTLS 118 records to DCCP-Data and DCCP-DataAck packets in section 3, above, 119 the two handshakes are forced to happen in series, with the DCCP 120 handshake first, followed by the DTLS handshake. 122 However, the DCCP handshake packets DCCP-Request and DCCP-Response 123 have Application Data fields and can carry user data during the DCCP 124 handshake. DTLS client implementations MAY choose to transmit the 125 ClientHello message in the DCCP-Request packet. DTLS server 126 implementations MAY choose to respond to a ClientHello message 127 received in a DCCP-Request packet with a HelloVerifyRequest message, 128 if denial of service countermeasures are to be used or, a 129 ServerHelloDone message otherwise, in the DCCP-Response packet. 131 Subsequent DTLS handshake messages, and retransmissions of the 132 ClientHello message, if necessary, MUST wait for the completion of 133 the DCCP handshake. 135 3.3 PMTU Discovery 137 Each DTLS record must fit within a single DCCP-Data packet. DCCP 138 packets are normally transmitted with the DF (Don't Fragment) bit set 139 for IPv4, and of course all IPv6 packets are unfragmentable. Because 140 of this, DCCP performs Path Maximum Transmission Unit (PMTU) 141 Discovery. In determining the maximum size for DTLS records, a DTLS 142 over DCCP implementation SHOULD use the DCCP-managed value for PMTU. 143 A DTLS over DCCP implementation MAY choose to use its own PMTU 144 Discovery calculations, as specified in [RFC4347], but MUST NOT use a 145 value greater the value determined by DCCP. 147 3.4 DCCP Service Codes 149 The DCCP connection handshake includes a field called Service Code 150 that is intended to describe "the application-level service to which 151 the client application wants to connect". Further, "Service Codes 152 are intended to provide information about which application protocol 153 a connection intends to use, thus aiding middleboxes and reducing 154 reliance on globally well-known ports" [RFC4340]. Further rules and 155 clarifications for the use of Service Codes are included in [SCODES]. 157 It is expected that many middleboxes will give different privileges 158 to applications running DTLS over DCCP versus just DCCP. Therefore, 159 applications that use DTLS over DCCP sometimes and just DCCP other 160 times MUST register and use different Service Codes for each mode of 161 operation. Applications that use both DCCP and DTLS over DCCP MAY 162 choose to listen for incoming connections on the same DCCP port and 163 distinguish the mode of the request by the offered Service Code, as 164 allowed by [SCODES]. 166 3.5 New Versions of DTLS 168 As DTLS matures, revisions to and updates for [RFC4347] can be 169 expected. DTLS includes mechanisms for identifying the version in 170 use and presumably future versions will either include backward 171 compatibility modes or at least not allow connections between 172 dissimilar versions. Since DTLS over DCCP simply encapsulates the 173 DTLS records transparently, these changes should not affect this 174 document and the methods of this document should apply to future 175 versions of DTLS. 177 Therefore, in the absence of a revision to this document, it is 178 assumed to apply to all future versions of DTLS. This document will 179 only be revised if a revision to DTLS makes a revision to the 180 encapsulation necessary. 182 It is RECOMMENDED that an application migrating to a new version of 183 DTLS keep the same DCCP Service Code used for the old version and 184 allow DTLS to provide the version negotiation support. If the 185 application developers feel that the new version of DTLS provides 186 significant new capabilities to the application that will change the 187 behavior of middleboxes, they MAY use a new Service Code. 189 4. Security Considerations 191 Security considerations for DTLS are specified in [RFC4347] and for 192 DCCP in [RFC4340]. The combination of DTLS and DCCP introduces no 193 new security considerations. 195 5. IANA Considerations 197 There are no IANA actions required for this document. 199 6. References 201 6.1 Normative References 203 [RFC4347] Rescorla, E., "Datagram Transport Layer Security", RFC 204 4347, April 2006. 206 [RFC4340] Kohler, E., Handley, M., Floyd, S., "Datagram Congestion 207 Control Protocol (DCCP)", RFC 4340, March 2006. 209 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security 210 (TLS) Protocol Version 1.1", RFC 4346, April 2006. 212 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 213 Requirement Levels", RFC 2119, March 1997. 215 [SCODES] Fairhurst, G., "The DCCP Service Code", draft-ietf-dccp- 216 serv-codes-03.txt, June 2007 218 7. Author's Address 220 Tom Phelan 221 Sonus Networks 222 7 Technology Park Dr. 223 Westford, MA USA 01886 224 Phone: 978-614-8456 225 Email: tphelan@sonusnet.com 226 Intellectual Property Statement 228 The IETF takes no position regarding the validity or scope of any 229 Intellectual Property Rights or other rights that might be claimed to 230 pertain to the implementation or use of the technology described in 231 this document or the extent to which any license under such rights 232 might or might not be available; nor does it represent that it has 233 made any independent effort to identify any such rights. Information 234 on the procedures with respect to rights in RFC documents can be 235 found in BCP 78 and BCP 79. 237 Copies of IPR disclosures made to the IETF Secretariat and any 238 assurances of licenses to be made available, or the result of an 239 attempt made to obtain a general license or permission for the use of 240 such proprietary rights by implementers or users of this 241 specification can be obtained from the IETF on-line IPR repository at 242 http://www.ietf.org/ipr. 244 The IETF invites any interested party to bring to its attention any 245 copyrights, patents or patent applications, or other proprietary 246 rights that may cover technology that may be required to implement 247 this standard. Please address the information to the IETF at ietf- 248 ipr@ietf.org. 250 Disclaimer of Validity 252 This document and the information contained herein are provided on an 253 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 254 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 255 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 256 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 257 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 258 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 260 Copyright Statement 262 Copyright (C) The IETF Trust (2007). 264 This document is subject to the rights, licenses and restrictions 265 contained in BCP 78, and except as set forth therein, the authors 266 retain all their rights. 268 Acknowledgment 270 Funding for the RFC Editor function is currently provided by the 271 Internet Society.