DTLS Discussion

[jasnell]

There's been an ongoing, unresolved discussion around adding DTLS support to joyent/node.
The original PR (nodejs/node-v0.x-archive#6704) is not going to be able to land and needs to continue here. Discussion also happening here: nodejs/node-v0.x-archive#25354. I am closing the original PR but want to make sure the conversation is not lost.

@indutny @rgillan @natbro @migounette

[natbro]

so @migounette, implicit answer to your question is: here in the io.js fork :) i have time this week to help move your PR (joyent/node#6704) over here if you want to share a branch? or just let me know and i can help test & work on samples + documentation for now. happy to give API feedback as well when you're ready.
looking through the original PR, it seems like getting ipv6 and DTLS 1.2 wired up would be useful (i might even suggest ditching DTLS 1.0. io.js uses >= OpenSSL 1.0.2 and may be worth leaving DTLS 1.0 cruft behind).
I'm USA west-coast time-zone, UTC−08:00. lmk if you prefer email or glitter chat to chatting here.

[jasnell]

Well... it's not technically an io.js fork any more ;-). But updating this would be awesome.

[natbro]

sorry, trigger word :) let's just say HEAD

[migounette]

@natbro GMT+1 :) but working late
I agree DTLS 1.2 will be the target
I will re-start the activity Thursday or Friday

[jorangreef]

I don't think adding DTLS to core would be as profitable as improving UDP performance and adding support for userspace networking (skipping the kernel control plane to avoid unnecessary memcopies, system calls etc.).

DTLS is also quite old now compared to a protocol such as QUIC, which has advantages over DTLS (e.g. packet-aligned encryption), although QUIC is also complex.

I have been working on a simpler protocol taking many ideas from Dan Bernstein's protocols, QUIC etc. and combining these. Improving UDP performance and Crypto performance would really help.

[YurySolovyov]

I think DTLS is used in WebRTC, which is quite popular in messaging/communications apps.

[jorangreef]

@YuriSolovyov thanks, then it would be good to do I guess.

[rgillan]

Hello,

DTLS is a requirement for many IoT applications and it isn't relevant whether people have opinions on how efficient it is. Standards fora such as oneM2M and LWM2M have already decided to use DTLS, as well as WebRTC. Always happy to have constructive involvement but please read back through the thread before adding to this discussion

Cheers Rob

On Aug 18, 2015, at 5:36 AM, Joran Dirk Greef notifications@github.com wrote:

@YuriSolovyov thanks, then it would be good to do I guess.

—
Reply to this email directly or view it on GitHub.

[Rantanen]

Yes. While DTLS is not "optimal" or "best" - it's used which makes it important and required for many scenarios, the main ones for Node are WebRTC and IoT as stated above.

Also tying DTLS directly to UDP will make it challenging to implement WebRTC on top of it. WebRTC multiplexes different protocols on top of the same UDP socket - some of which use DTLS and some which don't use.

Essentially WebRTC would require a DTLS implementation similar to the TLSSocket that can be invoked from JS code with user defined packets. This way the user code can first resolve whether the packets use DTLS or not according to WebRTC specification and then pass the DTLS packets to the DTLS implementation.

I've been a bit silent on this front lately seeing where and how the feature gets momentum. While I still want to finish the node-dtls project I started, I'm having difficulties figuring out what to do next given there's just so many different things that would need improvement.

If @migounette is continuing the native DTLS implementation, you can count me in for whatever resources. Be it code (to some extent anyway), API design, test cases - either for unit testing or integration for WebRTC purposes. I'm happy as long as Node gets some way to use DTLS.

[avesus]

👍 Shure, DTLS support for WebRTC will be market-changer for Node.

[mcollina]

Just adding that DTLS is needed for the CoAP protocol see coapjs/node-coap#11.

The need for DTLS to be in core comes from OpenSSL. Maintaining another version of OpenSSL inside an user-land module is extremely complicated.

I'm 👍 in having a separate module, plus maybe a stream-like interface for DTLS over UDP (but that can be on NPM).

[ohord]

+1 DTLS will enable ability to implement secure IoT servers and clients in node.js

[natbro]

@mcollina - when you say "stream-like interface for DTLS over UDP" what do you mean? in terms of writing without specifying a destination host+port as currently required with dgram.send? in terms of in-order delivery/re-assembly of longer-than-MTU sized buffers?