-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DTLS Discussion #2398
Comments
so @migounette, implicit answer to your question is: here in the io.js fork :) i have time this week to help move your PR (joyent/node#6704) over here if you want to share a branch? or just let me know and i can help test & work on samples + documentation for now. happy to give API feedback as well when you're ready. |
Well... it's not technically an io.js fork any more ;-). But updating this would be awesome. |
sorry, trigger word :) let's just say HEAD |
@natbro GMT+1 :) but working late |
I don't think adding DTLS to core would be as profitable as improving UDP performance and adding support for userspace networking (skipping the kernel control plane to avoid unnecessary memcopies, system calls etc.). DTLS is also quite old now compared to a protocol such as QUIC, which has advantages over DTLS (e.g. packet-aligned encryption), although QUIC is also complex. I have been working on a simpler protocol taking many ideas from Dan Bernstein's protocols, QUIC etc. and combining these. Improving UDP performance and Crypto performance would really help. |
I think DTLS is used in WebRTC, which is quite popular in messaging/communications apps. |
@YuriSolovyov thanks, then it would be good to do I guess. |
Hello, DTLS is a requirement for many IoT applications and it isn't relevant whether people have opinions on how efficient it is. Standards fora such as oneM2M and LWM2M have already decided to use DTLS, as well as WebRTC. Always happy to have constructive involvement but please read back through the thread before adding to this discussion Cheers Rob
|
Yes. While DTLS is not "optimal" or "best" - it's used which makes it important and required for many scenarios, the main ones for Node are WebRTC and IoT as stated above. Also tying DTLS directly to UDP will make it challenging to implement WebRTC on top of it. WebRTC multiplexes different protocols on top of the same UDP socket - some of which use DTLS and some which don't use. Essentially WebRTC would require a DTLS implementation similar to the I've been a bit silent on this front lately seeing where and how the feature gets momentum. While I still want to finish the If @migounette is continuing the native DTLS implementation, you can count me in for whatever resources. Be it code (to some extent anyway), API design, test cases - either for unit testing or integration for WebRTC purposes. I'm happy as long as Node gets some way to use DTLS. |
👍 Shure, DTLS support for WebRTC will be market-changer for Node. |
Just adding that DTLS is needed for the CoAP protocol see coapjs/node-coap#11. The need for DTLS to be in core comes from OpenSSL. Maintaining another version of OpenSSL inside an user-land module is extremely complicated. I'm 👍 in having a separate module, plus maybe a stream-like interface for DTLS over UDP (but that can be on NPM). |
+1 DTLS will enable ability to implement secure IoT servers and clients in node.js |
@mcollina - when you say "stream-like interface for DTLS over UDP" what do you mean? in terms of writing without specifying a destination host+port as currently required with |
DTLS maintains the concept of a connection/stream. It needs to do packet If anybody interested in this comes to nodeconfeu, let's meet up! I can confirm I will have time to spend on this starting from October.
|
Just to clear this up: DTLS maintains the concept of a session, but not stream. It doesn't do payload packet reordering or even guarantee that all payload packets are received and decrypted. Once the security parameters are negotiated and confirmed, every individual packet in the session can be decrypted independent of other packets in the same epoch. Still, an Essentially initializing a client-mode DTLSSocket should emit the initial handshake datagrams just the same as in the case the socket is bound to an UDP socket. Feeding these packets to the server-mode DTLSSocket should cause the server socket to emit the datagrams required to continue the handshake and so on. |
+1 thanks, @Rantanen - exactly, that's why i asked what @mcollina meant :) there should definitely no in-order or guaranteed delivery happening in a
|
@Rantanen great job done on the js side. But I have a concern with this Regarding the point 2, it's a good point, but a bit more difficult to Happy to see discussion on this topic, waiting for a while 😴 My 2 cents On Thu, Aug 20, 2015 at 11:48 PM, Nat Brown notifications@github.com
|
Some more thoughts:
What's the purpose of the security context API? Is that needed somewhere? Il giorno ven 21 ago 2015 alle 00:39 Yann Stephan notifications@github.com
|
totally agree doing it native makes the most sense (and i think @Rantanen has also said it's his preference, he just began building his JS version since no native was pending) - i was just commenting on the API choice you both made is similar ( |
@migounette - Yes, I prefer native - but given node was in a bit of a turmoil back when I wanted DTLS, I decided to go with a JS module that could be released on NPM instead of waiting for a PR merge and Node release. @mcollina, that reordering only affects the handshake messages. The actual encrypted content is not reordered or resent in case of packet loss. The main benefit of UDP is to get packets with as little delay as possible across the network after all. :) Given the handshake messages shouldn't be something the user needs to care about anyway, the fact that they are reordered shouldn't be a consideration when designing the API. Node's TLS module manages to abstract these away - same should be attempted with DTLS. @natbro, I think abstracting DTLS away from However at the same time I believe the |
Let me rephrase, if dtls is going to base itself on From a client perspective, a DTLS context pairs something local to something remote: it is stateful. Currently all of From a personal taste, I don't like that you need the To my best understanding of the problem, this are the changes needed to have the less impact in the API:
Another completely different API is:
|
I just started playing around with a streaming IoT application in Node and it seemed like udp + dtls might fit the bill quite nicely. I was sad to see the discussion died in August. Any updates or progress on this issue? I don't have much bandwidth but would be open to lending a hand when I can. |
I would find this useful ;) |
@mcollina DTLS is reodering/unfragmenting packets only in the handshake/re-handshake phase not in the application phase, so a datagram based attraction fit in most language (because the handshake phase is hidden). This make easier to move non DTLS UDP code to DTLS. |
@jvermillard yes, I agree. Attaching the context can be easy API-wise: var dtls = require('dtls')
var socket = dtls.createSocket()
var context = dtls.createContext(url) // or socket.createContext(url)
dtls.send(new Buffer('mybuf'), context, (err) => console.log('err', err)) const dtls = require('dtls');
const server = dtls.createSocket('udp4', {
key: mykey,
cert: mycert
});
server.on('error', (err) => {
console.log(`server error:\n${err.stack}`);
server.close();
});
server.on('message', (msg, rinfo) => {
server.send(msg, rinfo, () => console.log('reply sent'))
});
server.on('listening', () => {
var address = server.address();
console.log(`server listening ${address.address}:${address.port}`);
});
server.bind(41234); |
Nice! I just found this thread. Sounds like the general consensus is that DTLS is a reasonable addition to node core. Excellent! It's required for IoT and WebRTC use cases, it's super difficult to do in user-land, and it's already implemented in OpenSSL so it just needs to be exposed via a JavaScript API. What are the next steps? Sounds like someone should take the old PR and rebase it onto I'm happy to help with testing, code review, however I can. |
@mcollina You don't need any special linker flags, the challenge is the include path for openssl's headers. They're in a different location when you build against a node source tree vs. the headers tarball that node-gyp downloads. I don't think that's currently documented. @eljefedelrodeodeljefe Thank you. :) What I mean is, the module can live under the nodejs GitHub organization and be published by the Node.js Foundation. That will give it the veneer of officialness and trustworthiness that you want, but it will be much easier to prototype and iterate on than if it was in core out of the gate. |
@bnoordhuis sounds good to me. Thx for clarifying. |
Should this remain open? |
Yes. It is still a major lack in Node.js. |
Is this something recent additions to libuv might be helpful with. E.g. |
It could, it would make it useful to a larger audience, but you'd still need some glue code for node.js. |
@eljefedelrodeodeljefe @bnoordhuis can you add a link? |
@mcollina https://github.com/libuv/libuv-extras - the idea is to have a place for things that can be layered on top of libuv but don't belong in libuv proper (like TLS / DTLS; a C cluster implementation would be another example.) Not much in there yet, though. |
@bnoordhuis yeah, I see that. I do not think there is anything we can use here, or maybe I am mistaken. |
dragging in @saghul. Context: Whether it would be interesting to have DTLS in libuv-extras to enable Node community easy access. |
The main issue remains the API, who can drive the discussion in order to get the right API for node (Stream, TLS, UDP) and libuv you can close the thread |
I am happy to join a biweekly team, if someone has time to put into the implementation. |
I'm happy to participate in discussions or code review, but I'm afraid I won't be able to contribute code myself. Agreed with Ben, libuv-extras seems like the right place for it. |
Would absolutely love to see this happen. I think it would help a lot since IoT is becoming very popular, especially in connection with Node.js. |
It's time for DTLS !!! @saghul you have a project but seems to be empty: https://github.com/libuv/libuv-extras |
@migounette Creating the source and header files, together with a simple Makefile should be enough to get the ball rolling. We'll see where we go from there :-) (I've been afk for some time, so I don't know if any decisions have been made regarding the extras repo in the mean time.) |
Few month ago i`m started working on pure js dtls implementation. Here is my experimental work: |
Hello everyone. Needing to bridge this gap ASAP we at Krekeltronics have looked for a solution. The best we have found so far is Spark's module for inclusion of mbedtls library into node. Since we did not get the impression that there was any maintaining or further development going on in that repo or in others downstream, we have decided to take on further developing the module. We would appreciate any input you may have toward getting this code production ready. Feel free to comment on the roadmap and the tickets, help us test the code or submit pull requests. Take a look at the project: https://github.com/krekeltronics/node-mbed-dtls |
Closing due to lack of activity |
Has this been implemented? Isn't it considered as an option to add it to the core? |
@jasnell @mcollina @bnoordhuis @saghul is there any chance of reopening this? DTLS continues to be a missing piece to secure IoT |
I am eager to pariticapte to DTLS implementation I have a native implementation of DTLS on top of nodejs 10 (NAPI) for our WebRTC product DTLS (UDP) uses 80% of TLS code and it requires only a few hooks in order to support key exchange (such as https://tools.ietf.org/html/rfc5764) LibUV/No LibUV, in Core/No Core.... pushing our work to community will be great just let us know where to push it and how we can discuss API changes, impacts and documentation. The real question, we have stuff to push but we need some to lead the job in order to take decisions where it can be put. My 2 cents |
@migounette It would be good if you could issue a PR adding DTLS to Node Core. Why would you need changes in libuv? |
Wow @migounette ! It would be amazing if you could create a PR with DTLS |
@migounette I think that the official guide "Contributing a new API to N-API" can provide some guidance |
There's been an ongoing, unresolved discussion around adding DTLS support to joyent/node.
The original PR (nodejs/node-v0.x-archive#6704) is not going to be able to land and needs to continue here. Discussion also happening here: nodejs/node-v0.x-archive#25354. I am closing the original PR but want to make sure the conversation is not lost.
@indutny @rgillan @natbro @migounette
The text was updated successfully, but these errors were encountered: