-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LWM2M: DTLS session resumption in practice #25935
Comments
To try out my theory, I made a hack to close and reopen sockets like this: loopshore/sdk-zephyr@a35f03c In server side pcaps I can see ALERT from device and then client hello + resumption + payload. I guess that is as lean as it can get with these protocols. |
Hi @JusbeR, IMO a socket that can no longer use the original port number should return an error and not silently modify it. That would trigger a proper re-registration procedure, instead of sending a Register Update and wating for CoAP to time-out. What do we need a full registration I've explained before. If we don't bother about observations, we could probably introduce some simplified procedure to re-open a socket w/o re-registration, just a as you did. |
I remember reading from somewhere(maybe califonium repo) that COAP observation/notifications/whaever-they-are-called are specified to be only valid inside "epoch" and "epoch" is started from scratch always when DTLS connection is resumed. This will effectively make observations not working in real life just as you said. I believe this is fundamental specification bug and I have no idea how to fix it without changing the specs. Personally, I decided to just not even try to make anything on top of notifications.
The problem here is that socket has absolutely no idea if it uses the same port or not. It is up to the operator NAT rules and application can only quess or indirectly detect/test how long it has the same port. Edit: It was this https://github.com/eclipse/leshan/wiki/LWM2M-Observe#for-dtls |
Thanks for the link. While they seem to relax this for DTLS in Leshan, the default for UDP is still "strict" matching (so change in a port number invalidates the observation). Good to know you can relax this requirement if you put your own server instance up.
Indeed, after educating myself a bit more about the NAT rules in cellular networks, they don't seem to be very user-friendly. To be honest, for now I don't see a clean way how such NAT timeouts could be handled. As a workaround, your proposal looks fine. But probably for a proper fix we would need to look into DTLS Connection ID extension (already proposed in #23424). This should help to maintain DTLS session even after IP/port values change. I understand though that since you use bsdlib, it should be first added there. |
Yes, this is the issue. The modem has no indication that the IP address and port have changed. |
@JusbeR This looks good, and is similar to a hack I used for a demo a few months ago, before any session resumption was available. I need to try this. |
Anything but decoupling DTLS session from ip/port will be an insufficient solution IMO. Check out the RFC for "DTLS connection id" - last I checked it was still in draft stage but both mbedTLS and Leshan had implemented it in later versions I believe. With session IDs, the session epoch won't be reset, the ip/port will be irrelevant and everything will be beautiful. https://datatracker.ietf.org/doc/draft-ietf-tls-dtls-connection-id/ |
I've submitted a draft PR with DTLS Connection ID socket option, see #36738. I think however that we should postpone the integration of this feature until some problems on the mbed TLS side are resolved (see the PR, where I've described in a more detail the issues I've faced). There are no LwM2M changes yet that'd utilize this new option, it should be pretty straightforward to add though (just a single |
DTLS session resumption on QUEUE mode have been fixed already: #45065 DTLS connection ID is (I belive) not yet supported. |
@SeppoTakalo Do you have plans to implement Connection ID in upstream Zephyr for LWM2M? |
@carlescufi I did not have a plan, but then I just enabled it in Interoperability test, and it just works. CID support is enabled in Zephyr when MbedTLS stack is used. zephyr/tests/net/lib/lwm2m/interop/src/lwm2m-client.c Lines 64 to 77 in 1506a43
Maybe I can create a PR to set that option on in the LwM2M client, |
Thank you @SeppoTakalo! |
Is your enhancement proposal related to a problem? Please describe.
It is impossible to do low power app with NB-IoT radio and zephyr LWM2M protocol stack
OMA spec says that
In practice, using NB-IoT radio technology it looks like this NAT bindings are released in 60s(Tested with 2 Finnish operators)
Now, I could be wrong, but here is what I think that happens when using Nordic NRF91 + offloaded sockets and UDP+DTLS+COAP+LWM2M stack. pcap attached
ip_port_changes_90s.zip
Describe the solution you'd like
There should be a way to configure the
may have been released
time to LWM2M stack or somekind of API to to inform the stack about this. LWM2M should then close the socket and reopen to cause DTSL resumption to kick in, while still keeping the lwm2m context alive.Describe alternatives you've considered
Additional context
Issue when I was still accusing DTLS
The text was updated successfully, but these errors were encountered: