| RFC 9147 | DTLS 1.3 | April 2022 |
| Rescorla, et al. | Standards Track | [Page] |
This document specifies version 1.3 of the Datagram Transport Layer Security(DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over theInternet in a way that is designed to prevent eavesdropping, tampering, and messageforgery.¶
The DTLS 1.3 protocol is based on the Transport Layer Security (TLS)1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.¶
This document obsoletes RFC 6347.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9147.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.¶
The primary goal of the TLS protocol is to establish an authenticated,confidentiality- and integrity-protected channel between two communicating peers.The TLS protocol is composed of two layers:the TLS record protocol and the TLS handshake protocol. However, TLS mustrun over a reliable transport channel -- typically TCP[RFC0793].¶
There are applications that use UDP[RFC0768] as a transportand the Datagram Transport LayerSecurity (DTLS) protocol has been developed to offer communication security protectionfor those applications. DTLS is deliberately designed to beas similar to TLS as possible, both to minimize new security invention and tomaximize the amount of code and infrastructure reuse.¶
DTLS 1.0[RFC4347] was originally defined as a delta from TLS 1.1[RFC4346], andDTLS 1.2[RFC6347] was defined as a series of deltas to TLS 1.2[RFC5246]. Thereis no DTLS 1.1; that version number was skipped in order to harmonize version numberswith TLS. This specification describes the most current version of the DTLS protocolas a delta from TLS 1.3[TLS13]. It obsoletes DTLS 1.2.¶
Implementations that speak both DTLS 1.2 and DTLS 1.3 can interoperate with thosethat speak only DTLS 1.2 (using DTLS 1.2 of course), just as TLS 1.3 implementationscan interoperate with TLS 1.2 (seeAppendix D of [TLS13] for details).While backwards compatibility with DTLS 1.0 is possible, the use of DTLS 1.0 is notrecommended, as explained inSection 3.1.2 of [RFC7525].[DEPRECATE] forbids the use of DTLS 1.0.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The following terms are used:¶
The reader is assumed to be familiar with[TLS13].As in TLS 1.3, the HelloRetryRequest has the same format as a ServerHellomessage, but for convenience we use the term HelloRetryRequest throughoutthis document as if it were a distinct message.¶
DTLS 1.3 uses network byte order (big-endian) format for encoding messagesbased on the encoding format defined in[TLS13] and earlier (D)TLS specifications.¶
The reader is also assumed to be familiar with[RFC9146],as this document applies the CID functionality to DTLS 1.3.¶
Figures in this document illustrate various combinations of the DTLS protocol exchanges, and the symbols have the following meaning:¶
The basic design philosophy of DTLS is to construct "TLS over datagram transport".Datagram transport neither requires nor provides reliable or in-order delivery of data.The DTLS protocol preserves this property for application data.Applications such as media streaming, Internet telephony, and online gaming usedatagram transport for communication due to the delay-sensitive natureof transported data. The behavior of such applications is unchanged when theDTLS protocol is used to secure communication, since the DTLS protocoldoes not compensate for lost or reordered data traffic. Note that whilelow-latency streaming and gaming use DTLS to protect data (e.g., forprotection of a WebRTC data channel), telephony utilizes DTLS forkey establishment and the Secure Real-time Transport Protocol (SRTP) forprotection of data[RFC5763].¶
TLS cannot be used directly over datagram transports for the following four reasons:¶
DTLS uses a simple retransmission timer to handle packet loss.Figure 1 demonstrates the basic concept, using the firstphase of the DTLS handshake:¶
Client Server ------ ------ ClientHello ------> X<-- HelloRetryRequest (lost) [Timer Expires] ClientHello ------> (retransmit)
Once the client has transmitted the ClientHello message, it expectsto see a HelloRetryRequest or a ServerHello from the server. However, if thetimer expires, the client knows that either theClientHello or the response from the server has been lost, whichcauses the clientto retransmit the ClientHello. When the server receives the retransmission,it knows to retransmit its HelloRetryRequest or ServerHello.¶
The server also maintains a retransmission timer for messages itsends (other than HelloRetryRequest) and retransmits when that timer expires. Notapplying retransmissions to the HelloRetryRequest avoids the need tocreate state on the server. The HelloRetryRequest is designed to besmall enough that it will not itself be fragmented, thus avoidingconcerns about interleaving multiple HelloRetryRequests.¶
For more detail on timeouts and retransmission,seeSection 5.8.¶
In DTLS, each handshake message is assigned a specific sequencenumber. When a peer receives a handshakemessage, it can quickly determine whether that message is the nextmessage it expects. If it is, then it processes it. If not, itqueues it for future handling once all previous messages have beenreceived.¶
TLS and DTLS handshake messages can be quite large (in theory up to2^24-1 bytes, in practice many kilobytes). By contrast, UDPdatagrams are often limited to less than 1500 bytes if IP fragmentation is notdesired. In order to compensate for this limitation, each DTLShandshake message may be fragmented over several DTLS records, eachof which is intended to fit in a single UDP datagram(seeSection 4.4 for guidance). Each DTLShandshake message contains both a fragment offset and a fragmentlength. Thus, a recipient in possession of all bytes of a handshakemessage can reassemble the original unfragmented message.¶
DTLS optionally supports record replay detection. The technique usedis the same as in IPsec AH/ESP, by maintaining a bitmap window ofreceived records. Records that are too old to fit in the window andrecords that have previously been received are silently discarded.The replay detection feature is optional, since packet duplication isnot always malicious but can also occur due to routing errors.Applications may conceivably detect duplicate packets and accordinglymodify their data transmission strategy.¶
The DTLS 1.3 record layer is different from the TLS 1.3 record layer andalso different from the DTLS 1.2 record layer.¶
DTLSPlaintext records are used to send unprotected records and DTLSCiphertextrecords are used to send protected records.¶
The DTLS record formats are shown below. Unless explicitly stated themeaning of the fields is unchanged from previous TLS/DTLS versions.¶
struct { ContentType type; ProtocolVersion legacy_record_version; uint16 epoch = 0 uint48 sequence_number; uint16 length; opaque fragment[DTLSPlaintext.length]; } DTLSPlaintext; struct { opaque content[DTLSPlaintext.length]; ContentType type; uint8 zeros[length_of_padding]; } DTLSInnerPlaintext; struct { opaque unified_hdr[variable]; opaque encrypted_record[length]; } DTLSCiphertext;0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ |0|0|1|C|S|L|E E| +-+-+-+-+-+-+-+-+ | Connection ID | Legend: | (if any, | / length as / C - Connection ID (CID) present | negotiated) | S - Sequence number length +-+-+-+-+-+-+-+-+ L - Length present | 8 or 16 bit | E - Epoch |Sequence Number| +-+-+-+-+-+-+-+-+ | 16 bit Length | | (if present) | +-+-+-+-+-+-+-+-+
As with previous versions of DTLS, multiple DTLSPlaintextand DTLSCiphertext records can be included in the sameunderlying transport datagram.¶
Figure 4 illustrates different record headers.¶
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+| Content Type | |0|0|1|1|1|1|E E| |0|0|1|0|0|0|E E|+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+| 16 bit | | | |8 bit Seq. No. || Version | / Connection ID / +-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+ | | | || 16 bit | +-+-+-+-+-+-+-+-+ | Encrypted || Epoch | | 16 bit | / Record /+-+-+-+-+-+-+-+-+ |Sequence Number| | || | +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+| | | 16 bit || 48 bit | | Length | DTLSCiphertext|Sequence Number| +-+-+-+-+-+-+-+-+ Structure| | | | (minimal)| | | Encrypted |+-+-+-+-+-+-+-+-+ / Record /| 16 bit | | || Length | +-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+| | DTLSCiphertext| | Structure/ Fragment / (full)| |+-+-+-+-+-+-+-+-+ DTLSPlaintext Structure
The length fieldMAY be omitted by clearing the L bit, which means that therecord consumes the entire rest of the datagram in the lowerlevel transport. In this case, it is not possible to have multipleDTLSCiphertext format records without length fields in the same datagram.Omitting the length fieldMUST only be used for the last record in adatagram. ImplementationsMAY mix records with and without lengthfields on the same connection.¶
If a Connection ID is negotiated, then itMUST be contained in alldatagrams. Sending implementationsMUST NOT mix records from multiple DTLS associationsin the same datagram. If the second or later record has a connectionID which does not correspond to the same association usedfor previous records, the rest of the datagramMUST be discarded.¶
When expanded, the epoch and sequence number can be combined into anunpacked RecordNumber structure, as shown below:¶
struct { uint64 epoch; uint64 sequence_number; } RecordNumber;¶This 128-bit value is used in the ACK message as well as in the "record_sequence_number"input to the Authenticated Encryption with Associated Data (AEAD) function. The entire header value shown inFigure 4 (but prior to record numberencryption; seeSection 4.2.3) is used as the additional data value for the AEADfunction. For instance, if the minimal variant is used,the Associated Data (AD) is 2 octets long. Note that this design is different from the additional datacalculation for DTLS 1.2 and for DTLS 1.2 with Connection IDs.In DTLS 1.3 the 64-bit sequence_number is used as the sequence number forthe AEAD computation; unlike DTLS 1.2, the epoch is not included.¶
DTLS 1.3's header format is more complicated to demux thanDTLS 1.2, which always carried the content type as the firstbyte. As described inFigure 5, the first byte determines how an incomingDTLS record is demultiplexed. The first 3 bits of the first bytedistinguish a DTLS 1.3 encrypted record from record types used inprevious DTLS versions and plaintext DTLS 1.3 record types. Hence, therange 32 (0b0010 0000) to 63 (0b0011 1111) needs to be excludedfrom future allocations by IANA to avoid problems while demultiplexing;seeSection 14.Implementations can demultiplex DTLS 1.3 recordsby examining the first byte as follows:¶
Figure 5 shows this demultiplexing procedure graphically,taking DTLS 1.3 and earlier versions of DTLS into account.¶
+----------------+ | Outer Content | | Type (OCT) | | | | OCT == 20 -+--> ChangeCipherSpec (DTLS <1.3) | OCT == 21 -+--> Alert (Plaintext) | OCT == 22 -+--> DTLSHandshake (Plaintext) | OCT == 23 -+--> Application Data (DTLS <1.3) | OCT == 24 -+--> Heartbeat (DTLS <1.3)packet --> | OCT == 25 -+--> DTLSCiphertext with CID (DTLS 1.2) | OCT == 26 -+--> ACK (DTLS 1.3, Plaintext) | | | | /+----------------+\ | 31 < OCT < 64 -+--> |DTLSCiphertext | | | |(header bits | | else | | start with 001)| | | | /+-------+--------+\ +-------+--------+ | | | v Decryption | +---------+ +------+ | Reject | | +---------+ v +----------------+ | Decrypted | | Content Type | | (DCT) | | | | DCT == 21 -+--> Alert | DCT == 22 -+--> DTLSHandshake | DCT == 23 -+--> Application Data | DCT == 24 -+--> Heartbeat | DCT == 26 -+--> ACK | else ------+--> Error +----------------+
DTLS uses an explicit or partly explicit sequence number, rather than an implicit one,carried in the sequence_number field of the record. Sequence numbersare maintained separately for each epoch, with each sequence_numberinitially being 0 for each epoch.¶
The epoch number is initially zero and is incremented each timekeying material changes and a sender aims to rekey. More detailsare provided inSection 6.1.¶
Because DTLS records could be reordered, a record from epochM may be received after epoch N (where N > M) has begun.ImplementationsSHOULD discard records from earlier epochs butMAY choose toretain keying material from previous epochs for up to the default MSLspecified for TCP[RFC0793] to allow for packet reordering. (Note thatthe intention here is that implementers use the current guidance fromthe IETF for MSL, as specified in[RFC0793] or successors,not that they attempt to interrogate the MSL thatthe system TCP stack is using.)¶
Conversely, it is possible for records that are protected with thenew epoch to be received prior to the completion of ahandshake. For instance, the server may send its Finished messageand then start transmitting data. ImplementationsMAY either bufferor discard such records, though when DTLS is used over reliabletransports (e.g., SCTP[RFC4960]), theySHOULD be buffered andprocessed once the handshake completes. Note that TLS's restrictionson when records may be sent still apply, and the receiver treats therecords as if they were sent in the right order.¶
ImplementationsMUST send retransmissions of lost messages using the sameepoch and keying material as the original transmission.¶
ImplementationsMUST either abandon an association or rekey prior toallowing the sequence number to wrap.¶
ImplementationsMUST NOT allow the epoch to wrap, but insteadMUSTestablish a new association, terminating the old association.¶
When receiving protected DTLS records, the recipient does nothave a full epoch or sequence number value in the record and so there is someopportunity for ambiguity. Because the full sequence numberis used to compute the per-record nonce and the epoch determinesthe keys, failure to reconstruct thesevalues leads to failure to deprotect the record, and so implementationsMAY use a mechanism of their choice to determine the full values.This section provides an algorithm which is comparatively simpleand which implementations areRECOMMENDED to follow.¶
If the epoch bits match those of the current epoch, thenimplementationsSHOULD reconstruct the sequence number by computingthe full sequence number which is numerically closest to one plus thesequence number of the highest successfully deprotected record in thecurrent epoch.¶
During the handshake phase, the epoch bits unambiguously indicate thecorrect key to use. After thehandshake is complete, if the epoch bits do not match those from thecurrent epoch, implementationsSHOULD use the most recent past epochwhich has matching bits, and then reconstruct the sequence number forthat epoch as described above.¶
In DTLS 1.3, when records are encrypted, record sequence numbers arealso encrypted. The basic pattern is that the underlying encryptionalgorithm used with the AEAD algorithm is used to generate a maskwhich is then XORed with the sequence number.¶
When the AEAD is based on AES, then the mask is generated bycomputing AES-ECB on the first 16 bytes of the ciphertext:¶
Mask = AES-ECB(sn_key, Ciphertext[0..15])¶
When the AEAD is based on ChaCha20, then the mask is generatedby treating the first 4 bytes of the ciphertext as the blockcounter and the next 12 bytes as the nonce, passing them to the ChaCha20block function (Section 2.3 of [CHACHA]):¶
Mask = ChaCha20(sn_key, Ciphertext[0..3], Ciphertext[4..15])¶
The sn_key is computed as follows:¶
[sender]_sn_key = HKDF-Expand-Label(Secret, "sn", "", key_length)¶
[sender] denotes the sending side. The per-epoch Secret value to be used is describedinSection 7.3 of [TLS13]. Note that a new key is used for each epoch: because the epoch is sent in the clear, this does not result in ambiguity.¶
The encrypted sequence number is computed by XORing the leadingbytes of the mask with the on-the-wire representation of thesequence number. Decryption is accomplished by the same process.¶
This procedure requires the ciphertext length to be at least 16 bytes. ReceiversMUST reject shorter records as if they had failed deprotection, as described inSection 4.5.2. SendersMUST pad short plaintexts out (using theconventional record padding mechanism) in order to make a suitable-lengthciphertext. Note that most of the DTLS AEAD algorithms have a 16 byte authenticationtag and need no padding. However, some algorithms, such asTLS_AES_128_CCM_8_SHA256, have a shorter authentication tag and may require paddingfor short inputs.¶
Future cipher suites, which are not based on AES or ChaCha20,MUST definetheir own record sequence number encryption in order to be used withDTLS.¶
Note that sequence number encryption is only applied to the DTLSCiphertextstructure and not to the DTLSPlaintext structure, even though it also contains asequence number.¶
DTLS messagesMAY be fragmented into multiple DTLS records.Each DTLS recordMUST fit within a single datagram. In order toavoid IP fragmentation, clients of the DTLS record layerSHOULDattempt to size records so that they fit within any Path MTU (PMTU) estimatesobtained from the record layer. For more information about PMTU issues,seeSection 4.4.¶
Multiple DTLS recordsMAY be placed in a single datagram. Records are encodedconsecutively. The length field from DTLS records containing that field can beused to determine the boundaries between records. The final record in adatagram can omit the length field. The first byte of the datagram payloadMUSTbe the beginning of a record. RecordsMUST NOT span datagrams.¶
DTLS records without CIDs do not contain any associationidentifiers, and applications must arrange to multiplex between associations.With UDP, the host/port number is used to look up the appropriate securityassociation for incoming records without CIDs.¶
Some transports, such as DCCP[RFC4340], provide their own sequencenumbers. When carried over those transports, both the DTLS and thetransport sequence numbers will be present. Although this introducesa small amount of inefficiency, the transport layer and DTLS sequencenumbers serve different purposes; therefore, for conceptual simplicity,it is superior to use both sequence numbers.¶
Some transports provide congestion control for trafficcarried over them. If the congestion window is sufficiently narrow,DTLS handshake retransmissions may be held rather than transmittedimmediately, potentially leading to timeouts and spuriousretransmission. When DTLS is used over such transports, care shouldbe taken not to overrun the likely congestion window.[RFC5238]defines a mapping of DTLS to DCCP that takes these issues into account.¶
In general, DTLS's philosophy is to leave PMTU discovery to the application.However, DTLS cannot completely ignore the PMTU for three reasons:¶
In order to deal with the first two issues, the DTLS record layerSHOULD behave as described below.¶
If PMTU estimates are available from the underlying transportprotocol, they should be made available to upper layerprotocols. In particular:¶
The DTLS record layerSHOULD also allow the upper layer protocol todiscover the amount of record expansion expected by the DTLSprocessing; alternately, itMAY report PMTU estimates minus theestimated expansion from the transport layer and DTLS recordframing.¶
Note that DTLS does not defend against spoofed ICMP messages;implementationsSHOULD ignore any such messages that indicatePMTUs below the IPv4 and IPv6 minimums of 576 and 1280 bytes,respectively.¶
If there is a transport protocol indication that the PMTU was exceeded(either via ICMP or via arefusal to send the datagram as inSection 14 of [RFC4340]), then theDTLS record layerMUST inform the upper layer protocol of the error.¶
The DTLS record layerSHOULD NOT interfere with upper layer protocolsperforming PMTU discovery, whether via[RFC1191] and[RFC4821] forIPv4 or via[RFC8201] for IPv6. In particular:¶
The final issue is the DTLS handshake protocol. From the perspectiveof the DTLS record layer, this is merely another upper layerprotocol. However, DTLS handshakes occur infrequently and involveonly a few round trips; therefore, the handshake protocol PMTUhandling places a premium on rapid completion over accurate PMTUdiscovery. In order to allow connections under these circumstances,DTLS implementationsSHOULD follow the following rules:¶
Like TLS, DTLS transmits data as a series of protected records. Therest of this section describes the details of that format.¶
Each DTLS record contains a sequence number to provide replay protection.Sequence number verificationSHOULD be performed using the followingsliding window procedure, borrowed fromSection 3.4.3 of [RFC4303].Because each epoch resets the sequence number space, a separate slidingwindow is needed for each epoch.¶
The received record counter for an epochMUST be initialized tozero when that epoch is first used. For each received record, thereceiverMUST verify that the record contains a sequence number thatdoes not duplicate the sequence number of any other record receivedin that epoch during the lifetime of the association.This checkSHOULD happen afterdeprotecting the record; otherwise, the record discard might itselfserve as a timing channel for the record number. Note that computingthe full record number from the partial is still a potential timingchannel for the record number, though a less powerful one than whetherthe record was deprotected.¶
Duplicates are rejected through the use of a sliding receive window.(How the window is implemented is a local matter, but the followingtext describes the functionality that the implementation mustexhibit.) The receiverSHOULD pick a window large enough to handleany plausible reordering, which depends on the data rate.(The receiver does not notify the sender of the windowsize.)¶
The "right" edge of the window represents the highest validatedsequence number value received in the epoch. Records that containsequence numbers lower than the "left" edge of the window arerejected. Records falling within the window are checked against alist of received records within the window. An efficient means forperforming this check, based on the use of a bit mask, is described inSection 3.4.3 of [RFC4303]. If the received record falls within thewindow and is new, or if the record is to the right of the window,then the record is new.¶
The windowMUST NOT be updated due to a received record until that record has been deprotectedsuccessfully.¶
Unlike TLS, DTLS is resilient in the face of invalid records (e.g.,invalid formatting, length, MAC, etc.). In general, invalid recordsSHOULD be silently discarded, thus preserving the association;however, an errorMAY be logged for diagnostic purposes.Implementations which choose to generate an alert insteadMUSTgenerate fatal alerts to avoid attacks where the attackerrepeatedly probes the implementation to see how it responds tovarious types of error. Note that if DTLS is run over UDP, then anyimplementation which does this will be extremely susceptible toDoS attacks because UDP forgery is so easy.Thus, generating fatal alerts isNOT RECOMMENDED for such transports, bothto increase the reliability of DTLS service and to avoid the riskof spoofing attacks sending traffic to unrelated third parties.¶
If DTLS is being carried over a transport that is resistant toforgery (e.g., SCTP with SCTP-AUTH), then it is safer to send alertsbecause an attacker will have difficulty forging a datagram that willnot be rejected by the transport layer.¶
Note that because invalid records are rejected at a layer lower thanthe handshake state machine, they do not affect pendingretransmission timers.¶
Section 5.5 of [TLS13] defines limits on the number of records that canbe protected using the same keys. These limits are specific to an AEADalgorithm and apply equally to DTLS. ImplementationsSHOULD NOT protect morerecords than allowed by the limit specified for the negotiated AEAD.ImplementationsSHOULD initiate a key update before reaching this limit.¶
[TLS13] does not specify a limit for AEAD_AES_128_CCM, but the analysis inAppendix B shows that a limit of 2^23 packets can be used to obtain thesame confidentiality protection as the limits specified in TLS.¶
The usage limits defined in TLS 1.3 exist for protection against attackson confidentiality and apply to successful applications of AEAD protection. Theintegrity protections in authenticated encryption also depend on limiting thenumber of attempts to forge packets. TLS achieves this by closing connectionsafter any record fails an authentication check. In comparison, DTLS ignores anypacket that cannot be authenticated, allowing multiple forgery attempts.¶
ImplementationsMUST count the number of received packets that failauthentication with each key. If the number of packets that fail authenticationexceeds a limit that is specific to the AEAD in use, an implementationSHOULDimmediately close the connection. ImplementationsSHOULD initiate a key updatewith update_requested before reaching this limit. Once a key update has beeninitiated, the previous keys can be dropped when the limit is reached ratherthan closing the connection. Applying a limit reduces the probability that anattacker is able to successfully forge a packet; see[AEBounds] and[ROBUST].¶
For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305, the limiton the number of records that fail authentication is 2^36. Note that theanalysis in[AEBounds] supports a higher limit for AEAD_AES_128_GCM andAEAD_AES_256_GCM, but this specification recommends a lower limit. ForAEAD_AES_128_CCM, the limit on the number of records that fail authenticationis 2^23.5; seeAppendix B.¶
The AEAD_AES_128_CCM_8 AEAD, as used in TLS_AES_128_CCM_8_SHA256, does not have alimit on the number of records that fail authentication that both limits theprobability of forgery by the same amount and does not expose implementationsto the risk of denial of service; seeAppendix B.3. Therefore,TLS_AES_128_CCM_8_SHA256MUST NOT be used in DTLS without additional safeguardsagainst forgery. ImplementationsMUST set usage limits for AEAD_AES_128_CCM_8based on an understanding of any additional forgery protections that are used.¶
Any TLS cipher suite that is specified for use with DTLSMUST define limits onthe use of the associated AEAD function that preserves margins for bothconfidentiality and integrity. That is, limitsMUST be specified for the numberof packets that can be authenticated and for the number of packets that can failauthentication before a key update is required. Providing a reference to any analysis upon which values arebased -- and any assumptions used in that analysis -- allows limits to be adaptedto varying usage conditions.¶
DTLS 1.3 reuses the TLS 1.3 handshake messages and flows, withthe following changes:¶
In addition, DTLS reuses TLS 1.3's "cookie" extension to provide a return-routabilitycheck as part of connection establishment. This is an important DoSprevention mechanism for UDP-based protocols, unlike TCP-based protocols, for whichTCP establishes return-routability as part of the connection establishment.¶
DTLS implementations do not use the TLS 1.3 "compatibility mode" described inAppendix D.4 of [TLS13]. DTLS serversMUST NOT echo the"legacy_session_id" value from the client and endpointsMUST NOT send ChangeCipherSpecmessages.¶
With these exceptions, the DTLS message formats, flows, and logic arethe same as those of TLS 1.3.¶
Datagram security protocols are extremely susceptible to a variety ofDoS attacks. Two attacks are of particular concern:¶
In order to counter both of these attacks, DTLS borrows the statelesscookie technique used by Photuris[RFC2522] and IKE[RFC7296]. Whenthe client sends its ClientHello message to the server, the serverMAY respond with a HelloRetryRequest message. The HelloRetryRequest message,as well as the "cookie" extension, is defined in TLS 1.3.The HelloRetryRequest message contains a stateless cookie (see[TLS13],Section 4.2.2).The clientMUST send a new ClientHellowith the cookie added as an extension. The server then verifies the cookieand proceeds with the handshake only if it is valid. This mechanism forcesthe attacker/client to be able to receive the cookie, which makes DoS attackswith spoofed IP addresses difficult. This mechanism does not provide any defenseagainst DoS attacks mounted from valid IP addresses.¶
The DTLS 1.3 specification changes how cookies are exchangedcompared to DTLS 1.2. DTLS 1.3 reuses the HelloRetryRequest messageand conveys the cookie to the client via an extension. The clientreceiving the cookie uses the same extension to placethe cookie subsequently into a ClientHello message.DTLS 1.2, on the other hand, used a separate message, namely the HelloVerifyRequest,to pass a cookie to the client and did not utilize the extension mechanism.For backwards compatibility reasons, the cookie field in the ClientHellois present in DTLS 1.3 but is ignored by a DTLS 1.3-compliant serverimplementation.¶
The exchange is shown inFigure 6. Note thatthe figure focuses on the cookie exchange; all other extensionsare omitted.¶
Client Server ------ ------ ClientHello ------> <----- HelloRetryRequest + cookie ClientHello ------> + cookie [Rest of handshake]
The "cookie" extension is defined inSection 4.2.2 of [TLS13]. When sending theinitial ClientHello, the client does not have a cookie yet. In this case,the "cookie" extension is omitted and the legacy_cookie field in the ClientHellomessageMUST be set to a zero-length vector (i.e., a zero-valued single byte length field).¶
When responding to a HelloRetryRequest, the clientMUST create a newClientHello message following the description inSection 4.1.2 of [TLS13].¶
If the HelloRetryRequest message is used, the initial ClientHello andthe HelloRetryRequest are included in the calculation of thetranscript hash. The computation of themessage hash for the HelloRetryRequest is done according to the descriptioninSection 4.4.1 of [TLS13].¶
The handshake transcript is not reset with the second ClientHello,and a stateless server-cookie implementation requires the content or hashof the initial ClientHello (and HelloRetryRequest)to be stored in the cookie. The initial ClientHello is included in thehandshake transcript as a synthetic "message_hash" message, so only the hashvalue is needed for the handshake to complete, though the completeHelloRetryRequest contents are needed.¶
When the second ClientHello is received, the server can verify thatthe cookie is valid and that the client can receive packets at thegiven IP address. If the client's apparent IP address is embeddedin the cookie, this prevents an attacker from generating an acceptableClientHello apparently from another user.¶
One potential attack on this scheme is for the attacker to collect anumber of cookies from different addresses where it controls endpointsand then reuse them to attack the server.The server can defend against this attack bychanging the secret value frequently, thus invalidating thosecookies. If the server wishes to allow legitimate clients tohandshake through the transition (e.g., a client received a cookie withSecret 1 and then sent the second ClientHello after the server haschanged to Secret 2), the server can have a limited window duringwhich it accepts both secrets.[RFC7296] suggests adding a keyidentifier to cookies to detect this case. An alternative approach issimply to try verifying with both secrets. It isRECOMMENDED thatservers implement a key rotation scheme that allows the serverto manage keys with overlapping lifetimes.¶
Alternatively, the server can store timestamps in the cookie andreject cookies that were generated outside a certaininterval of time.¶
DTLS serversSHOULD perform a cookie exchange whenever a newhandshake is being performed. If the server is being operated in anenvironment where amplification is not a problem, e.g., whereICE[RFC8445] has been used to establish bidirectional connectivity,the serverMAY beconfigured not to perform a cookie exchange. The defaultSHOULD bethat the exchange is performed, however. In addition, the serverMAYchoose not to do a cookie exchange when a session is resumed or, moregenerically, when the DTLS handshake uses a PSK-based key exchangeand the IP address matches one associated with the PSK.Servers which process 0-RTT requests and send 0.5-RTT responses without a cookie exchange risk being used in an amplification attack if the size of outgoing messages greatly exceeds the size of those that are received.A serverSHOULD limit the amount of data it sends toward a client addressto three times the amount of data sent by the client beforeit verifies that the client is able to receive data at that address.A client address is valid after a cookie exchange or handshake completion.ClientsMUST be prepared to do a cookie exchange with everyhandshake. Note that cookies are only valid for the existinghandshake and cannot be stored for future handshakes.¶
If a server receives a ClientHello with an invalid cookie, itMUST terminate the handshake with an "illegal_parameter" alert.This allows the client to restart the connection fromscratch without a cookie.¶
As described inSection 4.1.4 of [TLS13], clientsMUSTabort the handshake with an "unexpected_message" alert in responseto any second HelloRetryRequest which was sent in the same connection(i.e., where the ClientHello was itself in response to a HelloRetryRequest).¶
DTLS clients which do not want to receive a Connection IDSHOULDstill offer the "connection_id" extension[RFC9146] unlessthere is an application profile to the contrary. This permitsa server which wants to receive a CID to negotiate one.¶
DTLS uses the same Handshake messages as TLS 1.3. However,prior to transmission they are converted to DTLSHandshakemessages, which contain extra data needed to supportmessage loss, reordering, and message fragmentation.¶
enum { client_hello(1), server_hello(2), new_session_ticket(4), end_of_early_data(5), encrypted_extensions(8), request_connection_id(9), /* New */ new_connection_id(10), /* New */ certificate(11), certificate_request(13), certificate_verify(15), finished(20), key_update(24), message_hash(254), (255) } HandshakeType;¶ struct { HandshakeType msg_type; /* handshake type */ uint24 length; /* bytes in message */ uint16 message_seq; /* DTLS-required field */ uint24 fragment_offset; /* DTLS-required field */ uint24 fragment_length; /* DTLS-required field */ select (msg_type) { case client_hello: ClientHello; case server_hello: ServerHello; case end_of_early_data: EndOfEarlyData; case encrypted_extensions: EncryptedExtensions; case certificate_request: CertificateRequest; case certificate: Certificate; case certificate_verify: CertificateVerify; case finished: Finished; case new_session_ticket: NewSessionTicket; case key_update: KeyUpdate; case request_connection_id: RequestConnectionId; case new_connection_id: NewConnectionId; } body; } DTLSHandshake;¶In DTLS 1.3, the message transcript is computed over the originalTLS 1.3-style Handshake messages without the message_seq,fragment_offset, and fragment_length values. Note that this isa change from DTLS 1.2 where those values were includedin the transcript.¶
The first message each side transmits in each association always hasmessage_seq = 0. Whenever a new message is generated, themessage_seq value is incremented by one. When a message isretransmitted, the old message_seq value is reused, i.e., notincremented. From the perspective of the DTLS record layer, the retransmission isa new record. This record will have a newDTLSPlaintext.sequence_number value.¶
Note: In DTLS 1.2, the message_seq was reset to zero in case of arehandshake (i.e., renegotiation). On the surface, a rehandshake in DTLS 1.2shares similarities with a post-handshake message exchange in DTLS 1.3. However,in DTLS 1.3 the message_seq is not reset, to allow distinguishing aretransmission from a previously sent post-handshake message from a newlysent post-handshake message.¶
DTLS implementations maintain (at least notionally) anext_receive_seq counter. This counter is initially set to zero.When a handshake message is received, if its message_seq value matchesnext_receive_seq, next_receive_seq is incremented and the message isprocessed. If the sequence number is less than next_receive_seq, themessageMUST be discarded. If the sequence number is greater thannext_receive_seq, the implementationSHOULD queue the message butMAYdiscard it. (This is a simple space/bandwidth trade-off).¶
In addition to the handshake messages that are deprecated by the TLS 1.3specification, DTLS 1.3 furthermore deprecates the HelloVerifyRequest messageoriginally defined in DTLS 1.0. DTLS 1.3-compliant implementationsMUST NOTuse the HelloVerifyRequest to execute a return-routability check. Adual-stack DTLS 1.2 / DTLS 1.3 clientMUST, however, be prepared tointeract with a DTLS 1.2 server.¶
The format of the ClientHello used by a DTLS 1.3 client differs from theTLS 1.3 ClientHello format, as shown below.¶
uint16 ProtocolVersion; opaque Random[32]; uint8 CipherSuite[2]; /* Cryptographic suite selector */ struct { ProtocolVersion legacy_version = { 254,253 }; // DTLSv1.2 Random random; opaque legacy_session_id<0..32>; opaque legacy_cookie<0..2^8-1>; // DTLS CipherSuite cipher_suites<2..2^16-2>; opaque legacy_compression_methods<1..2^8-1>; Extension extensions<8..2^16-1>; } ClientHello;¶The DTLS 1.3 ServerHello message is the same as the TLS 1.3ServerHello message, except that the legacy_version fieldis set to 0xfefd, indicating DTLS 1.2.¶
As described inSection 4.3, one or more handshakemessages may be carried in a single datagram. However, handshake messages arepotentially bigger than the size allowed by the underlying datagram transport.DTLS provides a mechanism for fragmenting a handshake message over anumber of records, each of which can be transmitted in separate datagrams, thusavoiding IP fragmentation.¶
When transmitting the handshake message, the sender divides themessage into a series of N contiguous data ranges. The rangesMUST NOToverlap. The sender then creates N DTLSHandshake messages, all with thesame message_seq value as the original DTLSHandshake message. Each newmessage is labeled with the fragment_offset (the number of bytescontained in previous fragments) and the fragment_length (the lengthof this fragment). The length field in all messages is the same asthe length field of the original message. An unfragmented message isa degenerate case with fragment_offset=0 and fragment_length=length.Each handshake message fragment that is placed into a recordMUST be delivered in a single UDP datagram.¶
When a DTLS implementation receives a handshake message fragment correspondingto the next expected handshake message sequence number, itMUST process it, either by buffering it until it has the entirehandshake message or by processing any in-order portions of the message.The transcript consists of complete TLS Handshake messages (reassembledas necessary). Note that this requires removing the message_seq,fragment_offset, and fragment_length fields to create the Handshakestructure.¶
DTLSimplementationsMUST be able to handle overlapping fragment ranges.This allows senders to retransmit handshake messages with smallerfragment sizes if the PMTU estimate changes. SendersMUST NOT changehandshake message bytes upon retransmission. ReceiversMAY checkthat retransmitted bytes are identical andSHOULD abort the handshakewith an "illegal_parameter" alert if the value of a byte changes.¶
Note that as with TLS, multiple handshake messages may be placed inthe same DTLS record, provided that there is room and that they arepart of the same flight. Thus, there are two acceptable ways to packtwo DTLS handshake messages into the same datagram: in the same record or inseparate records.¶
The DTLS 1.3 handshake has one important difference from theTLS 1.3 handshake: the EndOfEarlyData message is omitted bothfrom the wire and the handshake transcript. Because DTLSrecords have epochs, EndOfEarlyData is not necessary to determinewhen the early data is complete, and because DTLS is lossy,attackers can trivially mount the deletion attacks that EndOfEarlyDataprevents in TLS. ServersSHOULD NOT accept records from epoch 1 indefinitely once they are able to process records from epoch 3. Though reordering of IP packets can result in records from epoch 1 arriving after records from epoch 3, this is not likely to persist for very long relative to the round trip time. Servers could discard epoch 1 keys after the first epoch 3 data arrives, or retain keys for processing epoch 1 data for a short period.(SeeSection 6.1 for the definitions of each epoch.)¶
DTLS handshake messages are grouped into a series of message flights. A flight starts with thehandshake message transmission of one peer and ends with the expected response from theother peer.Table 1 contains a complete list of message combinations that constitute flights.¶
| Note | Client | Server | Handshake Messages |
|---|---|---|---|
| x | ClientHello | ||
| x | HelloRetryRequest | ||
| x | ServerHello, EncryptedExtensions, CertificateRequest, Certificate, CertificateVerify, Finished | ||
| 1 | x | Certificate, CertificateVerify, Finished | |
| 1 | x | NewSessionTicket |
Remarks:¶
Below are several example message exchanges illustrating the flight concept.The notational conventions from[TLS13] are used.¶
Client Server +--------+ ClientHello | Flight | --------> +--------+ +--------+ <-------- HelloRetryRequest | Flight | + cookie +--------+ +--------+ClientHello | Flight | + cookie --------> +--------+ ServerHello {EncryptedExtensions} +--------+ {CertificateRequest*} | Flight | {Certificate*} +--------+ {CertificateVerify*} {Finished} <-------- [Application Data*] {Certificate*} +--------+ {CertificateVerify*} | Flight | {Finished} --------> +--------+ [Application Data] +--------+ <-------- [ACK] | Flight | [Application Data*] +--------+ [Application Data] <-------> [Application Data] ClientHello +--------+ + pre_shared_key | Flight | + psk_key_exchange_modes +--------+ + key_share* --------> ServerHello + pre_shared_key +--------+ + key_share* | Flight | {EncryptedExtensions} +--------+ <-------- {Finished} [Application Data*] +--------+ {Finished} --------> | Flight | [Application Data*] +--------+ +--------+ <-------- [ACK] | Flight | [Application Data*] +--------+ [Application Data] <-------> [Application Data]Client Server ClientHello + early_data + psk_key_exchange_modes +--------+ + key_share* | Flight | + pre_shared_key +--------+ (Application Data*) --------> ServerHello + pre_shared_key + key_share* +--------+ {EncryptedExtensions} | Flight | {Finished} +--------+ <-------- [Application Data*] +--------+ {Finished} --------> | Flight | [Application Data*] +--------+ +--------+ <-------- [ACK] | Flight | [Application Data*] +--------+ [Application Data] <-------> [Application Data]Client Server +--------+ <-------- [NewSessionTicket] | Flight | +--------+ +--------+[ACK] --------> | Flight | +--------+
KeyUpdate, NewConnectionId, and RequestConnectionId follow a similar patternto NewSessionTicket: a single message sent by one sidefollowed by an ACK by the other.¶
DTLS uses a simple timeout and retransmission scheme with thestate machine shown inFigure 11.¶
+-----------+ | PREPARING | +----------> | | | | | | +-----------+ | | | | Buffer next flight | | | \|/ | +-----------+ | | | | | SENDING |<------------------+ | | | | | +-----------+ | Receive | | | next | | Send flight or partial | flight | | flight | | | | | | Set retransmit timer | | \|/ | | +-----------+ | | | | | +------------| WAITING |-------------------+ | +----->| | Timer expires | | | +-----------+ | | | | | | | | | | | | | | +----------+ | +--------------------+ | Receive record | Read retransmit or ACK Receive | (Maybe Send ACK) | last | | flight | | Receive ACK | | for last flight \|/ | | +-----------+ | | | <---------+ | FINISHED | | | +-----------+ | /|\ | | | | +---+ Server read retransmit Retransmit ACK
The state machine has four basic states: PREPARING, SENDING, WAITING,and FINISHED.¶
In the PREPARING state, the implementation does whatever computationsare necessary to prepare the next flight of messages. It thenbuffers them up for transmission (emptying the transmissionbuffer first) and enters the SENDING state.¶
In the SENDING state, the implementation transmits the bufferedflight of messages. If the implementation has received one or moreACKs (seeSection 7) from the peer, then itSHOULD omit any messages ormessage fragments which have already been acknowledged. Once the messageshave been sent, the implementation then sets a retransmit timerand enters the WAITING state.¶
There are four ways to exit the WAITING state:¶
Because DTLS clients send the first message (ClientHello), they startin the PREPARING state. DTLS servers start in the WAITING state, butwith empty buffers and no retransmit timer.¶
In addition, for at least twice the default MSL defined for[RFC0793],when in the FINISHED state, the serverMUST respond to retransmissionof the client's final flight with a retransmit of its ACK.¶
Note that because of packet loss, it is possible for one side to besending application data even though the other side has not receivedthe first side's Finished message. ImplementationsMUST eitherdiscard or buffer all application data records for epoch 3 andabove until they have received the Finished message from thepeer. ImplementationsMAY treat receipt of application data with a newepoch prior to receipt of the corresponding Finished message asevidence of reordering or packet loss and retransmit their finalflight immediately, shortcutting the retransmission timer.¶
The configuration of timer settings varies with implementations, and certaindeployment environments require timer value adjustments. Mishandlingof the timer can lead to serious congestion problems -- for example, ifmany instances of a DTLS time out early and retransmit too quickly ona congested link.¶
Unless implementations have deployment-specific and/or external information about the round trip time,implementationsSHOULD use an initial timer value of 1000 ms and doublethe value at each retransmission, up to no less than 60 seconds (the maximum as specified inRFC 6298[RFC6298]). Application-specific profilesMAYrecommend shorter or longer timer values. For instance:¶
In settings where there is external information (for instance, from an ICE[RFC8445] handshake, or from previous connections to the same server)about the RTT, implementationsSHOULD use 1.5 times that RTT estimateas the retransmit timer.¶
ImplementationsSHOULD retain the current timer value until amessage is transmitted and acknowledged without having tobe retransmitted, at which time the valueSHOULD be adjustedto 1.5 times the measured round trip time for thatmessage. After a long period of idleness, no lessthan 10 times the current timer value, implementationsMAY reset thetimer to the initial value.¶
Note that because retransmission is for the handshake and not dataflow, the effect oncongestion of shorter timeouts is smaller than in generic protocolssuch as TCP or QUIC. Experience with DTLS 1.2, which uses asimpler "retransmit everything on timeout" approach, has not shownserious congestion problems in practice.¶
DTLS does not have any built-in congestion control or rate control;in general, this is not an issue because messages tend to be small.However, in principle, some messages -- especially Certificate -- canbe quite large. If all the messages in a large flight are sentat once, this can result in network congestion. A better strategyis to send out only part of the flight, sending more whenmessages are acknowledged. Several extensions have been standardizedto reduce the size of the Certificate message -- for example,the "cached_info" extension[RFC7924]; certificatecompression[RFC8879]; and[RFC6066], which defines the "client_certificate_url"extension allowing DTLS clients to send a sequence of UniformResource Locators (URLs) instead of the client certificate.¶
DTLS stacksSHOULD NOT send more than 10 records in a single transmission.¶
DTLS 1.3 makes use of the following categories of post-handshake messages:¶
Messages of each category can be sent independently, and reliability is establishedvia independent state machines, each of which behaves as described inSection 5.8.1.For example, if a server sends a NewSessionTicket and a CertificateRequest message,two independent state machines will be created.¶
Sending multiple instances of messages ofa given category without having completed earlier transmissions is allowed for somecategories, but not for others. Specifically, a serverMAY send multiple NewSessionTicketmessages at once without awaiting ACKs for earlier NewSessionTicket messages first. Likewise, aserverMAY send multiple CertificateRequest messages at once without having completedearlier client authentication requests before. In contrast, implementationsMUST NOTsend KeyUpdate, NewConnectionId, or RequestConnectionId messages if an earlier messageof the same type has not yet been acknowledged.¶
Note: Except for post-handshake client authentication, which involves handshake messagesin both directions, post-handshake messages are single-flight, and their respective statemachines on the sender side reduce to waiting for an ACK and retransmitting the originalmessage. In particular, note that a RequestConnectionId message does not force the receiverto send a NewConnectionId message in reply, and both messages are therefore treatedindependently.¶
Creating and correctly updating multiple state machines requires feedback from the handshakelogic to the state machine layer, indicating which message belongs to which state machine.For example, if a server sends multiple CertificateRequest messages and receives a Certificatemessage in response, the corresponding state machine can only be determined after inspecting thecertificate_request_context field. Similarly, a server sending a single CertificateRequestand receiving a NewConnectionId message in response can only decide that the NewConnectionIdmessage should be treated through an independent state machine after inspecting the handshakemessage type.¶
Section 7.1 of [TLS13] specifies that HKDF-Expand-Label usesa label prefix of "tls13 ". For DTLS 1.3, that labelSHALL be"dtls13". This ensures key separation between DTLS 1.3 andTLS 1.3. Note that there is no trailing space; this is necessaryin order to keep the overall label size inside of one hashiteration because "DTLS" is one letter longer than "TLS".¶
Note that alert messages are not retransmitted at all, even when theyoccur in the context of a handshake. However, a DTLS implementationwhich would ordinarily issue an alertSHOULD generate a new alertmessage if the offending record is received again (e.g., as aretransmitted handshake message). ImplementationsSHOULD detect whena peer is persistently sending bad messages and terminate the localconnection state after such misbehavior is detected. Note that alertsare not reliably transmitted; implementationsSHOULD NOT depend onreceiving alerts in order to signal errors or connection closure.¶
Any data received with an epoch/sequence number pair afterthat of a valid received closure alertMUST be ignored. Note:this is a change from TLS 1.3 which depends on the order ofreceipt rather than the epoch and sequence number.¶
If a DTLS client-server pair is configured in such a way thatrepeated connections happen on the same host/port quartet, then it ispossible that a client will silently abandon one connection and theninitiate another with the same parameters (e.g., after a reboot).This will appear to the server as a new handshake with epoch=0. Incases where a server believes it has an existing association on agiven host/port quartet and it receives an epoch=0 ClientHello, itSHOULD proceed with a new handshake butMUST NOT destroy the existingassociation until the client has demonstrated reachability either bycompleting a cookie exchange or by completing a complete handshakeincluding delivering a verifiable Finished message. After a correctFinished message is received, the serverMUST abandon the previousassociation to avoid confusion between two valid associations withoverlapping epochs. The reachability requirement preventsoff-path/blind attackers from destroying associations merely bysending forged ClientHellos.¶
Note: It is not always possible to distinguish which associationa given record is from. For instance, if the client performsa handshake, abandons the connection, and then immediately startsa new handshake, it may not be possible to tell which connectiona given protected record is for. In these cases, trial decryptionmay be necessary, though implementations could use CIDs to avoidthe 5-tuple-based ambiguity.¶
The following is an example of a handshake with lost packets andretransmissions. Note that the client sends an empty ACK messagebecause it can only acknowledge Record 2 sent by the server once it hasprocessed messages in Record 0 needed to establish epoch 2 keys, whichare needed to encrypt or decrypt messages found in Record 2.Section 7provides the necessary background details for this interaction.Note: For simplicity, we are not resetting record numbers in thisdiagram, so "Record 1" is really "Epoch 2, Record 0", etc.¶
Client Server------ ------ Record 0 --------> ClientHello (message_seq=0) X<----- Record 0 (lost) ServerHello (message_seq=0) Record 1 EncryptedExtensions (message_seq=1) Certificate (message_seq=2) <-------- Record 2 CertificateVerify (message_seq=3) Finished (message_seq=4) Record 1 --------> ACK [] <-------- Record 3 ServerHello (message_seq=0) EncryptedExtensions (message_seq=1) Certificate (message_seq=2) <-------- Record 4 CertificateVerify (message_seq=3) Finished (message_seq=4) Record 2 --------> Certificate (message_seq=1) CertificateVerify (message_seq=2) Finished (message_seq=3) <-------- Record 5 ACK [2]
A recipient of a DTLS message needs to select the correct keying materialin order to process an incoming message. With the possibility of message loss and reordering, an identifier is needed to determine which cipher statehas been used to protect the record payload. The epoch value fulfills thisrole in DTLS. In addition to the TLS 1.3-defined key derivation steps (seeSection 7 of [TLS13]), a sender may want to rekey at any time duringthe lifetime of the connection. It therefore needs to indicate that it isupdating its sending cryptographic keys.¶
This version of DTLS assigns dedicated epoch values to messages in theprotocol exchange to allow identification of the correct cipher state:¶
Using these reserved epoch values, a receiver knows what cipher statehas been used to encrypt and integrity protect amessage. Implementations that receive a record with an epoch valuefor which no corresponding cipher state can be determinedSHOULDhandle it as a record which fails deprotection.¶
Note that epoch values do not wrap. If a DTLS implementation wouldneed to wrap the epoch value, itMUST terminate the connection.¶
The traffic key calculation is described inSection 7.3 of [TLS13].¶
Figure 13 illustrates the epoch values in an example DTLS handshake.¶
Client Server------ ------ Record 0 ClientHello (epoch=0) --------> Record 0 <-------- HelloRetryRequest (epoch=0) Record 1 ClientHello --------> (epoch=0) Record 1 <-------- ServerHello (epoch=0) {EncryptedExtensions} (epoch=2) {Certificate} (epoch=2) {CertificateVerify} (epoch=2) {Finished} (epoch=2) Record 2 {Certificate} --------> (epoch=2) {CertificateVerify} (epoch=2) {Finished} (epoch=2) Record 2 <-------- [ACK] (epoch=3) Record 3 [Application Data] --------> (epoch=3) Record 3 <-------- [Application Data] (epoch=3) Some time later ... (Post-Handshake Message Exchange) Record 4 <-------- [NewSessionTicket] (epoch=3) Record 4 [ACK] --------> (epoch=3) Some time later ... (Rekeying) Record 5 <-------- [Application Data] (epoch=4) Record 5 [Application Data] --------> (epoch=4)The ACK message is used by an endpoint to indicate which handshake recordsit has received and processed from the other side. ACK is nota handshake message but is rather a separate content type,with code point 26. This avoids having ACK being addedto the handshake transcript. Note that ACKs can still besent in the same UDP datagram as handshake records.¶
struct { RecordNumber record_numbers<0..2^16-1>; } ACK;¶ImplementationsMUST NOT acknowledge records containinghandshake messages or fragments which have not beenprocessed or buffered. Otherwise, deadlock can ensue.As an example, implementationsMUST NOT send ACKs forhandshake messages which they discard because they arenot the next expected message.¶
During the handshake, ACKs only cover the current outstanding flight (this ispossible because DTLS is generally a lock-step protocol). In particular,receiving a message from a handshake flight implicitly acknowledges allmessages from the previous flight(s). Accordingly, an ACKfrom the server would not cover both the ClientHello and the client's Certificate message, because the ClientHello and client Certificate are in differentflights. Implementations can accomplish this by clearing their ACKlist upon receiving the start of the next flight.¶
For post-handshake messages, ACKsSHOULD be sent once for each receivedand processed handshake record (potentially subject to some delay) andMAYcover more than one flight. This includes records containing messages which arediscarded because a previous copy has been received.¶
During the handshake, ACK recordsMUST be sent with an epoch which isequal to or higher than the record which is being acknowledged.Note that some care is required when processing flights spanningmultiple epochs. For instance, if the client receives only the ServerHelloand Certificate and wishes to ACK them in a single record,it must do so in epoch 2, as it is required to use an epochgreater than or equal to 2 and cannot yet send with any greaterepoch. ImplementationsSHOULD simply use the highestcurrent sending epoch, which will generally be the highest available.After the handshake, implementationsMUST use the highest availablesending epoch.¶
When an implementation detects a disruption in the receipt of thecurrent incoming flight, itSHOULD generate an ACK that covers themessages from that flight which it has received and processed so far.Implementations have some discretion about which events to treatas signs of disruption, but it isRECOMMENDED that they generateACKs under two circumstances:¶
In general, flightsMUST be ACKed unless they are implicitlyacknowledged. In the present specification, the following flights are implicitly acknowledgedby the receipt of the next flight, which generally immediately follows the flight:¶
ACKsSHOULD NOT be sent for these flights unless the responding flight cannot be generated immediately. All other flightsMUST be ACKed.In this case,implementationsMAY send explicit ACKs for the complete receivedflight even though it will eventually also be implicitly acknowledgedthrough the responding flight. A notable example for this isthe case of client authentication in constrainedenvironments, where generating the CertificateVerify message cantake considerable time on the client.ImplementationsMAY acknowledge the records corresponding to each transmission ofeach flight or simply acknowledge the most recent one. In general,implementationsSHOULD ACK as many received packets as can fitinto the ACK record, as this provides the most complete informationand thus reduces the chance of spurious retransmission; if spaceis limited, implementationsSHOULD favor including records whichhave not yet been acknowledged.¶
Note: While some post-handshake messages follow a request/responsepattern, this does not necessarily imply receipt.For example, a KeyUpdate sent in response to a KeyUpdate withrequest_update set to "update_requested" does not implicitlyacknowledge the earlier KeyUpdate message because the two KeyUpdatemessages might have crossed in flight.¶
ACKsMUST NOT be sent for records of any content typeother than handshake or for records which cannot be deprotected.¶
Note that in some cases it may be necessary to send an ACK whichdoes not contain any record numbers. For instance, a clientmight receive an EncryptedExtensions message prior to receivinga ServerHello. Because it cannot decrypt the EncryptedExtensions,it cannot safely acknowledge it (as it might be damaged). If the clientdoes not send an ACK, the server will eventually retransmitits first flight, but this might take far longer than theactual round trip time between client and server. Havingthe client send an empty ACK shortcuts this process.¶
When an implementation receives an ACK, itSHOULD record that themessages or message fragments sent in the records beingACKed were received and omit them from any futureretransmissions. Upon receipt of an ACK that leaves it withonly some messages from a flight having been acknowledged,an implementationSHOULD retransmit the unacknowledgedmessages or fragments. Note that this requires implementations totrack which messages appear in which records. Once all the messages in a flight have beenacknowledged, the implementationMUST cancel all retransmissionsof that flight.ImplementationsMUST treat a recordas having been acknowledged if it appears in any ACK; thisprevents spurious retransmission in cases where a flight isvery large and the receiver is forced to elide acknowledgementsfor records which have already been ACKed.As noted above, the receipt of any record respondingto a given flightMUST be taken as an implicit acknowledgement for the entireflight to which it is responding.¶
ACK messages are used in two circumstances, namely:¶
In the first case, the use of the ACK message is optional, because the peer will retransmit in any case and therefore the ACK just allows for selective or early retransmission, as opposed to the timeout-based whole flight retransmission in previous versions of DTLS. When DTLS 1.3 is used in deploymentswith lossy networks, such as low-power, long-range radio networks as well aslow-power mesh networks, the use of ACKs is recommended.¶
The use of the ACK for the second case is mandatory for the proper functioning of theprotocol. For instance, the ACK message sent by the client inFigure 13acknowledges receipt and processing of Record 4 (containing the NewSessionTicketmessage), and if it is not sent, the server will continue retransmissionof the NewSessionTicket indefinitely until its maximum retransmission count is reached.¶
As with TLS 1.3, DTLS 1.3 implementations send a KeyUpdate message toindicate that they are updating their sending keys. As with otherhandshake messages with no built-in response, KeyUpdatesMUST beacknowledged. In order to facilitate epoch reconstruction(Section 4.2.2), implementationsMUST NOT send records with the new keys orsend a new KeyUpdate until the previous KeyUpdate has beenacknowledged (this avoids having too many epochs in active use).¶
Due to loss and/or reordering, DTLS 1.3 implementationsmay receive a record with an older epoch than thecurrent one (the requirements above preclude receivinga newer record). TheySHOULD attempt to process those recordswith that epoch (seeSection 4.2.2 for informationon determining the correct epoch) butMAY opt to discardsuch out-of-epoch records.¶
Due to the possibility of an ACK message for a KeyUpdate being lost and therebypreventing the sender of the KeyUpdate from updating its keying material,receiversMUST retain the pre-update keying material until receipt and successfuldecryption of a message using the new keys.¶
Figure 14 shows an example exchange illustrating that successfulACK processing updates the keys of the KeyUpdate message sender, which isreflected in the change of epoch values.¶
Client Server /-------------------------------------------\ | | | Initial Handshake | \-------------------------------------------/ [Application Data] --------> (epoch=3) <-------- [Application Data] (epoch=3) /-------------------------------------------\ | | | Some time later ... | \-------------------------------------------/ [Application Data] --------> (epoch=3) [KeyUpdate] (+ update_requested --------> (epoch 3) <-------- [Application Data] (epoch=3) [ACK] <-------- (epoch=3) [Application Data] (epoch=4) --------> <-------- [KeyUpdate] (epoch=3) [ACK] --------> (epoch=4) <-------- [Application Data] (epoch=4)
With a 128-bit key as in AES-128, rekeying 2^64 times has a highprobability of key reuse within a given connection. Note that even ifthe key repeats, the IV is also independently generated. In order toprovide an extra margin of security, sending implementationsMUST NOTallow the epoch to exceed 2^48-1. In order to allow this value tobe changed later, receiving implementationsMUST NOTenforce this rule. If a sending implementation receives a KeyUpdatewith request_update set to "update_requested", itMUST NOT sendits own KeyUpdate if that would cause it to exceed these limitsandSHOULD instead ignore the "update_requested" flag.Note: this overrides the requirement in TLS 1.3 to alwayssend a KeyUpdate in response to "update_requested".¶
If the client and server have negotiated the "connection_id"extension[RFC9146], either sidecan send a new CID that it wishes the other side to usein a NewConnectionId message.¶
enum { cid_immediate(0), cid_spare(1), (255) } ConnectionIdUsage; opaque ConnectionId<0..2^8-1>; struct { ConnectionId cids<0..2^16-1>; ConnectionIdUsage usage; } NewConnectionId;¶EndpointsSHOULD use receiver-provided CIDs in the order they were provided.Implementations which receive more spare CIDs than they wish to maintainMAY simply discard any extra CIDs.EndpointsMUST NOT have more than one NewConnectionId message outstanding.¶
Implementations which either did not negotiate the "connection_id" extensionor which have negotiated receiving an empty CIDMUST NOTsend NewConnectionId. ImplementationsMUST NOT send RequestConnectionIdwhen sending an empty Connection ID. Implementations which detect a violationof these rulesMUST terminate the connection with an "unexpected_message"alert.¶
ImplementationsSHOULD use a new CID whenever sending on a new pathandSHOULD request new CIDs for this purpose if path changes are anticipated.¶
struct { uint8 num_cids; } RequestConnectionId;¶EndpointsSHOULD respond to RequestConnectionId by sending aNewConnectionId with usage "cid_spare" containing num_cids CIDs as soon aspossible. EndpointsMUST NOT send a RequestConnectionId messagewhen an existing request is still unfulfilled; this implies thatendpoints need to request new CIDs well in advance. An endpointMAYhandle requests which it considers excessive by responding witha NewConnectionId message containing fewer than num_cids CIDs,including no CIDs at all. EndpointsMAY handle an excessive numberof RequestConnectionId messages by terminating the connectionusing a "too_many_cids_requested" (alert number 52) alert.¶
EndpointsMUST NOT send either of these messages if they did not negotiate aCID. If an implementation receives these messages when CIDswere not negotiated, itMUST abort the connection with an "unexpected_message"alert.¶
Below is an example exchange for DTLS 1.3 using a singleCID in each direction.¶
Note: The "connection_id" extension, which is used in ClientHello and ServerHello messages, is defined in[RFC9146].¶
Client Server------ ------ClientHello(connection_id=5) --------> <-------- HelloRetryRequest (cookie)ClientHello -------->(connection_id=5) + cookie <-------- ServerHello (connection_id=100) EncryptedExtensions (cid=5) Certificate (cid=5) CertificateVerify (cid=5) Finished (cid=5)Certificate -------->(cid=100)CertificateVerify(cid=100)Finished(cid=100) <-------- ACK (cid=5)Application Data ========>(cid=100) <======== Application Data (cid=5)
If no CID is negotiated, then the receiverMUST reject anyrecords it receives that contain a CID.¶
Application data messages are carried by the record layer and are splitinto recordsand encrypted based on the current connection state. The messagesare treated as transparent data to the record layer.¶
Security issues are discussed primarily in[TLS13].¶
The primary additional security consideration raised by DTLS is thatof denial of service by excessive resource consumption. DTLS includes a cookie exchange designed toprotect against denial of service. However, implementations that donot use this cookie exchange are still vulnerable to DoS. Inparticular, DTLS servers that do not use the cookie exchange may beused as attack amplifiers even if they themselves are notexperiencing DoS. Therefore, DTLS serversSHOULD use the cookieexchange unless there is good reason to believe that amplification isnot a threat in their environment. ClientsMUST be prepared to do acookie exchange with every handshake.¶
Some key properties required of the cookie for the cookie-exchange mechanismto be functional are described inSection 3.3 of [RFC2522]:¶
Although the cookie must allow the server to produce the right handshaketranscript, itSHOULD be constructed so that knowledge of the cookieis insufficient to reproduce the ClientHello contents. Otherwise,this may create problems with future extensions such as Encrypted Client Hello[TLS-ECH].¶
When cookies are generated using a keyed authentication mechanism,it should be possible to rotate the associatedsecret key, so that temporary compromise of the key does not permanentlycompromise the integrity of the cookie-exchange mechanism. Though this secretis not as high-value as, e.g., a session-ticket-encryption key, rotating thecookie-generation key on a similar timescale would ensure that thekey rotation functionality is exercised regularly and thus in working order.¶
The cookie exchange provides address validation during the initial handshake.DTLS with Connection IDs allows for endpoint addresses to change during theassociation; any such updated addresses are not covered by the cookie exchangeduring the handshake.DTLS implementationsMUST NOT update the address they send to in responseto packets from a different address unless they first perform somereachability test; no such test is defined in this specificationand a future specification would need to specify a complete procedure forhow and when to update addresses. Evenwith such a test, an active on-path adversary can also black-hole traffic orcreate a reflection attack against third parties because a DTLS peerhas no means to distinguish a genuine address update event (forexample, due to a NAT rebinding) from one that is malicious. Thisattack is of concern when there is a large asymmetry ofrequest/response message sizes.¶
With the exception of order protection and non-replayability, the securityguarantees for DTLS 1.3 are the same as TLS 1.3. While TLS always providesorder protection and non-replayability, DTLS does not provide order protectionand may not provide replay protection.¶
Unlike TLS implementations, DTLS implementationsSHOULD NOT respondto invalid records by terminating the connection.¶
TLS 1.3 requires replay protection for 0-RTT data (or rather, for connectionsthat use 0-RTT data; seeSection 8 of [TLS13]). DTLS provides an optionalper-record replay-protection mechanism, since datagram protocols areinherently subject to message reordering and replay. These tworeplay-protection mechanisms are orthogonal, and neither mechanism meets the requirements for the other.¶
DTLS 1.3's handshake transcript does not include the new DTLS fields,which makes it have the same format as TLS 1.3. However, the DTLS 1.3 andTLS 1.3 transcripts are disjoint because they use different versionnumbers. Additionally, the DTLS 1.3 key schedule uses a different labeland so will produce different keys for the same transcript.¶
The security and privacy properties of the CID for DTLS 1.3 buildon top of what is described for DTLS 1.2 in[RFC9146]. There are,however, several differences:¶
Since TLS 1.3 introduces a large number of changes with respect to TLS 1.2, the listof changes from DTLS 1.2 to DTLS 1.3 is equally large. For this reason,this section focuses on the most important changes only.¶
This document defines several changes that optionally affectimplementations of DTLS 1.2, including those which do not also supportDTLS 1.3.¶
IANA has allocated the content type value 26 in the "TLS ContentType"registry for the ACK message, defined inSection 7.The value for the "DTLS-OK" column is "Y". IANA has reservedthe content type range 32-63 so that content types in this range are notallocated.¶
IANA has allocated value 52 for the "too_many_cids_requested" alert inthe "TLS Alerts" registry. The value for the "DTLS-OK" column is "Y".¶
IANA has allocated two values in the "TLS HandshakeType"registry, defined in[TLS13], for request_connection_id (9) andnew_connection_id (10), as defined in this document. The value for the"DTLS-OK" column is "Y".¶
IANA has added this RFC as a reference to the "TLS Cipher Suites" registryalong with the following Note:¶
Any TLS cipher suite that is specified for use with DTLSMUSTdefine limits on the use of the associated AEAD function thatpreserves margins for both confidentiality and integrity,as specified inSection 4.5.3 of RFC 9147.¶
This section provides the normative protocol types and constants definitions.¶
struct { ContentType type; ProtocolVersion legacy_record_version; uint16 epoch = 0 uint48 sequence_number; uint16 length; opaque fragment[DTLSPlaintext.length]; } DTLSPlaintext; struct { opaque content[DTLSPlaintext.length]; ContentType type; uint8 zeros[length_of_padding]; } DTLSInnerPlaintext; struct { opaque unified_hdr[variable]; opaque encrypted_record[length]; } DTLSCiphertext; 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ |0|0|1|C|S|L|E E| +-+-+-+-+-+-+-+-+ | Connection ID | Legend: | (if any, | / length as / C - Connection ID (CID) present | negotiated) | S - Sequence number length +-+-+-+-+-+-+-+-+ L - Length present | 8 or 16 bit | E - Epoch |Sequence Number| +-+-+-+-+-+-+-+-+ | 16 bit Length | | (if present) | +-+-+-+-+-+-+-+-+ struct { uint64 epoch; uint64 sequence_number; } RecordNumber;¶ enum { hello_request_RESERVED(0), client_hello(1), server_hello(2), hello_verify_request_RESERVED(3), new_session_ticket(4), end_of_early_data(5), hello_retry_request_RESERVED(6), encrypted_extensions(8), request_connection_id(9), /* New */ new_connection_id(10), /* New */ certificate(11), server_key_exchange_RESERVED(12), certificate_request(13), server_hello_done_RESERVED(14), certificate_verify(15), client_key_exchange_RESERVED(16), finished(20), certificate_url_RESERVED(21), certificate_status_RESERVED(22), supplemental_data_RESERVED(23), key_update(24), message_hash(254), (255) } HandshakeType; struct { HandshakeType msg_type; /* handshake type */ uint24 length; /* bytes in message */ uint16 message_seq; /* DTLS-required field */ uint24 fragment_offset; /* DTLS-required field */ uint24 fragment_length; /* DTLS-required field */ select (msg_type) { case client_hello: ClientHello; case server_hello: ServerHello; case end_of_early_data: EndOfEarlyData; case encrypted_extensions: EncryptedExtensions; case certificate_request: CertificateRequest; case certificate: Certificate; case certificate_verify: CertificateVerify; case finished: Finished; case new_session_ticket: NewSessionTicket; case key_update: KeyUpdate; case request_connection_id: RequestConnectionId; case new_connection_id: NewConnectionId; } body; } Handshake; uint16 ProtocolVersion; opaque Random[32]; uint8 CipherSuite[2]; /* Cryptographic suite selector */ struct { ProtocolVersion legacy_version = { 254,253 }; // DTLSv1.2 Random random; opaque legacy_session_id<0..32>; opaque legacy_cookie<0..2^8-1>; // DTLS CipherSuite cipher_suites<2..2^16-2>; opaque legacy_compression_methods<1..2^8-1>; Extension extensions<8..2^16-1>; } ClientHello;¶ enum { cid_immediate(0), cid_spare(1), (255) } ConnectionIdUsage; opaque ConnectionId<0..2^8-1>; struct { ConnectionId cids<0..2^16-1>; ConnectionIdUsage usage; } NewConnectionId; struct { uint8 num_cids; } RequestConnectionId;¶TLS[TLS13] and[AEBounds] do not specify limits on key usage forAEAD_AES_128_CCM. However, any AEAD that is used with DTLS requires limits onuse that ensure that both confidentiality and integrity are preserved. Thissection documents that analysis for AEAD_AES_128_CCM.¶
[CCM-ANALYSIS] is used as the basis of thisanalysis. The results of that analysis are used to derive usage limits that arebased on those chosen in[TLS13].¶
This analysis uses symbols for multiplication (*), division (/), andexponentiation (^), plus parentheses for establishing precedence. The followingsymbols are also used:¶
The analysis of AEAD_AES_128_CCM relies on a count of the number of blockoperations involved in producing each message. For simplicity, and to match theanalysis of other AEAD functions in[AEBounds], this analysis assumes apacket length of 2^10 blocks and a packet size limit of 2^14 bytes.¶
For AEAD_AES_128_CCM, the total number of block cipher operations is the sumof: the length of the associated data in blocks, the length of the ciphertext in blocks, and the length of the plaintext in blocks, plus 1. In this analysis,this is simplified to a value of twice the maximum length of a record in blocks(that is,2l = 2^11). This simplification is based on the associated databeing limited to one block.¶
For confidentiality, Theorem 2 in[CCM-ANALYSIS] establishes that an attackergains a distinguishing advantage over an ideal pseudorandom permutation (PRP) ofno more than:¶
(2l * q)^2 / 2^n¶
For a target advantage in a single-key setting of 2^-60, which matches that used by TLS 1.3, as summarized in[AEAD-LIMITS], this results in the relation:¶
q <= 2^23¶
That is, endpoints cannot protect more than 2^23 packets with the same set ofkeys without causing an attacker to gain a larger advantage than the target of2^-60.¶
For integrity, Theorem 1 in[CCM-ANALYSIS] establishes that an attackergains an advantage over an ideal PRP of no more than:¶
v / 2^t + (2l * (v + q))^2 / 2^n¶
The goal is to limit this advantage to 2^-57, to match the target inTLS 1.3, as summarized in[AEAD-LIMITS]. Ast andn are both 128, the first term is negligible relativeto the second, so that term can be removed without a significant effect on theresult. This produces the relation:¶
v + q <= 2^24.5¶
Using the previously established value of 2^23 forq and rounding, this leadsto an upper limit onv of 2^23.5. That is, endpoints cannot attempt toauthenticate more than 2^23.5 packets with the same set of keys without causingan attacker to gain a larger advantage than the target of 2^-57.¶
The TLS_AES_128_CCM_8_SHA256 cipher suite uses the AEAD_AES_128_CCM_8 function,which uses a short authentication tag (that is, t=64).¶
The confidentiality limits of AEAD_AES_128_CCM_8 are the same as those forAEAD_AES_128_CCM, as this does not depend on the tag length; seeAppendix B.1.¶
The shorter tag length of 64 bits means that the simplification used inAppendix B.2 does not apply to AEAD_AES_128_CCM_8. If the goal is topreserve the same margins as other cipher suites, then the limit on forgeriesis largely dictated by the first term of the advantage formula:¶
v <= 2^7¶
As this represents attempts that fail authentication, applying this limit mightbe feasible in some environments. However, applying this limit in animplementation intended for general use exposes connections to an inexpensivedenial-of-service attack.¶
This analysis supports the view that TLS_AES_128_CCM_8_SHA256 is not suitablefor general use. Specifically, TLS_AES_128_CCM_8_SHA256 cannot be used withoutadditional measures to prevent forgery of records, or to mitigate the effect offorgeries. This might require understanding the constraints that exist in aparticular deployment or application. For instance, it might be possible to seta different target for the advantage an attacker gains based on anunderstanding of the constraints imposed on a specific usage of DTLS.¶
In addition to the aspects of TLS that have been a source of interoperabilityand security problems (Appendix C.3 of [TLS13]), DTLS presents a few newpotential sources of issues, noted here.¶
Many people have contributed to previous DTLS versions, and they are acknowledgedin prior versions of DTLS specifications or in the referenced specifications.¶
Thesequence number encryption concept is taken from QUIC[RFC9000]. We wouldlike to thank the authors of RFC 9000 for their work.Felix Günther andMartin Thomson contributed the analysis inAppendix B. We would like to thankJonathan Hammell,Bernard Aboba, andAndy Cunningham for their review comments.¶
Additionally, we would like to thank the IESG members for their review comments:Martin Duke,Erik Kline,Francesca Palombini,Lars Eggert,Zaheduzzaman Sarker,John Scudder,Éric Vyncke,Robert Wilton,Roman Danyliw,Benjamin Kaduk,Murray Kucherawy,Martin Vigoureux, andAlvaro Retana.¶