Network Working Group T. Phelan Request for Comments: 5238 Sonus Networks Category: Standards Track May 2008
Network Working Group T. Phelan Request for Comments: 5238 Sonus Networks Category: Standards Track May 2008
Datagram Transport Layer Security (DTLS) over the Datagram Congestion Control Protocol (DCCP)
数据报拥塞控制协议(DCCP)上的数据报传输层安全性(DTLS)
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Abstract
摘要
This document specifies the use of Datagram Transport Layer Security (DTLS) over the Datagram Congestion Control Protocol (DCCP). DTLS provides communications privacy for applications that use datagram transport protocols and allows client/server applications to communicate in a way that is designed to prevent eavesdropping and detect tampering or message forgery. DCCP is a transport protocol that provides a congestion-controlled unreliable datagram service.
本文件规定了在数据报拥塞控制协议(DCCP)上使用数据报传输层安全性(DTLS)。DTLS为使用数据报传输协议的应用程序提供通信隐私,并允许客户机/服务器应用程序以防止窃听和检测篡改或消息伪造的方式进行通信。DCCP是一种传输协议,提供拥塞控制的不可靠数据报服务。
Table of Contents
目录
1. Introduction ....................................................2 2. Terminology .....................................................2 3. DTLS over DCCP ..................................................2 3.1. DCCP and DTLS Sequence Numbers .............................3 3.2. DCCP and DTLS Connection Handshakes ........................3 3.3. Effects of DCCP Congestion Control .........................4 3.4. Relationships between DTLS Sessions/Connections and DCCP Connections ................................................5 3.5. PMTU Discovery .............................................6 3.6. DCCP Service Codes .........................................7 3.7. New Versions of DTLS .......................................8 4. Security Considerations .........................................8 5. Acknowledgments .................................................8 6. References ......................................................9 6.1. Normative References .......................................9 6.2. Informative References .....................................9
1. Introduction ....................................................2 2. Terminology .....................................................2 3. DTLS over DCCP ..................................................2 3.1. DCCP and DTLS Sequence Numbers .............................3 3.2. DCCP and DTLS Connection Handshakes ........................3 3.3. Effects of DCCP Congestion Control .........................4 3.4. Relationships between DTLS Sessions/Connections and DCCP Connections ................................................5 3.5. PMTU Discovery .............................................6 3.6. DCCP Service Codes .........................................7 3.7. New Versions of DTLS .......................................8 4. Security Considerations .........................................8 5. Acknowledgments .................................................8 6. References ......................................................9 6.1. Normative References .......................................9 6.2. Informative References .....................................9
This document specifies how to carry application payloads with Datagram Transport Layer Security (DTLS), as specified in [RFC4347], in the Datagram Congestion Control Protocol (DCCP), as specified in [RFC4340].
本文件规定了如何使用[RFC4347]中规定的数据报传输层安全性(DTLS)以及[RFC4340]中规定的数据报拥塞控制协议(DCCP)承载应用程序有效载荷。
DTLS is an adaptation of Transport Layer Security (TLS, [RFC4346]) that modifies TLS for use with the unreliable transport protocol UDP. TLS is a protocol that allows client/server applications to communicate in a way that is designed to prevent eavesdropping and detect tampering and message forgery. DTLS can be viewed as TLS-plus-adaptations-for-unreliability.
DTLS是传输层安全性(TLS,[RFC4346])的一种改编,它修改TLS以用于不可靠的传输协议UDP。TLS是一种协议,允许客户机/服务器应用程序以防止窃听和检测篡改和消息伪造的方式进行通信。DTL可被视为TLS加上对不可靠性的调整。
DCCP provides an unreliable transport service, similar to UDP, but with adaptive congestion control, similar to TCP and Stream Control Transmission Protocol (SCTP). DCCP can be viewed equally well as either UDP-plus-congestion-control or TCP-minus-reliability (although, unlike TCP, DCCP offers multiple congestion control algorithms).
DCCP提供不可靠的传输服务,类似于UDP,但具有自适应拥塞控制,类似于TCP和流控制传输协议(SCTP)。DCCP可以与UDP加拥塞控制或TCP减可靠性(尽管与TCP不同,DCCP提供了多种拥塞控制算法)同等好。
The combination of DTLS and DCCP will offer transport security capabilities to applications using DCCP similar to those available for TCP, UDP, and SCTP.
DTL和DCCP的组合将为使用DCCP的应用程序提供传输安全功能,类似于TCP、UDP和SCTP的传输安全功能。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
The approach here is very straightforward -- DTLS records are transmitted in the Application Data fields of DCCP-Data and DCCP-DataAck packets (in the rest of the document assume that "DCCP-Data packet" means "DCCP-Data or DCCP-DataAck packet"). Multiple DTLS records MAY be sent in one DCCP-Data packet, as long as the resulting packet is within the Path Maximum Transfer Unit (PMTU) currently in force for normal data packets, if fragmentation is not allowed (the Don't Fragment (DF) bit is set for IPv4 or no fragmentation extension headers are being used for IPv6), or within the current DCCP maximum packet size if fragmentation is allowed (see Section 3.5 for more information on PMTU Discovery). A single DTLS record MUST be fully contained in a single DCCP-Data packet; it MUST NOT be split over multiple packets.
这里的方法非常简单——DTLS记录在DCCP数据和DCCP数据包的应用程序数据字段中传输(在文档的其余部分中,假设“DCCP数据包”表示“DCCP数据或DCCP数据包”)。如果不允许分段(IPv4设置了不分段(DF)位,或者IPv6未使用分段扩展头),则可以在一个DCCP数据包中发送多个DTLS记录,只要生成的数据包在正常数据包当前有效的路径最大传输单元(PMTU)内,或者,如果允许分段,则在当前DCCP最大数据包大小内(有关PMTU发现的更多信息,请参阅第3.5节)。单个DTLS记录必须完全包含在单个DCCP数据包中;不能将其拆分为多个数据包。
Both DCCP and DTLS use sequence numbers in their packets/records. These sequence numbers serve somewhat, but not completely, overlapping functions. Consequently, there is no connection between the sequence number of a DCCP packet and the sequence number in a DTLS record contained in that packet, and there is no connection between sequence number-related features such as DCCP synchronization and DTLS anti-replay protection.
DCCP和DTL都在其数据包/记录中使用序列号。这些序列号在某种程度上起着重叠的作用,但并非完全如此。因此,DCCP数据包的序列号和该数据包中包含的DTLS记录中的序列号之间没有连接,并且序列号相关功能(如DCCP同步和DTLS防重放保护)之间没有连接。
Unlike UDP, DCCP is connection-oriented, and has a connection handshake procedure that precedes the transmission of DCCP-Data and DCCP-DataAck packets. DTLS is also connection-oriented, and has a handshake procedure of its own that must precede the transmission of actual application information. Using the rule of mapping DTLS records to DCCP-Data and DCCP-DataAck packets in Section 3, above, the two handshakes are forced to happen in series, with the DCCP handshake first, followed by the DTLS handshake. This is how TLS over TCP works.
与UDP不同,DCCP面向连接,在传输DCCP数据和DCCP数据包之前有一个连接握手过程。DTLS也是面向连接的,它有自己的握手过程,必须在传输实际应用程序信息之前进行。使用上面第3节中的将DTLS记录映射到DCCP数据和DCCP DataAck数据包的规则,强制两次握手串联进行,首先是DCCP握手,然后是DTLS握手。这就是TCP上的TLS的工作原理。
However, the DCCP handshake packets DCCP-Request and DCCP-Response have Application Data fields and can carry user data during the DCCP handshake, and this creates the opportunity to perform the handshakes partially in parallel. DTLS client implementations MAY choose to transmit one or more DTLS records (typically containing DTLS handshake messages or parts of them) in the DCCP-Request packet. A DTLS server implementation MAY choose to process these records as usual, and if it has one or more DTLS records to send as a response (typically containing DTLS handshake messages or parts of them), it MAY include those records in the DCCP-Response packet. DTLS servers MAY also choose to delay the response until the DCCP handshake completes and then send the DTLS response in a DCCP-Data packet.
然而,DCCP握手包DCCP请求和DCCP响应具有应用程序数据字段,并且可以在DCCP握手期间携带用户数据,这创造了部分并行执行握手的机会。DTLS客户端实现可以选择在DCCP请求数据包中传输一个或多个DTLS记录(通常包含DTLS握手消息或其中的一部分)。DTLS服务器实现可以选择像往常一样处理这些记录,并且如果它有一个或多个DTLS记录作为响应发送(通常包含DTLS握手消息或其中的一部分),它可以将这些记录包括在DCCP响应包中。DTLS服务器还可以选择延迟响应,直到DCCP握手完成,然后在DCCP数据包中发送DTLS响应。
Note that even though the DCCP handshake is a reliable process (DCCP handshake messages are retransmitted as required if messages are lost), the transfer of Application Data in DCCP-Request and DCCP-Response packets is not necessarily reliable. For example, DCCP server implementations are free to discard Application Data received in DCCP-Request packets. And if DCCP-Request or DCCP-Response packets need to be retransmitted, the DCCP implementation may choose to not include the Application Data present in the initial message.
注意,即使DCCP握手是一个可靠的过程(如果消息丢失,DCCP握手消息将根据需要重新传输),DCCP请求和DCCP响应数据包中应用程序数据的传输也不一定可靠。例如,DCCP服务器实现可以自由丢弃DCCP请求数据包中接收的应用程序数据。并且如果需要重传DCCP请求或DCCP响应分组,则DCCP实现可以选择不包括初始消息中存在的应用数据。
Since the DTLS handshake is also a reliable process, it will interoperate across the data delivery unreliability of DCCP (after all, one of the basic functions of DTLS is to work over unreliable transport). If the DTLS records containing DTLS handshake messages are lost, they will be retransmitted by DTLS.
由于DTLS握手也是一个可靠的过程,因此它将在DCCP的数据传输不可靠的情况下进行互操作(毕竟,DTLS的基本功能之一是处理不可靠的传输)。如果包含DTLS握手消息的DTLS记录丢失,DTLS将重新传输这些记录。
This is regardless of whether the messages were sent in DCCP-Response/Request packets or DCCP-Data packets. However, the only way for DTLS to retransmit DTLS records that were originally transmitted in DCCP-Request/Response packets (and they or the responses were lost somehow) is to wait for the DCCP handshake to complete and then resend the records in DCCP-Data packets. This is due to the characteristic of DCCP that the next opportunity to send data after sending data in a DCCP-Request is only after the connection handshake completes.
这与消息是在DCCP响应/请求数据包还是DCCP数据包中发送无关。但是,DTL重新传输最初在DCCP请求/响应数据包中传输的DTLS记录(并且这些记录或响应不知何故丢失)的唯一方法是等待DCCP握手完成,然后在DCCP数据包中重新发送记录。这是由于DCCP的特点,即在DCCP请求中发送数据之后,下一次发送数据的机会仅在连接握手完成之后。
DCCP and DTLS use similar strategies for retransmitting handshake messages. If there is no response to the original request (DCCP-Request or any DTLS handshake message where a response is expected) within normally 1 second, the message is retransmitted. The timer is then doubled and the process repeated until a response is received, or a maximum time is exceeded.
DCCP和DTL使用类似的策略重新传输握手消息。如果原始请求(DCCP请求或任何预期有响应的DTLS握手消息)在通常1秒内没有响应,则重新传输该消息。然后将计时器加倍并重复该过程,直到收到响应或超过最长时间。
Therefore, if DTLS records are sent in a DCCP-Request packet, and the DCCP-Request or DCCP-Response message is lost, the DCCP and DTLS handshakes could be timing out on similar schedules. The DCCP-Request packets will be retransmitted on timeout, but the DTLS records cannot be retransmitted until the DCCP handshake completes (there is no possibility of adding new Application Data to a DCCP-Request retransmission). In order to avoid multiple DTLS retransmissions queuing up before the first retransmission can be sent, DTLS over DCCP MUST wait until the completion of the DCCP handshake before restarting its DTLS handshake retransmission timer.
因此,如果DTLS记录在DCCP请求数据包中发送,并且DCCP请求或DCCP响应消息丢失,则DCCP和DTLS握手可能会按照类似的时间表超时。DCCP请求数据包将在超时时重新传输,但DTLS记录在DCCP握手完成之前无法重新传输(不可能向DCCP请求重新传输添加新的应用程序数据)。为了避免在发送第一次重传之前多个DTLS重传排队,DCCP上的DTLS必须等到DCCP握手完成后再重新启动其DTLS握手重传计时器。
Given the large potential sizes of the DTLS handshake messages, it is possible that DCCP congestion control could throttle the transmission of the DTLS handshake to the point that the transfer cannot complete before the DTLS timeout and retransmission procedures take effect. Adding retransmitted messages to a congested situation might only make matters worse and delay connection establishment.
鉴于DTLS握手消息的潜在大小较大,DCCP拥塞控制可能会限制DTLS握手的传输,使传输无法在DTLS超时和重传过程生效之前完成。在拥挤的情况下添加重新传输的消息只会使情况变得更糟,并延迟连接的建立。
Note that a DTLS over UDP application transmitting handshake data into this same network situation will not necessarily receive better throughput, and might actually see worse effective throughput.
请注意,UDP上的DTLS应用程序将握手数据传输到相同的网络环境中,不一定会获得更好的吞吐量,实际上可能会看到更差的有效吞吐量。
Without the pacing of slow-start and congestion control, a UDP application might be making congestion worse and lowering the effective throughput it receives.
如果没有慢启动和拥塞控制,UDP应用程序可能会使拥塞恶化,并降低其接收的有效吞吐量。
As stated in [RFC4347], "mishandling of the [retransmission] timer can lead to serious congestion problems". This remains as true for DTLS over DCCP as it is for DTLS over UDP.
如[RFC4347]所述,“错误处理[重传]计时器可能导致严重的拥塞问题”。这对于DCCP上的DTL仍然是正确的,就像对于UDP上的DTL一样。
DTLS over DCCP implementations SHOULD take steps to avoid retransmitting a request that has been queued but not yet actually transmitted by DCCP, when the underlying DCCP implementation can provide this information. For example, DTLS could delay starting the retransmission timer until DCCP indicates the message has been transferred from DCCP to the IP layer.
当底层DCCP实现可以提供此信息时,DCCP上的DTL实现应采取措施避免重新传输已排队但尚未由DCCP实际传输的请求。例如,DTL可以延迟启动重传计时器,直到DCCP指示消息已从DCCP传输到IP层。
In addition to the retransmission issues, if the throughput needs of the actual application data differ from the needs of the DTLS handshake, it is possible that the handshake transference could leave the DCCP congestion control in a state that is not immediately suitable for the application data that will follow. For example, DCCP Congestion Control Identifier (CCID) 2 ([RFC4341]) congestion control uses an Additive Increase Multiplicative Decrease (AIMD) algorithm similar to TCP congestion control. If it is used, then it is possible that transference of a large handshake could cause a multiplicative decrease that would not have happened with the application data. The application might then be throttled while waiting for additive increase to return throughput to acceptable levels.
除了重传问题之外,如果实际应用数据的吞吐量需求不同于DTLS握手的需求,则握手传输可能使DCCP拥塞控制处于不立即适合随后的应用数据的状态。例如,DCCP拥塞控制标识符(CCID)2([RFC4341])拥塞控制使用类似于TCP拥塞控制的加性增加乘性减少(AIMD)算法。如果使用它,则大握手的传输可能会导致应用程序数据不会发生的乘法减少。然后,应用程序可能会在等待附加增加以将吞吐量返回到可接受的水平时被限制。
Applications where this might be a problem should consider using DCCP CCID 3 ([RFC4342]). CCID 3 implements TCP-Friendly Rate Control (TFRC, [RFC3448])). TFRC varies the allowed throughput more slowly than AIMD and might avoid the discontinuities possible with CCID 2.
这可能是一个问题的应用程序应该考虑使用DCCP CCID 3([RCF432])。CCID3实现了TCP友好的速率控制(TFRC,[RFC3448])。TFRC改变允许吞吐量的速度比AIMD慢,可以避免CCID 2可能出现的不连续性。
3.4. Relationships between DTLS Sessions/Connections and DCCP Connections
3.4. DTLS会话/连接与DCCP连接之间的关系
DTLS uses the concepts of sessions and connections. A DTLS connection is used by upper-layer endpoints to exchange data over a transport protocol. DTLS sessions contain cached state information that is used to reduce the number of roundtrips and computation required to create multiple DTLS connections between the same endpoints.
DTLS使用会话和连接的概念。上层端点使用DTLS连接通过传输协议交换数据。DTLS会话包含缓存状态信息,用于减少在相同端点之间创建多个DTLS连接所需的往返次数和计算。
In DTLS over DCCP, a DTLS connection is carried by a DCCP connection. Often the DCCP connection establishment is immediately followed by DTLS connection establishment (either creating a new DTLS session with full handshake, or resuming an existing DTLS session), and the DTLS connection termination is immediately followed by DCCP connection termination, but this is not the only possibility.
在DCCP上的DTLS中,DTLS连接由DCCP连接承载。通常,DCCP连接建立之后紧接着DTLS连接建立(通过完全握手创建新的DTLS会话,或恢复现有DTLS会话),DTLS连接终止之后紧接着DCCP连接终止,但这不是唯一的可能性。
The life of a DTLS over DCCP connection is completely contained within the life of the underlying DCCP connection; a DTLS connection cannot continue if its underlying DCCP connection terminates. However, multiple DTLS connections can be resumed from the same DTLS session, each running over its own DCCP connection. The session resumption features of DTLS are widely used, and this situation is likely to occur in many use cases. It is also possible to resume a DTLS session with a new DTLS connection running over a different transport.
DTLS over DCCP连接的寿命完全包含在基础DCCP连接的寿命内;如果DTLS连接的基础DCCP连接终止,则DTLS连接无法继续。但是,可以从同一DTLS会话恢复多个DTLS连接,每个连接都通过其自己的DCCP连接运行。DTL的会话恢复功能被广泛使用,这种情况在许多用例中都可能发生。也可以通过在不同传输上运行的新DTLS连接来恢复DTLS会话。
Note that it is possible for an application to start a DCCP connection by transferring unprotected packets, and then switch to DTLS after some time. This is likely to be useful for applications that would like to negotiate using DTLS or not and has implications for the choice of DCCP Service Code. See Section 3.6 for more information.
请注意,应用程序可以通过传输未受保护的数据包来启动DCCP连接,然后在一段时间后切换到DTL。这对于希望使用或不使用DTL进行协商的应用程序可能很有用,并且对DCCP服务代码的选择有影响。更多信息请参见第3.6节。
Many DTLS Application Programming Interfaces (APIs) do not prevent an application from sending a mix of encrypted and clear packets over the same transport connection. Applications MUST NOT send unprotected data on a DCCP connection while it is also carrying a DTLS connection, since this presents a vulnerability to packet insertion attacks.
许多DTLS应用程序编程接口(API)并不阻止应用程序通过同一传输连接发送加密和清除数据包的混合。当DCCP连接同时承载DTLS连接时,应用程序不得在DCCP连接上发送未受保护的数据,因为这会造成数据包插入攻击的漏洞。
Many DTLS APIs also allow an application to start multiple DTLS connections over one transport connection in series, with the termination of one DTLS connection followed by the start of another. Processing a DTLS handshake is relatively CPU intensive. An application that uses this strategy is open to an attacker that repeatedly starts and immediately stops sessions. Therefore, applications that use this strategy SHOULD limit the potential burden on the system by some means. For example, the application could enforce a minimum time of 1 second between session initiations.
许多DTLS API还允许应用程序通过一个串联的传输连接启动多个DTLS连接,一个DTLS连接终止后再启动另一个DTLS连接。处理DTLS握手相对CPU密集。使用此策略的应用程序对反复启动并立即停止会话的攻击者开放。因此,使用此策略的应用程序应该通过某种方式限制系统的潜在负担。例如,应用程序可以在会话启动之间强制执行最短1秒的时间。
Each DTLS record must fit within a single DCCP-Data packet. DCCP packets are normally transmitted with the DF (Don't Fragment) bit set for IPv4 (or without fragmentation extension headers for IPv6). Because of this, DCCP performs Path Maximum Transmission Unit (PMTU) Discovery.
每个DTLS记录必须适合单个DCCP数据包。DCCP数据包通常使用为IPv4设置的DF(不分段)位进行传输(或不使用为IPv6设置的分段扩展头)。因此,DCCP执行路径最大传输单元(PMTU)发现。
DTLS also normally uses the DF bit and performs PMTU Discovery on its own, using an algorithm that is strongly similar to the one used by DCCP. A DTLS over DCCP implementation MAY use the DCCP-managed value for PMTU and not perform PMTU Discovery on its own. However, implementations that choose to use the DCCP-managed PMTU value SHOULD continue to follow the procedures of Section 4.1.1.1 of [RFC4347] with regard to fragmenting handshake messages during handshake retransmissions. Alternatively, a DTLS over DCCP implementation MAY choose to use its own PMTU Discovery calculations, as specified in [RFC4347], but MUST NOT use a value greater than the value determined by DCCP.
DTLS通常也使用DF位,并使用与DCCP使用的算法非常相似的算法自行执行PMTU发现。DTLS over DCCP实现可以使用PMTU的DCCP管理值,而不单独执行PMTU发现。但是,选择使用DCCP管理的PMTU值的实施应继续遵循[RFC4347]第4.1.1.1节中关于在握手重新传输期间分割握手消息的程序。或者,DTLS over DCCP实现可以选择使用[RFC4347]中规定的自己的PMTU发现计算,但不得使用大于DCCP确定的值的值。
DTLS implementations normally allow applications to reset the PMTU estimate back to the initial state. When that happens, DTLS over DCCP implementations SHOULD also reset the DCCP PMTU estimation.
DTLS实现通常允许应用程序将PMTU估计值重置回初始状态。发生这种情况时,DCCP上的DTL实现还应重置DCCP PMTU估计。
DTLS implementations also sometimes allow applications to control the use of the DF bit (when running over IPv4) or the use of fragmentation extension headers (when running over IPv6). DTLS over DCCP implementations SHOULD control the use of the DF bit or fragmentation extension headers by DCCP in concert with the application's indications, when the DCCP implementation supports this. Note that DCCP implementations are not required to support sending fragmentable packets.
DTLS实现有时还允许应用程序控制DF位的使用(在IPv4上运行时)或分段扩展头的使用(在IPv6上运行时)。当DCCP实现支持DF位或分段扩展头时,DCCP的DTL over DCCP实现应控制DCCP与应用程序指示一起使用DF位或分段扩展头。请注意,DCCP实现不需要支持发送碎片数据包。
Note that the DCCP Maximum Packet Size (MPS in [RFC4340]) is bounded by the current congestion control state (Congestion Control Maximum Packet Size, CCMPS in [RFC4340]). Even when the DF bit is not set and DCCP packets may then be fragmented, the MPS may be less than the 65,535 bytes normally used in UDP. It is also possible for the DCCP CCMPS, and thus the MPS, to vary over time as congestion conditions change. DTLS over DCCP implementations MUST NOT use a DTLS record size that is greater than the DCCP MPS currently in force.
注意,DCCP最大数据包大小(MPS在[RFC4340]中)受当前拥塞控制状态(拥塞控制最大数据包大小,[RFC4340]中的CCMPS)的限制。即使未设置DF位且DCCP数据包随后可能被分段,MPS也可能小于UDP中通常使用的65535字节。DCCP CCMP和MPS也可能随着拥塞条件的变化而随时间变化。DCCP上的DTLS实施不得使用大于当前生效的DCCP MPS的DTLS记录大小。
The DCCP connection handshake includes a field called Service Code that is intended to describe "the application-level service to which the client application wants to connect". Further, "Service Codes are intended to provide information about which application protocol a connection intends to use, thus aiding middleboxes and reducing reliance on globally well-known ports" [RFC4340].
DCCP连接握手包括一个名为“服务代码”的字段,用于描述“客户端应用程序希望连接到的应用程序级服务”。此外,“服务代码旨在提供有关连接打算使用哪种应用协议的信息,从而帮助中间盒并减少对全球知名端口的依赖”[RFC4340]。
It is expected that many middleboxes will give different privileges to applications running DTLS over DCCP versus just DCCP. Therefore, applications that use DTLS over DCCP sometimes and just DCCP other times SHOULD register and use different Service Codes for each mode
预计许多中间盒将为通过DCCP运行DTL的应用程序授予不同的权限,而不仅仅是DCCP。因此,有时在DCCP上使用DTL,而其他时候仅在DCCP上使用DTL的应用程序应该为每种模式注册并使用不同的服务代码
of operation. Applications that use both DCCP and DTLS over DCCP MAY choose to listen for incoming connections on the same DCCP port and distinguish the mode of the request by the offered Service Code.
手术的时间。通过DCCP同时使用DCCP和DTL的应用程序可以选择侦听同一DCCP端口上的传入连接,并通过提供的服务代码区分请求的模式。
Some applications may start out using DCCP without DTLS, and then optionally switch to using DTLS over the same connection. Since there is no way to change the Service Code for a connection after it is established, these applications will use one Service Code.
一些应用程序可能在不使用DTL的情况下开始使用DCCP,然后可以选择通过相同的连接切换到使用DTL。由于建立连接后无法更改服务代码,因此这些应用程序将使用一个服务代码。
As DTLS matures, revisions to and updates for [RFC4347] can be expected. DTLS includes mechanisms for identifying the version in use, and presumably future versions will either include backward compatibility modes or at least not allow connections between dissimilar versions. Since DTLS over DCCP simply encapsulates the DTLS records transparently, these changes should not affect this document and the methods of this document should apply to future versions of DTLS.
随着DTL的成熟,[RFC4347]的修订和更新是可以预期的。DTL包括识别正在使用的版本的机制,未来的版本可能包括向后兼容模式,或者至少不允许不同版本之间的连接。由于DCCP上的DTLS只是透明地封装DTLS记录,因此这些更改不应影响本文档,本文档的方法应适用于未来版本的DTLS。
Therefore, in the absence of a revision to this document, this document is assumed to apply to all future versions of DTLS. This document will only be revised if a revision to DTLS or DCCP (including its related CCIDs) makes a revision to the encapsulation necessary.
因此,在本文件无修订的情况下,假定本文件适用于DTL的所有未来版本。仅当DTLS或DCCP(包括其相关CCID)的修订使封装的修订成为必要时,才对本文件进行修订。
It is RECOMMENDED that an application migrating to a new version of DTLS keep the same DCCP Service Code used for the old version and allow DTLS to provide the version negotiation support. If a new version of DTLS provides significant new capabilities to the application that could change the behavior of middleboxes with regard to the application, an application developer MAY register a new Service Code.
建议迁移到新版本DTLS的应用程序保留与旧版本相同的DCCP服务代码,并允许DTLS提供版本协商支持。如果新版本的DTLS为应用程序提供了重要的新功能,这些功能可能会改变与应用程序相关的中间盒的行为,则应用程序开发人员可以注册新的服务代码。
Security considerations for DTLS are specified in [RFC4347] and for DCCP in [RFC4340]. The combination of DTLS and DCCP introduces no new security considerations.
[RFC4347]中规定了DTL的安全注意事项,[RFC4340]中规定了DCCP的安全注意事项。DTL和DCCP的结合没有引入新的安全考虑。
The author would like to thank Eric Rescorla for initial guidance on adapting DTLS to DCCP, and Gorry Fairhurst, Pasi Eronen, Colin Perkins, Lars Eggert, Magnus Westerlund, and Tom Petch for comments on the document.
作者要感谢Eric Rescorla就如何将DTL适应DCCP提供的初步指导,以及Gorry Fairhurst、Pasi Eronen、Colin Perkins、Lars Eggert、Magnus Westerlund和Tom Petch对该文件的评论。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, March 2006.
[RFC4340]Kohler,E.,Handley,M.和S.Floyd,“数据报拥塞控制协议(DCCP)”,RFC 43402006年3月。
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC4346]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.1”,RFC 4346,2006年4月。
[RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security", RFC 4347, April 2006.
[RFC4347]Rescorla,E.和N.Modadugu,“数据报传输层安全”,RFC 4347,2006年4月。
[RFC3448] Handley, M., Floyd, S., Padhye, J., and J. Widmer, "TCP Friendly Rate Control (TFRC): Protocol Specification", RFC 3448, January 2003.
[RFC3448] Handley, M., Floyd, S., Padhye, J., and J. Widmer, "TCP Friendly Rate Control (TFRC): Protocol Specification", RFC 3448, January 2003.translate error, please retry
[RFC4341] Floyd, S. and E. Kohler, "Profile for Datagram Congestion Control Protocol (DCCP) Congestion Control ID 2: TCP-like Congestion Control", RFC 4341, March 2006.
[RFC4341]Floyd,S.和E.Kohler,“数据报拥塞控制协议(DCCP)拥塞控制ID 2的配置文件:类似TCP的拥塞控制”,RFC 43412006年3月。
[RFC4342] Floyd, S., Kohler, E., and J. Padhye, "Profile for Datagram Congestion Control Protocol (DCCP) Congestion Control ID 3: TCP-Friendly Rate Control (TFRC)", RFC 4342, March 2006.
[RFC4342]Floyd,S.,Kohler,E.,和J.Padhye,“数据报拥塞控制协议(DCCP)拥塞控制ID 3的配置文件:TCP友好速率控制(TFRC)”,RFC 43422006年3月。
Author's Address
作者地址
Tom Phelan Sonus Networks 7 Technology Park Dr. Westford, MA USA 01886 Phone: 978-614-8456 Email: tphelan@sonusnet.com
Tom Phelan Sonus Networks 7科技园美国马萨诸塞州韦斯特福德博士01886电话:978-614-8456电子邮件:tphelan@sonusnet.com
Full Copyright Statement
完整版权声明
Copyright (C) The IETF Trust (2008).
版权所有(C)IETF信托基金(2008年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.