New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: crypto: include support for DTLS in stdlib or x/crypto #46915
Comments
Thanks for making this happen @daenney! If this does get accepted DTLS I would IMO value is lost having it under the Pion organization. We have our own rules/culture that isn't benefiting I have also had a few people not interested in getting involved/contributing because it is under Pion. Maybe |
cc @julieqiu |
This proposal has been added to the active column of the proposals project |
cc @golang/security |
Talked to the security team about this. It's a large effort, estimated to increase TLS maintenance burden by 20%, but it's also potentially important for a large fraction of the Go ecosystem. We are not staffed to take this on at the moment. But it sounds like the team behind pion/tls is entirely volunteer, which is not ideal either from a staffing perspective. The path ahead is unclear on this one. Perhaps we can work out what the API would look like. Is it small, or is it big? What would it look like? |
@rsc The API for Should I submit a proposal? @daenney and I would love to do that work if a well designed DTLS implementation has a high probability of getting merged. I am hesitant to take time away from other work if it is unlikely. |
If you can just paste the API additions relative to crypto/tls into this thread, that would probably be the right next step. Thanks! |
The following is a diff of This brings all the functionality that
|
Thanks for the API. Presumably those changed method signatures would become new methods, like PacketClient, etc. @rolandshoemaker or anyone else, do these look like plausible API additions for crypto/tls to support DTLS? |
@rolandshoemaker For a good first step I was hoping to use the existing We could have an additional layer that handles the DTLS Specific header for loss/reordering/fragmentation. Nothing in |
Here are some comments from my perspective... First, as background, I created github.com/qwerty-iot/dtls (formerly github.com/bocajim/dtls) which is used in several IoT platforms as the DTLS server. It was never intended to have any compatibility with crypto/tls, so it is not a good target for consideration, but it does identify some key requirements for the IoT community. If I have to summarize the use case in a sentence, it would go like this: We require a solution for "millions of DTLS sessions that communicate once or twice per day that is compatible with high-availability deployments".
We have two corporate sponsors for qwerty-iot/dtls, so we have funding to support a long-term solution, but it would need to align with our core requirements. I also support improvements to crypto/tls to remove the amount of overlapping code in the current DTLS implementations. |
Hey @bocajim I didn't realize pion/dtls didn't have the features you needed. Are you blocked on 5? It might make more sense to keep things in userland if DTLS has intractable requirements by users? |
@Sean-Der I can't say if my use case is mainstream or fringe, so I wouldn't want to scuttle efforts to standardize a DTLS implementation if my use case is outside of the core needs of developers. But given the high usage of DTLS within the IoT community, specifically the LPWA community, I think there will be more demand over time for a highly scalable stack. The pion/dtls package is the most complete implementation in Go, and I tried to rewrite parts of it to maintain the same interface but scale in a less resource intensive way, but it became too much work for my team. The qwerty-iot/dtls library is missing lots of little elements of the DTLS RFC, but does check the box for high scalability, so maybe there is some work we can do to try to bring the two concepts together. |
Something I'm worried about is that while TLS has a broadly compatible
subset we can target to get > 99% of the usefulness with < 10% of the
complexity, DTLS might very well not. We should at the very least figure
out what our compatibility target is in advance, and refuse any additional
complexity that's out of scope.
Moreover, TLS has the driving force of browsers forcing the rest of the
ecosystem to modernize, while DTLS has the anchor of hard-to-update IoT
devices making it impossible to drop compatibility with any old or insecure
version, so we might not ever get to drop DTLS complexity.
Honestly, if my impression is correct, I think DTLS is a better fit for its
own module, as it's hard to reconcile with the standard library
cryptography principles, and applications might want to stay on a previous
major version.
…On Sun, Mar 20, 2022 at 9:17 PM Jim W. ***@***.***> wrote:
@Sean-Der <https://github.com/Sean-Der> I can't say if my use case is
mainstream or fringe, so I wouldn't want to scuttle efforts to standardize
a DTLS implementation if my use case is outside of the core needs of
developers. But given the high usage of DTLS within the IoT community,
specifically the LPWA community, I think there will be more demand over
time for a highly scalable stack.
The pion/dtls package is the most complete implementation in Go, and I
tried to rewrite parts of it to maintain the same interface but scale in a
less resource intensive way, but it became too much work for my team. The
qwerty-iot/dtls library is missing lots of little elements of the DTLS RFC,
but does check the box for high scalability, so maybe there is some work we
can do to try to bring the two concepts together.
—
Reply to this email directly, view it on GitHub
<#46915 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJLETTVYHNMUWUQCURDNDLVA7E2HANCNFSM47IZISJA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
@FiloSottile This is a definite problem, once supported, general lifetime of a device could be as much as 10 years where compatibility needs to be maintained regardless of security concerns or advances. This is generally easy to manage by letting the server implementation choose which ciphers/extensions to support, so it shouldnt be a problem. The hardest part to manage is that have somewhere between 3-5 hacks in my implementation for clients that do not adhere to the DTLS specification correctly, but the device vendors do not have the ability to update their clients, so we are stuck supporting their poor implementation on the server side. I don't see being able to do these types of hacks in the standard library. |
IoT isn't the only use-case of DTLS as we've shown in the proposal. I'd like to be careful about overindexing on "IoT is turrible, we shouldn't have to deal with it in stdlib". There are many places where DTLS is used where we are not constrained by poor vendor implementations that can't be updated. Having an implementation in stdlib also doesn't preclude anyone maintaining their own with speciality hacks if their needs call for it. |
Absolutely agree, just make sure we highlight the intended use cases and the expected gaps so there are no delusions about the applicability of the end result.
|
It sounds like maybe there's no clear reason (not enough usage) for the Go team to pick up and maintain this, and it sounds like people don't use pion/dtls because of concerns about maintainer responsiveness too. So it sounds like we're not going to solve that, and maybe the right answer is to keep using pion/dtls or leave space for someone else to step forward with more maintenance? |
Very well. Lets leave it at that then. |
This proposal has been declined as retracted. |
The purpose of this proposal is to renew a discussion around potentially
including support for DTLS in either the Go standard library or x/crypto.
A proposal for this was filed in 2015 as #13525 and closed in 2018. It's now 3
to 6 years later so I'm looking to revisit that. A lot of things have changed
during that time. Even if we end up coming to the same conclusion, I believe
there's value for the community in clarifying the Go team's position on whether
they feel they are now properly staffed, able and willing to take on such an
endeavour.
I would also like to explore a possibility of having DTLS remain a third-party
package but somehow being able to make greater use of the crypto/tls machinery.
What is DTLS
DTLS, or Datagram Transport Layer Security, is the UDP equivalent of TLS. It
needs to exist because UDP is stateless and unreliable, but in order to
negotiate the parameters of an encrypted connection we need to temporarily
create some form of reliable, in order, exchange of packets.
For the purpose of completing the TLS handshake, DTLS extends the TLS handshake
so we can handle the problems of packet reordering and loss. Once the handshake
is completed, DTLS is no more reliable than using UDP. The difference at that
point is that the application payload is encrypted going forward.
Due to this, DTLS isn't specified as a complete protocol by itself, but as a
set of diffs "on top of" TLS.
Where it is used
DTLS is seeing more and more adoption as more protocols are being standardised
that leverage UDP as their transport layer instead of TCP. In the past half a
decade or so that has meant at least:
WebRTC is used extensively for modern day-to-day audio/video conferencing. CoAP
is used across a wide range of IoT use-cases, both personal (like IKEA's TRÅDFRI
gateway and Philips Hue) as well as in industrial applications. It is currently
also in use in low-bandwidth Matrix.
DTLS also sees wide spread usage as part of security products such as VPNs like
Cisco AnyConnect, in things like Microsoft Remote Desktop, or in IPFIX exporters
implemented on top of VMware's Go library. It's also found its way into other
projects like RouteDNS and coder.com.
Though these are some of the more common or obvious uses of DTLS that folks might
run into in their day-to-day, DTLS is used in a lot more places. There are RFCs
for using DTLS to secure things from DNS, RTP, certificate provisioning
through EST, the Babel routing protocol, RELOAD, RADIUS, MPLS-in-UDP, GRE-in-UDP or
things like a DTLS tunneling protocol for use in multimedia conferences, using
DTLS with SCTP and the list goes on. That's just what the IETF is discussing.
The current state
As the previous section aimed to illustrate, more and more communication is by default
built on top of encrypted transports and the share of new protocols building on top of UDP
is increasing. Older protocols built on UDP are being updated to define how to secure them
using DTLS. DTLS is no longer a niche thing, but has become part of foundational protocols
that power planet-scale communication today and in the future.
The lack of DTLS support in Go has seen it go underused in these areas. This is
unfortunate as Go is a common choice for writing protocol implementations and systems
that communicate over networks, while providing stronger safety guarantees compared
to other commonly used languages in this area.
The community has responded to this gap in two manners. Some have built
cgo wrappers around OpenSSL. But cgo is not Go, and ensuring we transit safely
across the cgo boundary while handling sensitive data is tricky. It complicates
debugging these systems and complicates cross-compiling for different platforms.
Many of these wrappers are experimental, incomplete and have gone unmaintained since
their creation, making them almost certainly dangerous to use in practice.
The second approach has been to implenment DTLS natively in Go. This is what the
Pion project did, which was orginally started with the aim of being able to build
out a WebRTC ecosystem in Go. It has since then been adopted by others, like the
go-coap project which provides a CoAP implementation for Go.
pion/dtls is maintained by a team of volunteer FLOSS maintainers. Even though we're
not rolling our own crypto and despite the fact that everyone should be able to
implement DTLS by following the RFCs, there is a meaningful gap between "being a
competent developer" and "having years of pratical experience dealing with crypto"
and potentially a formal education to back that up. Due to our limited resources,
responding to security issues can also be tricky for us. Because of this and the
fact that the library doesn't hold any kind of official status, the Go community
has understandably been weary of building on top of it.
Possible futures
I'd like to consider if we can change the current status quo. Bar some entities
being able to finanically support Pion so that we can have people work on this
full-time and get funding for audits, I can see roughly three outcomes:
Nothing changes. The Go maintainers don't have the resources to devote spending
time on this and/or continue to feel that the lack of DTLS support isn't holding
back Go. pion/dtls continues to be maintained as is by the current team of volunteers,
as their time and resources permit.
The Go maintainers decide that providing DTLS support through the Go standard libary
or x/crypto would be meaningful to the community and would help further Go's adoption
in certain areas. The necessary code to support DTLS makes it upstream and
pion/dtls enters deprecation until all supported versions of Go ship with DTLS (in
case of inclusion in the standard library) or becomes an adapter for a hypothetical
x/crypto/dtls to ease transition.
Since DTLS is specified as a set of diffs or extensions of TLS, it stands to reason
it might be possible to take the same approach with crypto/tls. It might be possible
to provide the necessary extension points from crypto/tls to allow a DTLS library
to remain as a third-party package that is able to affect the handshake while being
able to reuse the rest of crypto/tls. It's unclear right now if this would be
possible, and if the effort involved to do so and any potential long-term maintenance
burden on both the Go and Pion teams would be worth it.
.. other options the Go team might propose ..
Acknowledgements
No matter the outcome here, I'd like to extend a heartfelt thank you to the Go
maintainers. While building pion/dtls we've been able to learn a lot by taking cues
from crypto/tls. It remains a source of inspiration and reference to us. We regularly
use it to improve ourselves, and when we need to weigh supporting a feature or not
and what the API should look like we always try to converge on what crypto/tls does.
We want to make it clear that even if nothing changes, the Pion authors do intend to
continue and maintain our DTLS implementation in the future for as long as we can.
But we're re-raising this proposal to see if we'll have to do so indefinitely.
Thank you @Sean-Der for reviewing this proposal.
The text was updated successfully, but these errors were encountered: