Hi everybody,
how can I detect a dead server with *DTLS*?
I'm developing an application (IPFIX exporter and collector) that only
*sends* data using DTLS over UDP. Imagine the collector (DTLS server)
crashes and comes up again. The exporter (DTLS client) does not notice
the fact that the server went down and keeps on sending data using the
old pre-master secret. The only thing the server can do is to drop those
packets because due to the crash he lost the pre-master secret and also
the whole state that constitutes the SSL object.
Please note that the underlying protocol which is UDP - as opposed to
TCP - does *not* tell me that the peer died. I might get some ICMP
port-unreachable messages but I don't want to rely on that.
Is there some kind of Dead Peer Detection like in the IPSec/IKE protocol
that allows me to verify that my peer is still alive? In case the peer
died I would just backup and initiate a new DTLS connection from scratch.
Also, this mechanism would be useful to keep NAT mappings alive.
Please note that I can not solve this problem via the protocol that I
use on top of DTLS - which is IPFIX - because IPFIX - by definition -
only *sends* but does not receive data. I.e. I can not infer that the
server crashed from the fact the he does not send any data because he
does not send data anyway (except Handshake messages like ServerHello,
ServerKeyExchange, etc.). I guess IPFIX is a one-way protocol.
Thanks
Daniel
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org