Review Request of JDK Enhancement Proposal: DTLS

Christos Zoulas christos at zoulas.com
Fri Mar 21 23:46:22 UTC 2014


On Mar 22,  7:38am, xuelei.fan at oracle.com (Xuelei Fan) wrote:
-- Subject: Re: Review Request of JDK Enhancement Proposal: DTLS

| Networking experts, any suggestion?

I have not seen pmtu exposed at the application layer before. Has anyone
else?

christos

| 
| Xuelei
| 
| On 3/21/2014 8:28 AM, Matthew Hall wrote:
| > On Fri, Mar 21, 2014 at 06:58:50AM +0800, Xuelei Fan wrote:
| >> here. Although MTU is not PMTU, it is normally "correct".
| > 
| > I would state, not "normally correct", but "frequently correct".
| > 
| > In case of IPSEC, SSL VPN, IPv6, GRE, etc. this will not be true. Many of 
| > these are used for Site-to-Site VPN, which will appear often in the context of 
| > RTP packets and SRTP packets, which happen to travel over VPNs.
| > 
| >> It would be great if there is PMTU discovery API in Java, which can
| >> simplify the implementation of DTLS.
| > 
| > Without it, I think there will be a lot of odd bugs occurring.
| > 
| > Matthew.
| > 
| 
| 
| Message-ID: <532A3B53.6000407 at oracle.com>
| Date: Thu, 20 Mar 2014 08:50:27 +0800
| From: Xuelei Fan <xuelei.fan at oracle.com>
| User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
| MIME-Version: 1.0
| To: Matthew Hall <mhall at mhcomputing.net>
| CC: OpenJDK <security-dev at openjdk.java.net>
| Subject: Re: Review Request of JDK Enhancement Proposal: DTLS
| References: <532A25EA.7040802 at oracle.com> <20140320003158.GA5754 at mhcomputing.net>
| In-Reply-To: <20140320003158.GA5754 at mhcomputing.net>
| 
| PMTU is a key point of the design.  I was wondering whether to expose this
| at the application layer as a configurable parameter.  If it is too big (or not
| configured), DTLSEngine (let's call it that temporarily) will downgrade the size
| automatically, just as the previous messages get lost.
| 
| It's a good point that we need a separate spec to determine the PMTU. I will
| see what we can do here.
| 
| Thanks,
| Xuelei
| 
| On 3/20/2014 8:31 AM, Matthew Hall wrote:
| > Xuelei,
| > 
| > Is there an existing method for determining valid PMTU from inside of Java? If 
| > not then supplying correct segment size to whatever DTLSEngine (or however 
| > it's named) class would be non-trivial and could require native code.
| > 
| > If there is not such support, then a separate spec would be needed to add that 
| > support, before it would be possible to get the new DTLS support to work very 
| > reliably.
| > 
| > Matthew.
| > 
| > On Thu, Mar 20, 2014 at 07:19:06AM +0800, Xuelei Fan wrote:
| >> Hi,
| >>
| >> Please review the JDK Enhancement Proposal, Support Datagram Transport
| >> Layer Security (DTLS) version 1.0 (RFC 4347) and 1.2 (RFC 6347) in the
| >> JSSE API and the SunJSSE security provider. For details, please refer to
| >> the draft JEP:
| >>
| >> http://cr.openjdk.java.net/~xuelei/7093601/jep-dtls-v00.txt
| >>
| >> Feel free to comment and send your feedback to the alias.
| >>
| >> Thanks,
| >> Xuelei
| 
| 
-- End of excerpt from Xuelei Fan
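The design Xuelei sketches in the quoted message (application supplies a PMTU hint, the DTLS layer fragments handshake messages to fit it and "downgrades the size automatically" when a flight is lost) can be modelled in a few dozen lines. The Python below is an added illustration written for this archive page; it is not code from the thread, from the JEP draft or from the JDK. The header sizes are the fixed IPv4/IPv6, UDP, DTLS record and DTLS handshake-fragment overheads from the RFCs; the back-off ladder, the 4096-byte "Certificate" body and the tunnel that silently drops oversized datagrams are constructed for the demo. RFC 6347 section 4.1.1.1 is what recommends shrinking the packet size during retransmit back-off, which is the behaviour the model implements.

```python
"""Added example, not code from the thread or from the JDK: a model of a DTLS
handshake sender that takes an application-supplied (P)MTU hint, fragments
handshake messages to fit it, and backs the hint off when a flight goes
unanswered (RFC 6347 section 4.1.1.1). Header sizes are real protocol constants;
the back-off ladder, message body and network model are constructed."""
from dataclasses import dataclass
from typing import Callable, List

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
DTLS_RECORD_HDR = 13   # type(1) version(2) epoch(2) sequence_number(6) length(2)
DTLS_HS_HDR = 12       # msg_type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)

# Constructed back-off ladder of commonly seen link/tunnel MTUs; the last entry is
# the IPv4 minimum reassembly size, below which we stop shrinking.
MTU_LADDER = [1500, 1400, 1280, 1200, 576]


def handshake_budget(pmtu: int, ipv6: bool = False) -> int:
    """Handshake-body bytes that fit in one datagram of size pmtu once every header is paid for."""
    ip_hdr = IPV6_HDR if ipv6 else IPV4_HDR
    budget = pmtu - ip_hdr - UDP_HDR - DTLS_RECORD_HDR - DTLS_HS_HDR
    if budget <= 0:
        raise ValueError(f"PMTU {pmtu} leaves no room for handshake data")
    return budget


@dataclass(frozen=True)
class Fragment:
    msg_seq: int
    frag_offset: int
    body: bytes

    def wire_size(self, ipv6: bool = False) -> int:
        """Size of the datagram carrying this fragment, as the network sees it."""
        ip_hdr = IPV6_HDR if ipv6 else IPV4_HDR
        return ip_hdr + UDP_HDR + DTLS_RECORD_HDR + DTLS_HS_HDR + len(self.body)


def fragment_handshake(msg_seq: int, body: bytes, pmtu: int, ipv6: bool = False) -> List[Fragment]:
    """Split one handshake message into fragments whose datagrams do not exceed pmtu."""
    budget = handshake_budget(pmtu, ipv6)
    return [Fragment(msg_seq, off, body[off:off + budget]) for off in range(0, len(body), budget)]


def reassemble(frags: List[Fragment], total_len: int) -> bytes:
    """Rebuild the message from fragments (any order); raise if any byte range is missing."""
    buf = bytearray(total_len)
    have = bytearray(total_len)
    for f in frags:
        buf[f.frag_offset:f.frag_offset + len(f.body)] = f.body
        have[f.frag_offset:f.frag_offset + len(f.body)] = b"\x01" * len(f.body)
    if not all(have):
        raise ValueError("handshake message incomplete")
    return bytes(buf)


def next_smaller_mtu(current: int) -> int:
    """Step down the ladder; return current unchanged when already at the floor."""
    smaller = [m for m in MTU_LADDER if m < current]
    return smaller[0] if smaller else current


def send_flight_with_backoff(body: bytes, hint: int, deliver: Callable[[Fragment], bool],
                             ipv6: bool = False, max_attempts: int = 6):
    """Send one handshake flight; if it is not fully delivered, shrink the MTU and resend.
    deliver(fragment) models the network and returns True if the datagram arrived.
    Returns (attempts, mtu_used, reassembled_body)."""
    pmtu = hint
    for attempt in range(1, max_attempts + 1):
        frags = fragment_handshake(0, body, pmtu, ipv6)
        arrived = [f for f in frags if deliver(f)]
        if len(arrived) == len(frags):          # peer would now answer with its next flight
            return attempt, pmtu, reassemble(arrived, len(body))
        smaller = next_smaller_mtu(pmtu)
        if smaller == pmtu:
            break                               # at the floor; resending the same size is pointless
        pmtu = smaller                          # "downgrade the size automatically"
    raise TimeoutError(f"flight never completed after {max_attempts} attempts")


def make_tunnel(real_pmtu: int, ipv6: bool = False) -> Callable[[Fragment], bool]:
    """Constructed network: silently drops any datagram larger than the true path MTU,
    the way a VPN/GRE tunnel with DF set and black-holed ICMP behaves."""
    return lambda f: f.wire_size(ipv6) <= real_pmtu


if __name__ == "__main__":
    certificate_msg = bytes(range(256)) * 16          # constructed 4096-byte handshake body
    attempts, mtu, got = send_flight_with_backoff(certificate_msg, 1500, make_tunnel(1400))
    print(f"delivered after {attempts} attempts at MTU {mtu}, intact={got == certificate_msg}")
```

Running it with the link MTU (1500) as the hint and a tunnel whose real path MTU is 1400 shows the point Matthew makes: the first flight is black-holed because every full-size fragment is too big for the tunnel, and only the back-off step gets the handshake through. The cost of a wrong hint is therefore a retransmit timeout per ladder step, not a permanent failure, which is why exposing the hint as a configurable parameter is workable even without a Java-side PMTU discovery API. (For the record, the DTLS support that eventually shipped in JDK 9 exposes exactly such a hint via SSLParameters.setMaximumPacketSize.)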