Re: Issue 185: DTLS Session Resumption is optional
From: Pasi.Eronen (Pasi.Eronen@nokia.com)
Date: Tue, 16 Sep 2008 10:10:47 -0700 (PDT)
Scott Kelly wrote:

> > Why is this "some unique identifier" needed? (Normal apps using
> > TLS -- which usually involves session resumption, too -- don't
> > need any such identifier; session resumption is something that
> > "just happens" when possible, and the app doesn't need to know
> > about it.)
> 
> I think it's needed (along with special DTLS behavior) because of
> the way it's used: normally, TLS session resumption happens _for the
> same channel_, where the channel is identified by the 5-tuple
> (saddr, daddr, proto, sport, dport). In the capwap case, we are
> expecting DTLS to establish the control channel, and then to use
> session resumption to establish 1 or more data channel sessions (QoS
> requirements may dictate the need for more than one data channel),
> each with their own unique 5-tuples.
> 
> Granted, this won't work with off-the-shelf DTLS implementations,
> but I think the wg participants understand and accept this.

That's a good explanation, but you can't really figure it out
from the text :-) How about something like this?

"Session resumption is typically used to establish the DTLS session
used for the data channel. Since the data channel uses different port
numbers than the control channel, the DTLS implementation on the WTP
MUST provide an interface that allows the CAPWAP module to request
attempting session resumption despite the port number (TLS
implementations usually attempt session resumption only when
connecting to the same IP address and port number)."

Best regards,
Pasi
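The behaviour discussed in this thread, as an added illustration that is not code from any DTLS library or from the CAPWAP draft: a session negotiated on the control channel's 5-tuple is found by the usual same-channel lookup, but a data channel with a different port only gets it through an explicit resumption request. The DtlsSessionCache class, its lookup/request_resumption methods and the peer-address, lifetime and channel-count checks are my assumptions about what such an interface would reasonably enforce.

```python
import os
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# (saddr, daddr, proto, sport, dport), the 5-tuple named in the thread
FiveTuple = Tuple[str, str, str, int, int]


@dataclass
class Session:
    session_id: bytes
    peer_addr: str                         # daddr of the original handshake
    created: float
    channels: Set[FiveTuple] = field(default_factory=set)


class DtlsSessionCache:
    """Hypothetical WTP-side cache (assumption, not a real library API)."""

    def __init__(self, lifetime: float = 3600.0, max_channels: int = 4):
        self.lifetime = lifetime             # seconds a session stays resumable
        self.max_channels = max_channels     # control channel + data channels
        self.by_channel: Dict[FiveTuple, Session] = {}
        self.by_id: Dict[bytes, Session] = {}

    def store(self, chan: FiveTuple) -> Session:
        """Record a session that a full handshake negotiated on chan."""
        s = Session(os.urandom(32), chan[1], time.time(), {chan})
        self.by_channel[chan] = s
        self.by_id[s.session_id] = s
        return s

    def lookup(self, chan: FiveTuple) -> Optional[Session]:
        """Off-the-shelf behaviour: resume only on the identical 5-tuple."""
        return self.by_channel.get(chan)

    def request_resumption(self, sid: bytes, chan: FiveTuple) -> Optional[Session]:
        """The interface the thread asks for: resume on a new port.
        Returns None when a full handshake should be done instead."""
        s = self.by_id.get(sid)
        if s is None or time.time() - s.created > self.lifetime:
            return None                      # unknown or expired session
        if chan[1] != s.peer_addr:
            return None                      # only the same peer, new port
        if len(s.channels) >= self.max_channels:
            return None                      # bound the number of data channels
        s.channels.add(chan)
        self.by_channel[chan] = s            # later same-channel lookups hit
        return s
```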
