Datagram Transport Layer Security (DTLS) is a

communications protocol A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any variation of a physical quantity. The protocol defines the rules, syntax, semantics (computer science), sem ...

providing

security Security is protection from, or resilience against, potential harm (or other unwanted coercion). Beneficiaries (technically referents) of security may be persons and social groups, objects and institutions, ecosystems, or any other entity or ...

datagram A datagram is a basic transfer unit associated with a packet-switched network. Datagrams are typically structured in header and payload sections. Datagrams provide a connectionless communication service across a packet-switched network. The de ...

-based applications by allowing them to communicate in a way designed to prevent

eavesdropping Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information. Etymology The verb ''eavesdrop'' is a back-formation from the noun ''eave ...

, tampering, or message forgery. The DTLS protocol is based on the

stream A stream is a continuous body of water, body of surface water Current (stream), flowing within the stream bed, bed and bank (geography), banks of a channel (geography), channel. Depending on its location or certain characteristics, a strea ...

-oriented

Transport Layer Security Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over ...

(TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses

User Datagram Protocol In computer networking, the User Datagram Protocol (UDP) is one of the core communication protocols of the Internet protocol suite used to send messages (transported as datagrams in Network packet, packets) to other hosts on an Internet Protoco ...

(UDP) or

Stream Control Transmission Protocol The Stream Control Transmission Protocol (SCTP) is a computer networking communications protocol in the transport layer of the Internet protocol suite. Originally intended for Signaling System 7 (SS7) message transport in telecommunication, the ...

(SCTP), the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram

network packet In telecommunications and computer networking, a network packet is a formatted unit of Data (computing), data carried by a packet-switched network. A packet consists of control information and user data; the latter is also known as the ''Payload ...

. Because DTLS uses UDP or SCTP rather than TCP it avoids the TCP meltdown problem when being used to create a VPN tunnel.

Definition

The following documents define DTLS: * from May 2008 for use with Datagram Congestion Control Protocol (DCCP) * from March 2009 for use with Control And Provisioning of Wireless Access Points (CAPWAP) * from May 2010 for use with

Secure Real-time Transport Protocol The Secure Real-time Transport Protocol (SRTP) is a profile for Real-time Transport Protocol (RTP) intended to provide encryption, message authentication and integrity, and replay attack protection to the RTP data in both unicast and multica ...

(SRTP) subsequently called DTLS-SRTP in a draft with Secure Real-Time Transport Control Protocol (SRTCP) * from January 2011 for use with

(SCTP) encapsulation * from April 2022 for use with

(UDP) DTLS 1.0 is based on TLS 1.1, DTLS 1.2 is based on TLS 1.2, and DTLS 1.3 is based on TLS 1.3. There is no DTLS 1.1 because this version-number was skipped in order to harmonize version numbers with TLS. Like previous DTLS versions, DTLS 1.3 is intended to provide "equivalent security guarantees o TLS 1.3with the exception of order protection/non-replayability".

Implementations

Libraries

Applications

Cisco Cisco Systems, Inc. (using the trademark Cisco) is an American multinational digital communications technology conglomerate corporation headquartered in San Jose, California. Cisco develops, manufactures, and sells networking hardware, s ...

AnyConnect VPN Client uses TLS and invented DTLS-based VPN. * OpenConnect is an open source AnyConnect-compatible client and ocserv server that supports (D)TLS. * Cisco InterCloud Fabric uses DTLS to form a tunnel between private and public/provider compute environments. *

Cato Networks Cato Networks Ltd. is a Tel Aviv, Israel-based network security company that develops Secure access service edge, Secure Access Service Edge (SASE) technology, which combines enterprise communication and security capabilities into a single cloud ...

utilizes DTLS v1.2 for the underlay tunnel used by both the Cato Socket and Cato ZTNA (formerly SDP) client when forming tunnels to the Cato POPs and when forming off-cloud tunnels between Cato sockets. *

ZScaler Zscaler, Inc. () is an American cloud security company based in San Jose, California. The company offers cloud-based services to protect enterprise networks and data. History Zscaler was founded in 2007 by Jay Chaudhry and K. Kailash. The com ...

tunnel 2.0 for ZScaler Internet Access (ZIA) uses DTLS for tunneling. ZScaler Private Access (ZPA) does not support DTLS * F5 Networks Edge VPN Client uses TLS and DTLS. * Fortinet's SSL VPN and Array Networks SSL VPN also use DTLS for VPN tunneling. * Citrix Systems NetScaler uses DTLS to secure UDP. * Web browsers:

Google Chrome Google Chrome is a web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS, iOS, iPadOS, an ...

Opera Opera is a form of History of theatre#European theatre, Western theatre in which music is a fundamental component and dramatic roles are taken by Singing, singers. Such a "work" (the literal translation of the Italian word "opera") is typically ...

and

Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements curr ...

support DTLS-SRTP for

WebRTC WebRTC (Web Real-Time Communication) is a free and open-source project providing web browsers and mobile applications with real-time communication (RTC) via application programming interfaces (APIs). It allows audio and video communication and ...

. Firefox 86 and onward does not support DTLS 1.0. *

Remote Desktop Protocol Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this pu ...

8.0 and onwards.

Vulnerabilities

In February 2013 two researchers from Royal Holloway, University of London discovered a timing attack which allowed them to recover (parts of the) plaintext from a DTLS connection using the OpenSSL or GnuTLS implementation of DTLS when

Cipher Block Chaining In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transform ...

mode encryption was used.

References

External links

* * * * Skip to 1:07:14. * Robin Seggelmann'
Sample Code
echo, character generator, and discard client/servers.
The Illustrated DTLS Connection
{{VPN Cryptographic protocols Session layer protocols Transport Layer Security Virtual private networks