RFC 6347

RFC 6347 defines version 1.2 of the Datagram Transport Layer Security (DTLS) protocol, which was published in January 2012. DTLS is an extension of the widely used Transport Layer Security (TLS) protocol but is specifically designed to operate over datagram transport protocols, such as UDP (User Datagram Protocol). The goal of DTLS is to provide the same level of security guarantees as TLS—including confidentiality, integrity, and authentication—while preserving the inherent nature of datagram communication, such as unreliable and out-of-order delivery of packets.

Unlike TLS, which requires reliable and ordered delivery (such as that provided by TCP), DTLS must function even when packets are lost, reordered, or duplicated. To achieve this, RFC 6347 introduces several mechanisms that adapt the TLS handshake and record layer for use over datagram protocols. For example, DTLS solves the issue of packet loss during the handshake process by using retransmission timers. If a packet is lost during the handshake, the sender can retransmit it after a timeout period.

Another key feature of DTLS as outlined in RFC 6347 is its ability to handle packet reordering and fragmentation. Since datagrams can arrive out of order or be fragmented during transmission, DTLS allows handshake messages to be fragmented and reassembled, ensuring that even large messages can be processed correctly without relying on underlying transport layer guarantees.

RFC 6347 is heavily based on TLS 1.2 and is designed to maximize the reuse of TLS code and infrastructure. By keeping the design of DTLS as close as possible to TLS, it simplifies implementation and reduces the need for new security mechanisms. However, there are certain differences in how DTLS handles issues like anti-replay protection and message authentication. For instance, DTLS records carry explicit sequence numbers, which TLS does not need because it can rely on in-order delivery; these numbers let the receiver recognise duplicated packets and reject replays.

Additionally, DTLS supports a feature known as replay detection, which works similarly to how it is implemented in IPsec. By maintaining a window of received records, the protocol can discard duplicated packets, ensuring that the application only processes each packet once. Replay detection is an optional feature in DTLS but is essential for security in many real-time applications.
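As an added illustration (not code from the RFC or from this wiki page), the sliding-window replay check described above in Python. The window size of 64 follows the default RFC 6347 prefers; the per-epoch dictionary, the class and function names, and SAMPLE_STREAM are constructed for this example.

```python
# Added example: DTLS-style anti-replay sliding window (RFC 6347 section 4.1.2.6,
# modelled on the IPsec ESP window). A real implementation updates the window only
# after the record's MAC has verified; that step is omitted here for brevity.

WINDOW_SIZE = 64  # RFC 6347: at least 32 must be supported, 64 is preferred


class ReplayWindow:
    """Sliding window over 48-bit record sequence numbers for one epoch."""

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.top = -1     # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window;
        return False (discard) if it is a replay or older than the window."""
        if seq > self.top:
            shift = seq - self.top
            # Slide the window forward; bits pushed past the left edge are forgotten.
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # behind the window: too old to judge, so drop it
        if self.bitmap & (1 << offset):
            return False  # already delivered once: replay
        self.bitmap |= 1 << offset
        return True


def filter_records(records):
    """Run (epoch, seq) pairs through one window per epoch (a simplification:
    assumed here, not mandated by the RFC) and return the pairs delivered."""
    windows = {}
    delivered = []
    for epoch, seq in records:
        window = windows.setdefault(epoch, ReplayWindow())
        if window.check_and_update(seq):
            delivered.append((epoch, seq))
    return delivered


# Constructed sample stream (not captured traffic): reordered records, a
# duplicate of seq 2, a jump to seq 200, then stale records 0 and 136.
SAMPLE_STREAM = [(1, 0), (1, 2), (1, 1), (1, 2), (1, 5), (1, 3),
                 (1, 200), (1, 0), (1, 140), (1, 136)]
```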

For more technical details, you can explore the full document:
- RFC 6347: https://www.rfc-editor.org/info/rfc6347

Conclusion

RFC 6347 lays out the fundamental structure for DTLS 1.2, adapting the well-established TLS protocol for use over datagram transports like UDP. By handling packet loss, reordering, and fragmentation, it ensures secure communication for applications that cannot rely on a connection-oriented transport. Because it closely mirrors TLS 1.2, DTLS 1.2 provides robust security and suits latency-sensitive environments that run over unreliable delivery, such as real-time communication systems and media streaming.

rfc_6347.txt · Last modified: 2025/02/01 06:31 by 127.0.0.1
