Configuring a DTLS Virtual Server

Jun 17, 2015

The SSL and TLS protocols have traditionally been used to secure streaming traffic. Both run over TCP, whose connection setup and in-order, reliable delivery add latency that real-time traffic cannot afford. In addition, TLS cannot handle lost or reordered packets, because its record layer depends on the underlying stream arriving complete and in order.

UDP is the preferred protocol for audio and video applications, such as Lync, Skype, iTunes, YouTube, training videos, and Flash. However, UDP is neither secure nor reliable. The DTLS protocol is designed to secure data over UDP and is used for applications such as media streaming, VoIP, and online gaming. In DTLS, each handshake message is assigned a specific sequence number within that handshake. When a peer receives a handshake message, it can quickly determine whether that message is the next one expected. If it is, the peer processes the message. If not, the message is queued for handling after all the previous messages have been received.
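The handshake sequencing described above, as an added Python example that is not part of the Citrix documentation: it parses the 12-byte DTLS handshake fragment header (message type, length, message_seq, fragment offset, fragment length, as laid out in RFC 6347), queues messages that arrive out of order, reassembles fragmented messages, and delivers them in message_seq order. The message bodies, the arrival order and the HandshakeReassembler class and function names are this example's own constructions.

```python
"""Added example (not NetScaler code): DTLS handshake message sequencing.

A receiver processes the handshake message whose message_seq is the next one
expected and queues the others until the gap is filled; fragments of one
message are reassembled before it is delivered.  All sample messages below
are constructed for illustration."""

HDR_LEN = 12  # msg_type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)


def build_fragments(msg_type: int, message_seq: int, body: bytes, max_frag: int = 64) -> list:
    """Sender side: split one handshake message into DTLS handshake fragments."""
    offsets = list(range(0, len(body), max_frag)) or [0]  # empty body -> one empty fragment
    frags = []
    for off in offsets:
        chunk = body[off:off + max_frag]
        header = (bytes([msg_type]) + len(body).to_bytes(3, "big")
                  + message_seq.to_bytes(2, "big") + off.to_bytes(3, "big")
                  + len(chunk).to_bytes(3, "big"))
        frags.append(header + chunk)
    return frags


def parse_fragment(buf: bytes) -> dict:
    """Parse one handshake fragment, rejecting inconsistent length fields."""
    if len(buf) < HDR_LEN:
        raise ValueError("truncated handshake header")
    msg = {
        "msg_type": buf[0],
        "length": int.from_bytes(buf[1:4], "big"),
        "message_seq": int.from_bytes(buf[4:6], "big"),
        "fragment_offset": int.from_bytes(buf[6:9], "big"),
        "fragment_length": int.from_bytes(buf[9:12], "big"),
    }
    msg["body"] = buf[HDR_LEN:HDR_LEN + msg["fragment_length"]]
    if len(msg["body"]) != msg["fragment_length"]:
        raise ValueError("fragment body shorter than fragment_length")
    if msg["fragment_offset"] + msg["fragment_length"] > msg["length"]:
        raise ValueError("fragment extends past the message length")
    return msg


class HandshakeReassembler:
    """Receiver-side state: the next expected message_seq plus queued fragments."""

    def __init__(self):
        self.next_seq = 0
        self.pending = {}  # message_seq -> {"msg_type", "length", "parts": {offset: bytes}}

    def receive(self, datagram: bytes) -> list:
        """Feed one fragment; return the (seq, msg_type, body) messages now deliverable, in order."""
        frag = parse_fragment(datagram)
        seq = frag["message_seq"]
        if seq < self.next_seq:
            return []  # retransmission of a message already processed: drop it
        entry = self.pending.setdefault(
            seq, {"msg_type": frag["msg_type"], "length": frag["length"], "parts": {}})
        if entry["msg_type"] != frag["msg_type"] or entry["length"] != frag["length"]:
            raise ValueError(f"inconsistent header for message_seq {seq}")
        entry["parts"][frag["fragment_offset"]] = frag["body"]
        return self._deliver()

    @staticmethod
    def _complete(entry: dict):
        """Return the reassembled body if the parts cover [0, length) without holes, else None."""
        covered, chunks = 0, []
        for off in sorted(entry["parts"]):
            if off > covered:
                return None  # hole before this fragment: wait for a retransmission
            part = entry["parts"][off][covered - off:]  # drop bytes already covered by an overlap
            chunks.append(part)
            covered += len(part)
        return b"".join(chunks) if covered == entry["length"] else None

    def _deliver(self) -> list:
        out = []
        while self.next_seq in self.pending:
            body = self._complete(self.pending[self.next_seq])
            if body is None:
                break  # the next expected message is still incomplete; later ones stay queued
            entry = self.pending.pop(self.next_seq)
            out.append((self.next_seq, entry["msg_type"], body))
            self.next_seq += 1
        return out


def demo_out_of_order() -> list:
    """Three constructed messages whose fragments arrive out of order, plus one duplicate."""
    m0 = build_fragments(1, 0, b"client hello bytes " * 8)   # 152 bytes -> 3 fragments
    m1 = build_fragments(11, 1, b"cert" * 20)                # 80 bytes -> 2 fragments
    m2 = build_fragments(14, 2, b"")                         # empty body -> 1 fragment
    arrival = [m2[0], m0[2], m1[1], m0[0], m1[0], m0[1], m0[1]]  # last one is a duplicate
    reassembler, delivered = HandshakeReassembler(), []
    for datagram in arrival:
        delivered.extend(reassembler.receive(datagram))
    return delivered  # seq 0, 1 and 2 in order, each delivered exactly once


if __name__ == "__main__":
    for seq, msg_type, body in demo_out_of_order():
        print(f"message_seq={seq} type={msg_type} length={len(body)}")
```

Nothing is delivered until message_seq 0 is complete; at that moment the already-queued messages 1 and 2 are released together, and the later duplicate of a message_seq 0 fragment is discarded because it is below the next expected sequence number.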

You must create a DTLS virtual server and a service of type UDP. By default, a DTLS profile (nsdtls_default_profile) is bound to the virtual server. Optionally, you can create and bind a user-defined DTLS profile to the virtual server.

Note: RC4 ciphers are not supported on a DTLS virtual server.

To create a DTLS configuration by using the command line

At the command prompt, type:

    add lb vserver <vserver_name> DTLS <IPAddress> <port>
    add service <service_name> <IPAddress> UDP 443
    bind lb vserver <vserver_name> <udp_service_name>

The following steps are optional:

    add dtlsProfile dtls1 -maxretryTime <positive_integer>
    set ssl vserver <vserver_name> -dtlsProfileName <dtls_profile_name>

To create a DTLS configuration by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Create a virtual server of type DTLS, and bind a UDP service to the virtual server.
  3. A default DTLS profile is bound to the DTLS virtual server. To bind a different profile, in SSL Parameters, select a different DTLS profile. To create a new profile, click the plus (+) next to DTLS Profile.

Example

The following example is for an end-to-end DTLS configuration:

> enable ns feature SSL LB 
> add server s1 10.102.59.190 
> add service svc1 s1 UDP 32000 
> add lb vserver lb1 DTLS 10.102.59.244 443 
> add ssl certKey servercert -cert server_cert.pem -key server_key.pem  
> bind ssl vserver lb1 -certkeyname servercert 
> bind lb vserver lb1 svc1 
 
> sh lb vserver lb1 
        lb1 (10.102.59.244:443) - DTLS  Type: ADDRESS 
        State: UP 
        Last state change was at Tue May 20 16:41:27 2014 
        Time since last state change: 0 days, 00:01:39.120 
        Effective State: UP 
        Client Idle Timeout: 120 sec 
        Down state flush: ENABLED 
        Disable Primary Vserver On Down : DISABLED 
        Appflow logging: ENABLED 
        No. of Bound Services :  1 (Total)       1 (Active) 
        Configured Method: LEASTCONNECTION 
        Current Method: Round Robin, Reason: A new service is bound 
        Mode: IP 
        Persistence: NONE 
        L2Conn: OFF 
        Skip Persistency: None 
        IcmpResponse: PASSIVE 
        RHIstate: PASSIVE 
        New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0 
        TD: 0 
        Mac mode Retain Vlan: DISABLED 
        DBS_LB: DISABLED 
        Process Local: DISABLED 
 
        1 bound service: 
1) svc1 (10.102.59.190: 32000) - UDP State: UP  Weight: 1 
 Done 
> 
> sh ssl vserver lb1 
 
        Advanced SSL configuration for VServer lb1: 
        DH: DISABLED 
        Ephemeral RSA: ENABLED          Refresh Count: 0 
        Session Reuse: ENABLED          Timeout: 1800 seconds 
        Cipher Redirect: DISABLED 
 
        ClearText Port: 0 
        Client Auth: DISABLED 
        SSL Redirect: DISABLED 
        Non FIPS Ciphers: DISABLED 
        SNI: DISABLED 
        DTLSv1: ENABLED 
        Send Close-Notify: YES 
 
        DTLS profile name: nsdtls_default_profile 
 
        1 bound certificate: 
 
1)      CertKey Name: servercert        Server Certificate 
 
        1 configured cipher: 
 
1)      Cipher Name: DEFAULT 
        Description: Predefined Cipher Alias 
 Done 
 
> sh dtlsProfile nsdtls_default_profile 
1) Name: nsdtls_default_profile 
 PMTU Discovery: DISABLED 
 Max Record Size: 1460 bytes 
 Max Retry Time: 3 sec  
 Hello Verify Request: DISABLED 
 Terminate Session: DISABLED 
 Max Packet Count: 120 bytes 
 Done 
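As an added example that is not part of the Citrix documentation, the following Python parses the `sh ssl vserver` and `sh dtlsProfile` output shown above into key/value settings and reports the items a reviewer would check on a DTLS virtual server: that DTLSv1 is enabled, whether an RC4 cipher or an unexpanded cipher alias is bound, whether the DTLS profile's Hello Verify Request (the cookie exchange of RFC 6347) is enabled, and whether client authentication is in use. The sample text is copied from the page's own session output; the parsing, the checks and their wording are this example's own.

```python
"""Added example (not Citrix code): parse NetScaler show output for a DTLS
virtual server and its DTLS profile, then report settings worth reviewing.
The two samples below are copied from the page's example session."""
import re

SAMPLE_SSL_VSERVER = """\
        Advanced SSL configuration for VServer lb1:
        DH: DISABLED
        Ephemeral RSA: ENABLED          Refresh Count: 0
        Session Reuse: ENABLED          Timeout: 1800 seconds
        Cipher Redirect: DISABLED
        ClearText Port: 0
        Client Auth: DISABLED
        SSL Redirect: DISABLED
        Non FIPS Ciphers: DISABLED
        SNI: DISABLED
        DTLSv1: ENABLED
        Send Close-Notify: YES
        DTLS profile name: nsdtls_default_profile
        1 bound certificate:
1)      CertKey Name: servercert        Server Certificate
        1 configured cipher:
1)      Cipher Name: DEFAULT
        Description: Predefined Cipher Alias
 Done
"""

SAMPLE_DTLS_PROFILE = """\
1) Name: nsdtls_default_profile
 PMTU Discovery: DISABLED
 Max Record Size: 1460 bytes
 Max Retry Time: 3 sec
 Hello Verify Request: DISABLED
 Terminate Session: DISABLED
 Max Packet Count: 120 bytes
 Done
"""


def parse_show_output(text: str) -> dict:
    """Collect 'Key: Value' pairs (several may share one line, separated by runs
    of spaces) into a dict; cipher names are gathered into a list because a
    virtual server may have several bound."""
    settings = {"ciphers": []}
    for line in text.splitlines():
        for piece in re.split(r"\s{2,}", line.strip()):
            key, sep, value = piece.partition(":")
            key = re.sub(r"^\d+\)\s*", "", key).strip()  # drop list numbering such as '1) '
            value = value.strip()
            if not sep or not value:
                continue  # headings like 'Advanced SSL configuration for VServer lb1:'
            if key == "Cipher Name":
                settings["ciphers"].append(value)
            else:
                settings[key] = value
    return settings


def audit_dtls_vserver(ssl: dict, profile: dict) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    if ssl.get("DTLSv1") != "ENABLED":
        findings.append("DTLSv1 is not ENABLED on the virtual server")
    for name in ssl.get("ciphers", []):
        if "RC4" in name.upper():
            findings.append(f"cipher {name} uses RC4, which a DTLS virtual server does not support")
        elif name == "DEFAULT":
            findings.append("cipher alias DEFAULT is bound; list its members with "
                            "'sh ssl cipher DEFAULT' to confirm none of them use RC4")
    if profile.get("Hello Verify Request") != "ENABLED":
        findings.append("Hello Verify Request is DISABLED: without the cookie exchange "
                        "(RFC 6347 section 4.2.1) the server does handshake work for "
                        "ClientHellos whose source address it has not verified")
    if ssl.get("Client Auth") != "ENABLED":
        findings.append("Client Auth is DISABLED: clients are not authenticated by certificate (informational)")
    return findings


if __name__ == "__main__":
    vserver = parse_show_output(SAMPLE_SSL_VSERVER)
    dtls_profile = parse_show_output(SAMPLE_DTLS_PROFILE)
    print(f"profile {vserver['DTLS profile name']}, max retry time {dtls_profile['Max Retry Time']}")
    for finding in audit_dtls_vserver(vserver, dtls_profile):
        print("-", finding)
```

Run against the page's output, the audit reports the unexpanded DEFAULT alias, the disabled Hello Verify Request in nsdtls_default_profile, and the disabled client authentication; a user-defined DTLS profile with Hello Verify Request enabled, bound with `set ssl vserver ... -dtlsProfileName`, clears the second finding.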

Features not supported by a DTLS virtual server

The following options cannot be enabled on a DTLS virtual server:
  • SSLv2
  • SSLv3
  • TLSv1
  • TLSv1.1
  • TLSv1.2
  • Push encrypt trigger
  • SSLv2Redirect
  • SSLv2URL
  • SNI
  • Secure renegotiation

Parameters not used by a DTLS virtual server

The following SSL parameters, even if set, are ignored by a DTLS virtual server:
  • Encryption trigger packet count
  • PUSH encryption trigger timeout
  • SSL quantum size
  • Encryption trigger timeout
  • Subject/Issuer Name Insertion Format