| Internet-Draft | TLS for DTLS in SCTP | June 2026 |
| Westerlund, et al. | Expires 20 December 2026 | [Page] |
This document defines how Transport Layer Security (TLS) 1.3 is used as a key-management method for the SCTP DTLS Chunk mechanism. It specifies how a TLS handshake establishes the initial security context for an SCTP association and how subsequent TLS handshakes provide key updates and re-authentication. The goal is to enable authenticated and confidential communication over SCTP using the DTLS Chunk, leveraging standardized TLS 1.3 features for key management and rekeying.¶
This note is to be removed before publishing as an RFC.¶
Status information for this document may be found at https://datatracker.ietf.org/doc/draft-porfiri-tsvwg-sctp-dtls-handshake/.¶
Discussion of this document takes place on the Transport Area Working Group (tsvwg) Working Group mailing list (mailto:tsvwg@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/tsvwg/. Subscribe at https://www.ietf.org/mailman/listinfo/tsvwg/.¶
Source for this draft and an issue tracker can be found at https://github.com/teiclap/draft-porfiri-tsvwg-sctp-dtls-handshake.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 20 December 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Stream Control Transmission Protocol (SCTP) [RFC9260] is a transport protocol designed to support message-oriented communication with features such as multi-streaming and multi-homing. In many deployments, particularly telecommunication networks and WebRTC data channels, it is essential to provide confidentiality, integrity, and peer authentication for SCTP traffic.¶
[I-D.ietf-tsvwg-sctp-dtls-chunk] defines a mechanism for securing SCTP by encapsulating SCTP chunks within DTLS 1.3 records at the chunk level. That specification defines the DTLS chunk format, negotiation procedures, and an abstract API for key management, but delegates the actual key management to external methods identified by a DTLS Key Management Identifier.¶
This document defines one such method: it uses TLS 1.3 [RFC8446] handshakes carried as SCTP user messages to perform mutual authentication and derive keying material for the DTLS Chunk Protection Operator. The combination of the SCTP DTLS Chunk and the key-management defined in this document is referred to as "TLS for DTLS in SCTP".¶
The key advantages of this approach are:¶
It requires no extensions to TLS 1.3 to support long-lived sessions.¶
It is based on TLS 1.3 rather than DTLS 1.3, leveraging widely available TLS implementations.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
In this document, || denotes concatenation of byte sequences.¶
This document uses the following terms:¶
An SCTP association.¶
A TLS 1.3 connection used for key management.¶
The keying material (record payload key, sequence number key, and IV) for both send and receive directions, together with the replay window and last used sequence number. Each DKC is identified by a tuple of (SCTP Association, restart indicator, DTLS epoch).¶
The endpoint assigned the client role during SCTP association establishment. This corresponds to the "client" role (C bit) in the DTLS Key Management Parameter of [I-D.ietf-tsvwg-sctp-dtls-chunk].¶
A DTLS Key Context used to protect regular SCTP association traffic.¶
The endpoint assigned the server role during SCTP association establishment. This corresponds to the "server" role (S bit) in the DTLS Key Management Parameter of [I-D.ietf-tsvwg-sctp-dtls-chunk].¶
A DTLS Key Context reserved exclusively for the SCTP association restart procedure.¶
This section provides an informational overview of TLS for DTLS in SCTP. Normative procedures are specified in Section 6.¶
Application data is never transmitted in TLS application_data records. Instead, application data is sent via SCTP DATA chunks protected by the DTLS Chunk Protection Operator. TLS 1.3 is used solely for key management: performing handshakes, deriving keys via the TLS Exporter, and then closing the TLS connection.¶
The protocol operates in three phases:¶
Initial Establishment: After SCTP association setup (with DTLS Key Management Parameter negotiation), a TLS 1.3 handshake derives the initial Primary and Restart DKCs. Protection is then enforced.¶
Rekeying: Either endpoint initiates a new TLS 1.3 handshake to derive fresh DKCs for the next epoch, providing forward secrecy and re-authentication. Old DKCs are removed after draining.¶
SCTP Restart: The pre-established Restart DKC protects the COOKIE ECHO/COOKIE ACK exchange, followed by a new TLS handshake to establish fresh Primary and Restart DKCs.¶
This document defines the usage of TLS 1.3 [RFC8446]. Earlier versions of TLS MUST NOT be used. Only one version of TLS MUST be used during the lifetime of an SCTP Association.¶
Parameters not marked as "Y" in the "Recommended" column of TLS registries are NOT RECOMMENDED to support. Non-AEAD cipher suites or cipher suites without confidentiality MUST NOT be supported. Cipher suites and parameters that do not provide ephemeral key-exchange MUST NOT be supported.¶
The cipher suites negotiated in the key-management TLS connection MUST only include those supported by the DTLS Chunk Protection Operator. The DTLS Chunk provides an API to query supported cipher suites (see Section 7.3 of [I-D.ietf-tsvwg-sctp-dtls-chunk]).¶
TLS for DTLS in SCTP MUST be mutually authenticated. It is RECOMMENDED to use certificate-based authentication.¶
When certificates are used, the application is responsible for certificate policies, certificate chain validation, and identity authentication. The application defines what the identity is and how it is encoded. Guidance on server certificate validation can be found in [RFC9525].¶
All security decisions MUST be based on the peer's authenticated identity, not on its transport layer identity. Since SCTP associations can use multiple IP addresses per endpoint, DTLS records may arrive from different source IP addresses than those originally authenticated.¶
Clients and servers MUST NOT accept a change of identity during the setup of a new TLS connection, but MAY accept negotiation of stronger algorithms and security parameters.¶
Implementations MUST have policies for how often to set up new TLS connections with ephemeral key exchange. Implementations SHOULD rekey at least every hour and every 100 GB of data, which is a common policy for IPsec [ANSSI-DAT-NT-003].¶
Implementations MUST set up a new TLS connection using a full handshake before any of the certificates expire.¶
The PSK key exchange mode psk_ke MUST NOT be used as it does not provide ephemeral key exchange. TLS Key Update MUST NOT be used.¶
TLS 1.3 tickets MAY be used for resumption (valid up to seven days). Resumption can be used to chain the connections, increasing security by forcing an adversary to break them in sequence [KTH-NCSA].¶
The endpoints MUST limit the number of simultaneous TLS connections to one.¶
TLS records and control messages for key-management are sent as SCTP user messages using reliable in-order delivery on stream 0 with the DTLS Key Management Messages PPID (4242) [I-D.ietf-tsvwg-sctp-dtls-chunk].¶
Each SCTP user message uses the format defined in Figure 2.¶
Indicates the type of payload carried in this user message. A value of 0 indicates that the payload contains TLS records. A value of 1 indicates that the payload is a control message (see Section 4.1).¶
The 7 lowest bits of the DTLS Key Context epoch that this message corresponds to — i.e., the DKC that will be created from this handshake, or that already exists. The receiver uses this field to associate incoming data with the correct key-management session.¶
When T=0, one or more complete TLS records. When T=1, a control message as defined in Section 4.1.¶
When the T bit is set to 1, the payload of the user message is a control message with the following format:¶
Identifies the control message type.¶
Type-specific data. May be empty.¶
The following control message type is defined:¶
| Ctrl Type | Name | Description |
|---|---|---|
| 0x01 | Protection Established | Signals that DTLS chunk protection has been enforced |
The Protection Established control message (Ctrl Type = 0x01) is sent by the Responder to the Initiator after the Responder has installed all keys and enforced DTLS chunk protection. This message carries no Control Data (the payload following the Ctrl Type byte is empty).¶
Upon receiving this message, the Initiator enforces DTLS chunk protection and informs the ULP that the association is protected.¶
Role determination and method selection follow the procedure defined in Section 5.1 of [I-D.ietf-tsvwg-sctp-dtls-chunk]. After the SCTP association is established, the key-management function retrieves from the SCTP stack's DTLS chunk API the assigned role (Initiator/client or Responder/server), the selected DTLS Key Management Method, and the downgrade prevention data (both endpoints' DTLS Key Management Parameters) used as input to key derivation.¶
DTLS Key Contexts are derived using the TLS Exporter as defined in Section 7.5 of [RFC8446]. The exporter context is constructed as the concatenation of the following fields:¶
| Field | Length | Value |
|---|---|---|
| Direction | 1 byte | 0x00 = Client, 0x01 = Server |
| Key role | 1 byte | 0x00 = primary/traffic, 0x01 = restart |
| Key type | 1 byte | 0x00 = Key, 0x01 = SN_KEY, 0x02 = IV |
| Initiator KM Param | variable | DTLS Key Management Parameter sent by the Initiator |
| Responder KM Param | variable | DTLS Key Management Parameter sent by the Responder |
Each DTLS Key Management Parameter (Section 4.1 of [I-D.ietf-tsvwg-sctp-dtls-chunk]) is included as the sequence of bytes sent on the wire, including the parameter header and excluding padding.¶
This construction ensures that any modification to the DTLS Key Management Parameter during the SCTP handshake (a downgrade attack) results in mismatched keys and association failure.¶
A single TLS Exporter label is used to derive all keying material:¶
EXPORTER_TLS_FOR_DTLS_IN_SCTP¶
The specific key material (direction, role, and type) is differentiated by the exporter context (Section 5.2). Each combination of Direction, Key role, and Key type values produces a distinct export, yielding 12 values in total (2 directions × 2 roles × 3 types).¶
The Initiator (TLS client) installs exports with Direction=Client as its write keys and Direction=Server as its read keys. The Responder does the reverse.¶
The length of exported material depends on the negotiated cipher suite.¶
Each successful TLS handshake produces two DKCs:¶
The first DKC established for any SCTP association MUST use DTLS epoch 3. Each subsequent Primary DKC uses the next consecutive epoch. After an SCTP restart, the epoch resets to 3.¶
The Restart DKC MUST be maintained in a well-defined state (initialized but never used for regular traffic) so that both endpoints have a consistent view of sequence numbers and replay window.¶
The diagram Figure 4 shows the case where SCTP Initiator is also resulting as Key Manager Client. The opposite case is identical but with inverted roles among Key Managers. In the following procedure we use Initiator and Responder referring to SCTP, Client and Server referring to Keymanager role, and implicitly TLS roles.¶
The procedure is as follows:¶
The Initiator sends INIT containing the DTLS Key Management Parameter (Section 4.1 of [I-D.ietf-tsvwg-sctp-dtls-chunk]) with this method's identifier (see Section 9.1) in its preference-ordered list.¶
The Responder enters ESTABLISHED state. It retrieves the agreed DTLS Key Management Method and role from the SCTP stack (e.g., using the "Get Agreed DTLS Key Management Method and Role" API defined in Section 7.2 of [I-D.ietf-tsvwg-sctp-dtls-chunk]) and verifies that the selected method matches the one defined in this document (see Section 9.1) and gets the assigned role as key manager client or server (in the example depicted in Figure 4 it is server).¶
The Initiator enters ESTABLISHED state. It performs the same retrieval and verification as the Responder, confirming the assigned role as key manager client or server (in the example depicted in Figure 4 it is client).¶
The client key manager starts a TLS 1.3 handshake, limiting offered cipher suites to those supported by the DTLS Chunk Protection Operator, and sends TLS ClientHello per Section 4.¶
The server key manager receives the TLS ClientHello. If a HelloRetryRequest is needed, an additional round-trip occurs before proceeding.¶
The server key manager uses the TLS Exporter to derive the client key material for both the Primary and Restart DKCs and installs it as the read (receive) key material, per Section 5.¶
The server key manager sends its TLS ServerHello through Finished messages.¶
The client key manager receives the TLS ServerHello message, exports all Primary and Restart DKC keys, and installs the client key material as its write (send) key and the server key material as its read (receive) key.¶
The client key manager sends its TLS Certificate/CertificateVerify/Finished, protected by the DTLS Chunk using the new Primary DKC.¶
The server key manager decrypts the DTLS-chunk-protected TLS messages, completes the handshake, exports the server key material for both the Primary and Restart DKCs, and installs it as its write (send) key.¶
The server key manager calls Require Protected SCTP Packets to enforce DTLS chunk protection for all future packets and informs the ULP that the association is protected.¶
The server key manager sends a Protection Established control message (Section 4.1.1) to the client key manager.¶
The client key manager receives the Protection Established control message, calls Require Protected SCTP Packets to enforce DTLS chunk protection for all future packets, and informs the ULP that the association is protected.¶
Application traffic can begin.¶
If the TLS handshake fails, the SCTP association MUST be aborted.¶
After key installation, the TLS connection SHOULD be closed promptly.¶
Rekeying is triggered by implementation-configurable criteria, including:¶
The diagram Figure 5 shows the case where SCTP Initiator is also resulting as Key Manager Client. The opposite case is identical but with inverted roles among Key Managers. In the following procedure we use Initiator and Responder referring to SCTP, Client and Server referring TLS roles. The Key manager roles are only used to handle in the case both sides initiate a rekey simultanously, see Section 6.2.4.¶
Either endpoint may initiate rekeying. The procedure is as follows:¶
The peer willing to rekey becomes the TLS client for this rekey procedure. It sends a TLS ClientHello in a key management message. TLS messages are carried inside DTLS chunks (the association is already protected).¶
The other peer becomes the TLS server for this rekey procedure. It receives and processes the ClientHello, exports the client key material for both the Primary and Restart DKCs, and installs it as its read (receive) key.¶
The server sends its TLS ServerHello through Finished messages to the client.¶
The client receives the TLS ServerHello message, exports all Primary and Restart DKC keys, and installs the client key material as its write (send) key and the server key material as its read (receive) key.¶
The client sends its TLS Certificate/CertificateVerify/Finished encrypted with the new keys and starts the drain timer to remove the old (epoch N) DKC. From now on the client uses new keys.¶
The server receives and verifies the Finished message, exports and installs the server key material for both the Primary and Restart DKCs as its write (send) key, and starts the drain timer to remove the old (epoch N) DKC. From now on the server uses new keys.¶
The new DKCs use epoch N+1 (where N is the current epoch). Both old (epoch N) and new (epoch N+1) DKCs coexist temporarily until the drain timer expires (see Section 6.2.3).¶
All rekeying MUST use ephemeral key exchange. TLS Key Update MUST NOT be used.¶
The drain timer determines how long old (epoch N) DKCs are retained after new (epoch N+1) DKCs have been activated. Its purpose is to allow in-flight packets protected with the old keys to be received and processed before those keys are removed.¶
The drain timer value depends on whether the delivery of the final rekeying message has been confirmed:¶
If delivery of the last rekeying message has been confirmed (e.g., through SCTP acknowledgment of the DATA chunk carrying the TLS Finished), the old DKC MAY be removed after a short drain timer. A value of 120 seconds (one Maximum Segment Lifetime) is RECOMMENDED in this case.¶
If delivery has not been confirmed, the drain timer MUST be set to at least the SCTP association failure time (T_fail). This ensures that if the final rekeying message is lost and requires retransmission, the old DKC remains available for as long as SCTP continues retransmission attempts. If the association fails (i.e., SCTP declares the peer unreachable), the DKCs are removed as part of association teardown.¶
The SCTP association failure time depends on the Retransmission Timeout (RTO) and the maximum number of retransmissions (Association.Max.Retrans, as defined in [RFC9260]). With the default values from [RFC9260] (RTO.Initial = 1s, RTO.Max = 60s, Association.Max.Retrans = 10), T_fail is approximately 303 seconds.¶
Implementations SHOULD set the drain timer to at least T_fail when delivery of the final rekeying message has not been confirmed.¶
As either endpoint can initiate a TLS handshake at the same time, either endpoint may receive a TLS ClientHello when it has already sent its own. In this case, the ClientHello from the Initiator (the endpoint with the keymanager client role) SHALL be processed, and the other SHALL be dropped.¶
This specification allows up to 2 Primary DKCs to be active at the same time. The following state machine governs the transition:¶
Initial state. Only event 1 (TLS handshake completed) transitions to YOUNG.¶
Only the Current DKC is populated. Event 2 (peer ClientHello) transitions to REMOTE OLD; event 3 (aging) transitions to LOCAL AGED.¶
A supervision timer runs. Event 5 (timeout) causes the key manager to check for local aging expire, in that case ABORT otherwise return to YOUNG. Event 4 (peer ClientHello with tie-break yielding server role) transitions to REMOTE OLD. Event 6 (ServerHello received) transitions to LOCAL OLD.¶
Both Old and Current DKCs exist. Old DKC is used for sending until the first packet encrypted with Current DKC is received from the peer. Event 7 (flush timer expires) transitions to YOUNG.¶
Both Old and Current DKCs exist. Current DKC is used for sending. Event 8 (flush timer expires) transitions to YOUNG.¶
In REMOTE OLD and LOCAL OLD, if a new ClientHello or Aging event arrives, the flushing timer is cleared and behavior is as in YOUNG.¶
For protected SCTP restart to succeed:¶
Both endpoints MUST have a valid Restart DKC.¶
The Restart DKC MUST be stored securely and persistently to survive crash events (see Section 10.4 of [I-D.ietf-tsvwg-sctp-dtls-chunk]).¶
Both endpoints MUST have indicated restart support (R bit) in the DTLS Key Management Parameter.¶
The restarting endpoint (Initiator) retrieves the restart key material from persistent secure storage and installs the Restart DKC for both send and receive directions.¶
The Initiator sends INIT (VTag=0).¶
The Responder replies INIT-ACK in plain text per [RFC9260]. Both include the DTLS Key Management Parameter with the same method list but a new random Tie Breaker.¶
The Initiator sends COOKIE ECHO in a DTLS chunk protected with the Restart DKC (R bit set).¶
The Responder replies COOKIE ACK in a DTLS chunk protected with the Restart DKC.¶
Both endpoints have a new established association. Each endpoint immediately calls Require Protected SCTP Packets to enforce DTLS chunk protection (using the Restart DKC), then retrieves the agreed DTLS Key Management Method and role from the SCTP stack (e.g., using the "Get Agreed DTLS Key Management Method and Role" API defined in Section 7.2 of [I-D.ietf-tsvwg-sctp-dtls-chunk]) and verifies that the selected method matches the one defined in this document (see Section 9.1) and that the assigned role is as expected.¶
The ULP MAY be informed that the association is protected at this point. ULP traffic MAY begin immediately using the Restart DKC.¶
The client key manager starts a TLS 1.3 handshake, limiting offered cipher suites to those supported by the DTLS Chunk Protection Operator, and sends TLS ClientHello per Section 4, protected by the Restart DKC.¶
The server key manager receives the TLS ClientHello, exports the client key material for the Primary DKC, and installs it as its read (receive) key.¶
The server key manager sends its TLS ServerHello through Finished messages.¶
The client key manager receives the TLS ServerHello message, exports all Primary DKC keys, and installs the client key material as its write (send) key and the server key material as its read (receive) key for the Primary DKC.¶
The client key manager sends its TLS Certificate/CertificateVerify/Finished, protected by the DTLS Chunk using the new Primary DKC.¶
The server key manager decrypts the DTLS-chunk-protected TLS messages, completes the handshake, exports the server key material for the Primary DKC, and installs it as its write (send) key.¶
The server key manager sends a Protection Established control message (Section 4.1.1) to the client key manager. The server endpoint export and install the new Restart DKC key material (both send and receive directions), remove the old Restart DKC, and commit the new Restart DKC to persistent secure storage.¶
The client key manager receives the Protection Established control message.¶
The client key manager export and install the new Restart DKC key material (both send and receive directions), remove the old Restart DKC, and commit the new Restart DKC to persistent secure storage.¶
Application traffic uses to the new Primary DKC.¶
After restart, the new Primary DKC MUST use epoch 3 (the epoch resets).¶
The Responder MUST NOT change the Restart DKC during the restart procedure. After the new Restart DKC is installed, the old one is removed.¶
It is RECOMMENDED to complete the TLS handshake and install new DKCs as soon as possible after restart, to minimize the window during which no Restart DKC is available for a subsequent restart.¶
Note: There MAY exist a short time gap after association establishment where no Restart DKC is yet installed. If an SCTP restart is initiated during that time, it will fail. However, this is unlikely as the restarting endpoint sends INIT multiple times with exponential back-off.¶
TLS has its own error reporting via TLS alert messages. When a TLS handshake error occurs, the TLS alert is sent in an SCTP user message (see Section 4) with the DTLS Key Management Messages PPID (4242).¶
If a TLS handshake fails during initial establishment, the SCTP association MUST be aborted.¶
If a TLS handshake fails during rekeying, and the current DKC has not yet reached its usage limits, the implementation SHOULD retry the handshake. If retry is not possible or the current DKC is aged beyond policy limits, the association MUST be aborted.¶
The security considerations given in [RFC8446], [RFC9147], and [RFC9260] also apply to this document. BCP 195 [RFC9325] [RFC8996] provides recommendations and requirements for improving the security of deployed services that use TLS. BCP 195 MUST be followed.¶
Although TLS for DTLS in SCTP provides privacy for user messages and almost all SCTP chunks, the SCTP common header, DTLS chunk header, and DTLS record header are not confidentiality protected. An attacker can correlate TLS connections over the same SCTP association using the SCTP common header.¶
To provide identity protection, it is RECOMMENDED to use certificate-based authentication in TLS 1.3 and to not reuse tickets. TLS 1.3 with external PSK authentication does not provide identity protection.¶
By mandating ephemeral key exchange and cipher suites with confidentiality, TLS for DTLS in SCTP effectively mitigates many forms of passive pervasive monitoring. Frequent rekeying forces attackers to perform dynamic key exfiltration and limits the amount of compromised data due to key compromise.¶
IANA is requested to assign one DTLS Key Management Method Identifier in the "DTLS Key Management Method" registry defined by [I-D.ietf-tsvwg-sctp-dtls-chunk] to identify the key-management method defined in this document.¶
| Identifier | Key Management Method Name | Reference | Contact |
|---|---|---|---|
| 192 | TLS for DTLS in SCTP | RFC-TBD | Draft Authors |
IANA is requested to register the following value in the TLS Exporter Label Registry [RFC5705] with Reference RFC-TBD and empty Comment.¶
| Value | DTLS-OK | Recommended |
|---|---|---|
| EXPORTER_TLS_FOR_DTLS_IN_SCTP | Y | N |