4.1. Demultiplexing DTLS Records

DTLS 1.3's header format is more complicated to demux than DTLS 1.2, which always carried the content type as the first byte. As described in Figure 5, the first byte determines how an incoming DTLS record is demultiplexed. The first 3 bits of the first byte distinguish a DTLS 1.3 encrypted record from record types used in previous DTLS versions and plaintext DTLS 1.3 record types. Hence, the range 32 (0b0010 0000) to 63 (0b0011 1111) needs to be excluded from future allocations by IANA to avoid problems while demultiplexing; see Section 14. Implementations can demultiplex DTLS 1.3 records by examining the first byte as follows:

  • If the first byte is alert(21), handshake(22), or ack(proposed, 26), the record MUST be interpreted as a DTLSPlaintext record.

  • If the first byte is any other value, then receivers MUST check to see if the leading bits of the first byte are 001. If so, the implementation MUST process the record as DTLSCiphertext; the true content type will be inside the protected portion.

  • Otherwise, the record MUST be rejected as if it had failed deprotection, as described in Section 4.5.2.

Figure 5 shows this demultiplexing procedure graphically, taking DTLS 1.3 and earlier versions of DTLS into account.

           +----------------+
           | Outer Content  |
           | Type (OCT)     |
           |                |
           |   OCT == 20 -+--> ChangeCipherSpec (DTLS <1.3)
           |   OCT == 21 -+--> Alert (Plaintext)
           |   OCT == 22 -+--> DTLSHandshake (Plaintext)
           |   OCT == 23 -+--> Application Data (DTLS <1.3)
           |   OCT == 24 -+--> Heartbeat (DTLS <1.3)
packet --> |   OCT == 25 -+--> DTLSCiphertext with CID (DTLS 1.2)
           |   OCT == 26 -+--> ACK (DTLS 1.3, Plaintext)
           |                |
           |                |   /+----------------+\
           | 31 < OCT < 64 -+--> |DTLSCiphertext  |
           |                |   |(header bits    |
           |      else      |   | start with 001)|
           |                |   \+-------+--------+/
           +-------+--------+            |
                   |                     |
                   v   Decryption        |
              +---------+                +------+
              | Reject  |                       |
              +---------+                       v
                                         +----------------+
                                         | Decrypted      |
                                         | Content Type   |
                                         | (DCT)          |
                                         |                |
                                         |   DCT == 21 -+--> Alert
                                         |   DCT == 22 -+--> DTLSHandshake
                                         |   DCT == 23 -+--> Application Data
                                         |   DCT == 24 -+--> Heartbeat
                                         |   DCT == 26 -+--> ACK
                                         |   else ------+--> Error
                                         +----------------+

Figure 5: Demultiplexing DTLS 1.2 and DTLS 1.3 Records
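The first-byte rule above, as an added worked example in C that is not part of the RFC text: it classifies a datagram according to Figure 5, with an accept_dtls12 flag (an assumption of this example, not something the specification defines) deciding whether the DTLS <1.3 outer types go to a legacy parser or are dropped, and a self-check confirming that the DTLSCiphertext bucket is exactly the reserved range 32..63.

```c
#include <stddef.h>
#include <stdint.h>
/* How a received datagram should be parsed, per the first-byte rules. */
typedef enum {
    DEMUX_PLAINTEXT,   /* DTLSPlaintext: alert, handshake or ack        */
    DEMUX_CIPHERTEXT,  /* DTLSCiphertext: unified header, bits 001xxxxx */
    DEMUX_LEGACY,      /* DTLS <1.3 record type, only if 1.2 is enabled */
    DEMUX_REJECT       /* drop exactly as if deprotection had failed    */
} demux_result;

/* Outer content types from Figure 5 (ack uses the value given on the page). */
enum { CT_CCS = 20, CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APPDATA = 23,
       CT_HEARTBEAT = 24, CT_TLS12_CID = 25, CT_ACK = 26 };
/* Leading bits 001 select the DTLS 1.3 unified header, i.e. values 32..63. */
#define UNIFIED_HDR_MASK 0xE0u
#define UNIFIED_HDR_BITS 0x20u
/* Classify a datagram from its first byte. accept_dtls12 (a flag assumed by
 * this example) is non-zero only while DTLS 1.2 is still enabled on the socket. */
demux_result dtls_demux(const uint8_t *pkt, size_t len, int accept_dtls12)
{
    if (pkt == NULL || len == 0)
        return DEMUX_REJECT;
    switch (pkt[0]) {
    case CT_ALERT: case CT_HANDSHAKE: case CT_ACK:
        return DEMUX_PLAINTEXT;
    case CT_CCS: case CT_APPDATA: case CT_HEARTBEAT: case CT_TLS12_CID:
        return accept_dtls12 ? DEMUX_LEGACY : DEMUX_REJECT;
    default:
        if ((pkt[0] & UNIFIED_HDR_MASK) == UNIFIED_HDR_BITS)
            return DEMUX_CIPHERTEXT;
        /* 0..19, 27..31, 64..255: handled like a failed deprotection
         * (Section 4.5.2), not reported as a header parse error. */
        return DEMUX_REJECT;
    }
}

/* Self-check for 1.3-only mode: the ciphertext bucket is exactly 32..63,
 * plaintext is exactly {21, 22, 26}, and nothing reaches the legacy path. */
int dtls_demux_selfcheck(void)
{
    for (unsigned v = 0; v < 256; v++) {
        uint8_t b = (uint8_t)v;
        demux_result r = dtls_demux(&b, 1, 0);
        if ((v >= 32 && v <= 63) != (r == DEMUX_CIPHERTEXT)) return 0;
        if ((v == 21 || v == 22 || v == 26) != (r == DEMUX_PLAINTEXT)) return 0;
        if (r == DEMUX_LEGACY) return 0;
    }
    return 1;
}
```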