Back in June 2019, we added support for the experimental DTLS Connection ID extension in Mbed TLS 2.18.0. This extension makes it possible to keep a connection alive even when the client's connectivity changes (eg new IP address). Since this was based on a
draft rather than an established standard, it is disabled in the default config, and the option to enable it comes with a warning about us not being able to make any stability promises.
As it turns out, a couple of months ago an extension number was assigned by IANA for this extension, which is different from the one we picked up when implementing the draft, so we'll have to change that in a future version of Mbed TLS. This change is trivial
to do but would break compatibility in the following sense: and old client and a new server (or a new client and a new server) would no longer be able to negotiate this extension; only old-old and new-new would work. (Thanks to
Achim Kraus for bringing that to our attention by the way:
https://github.com/ARMmbed/mbedtls/issues/3892 )
One obvious solution to that issue would be to make sure all users upgrade all the clients and the servers
at the same time. This can probably be managed in a development/testing environment as well as some tightly controlled production environments, but is probably less suitable for large-scale deployments where clients and servers might not even be manged by
the same party.
So, before we plan this changed, we'll like to know if anyone already has a production deployment relying on Connection ID where updating all the clients and servers at the same time would not be an option.
If that is the case, we may consider implementing a compatibility mode that would allow a server to negotiate use of the extension with both old and new clients. However, such compatibility code would be non-standard and a testing burden (not to mention, significantly
more work that just updating the relevant #define), so that's something we'd like to avoid doing unless we know that there is an actual need for it.
Please let us know what you think by replying to this email either on-list, or privately if you'd rather not share deployment information publicly (in that case, please mention it explicitly so that we know you didn't just forget to Cc the list).
Thanks,
Manuel