u9n udp edge - WIP

An udp edge gateway written in go

• DTLS termination
• Revers Proxy
• Load Balancer
• Burst buffer
• CoAP edge

Background

For our metering platform Utilitarian we have a need to handle many types of UDP packets.

The main pain point have been DTLS. Support for DTLS in other languages are usually not good. It is either backed by OpenSSL which is buggy on DTLS or a solution only supports cert and not PSK.

Pion DTLS supports PSK and ConnectionID and give an opportunity to base this edge gateway on go and pion for efficient network operations and simple DTLS management.

This is a work in progress and we are testing different things out. This is not production ready.

Use cases

DTLS-termination

We handle MQTT-SN data via out MQTT-SN gateway written in Python. We have been forced to do this without DTLS support as there is no good alternative for DTLS in python.

Load balancing

We now use Nginx to load balance udp services but we could might as well use this edge gateway as go implementations are usually fast enough.

Burst buffer

On electricity meters there is usually a last gasp functionality. If there is a large outage many meters will send a last gasp message to the metering head end system. There is usually no need to respond to this message but if decryption takes time in the backend the network layer might drop messages. If we can receive as many messages as possible and queue them internally while not overloading the backend service we can have a simpler setup for these cases.

CoAP edge

We have in other project implemented a simple LwM2M Device Management system. This was done by grokking Leshan Java implementation to send messages to our Django Backend. Python implementation of CoAP is not the best and if this edge gateway also handles DTLS sessions we could make a CoAP-HTTP converter so that CoAP based protocols like LwM2M services could be built more simply using a HTTP request/response context.

Development plan

Stage 1

• DTLS Reverse Proxy
  • Listen to udp port and terminate DLTS sessions.
  • Load balance traffic to defined backends.
  • PSK provider interface.
    • Static
    • File
    • Utilitarian Platform KMS
    • Azure Key Vault?
  • Configurable timeouts to fit application

Server configuration

Configuration is YAML-only (see config.example.yaml). Key sections:

• server: general settings. log_level controls logging (debug logs dump the parsed config on startup).
• psk_providers: map of named PSK sources. type: static with identities (list of identity, hex_key). Cache TTL per provider.
• listeners: list of listeners (typically one). Fields:
  • address, port: listen endpoint.
  • backends: list of {name, address, port} targets.
  • lb_strategy: round_robin (default).
  • timeout: backend reply timeout.
  • allowed_cidrs: optional allowlist; connection attempts outside are rejected.
  • dtls: DTLS settings:
    • enabled: true/false.
    • psk_provider: name from psk_providers (required if DTLS is on).
    • use_connection_id + connection_id_length: enable DTLS CID, default length 8.
    • force_extended_master: require EMS (default requests only).
    • flight_interval_seconds: handshake flight interval (default 1s).
    • mtu: DTLS MTU (default 1200).
    • replay_window: packets window (default 64).
    • insecure_skip_hello_verify: skip HelloVerify (for testing only).
    • version: currently only dtls1.2 accepted.
    • ciphers: list of cipher names (all-caps, e.g. TLS_PSK_WITH_AES_128_GCM_SHA256); defaults to GCM+CCM8 PSK set.

Run the server:

go run ./cmd/udp-edge -c config.example.yaml