DTLS

Datagram Transport Layer Security

Protocol. Introduced in Rel-12. Also in: Core Network, Security.

DTLS is a security protocol that provides communications privacy for datagram protocols like UDP, securing delay-sensitive real-time services such as VoLTE and IoT data in 3GPP networks.

Category: Protocol
Introduced: Rel-12
Where: Services › Codecs
Also touches: 2 segments
Specifications: 22 specs

Description

Datagram Transport Layer Security (DTLS) is a communications protocol designed to secure datagram-based applications. It is derived from the Transport Layer Security (TLS) protocol but is adapted for the datagram transport model, primarily User Datagram Protocol (UDP), which does not guarantee delivery or order of packets. DTLS provides the same security guarantees as TLS—confidentiality, integrity, and authentication—while accounting for the inherent unreliability of the underlying transport. The protocol achieves this by adding sequence numbers and a retransmission timer for handshake messages, ensuring the cryptographic handshake completes even if packets are lost or reordered, without introducing any reliability for the application data itself.
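As an added illustration (not part of the 3GPP text or of any implementation it references), the following Python sketch parses the DTLS 1.2 record header and handshake-fragment header defined in RFC 6347, reassembles a handshake message whose fragments arrive out of order, and applies the sliding anti-replay window that the record layer derives from its explicit sequence numbers. The `record` helper and the 40-byte `HELLO` stand-in for a ClientHello body are constructed sample data, not captured traffic.

```python
import struct
DTLS12, HANDSHAKE = 0xFEFD, 22   # DTLS 1.2 version field; ContentType.handshake

def parse_record(data: bytes):
    """Split one record off a datagram: type(1) version(2) epoch(2) seq(6) length(2) body."""
    ctype, version, epoch, seq_hi, seq_lo, length = struct.unpack("!BHHHIH", data[:13])
    if len(data) < 13 + length:
        raise ValueError("truncated record")
    return (ctype, version, epoch, (seq_hi << 32) | seq_lo, data[13:13 + length]), data[13 + length:]

class ReplayWindow:
    """64-bit sliding anti-replay window over record sequence numbers (RFC 6347 section 4.1.2.6)."""
    right, bits = -1, 0
    def accept(self, seq: int) -> bool:
        if seq > self.right:                  # newer than anything seen: slide the window right
            self.bits = ((self.bits << (seq - self.right)) | 1) & ((1 << 64) - 1)
            self.right = seq
            return True
        diff = self.right - seq
        if diff >= 64 or (self.bits >> diff) & 1:
            return False                      # fell off the window, or already received
        self.bits |= 1 << diff
        return True

def reassemble(datagrams):
    """Drop replayed records, then stitch handshake fragments into whole messages keyed by message_seq."""
    window, parts, done = ReplayWindow(), {}, {}
    for rest in datagrams:
        while rest:
            (ctype, ver, _epoch, seq, body), rest = parse_record(rest)
            if ver == DTLS12 and ctype == HANDSHAKE and window.accept(seq):
                # handshake header: msg_type(1) length(3) message_seq(2) frag_offset(3) frag_len(3)
                be = lambda a, b: int.from_bytes(body[a:b], "big")
                mtype, total, mseq, off, frag = body[0], be(1, 4), be(4, 6), be(6, 9), body[12:12 + be(9, 12)]
                buf, got = parts.setdefault(mseq, (bytearray(total), set()))
                buf[off:off + len(frag)] = frag          # fragments may arrive in any order
                got.update(range(off, off + len(frag)))
                if len(got) == total:
                    done[mseq] = (mtype, bytes(buf))
    return done

def record(seq: int, mtype: int, total: int, mseq: int, off: int, frag: bytes) -> bytes:
    """Constructed helper: wrap one handshake fragment in a DTLS 1.2 epoch-0 record (seq < 2**32)."""
    hs = bytes([mtype]) + total.to_bytes(3, "big") + mseq.to_bytes(2, "big")
    hs += off.to_bytes(3, "big") + len(frag).to_bytes(3, "big") + frag
    return struct.pack("!BHHHIH", HANDSHAKE, DTLS12, 0, 0, seq, len(hs)) + hs

HELLO = bytes(range(40))   # constructed stand-in for a 40-byte ClientHello body (msg_type 1)
# Two fragments arrive in reverse order, then record seq 0 is replayed and must be dropped.
DATAGRAMS = [record(1, 1, 40, 0, 24, HELLO[24:]), record(0, 1, 40, 0, 0, HELLO[:24]), record(0, 1, 40, 0, 0, HELLO[:24])]
```

Running `reassemble(DATAGRAMS)` yields the single complete message `{0: (1, HELLO)}`; the replayed third record is rejected by the window before it can touch the reassembly buffer.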

Within the 3GPP architecture, DTLS is specified as a key protocol for securing various interfaces and services. It is a fundamental component for securing the WebRTC-based media path in the IP Multimedia Subsystem (IMS), as defined in TS 23.228 and related specifications. DTLS operates at the application layer, typically running over UDP/IP. The protocol handshake involves the exchange of certificates or pre-shared keys to mutually authenticate the client and server and to establish shared secret keys. These keys are then used with symmetric cryptography (e.g., AES) to encrypt the application data and with message authentication codes (e.g., HMAC-SHA256) to ensure integrity.

The role of DTLS in a 3GPP network is multifaceted. For IMS-based voice and video services (e.g., VoLTE, ViLTE), DTLS-SRTP uses DTLS to perform a key exchange for the Secure Real-time Transport Protocol (SRTP) media streams. In Machine Type Communication (MTC) and IoT scenarios, as outlined in specifications like TS 23.682 and TS 33.187, DTLS can secure CoAP (Constrained Application Protocol) messages between devices and network servers, providing a lightweight security solution suitable for constrained devices. Furthermore, DTLS is used in the control plane, for example, in the S14 interface for device management or within the architecture for proximity-based services (ProSe). Its ability to operate over UDP makes it ideal for real-time, low-latency applications where TCP's connection setup and congestion control would introduce unacceptable delay.

Purpose & Motivation

DTLS was created to extend the proven security model of TLS to datagram protocols, primarily UDP. TLS requires a reliable, in-order byte stream, which TCP provides, but many modern applications—especially real-time communication, gaming, and IoT—use UDP for its lower latency and lack of head-of-line blocking. The primary problem DTLS solves is providing strong authentication, encryption, and data integrity for these UDP-based applications without modifying the underlying unreliable transport.

Historically, applications using UDP either forewent security, implemented custom (and often vulnerable) security mechanisms, or were forced onto TCP, compromising performance. The development of DTLS, standardized by the IETF in RFC 4347 and updated in RFC 6347, filled this critical gap. 3GPP adopted DTLS starting in Release 12 to meet the security requirements of new service architectures. The motivation was driven by the rise of WebRTC, which mandates DTLS for media encryption, and the need for lightweight security in IoT/M2M communications where TCP overhead is prohibitive. DTLS allows 3GPP networks to offer secure, low-latency services end-to-end, aligning with the industry shift towards all-IP networks and encrypted media.

Classification

Part of: TLS
Specific types: DTLS-SRTP
Related approaches: SRTP, UDP

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (6 CRs across 3 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-12, normative work from Rel-17.

Rel-17 (2 changes)

In Release 17, the DTLS function was extended to support end-to-access-edge (e2ae) security using DTLS-SRTP for non-WebRTC sessions. This enhancement also included security updates for algorithms and protocols within the specification for IMS media plane security. The release formalized procedures for establishing secure media connections, such as for SCTP over DTLS transport, aligning with referenced IETF standards.

  • Support of e2ae security using DTLS-SRTP for non-WebRTC sessions (TS 23.334 CR0178)
  • Security updates for algorithms and protocols for 33.328 (TS 33.328 CR0068)

Rel-18 (2 changes)

In Release 18, the specification was updated to clarify security aspects for the Next Generation Real Time Communication (NG RTC) service, explicitly stating that the Datagram Transport Layer Security (DTLS) function for the CLUE data channel does not support the DTLS-over-TCP option. Furthermore, the release removed the redundant `securitySetup` parameter from the `DcMedia` interface to streamline the media security setup procedures.

  • Security aspects of NG RTC (TS 33.328 CR0071)
  • Remove the redundant securitySetup in DcMedia (TS 29.176 CR0017)

Rel-19 (2 changes)

In Release 19, the new DTLS-related enhancements specifically introduced support for securing the CLUE (Controlling Multiple Streams for Telepresence) protocol data channel using DTLS and SCTP, as defined by the new IETF RFCs 8841 and 8842. This enabled end-to-end media security for telepresence sessions without termination by intermediary nodes like the MRFP. Furthermore, the release clarified procedures for establishing and closing the DTLS bearer session, including the integrated SCTP shutdown process, while explicitly stating that the DTLS-over-TCP option is not supported for this data channel.

  • Security and privacy of IMS capability exposure (TS 33.328 CR0082)
  • Security of IMS avatar communication (TS 33.328 CR0083)

Defining Specifications

3GPP specifications that define or reference DTLS, with the latest known release. Sourced from the 3GPP document catalog.

Specification  Version  Title  Release
TS 23.333 vj00 MRFC-MRFP Mp Interface Requirements Rel-19
TS 23.334 vj00 IMS-ALG to IMS-AGW Interface (Iq) Stage 2 Rel-19
TS 23.701 vc00 WebRTC Access to IMS Architecture Study Rel-12
TS 24.103 vj00 Telepresence Protocol for IMS Rel-19
TS 24.229 vj50 IMS call control protocol based on SIP and SDP Rel-19
TS 24.244 vj00 Wireless LAN Control Plane Protocol Rel-19
TS 24.803 vc00 Telepresence using IMS - Study Rel-12
TS 26.114 vj10 IMS Multimedia Telephony Media Handling Rel-19
TS 26.223 vj00 IMS Telepresence Client Specification Rel-19
TS 26.348 vj00 xMB Interface Specification Rel-19
TR 26.862 vh00 Immersive Teleconferencing & Telepresence for Remote Terminals Rel-17
TR 26.923 vj00 Study on IMS-based Telepresence Media Handling Rel-19
TR 26.998 vj00 5G AR/MR Glasses Integration Study Rel-19
TS 29.176 vj40 Nmf Service Based Interface for Media Function Rel-19
TS 29.333 vj00 MRFC-MRFP Mp Interface Protocol Rel-19
TS 29.468 vj00 MB2 Reference Point Protocol Definition Rel-19
TS 29.819 vd00 Diameter Base Protocol Update Analysis Rel-13
TS 29.890 vg00 CT3 5G System Technical Report Rel-16
TS 33.117 vk00 Catalogue of General Security Assurance Requirements Rel-20
TS 33.328 vj10 IMS Media Plane Security Specification Rel-19
TR 33.938 vj10 3GPP Cryptographic Inventory for 5G Rel-19
TS 45.820 vd10 CIoT for Internet of Things Rel-13