Richard pointed out that we should cover issues DTLS renegotiation.
Recently, as you may have been aware, there have been vulnerabilities
discovered with TLS renegotiation. In general, DTLS tends to be less
vulnerable to the attacks described, but there still can be issues.
During renegotiation new parameters can be renegotiated for the
connection and, with most libraries, the application does not know that
a change occurred. In general I think it would be best to avoid
renegotiation, however this means that in the case of extremely long
lived connections the connection will need to be broken and started
again at some point.
Below is the text I suggest adding to the security considerations of the
8.1 DTLS Renegotiation
TLS and DTLS renegotiation may be vulnerable to attacks described in RFC
5746. Although RFC 5746 provides a fix for some of the issues,
renegotiation can still cause problems for applications since connection
security parameters can change without the application knowing it.
There for it is RECOMMENDED that renegotiation be disabled for syslog
over DTLS. If, for some reason, renegotiation is allowed then the
specification in RFC 5746 MUST be followed and the implementation MUST
make sure that the connection security parameters do not change during
Syslog mailing list