draft-ietf-core-echo-request-tag-00.txt   draft-ietf-core-echo-request-tag-01.txt 
CoRE Working Group C. Amsuess CoRE Working Group C. Amsuess
Internet-Draft Energy Harvesting Solutions Internet-Draft
Updates: 7959 (if approved) J. Mattsson Updates: 7252, 7959 (if approved) J. Mattsson
Intended status: Standards Track G. Selander Intended status: Standards Track G. Selander
Expires: May 3, 2018 Ericsson AB Expires: September 6, 2018 Ericsson AB
October 30, 2017 March 05, 2018
Echo and Request-Tag Echo and Request-Tag
draft-ietf-core-echo-request-tag-00 draft-ietf-core-echo-request-tag-01
Abstract Abstract
This document defines two optional extensions to the Constrained This document specifies several security enhancements to the
Application Protocol (CoAP): the Echo option and the Request-Tag Constrained Application Protocol (CoAP). Two optional extensions are
option. Each of these options when integrity protected, such as with defined: the Echo option and the Request-Tag option. Each of these
DTLS or OSCORE, protects against certain attacks on CoAP message options provide additional features to CoAP and protects against
exchanges. certain attacks. The document also updates the processing
requirements on the Block options and the Token. The updated Token
The Echo option enables a CoAP server to verify the freshness of a processing ensures secure binding of responses to requests.
request by requiring the CoAP client to make another request and
include a server-provided challenge. The Request-Tag option allows
the CoAP server to match message fragments belonging to the same
request message, fragmented using the CoAP Block-Wise Transfer
mechanism. This document also specifies additional processing
requirements on Block1 and Block2 options.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 3, 2018. This Internet-Draft will expire on September 6, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3 1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3
1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 3 1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 3
1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Request-Response Binding . . . . . . . . . . . . . . . . 4
1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 5 2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 5 2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 6
2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 7 2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 8
3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 8 3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 9
3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 9 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 9
3.2. Request-Tag Processing . . . . . . . . . . . . . . . . . 10 3.2. Request-Tag Processing . . . . . . . . . . . . . . . . . 10
3.3. Applications . . . . . . . . . . . . . . . . . . . . . . 11 3.3. Applications . . . . . . . . . . . . . . . . . . . . . . 11
3.3.1. Body Integrity Based on Payload Integrity . . . . . . 11 3.3.1. Body Integrity Based on Payload Integrity . . . . . . 11
3.3.2. Multiple Concurrent Blockwise Operations . . . . . . 12 3.3.2. Multiple Concurrent Blockwise Operations . . . . . . 12
4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 13 3.4. Rationale for the option properties . . . . . . . . . . . 13
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 14
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 14
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
7.1. Normative References . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . . 14
7.2. Informative References . . . . . . . . . . . . . . . . . 14 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
Appendix A. Performance Impact When Using the Echo Option . . . 14 8.1. Normative References . . . . . . . . . . . . . . . . . . 15
Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 15 8.2. Informative References . . . . . . . . . . . . . . . . . 16
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 16 Appendix A. Methods for Generating Echo Option Values . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 18
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
The initial CoAP suite of specifications ([RFC7252], [RFC7641], The initial Constrained Application Protocol (CoAP) suite of
[RFC7959]) was designed with the assumption that security could be specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed
provided on a separate layer, in particular by using DTLS with the assumption that security could be provided on a separate
([RFC6347]). However, for some use cases, additional functionality layer, in particular by using DTLS ([RFC6347]). However, for some
or extra processing is needed to support secure CoAP operations. use cases, additional functionality or extra processing is needed to
support secure CoAP operations. This document specifies several
security enhancements to the Constrained Application Protocol (CoAP).
This document specifies two server-oriented CoAP options, the Echo This document specifies two server-oriented CoAP options, the Echo
option and the Request-Tag option, addressing the security features option and the Request-Tag option, mainly addressing the security
request freshness and fragmented message body integrity, features request freshness and fragmented message body integrity,
respectively. These options in themselves do not replace the need respectively. The Echo option enables a CoAP server to verify the
for a security protocol; they specify the format and processing of freshness of a request, verify the aliveness of a client, synchronize
data which, when integrity protected in a message, e.g. using DTLS state, or force a client to demonstrate reachability at its apparent
([RFC6347]) or OSCORE ([I-D.ietf-core-object-security]), provide network address. The Request-Tag option allows the CoAP server to
those security features. The Request-Tag option and also the ETag match message fragments belonging to the same request, fragmented
option are mandatory to use with Block1 and Block2, respectively, to using the CoAP Block-Wise Transfer mechanism, which mitigates attacks
secure blockwise operations with multiple representations of a and enables concurrent blockwise operations. These options in
particular resource as is specified in this document. themselves do not replace the need for a security protocol; they
specify the format and processing of data which, when integrity
protected using e.g. DTLS ([RFC6347]), TLS ([RFC5246]), or OSCORE
([I-D.ietf-core-object-security]), provide the additional security
features.
Additional applications of the options are introduced. For example, The document also updates the processing requirements on the Block1
Echo can be used to mitigate amplification attacks. option, the Block2 option, and the Token. The updated blockwise
processing secure blockwise operations with multiple representations
of a particular resource. The updated Token processing ensures
secure binding of responses to requests.
1.1. Request Freshness 1.1. Request Freshness
A CoAP server receiving a request may not be able to verify when the A CoAP server receiving a request is in general not able to verify
request was sent by the CoAP client. This remains true even if the when the request was sent by the CoAP client. This remains true even
request was protected with a security protocol, such as DTLS. This if the request was protected with a security protocol, such as DTLS.
makes CoAP requests vulnerable to certain delay attacks which are This makes CoAP requests vulnerable to certain delay attacks which
particularly incriminating in the case of actuators are particularly incriminating in the case of actuators
([I-D.mattsson-core-coap-actuators]). Some attacks are possible to ([I-D.mattsson-core-coap-actuators]). Some attacks are possible to
mitigate by establishing fresh session keys (e.g. performing the DTLS mitigate by establishing fresh session keys (e.g. performing the DTLS
handshake) for each actuation, but in general this is not a solution handshake) for each actuation, but in general this is not a solution
suitable for constrained environments. suitable for constrained environments.
A straightforward mitigation of potential delayed requests is that A straightforward mitigation of potential delayed requests is that
the CoAP server rejects a request the first time it appears and asks the CoAP server rejects a request the first time it appears and asks
the CoAP client to prove that it intended to make the request at this the CoAP client to prove that it intended to make the request at this
point in time. The Echo option, defined in this document, specifies point in time. The Echo option, defined in this document, specifies
such a mechanism which thereby enables the CoAP server to verify the such a mechanism which thereby enables the CoAP server to verify the
freshness of a request. This mechanism is not only important in the freshness of a request. This mechanism is not only important in the
case of actuators, or other use cases where the CoAP operations case of actuators, or other use cases where the CoAP operations
require freshness of requests, but also in general for synchronizing require freshness of requests, but also in general for synchronizing
state between CoAP client and server. state between CoAP client and server and to verify aliveness of the
client.
1.2. Fragmented Message Body Integrity 1.2. Fragmented Message Body Integrity
CoAP was designed to work over unreliable transports, such as UDP, CoAP was designed to work over unreliable transports, such as UDP,
and include a lightweight reliability feature to handle messages and include a lightweight reliability feature to handle messages
which are lost or arrive out of order. In order for a security which are lost or arrive out of order. In order for a security
protocol to support CoAP operations over unreliable transports, it protocol to support CoAP operations over unreliable transports, it
must allow out-of-order delivery of messages using e.g. a sliding must allow out-of-order delivery of messages using e.g. a sliding
replay window such as described in Section 4.1.2.6 of DTLS replay window such as described in Section 4.1.2.6 of DTLS
([RFC6347]). ([RFC6347]).
The Block-Wise Transfer mechanism [RFC7959] extends CoAP by defining The Block-Wise Transfer mechanism [RFC7959] extends CoAP by defining
the transfer of a large resource representation (CoAP message body) the transfer of a large resource representation (CoAP message body)
as a sequence of blocks (CoAP message payloads). The mechanism uses as a sequence of blocks (CoAP message payloads). The mechanism uses
a pair of CoAP options, Block1 and Block2, pertaining to the request a pair of CoAP options, Block1 and Block2, pertaining to the request
and response payload, respectively. The blockwise functionality does and response payload, respectively. The blockwise functionality does
not support the detection of interchanged blocks between different not support the detection of interchanged blocks between different
message bodies to the same endpoint having the same block number. message bodies to the same resource having the same block number.
This remains true even when CoAP is used together with a security This remains true even when CoAP is used together with a security
protocol such as DTLS or OSCORE, within the replay window protocol such as DTLS or OSCORE, within the replay window
([I-D.amsuess-core-request-tag]), which is a vulnerability of CoAP ([I-D.mattsson-core-coap-actuators]), which is a vulnerability of
when using RFC7959. CoAP when using RFC7959.
A straightforward mitigation of mixing up blocks from different A straightforward mitigation of mixing up blocks from different
messages is to use unique identifiers for different message bodies, messages is to use unique identifiers for different message bodies,
which would provide equivalent protection to the case where the which would provide equivalent protection to the case where the
complete body fits into a single payload. The ETag option [RFC7252], complete body fits into a single payload. The ETag option [RFC7252],
set by the CoAP server, identifies a response body fragmented using set by the CoAP server, identifies a response body fragmented using
the Block2 option. This document defines the Request-Tag option for the Block2 option. This document defines the Request-Tag option for
identifying the request body fragmented using the Block1 option, identifying the request body fragmented using the Block1 option,
similar to ETag, but ephemeral and set by the CoAP client. similar to ETag, but ephemeral and set by the CoAP client.
1.3. Terminology 1.3. Request-Response Binding
A fundamental requirement of secure REST operations is that the
client can bind a response to a particular request. In HTTPS this is
assured by the ordered and reliable delivery as well as mandating
that the server sends responses in the same order that the requests
were received.
The same is not true for CoAP where the server can return responses
in any order. Concurrent requests are instead differentiated by
their Token. Unfortunately, CoAP [RFC7252] does not treat Token as a
cryptographically important value and does not give stricter
guidelines than that the tokens currently "in use" SHOULD (not SHALL)
be unique. If used with security protocol not providing bindings
between requests and responses (e.g. DTLS and TLS) token reuse may
result in situations where a client matches a response to the wrong
request (see e.g. Section 2.3 of
[I-D.mattsson-core-coap-actuators]). Note that mismatches can also
happen for other reasons than a malicious attacker, e.g. delayed
delivery or a server sending notifications to an uninterested client.
A straightforward mitigation is to mandate clients to never reuse
tokens until the traffic keys have been replaced. As there may be
any number of responses to a request (see e.g. [RFC7641]), the
easiest way to accomplish this is to implement the token as a counter
and never reuse any tokens at all. This document updates the Token
processing in [RFC7252] to always assure a cryptographically secure
binding of responses to requests.
1.4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Unless otherwise specified, the terms "client" and "server" refers to Unless otherwise specified, the terms "client" and "server" refers to
"CoAP client" and "CoAP server", respectively, as defined in "CoAP client" and "CoAP server", respectively, as defined in
[RFC7252]. [RFC7252].
The terms "payload" and "body" of a message are used as in [RFC7959]. The terms "payload" and "body" of a message are used as in [RFC7959].
skipping to change at page 5, line 15 skipping to change at page 5, line 44
exchange.). exchange.).
The Echo and Request-Tag options are defined in this document. The The Echo and Request-Tag options are defined in this document. The
concept of two messages being "Request-Tag-matchable" is defined in concept of two messages being "Request-Tag-matchable" is defined in
Section 3.1. Section 3.1.
2. The Echo Option 2. The Echo Option
The Echo option is a server-driven challenge-response mechanism for The Echo option is a server-driven challenge-response mechanism for
CoAP. The Echo option value is a challenge from the server to the CoAP. The Echo option value is a challenge from the server to the
client included in a CoAP response and echoed in a CoAP request. client included in a CoAP response and echoed in one or more CoAP
request.
2.1. Option Format 2.1. Option Format
The Echo Option is elective, safe-to-forward, not part of the cache- The Echo Option is elective, safe-to-forward, not part of the cache-
key, and not repeatable, see Figure 1. key, and not repeatable, see Figure 1.
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+
| No. | C | U | N | R | Name | Format | Length | Default | E | | No. | C | U | N | R | Name | Format | Length | Default | E |
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+
| TBD | | | | | Echo | opaque | 8-40 | (none) | x | | TBD | | | x | | Echo | opaque | 4-40 | (none) | x |
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+
C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable, C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable,
E=Encrypt and Integrity Protect (when using OSCORE) E = Encrypt and Integrity Protect (when using OSCORE)
Figure 1: Echo Option Summary Figure 1: Echo Option Summary
The value of the Echo option MUST be a (pseudo-)random bit string of [Note to RFC editor: If this document is not released together with
a length of at least 64 bits. A new (pseudo-)random bit string MUST OSCORE but before it, the following paragraph and the "E" column
be generated by the server for each use of the Echo option. above need to move into OSCORE.]
The Echo option value is generated by the server, and its content and
structure are implementation specific. Different methods for
generating Echo option values are outlined in Appendix A. Clients
and intermediaries MUST treat an Echo option value as opaque and make
no assumptions about its content or structure.
When receiving an Echo option in a request, the server MUST be able
to verify that the Echo option value was generated by the server as
well as the point in time when the Echo option value was generated.
2.2. Echo Processing 2.2. Echo Processing
It is important to identify under what conditions a CoAP request to a The Echo option MAY be included in any request or response (see
Section 2.3 for different applications), but the Echo option MUST NOT
be used with empty CoAP requests (i.e. Code=0.00).
If the server receives a request which has freshness requirements,
the request does not contain a fresh Echo option value, and the
server cannot verify the freshness of the request in some other way,
the server MUST NOT process the request further and SHOULD send a
4.01 Unauthorized response with an Echo option.
The application decides under what conditions a CoAP request to a
resource is required to be fresh. These conditions can for example resource is required to be fresh. These conditions can for example
include what resource is requested, the request method and other data include what resource is requested, the request method and other data
in the request, and conditions in the environment such as the state in the request, and conditions in the environment such as the state
of the server or the time of the day. of the server or the time of the day.
A server MAY include the Echo option in a response. The Echo option The server may also include the Echo option in a response to verify
MUST NOT be used with empty CoAP requests (i.e. Code=0.00). If the the aliveness of a client, to synchronize state, or to force a client
server receives a request which has freshness requirements, and the to demonstrate reachability at their apparent network address.
request does not contain the Echo option, the server SHOULD send a
4.01 Unauthorized response with a Echo option. The server SHOULD
cache the transmitted Echo option value and the response transmit
time (here denoted t0).
Upon receiving a response with the Echo option within the
EXCHANGE_LIFETIME ([RFC7252]) of the original request, the client
SHOULD echo the Echo option with the same value in a new request to
the server. Upon receiving a 4.01 Unauthorized response with the
Echo option in response to a request within the EXCHANGE_LIFETIME of
the original request, the client SHOULD resend the original request.
The client MAY send a different request compared to the original
request.
If the server receives a request which has freshness requirements, Upon receiving a 4.01 Unauthorized response with the Echo option, the
and the request contains the Echo option, the server MUST verify that client SHOULD resend the original request with the addition of an
the option value equals a cached value; otherwise the request is not Echo option with the received Echo option value. The client MAY send
processed further. The server MUST calculate the round-trip time RTT a different request compared to the original request. Upon receiving
= (t1 - t0), where t1 is the request receive time. The server MUST any other response with the Echo option, the client SHOULD echo the
only accept requests with a round-trip time below a certain threshold Echo option value in a next request to the server. The client MAY
T, i.e. RTT < T, otherwise the request is not processed further, and include the same Echo option value in several different requests to
an error message MAY be sent. The threshold T is application the server.
specific, its value depends e.g. on the freshness requirements of the
request. An example message flow is illustrated in Figure 2.
When used to serve freshness requirements, CoAP messages containing Upon receiving a request with the Echo option, the server determines
the Echo option MUST be integrity protected, e.g. using DTLS or if the request has freshness requirement. If the request does not
OSCORE ([I-D.ietf-core-object-security]). have freshness requirements, the Echo option MAY be ignored. If the
request has freshness requirements and the server cannot verify the
freshness of the request in some other way, the server MUST verify
that the Echo option value was generated by the server; otherwise the
request is not processed further. The server MUST then calculate the
round-trip time RTT = (t1 - t0), where t1 is the request receive time
and t0 is the transmit time of the response that included the
specific Echo option value. The server MUST only accept requests
with a round-trip time below a certain threshold T, i.e. RTT < T,
otherwise the request is not processed further, and an error message
MAY be sent. The threshold T is application specific, its value
depends e.g. on the freshness requirements of the request. An
example message flow is illustrated in Figure 2.
If the server loses time synchronization, e.g. due to reboot, it MUST Client Server
delete all cached Echo option values and response transmission times. | |
+------>| Code: 0.03 (PUT)
| PUT | Token: 0x41
| | Uri-Path: lock
| | Payload: 0 (Unlock)
| |
|<------+ t0 Code: 4.01 (Unauthorized)
| 4.01 | Token: 0x41
| | Echo: 0x437468756c687521
| |
+------>| t1 Code: 0.03 (PUT)
| PUT | Token: 0x42
| | Uri-Path: lock
| | Echo: 0x437468756c687521
| | Payload: 0 (Unlock)
| |
|<------+ Code: 2.04 (Changed)
| 2.04 | Token: 0x42
| |
Client Server Figure 2: Example Echo Option Message Flow
| |
+----->| Code: 0.03 (PUT)
| PUT | Token: 0x41
| | Uri-Path: lock
| | Payload: 0 (Unlock)
| |
|<-----+ t0 Code: 4.01 (Unauthorized)
| 4.03 | Token: 0x41
| | Echo: 0x6c880d41167ba807
| |
+----->| t1 Code: 0.03 (PUT)
| PUT | Token: 0x42
| | Uri-Path: lock
| | Echo: 0x6c880d41167ba807
| | Payload: 0 (Unlock)
| |
|<-----+ Code: 2.04 (Changed)
| 2.04 | Token: 0x42
| |
Figure 2: Echo option message flow When used to serve freshness requirements (including client aliveness
and state synchronizing), CoAP requests containing the Echo option
MUST be integrity protected, e.g. using DTLS, TLS, or OSCORE
([I-D.ietf-core-object-security]). When used to demonstrate
reachability at their apparent network address, the Echo option MAY
be used without protection.
Constrained server implementations can use the mechanisms outlined in Note that the server does not have to synchronize the time used for
Appendix A to minimize the memory impact of having many unanswered the Echo timestamps with any other party. If the server loses time
Echo responses. synchronization, e.g. due to reboot, it MUST reject all Echo values
that was created before time synchronization was lost.
CoAP-CoAP proxies MUST relay the Echo option unmodified, and SHOULD CoAP-CoAP proxies MUST relay the Echo option unmodified. The CoAP
NOT cache responses when a Echo option is present in request or server side of CoAP-HTTP proxies MAY request freshness, especially if
response for more than the exchange. CoAP-HTTP proxies MAY request they have reason to assume that access may require it (e.g. because
freshness, especially if they have reason to assume that access may it is a PUT or POST); how this is determined is out of scope for this
require it (eg. because it is a PUT or POST); how this is determined document. The CoAP client side of HTTP-CoAP-Proxies SHOULD respond
is out of scope for this document. HTTP-CoAP-Proxies SHOULD respond
to Echo challenges themselves if they know from the recent to Echo challenges themselves if they know from the recent
establishing of the connection that the HTTP request is fresh. establishing of the connection that the HTTP request is fresh.
Otherwise, they SHOULD respond with 503 Service Unavailable, Retry- Otherwise, they SHOULD respond with 503 Service Unavailable, Retry-
After: 0 and terminate any underlying Keep-Alive connection. It MAY After: 0 and terminate any underlying Keep-Alive connection. They
also use other mechanisms to establish freshness of the HTTP request MAY also use other mechanisms to establish freshness of the HTTP
that are not specified here. request that are not specified here.
2.3. Applications 2.3. Applications
1. Actuation requests often require freshness guarantees to avoid 1. Actuation requests often require freshness guarantees to avoid
accidental or malicious delayed actuator actions. accidental or malicious delayed actuator actions. In general,
all non-safe methods (e.g. POST, PUT, DELETE) may require
freshness guarantees for secure operation.
2. To avoid additional roundtrips for applications with multiple 2. To avoid additional roundtrips for applications with multiple
actuator requests in rapid sequence between the same client and actuator requests in rapid sequence between the same client and
server, the server may use the Echo option (with a new value) in server, the server may use the Echo option (with a new value) in
response to a request containing the Echo option. The client response to a request containing the Echo option. The client
then uses the Echo option with the new value in the next then uses the Echo option with the new value in the next
actuation request, and the server compares the receive time actuation request, and the server compares the receive time
accordingly. accordingly.
3. If a server reboots during operation it may need to synchronize 3. If a server reboots during operation it may need to synchronize
state with requesting clients before continuing the interaction. state with requesting clients before continuing the interaction.
For example, with OSCORE it is possible to reuse a persistently For example, with OSCORE it is possible to reuse a partly
stored security context by synchronizing the Partial IV (sequence persistently stored security context by synchronizing the Partial
number) using the Echo option. IV (sequence number) using the Echo option.
4. When a device joins a multicast/broadcast group the device may 4. When a device joins a multicast/broadcast group the device may
need to synchronize state or time with the sender to ensure that need to synchronize state or time with the sender to ensure that
the received message is fresh. By synchronizing time with the the received message is fresh. By synchronizing time with the
broadcaster, time can be used for synchronizing subsequent broadcaster, time can be used for synchronizing subsequent
broadcast messages. A server MUST NOT synchronize state or time broadcast messages. A server MUST NOT synchronize state or time
with clients which are not the authority of the property being with clients which are not the authority of the property being
synchronized. E.g. if access to a server resource is dependent synchronized. E.g. if access to a server resource is dependent
on time, then the client MUST NOT set the time of the server. on time, then the client MUST NOT set the time of the server.
5. A server that sends large responses to unauthenticated peers 5. A server that sends large responses to unauthenticated peers
SHOULD mitigate amplification attacks such as described in SHOULD mitigate amplification attacks such as described in
Section 11.3 of [RFC7252] (where an attacker would put a victim's Section 11.3 of [RFC7252] (where an attacker would put a victim's
address in the source address of a CoAP request). For this address in the source address of a CoAP request). For this
purpose, the server MAY ask a client to Echo its request to purpose, the server MAY ask a client to Echo its request to
verify its source address. This needs to be done only once per verify its source address. This needs to be done only once per
peer, and limits the range of potential victims from the general peer and limits the range of potential victims from the general
Internet to endpoints that have been previously in contact with Internet to endpoints that have been previously in contact with
the server. For this application, the Echo option can be used in the server. For this application, the Echo option can be used in
messages that are not integrity protected, for example during messages that are not integrity protected, for example during
discovery. discovery.
6. A server may want to verify the aliveness of a client by
responding with an Echo option.
3. The Request-Tag Option 3. The Request-Tag Option
The Request-Tag is intended for use as a short-lived identifier for The Request-Tag is intended for use as a short-lived identifier for
keeping apart distinct blockwise request operations on one resource keeping apart distinct blockwise request operations on one resource
from one client. It enables the receiving server to reliably from one client. It enables the receiving server to reliably
assemble request payloads (blocks) to their message bodies, and, if assemble request payloads (blocks) to their message bodies, and, if
it chooses to support it, to reliably process simultaneous blockwise it chooses to support it, to reliably process simultaneous blockwise
request operations on a single resource. The requests must be request operations on a single resource. The requests must be
integrity protected in order to protect against interchange of blocks integrity protected in order to protect against interchange of blocks
between different message bodies. between different message bodies.
3.1. Option Format 3.1. Option Format
The Request-Tag option has the same properties as the Block1 option: The Request-Tag option is not critical, safe to forward, and part of
it is critical, unsafe, not part of the cache-key, and not the cache key as illustrated in Figure 3.
repeatable, see Figure 3.
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+
| No. | C | U | N | R | Name | Format | Length | Default | E | | No. | C | U | N | R | Name | Format | Length | Default | E |
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+
| TBD | x | x | - | | Request-Tag | opaque | 0-8 | (none) | * | | TBD | | | | | Request-Tag | opaque | 0-8 | (none) | * |
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+
C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable, C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable,
E=Encrypt and Integrity Protect (when using OSCORE) E = Encrypt and Integrity Protect (when using OSCORE)
Figure 3: Request-Tag Option Summary Figure 3: Request-Tag Option Summary
[Note to RFC editor: If this document is not released together with [Note to RFC editor: If this document is not released together with
OSCORE but before it, the following paragraph and the "E" column OSCORE but before it, the following paragraph and the "E" column
above need to move into OSCORE.] above need to move into OSCORE.]
Request-Tag, like the Block1 option, is a special class E option in Request-Tag, like the block options, is a special class E option in
terms of OSCORE processing (see Section 4.3.1.2 of terms of OSCORE processing (see Section 4.3.1.2 of
[I-D.ietf-core-object-security]): The Request-Tag MAY be an inner or [I-D.ietf-core-object-security]): The Request-Tag MAY be an inner or
outer option. The inner option is encrypted and integrity protected outer option. The inner option is encrypted and integrity protected
between client and server, and provides message body identification between client and server, and provides message body identification
in case of end-to-end fragmentation of requests. The outer option is in case of end-to-end fragmentation of requests. The outer option is
visible to proxies and labels message bodies in case of hop-by-hop visible to proxies and labels message bodies in case of hop-by-hop
fragmentation of requests. fragmentation of requests.
The Request-Tag option is only used in request messages, and only in The Request-Tag option is only used in the request messages of
conjunction with the Block1 option. blockwise request operations.
Two messages are defined to be Request-Tag-matchable if and only if Two messages are defined to be Request-Tag-matchable if and only if
they are sent from and to the same end points (including security they are sent from and to the same end points (including security
associations), and target the same URI, and if either neither carries associations), and target the same URI (precisely: target the same
a Request-Tag option, or both carry exactly one Request-Tag option endpoint and cache-key except for cache-key options that are related
and the option values are of same length and content. to blockwise), and if either neither carries a Request-Tag option, or
both carry exactly one Request-Tag option and the option values are
of same length and content.
The Request-Tag mechanism is applied independently on the server and The Request-Tag mechanism is applied independently on the server and
client sides of CoAP-CoAP proxies. CoAP-HTTP proxies and HTTP-CoAP client sides of CoAP-CoAP proxies as are the block options, though
proxies can use Request-Tag on their CoAP sides; it is not applicable given it is safe to forward, a proxy is free to just forward it when
to HTTP requests. processing an operation. CoAP-HTTP proxies and HTTP-CoAP proxies can
use Request-Tag on their CoAP sides; it is not applicable to HTTP
requests.
For each separate blockwise request operation, the client can choose For each separate blockwise request operation, the client can choose
a Request-Tag value, or choose not to set a Request-Tag. Creating a a Request-Tag value, or choose not to set a Request-Tag. Creating a
new request operation whose messages are Request-Tag-matchable to a new request operation whose messages are Request-Tag-matchable to a
previous operation is called request tag recycling. Clients MUST NOT previous operation is called request tag recycling. Clients MUST NOT
recycle a request tag unless the first operation has concluded. What recycle a request tag unless the first operation has concluded. What
constitutes a concluded operation depends on the application, and is constitutes a concluded operation depends on the application, and is
outlined individually in Section 3.3. outlined individually in Section 3.3.
Clients are encouraged to generate compact messages. This means Clients are encouraged to generate compact messages. This means
sending messages without Request-Tag options whenever possible, and sending messages without Request-Tag options whenever possible, and
using short values when the absent option can not be recycled. using short values when the absent option can not be recycled.
3.2. Request-Tag Processing 3.2. Request-Tag Processing
A server MUST NOT act on any two blocks in the same blockwise request A server MUST NOT act on any two blocks in the same blockwise request
operation that are not Request-Tag-matchable. This rule applies operation that are not Request-Tag-matchable. This rule applies
independent of whether the request actually carries a Request-Tag independent of whether the request actually carries a Request-Tag
option (in this case, the request can only be acted on together with option (if not, the request can only be acted on together with other
other messages not carrying the option, as per matchability messages not carrying the option, as per matchability definition).
definition).
As not all messages from the same source can be combined any more, a As not all messages from the same source can be combined any more, a
block not matchable to the first Block1 cannot overwrite context kept block not matchable to the first Block1 cannot overwrite context kept
for an operation under a different tag (cf. [RFC7959] Section 2.5). for an operation under a different tag (cf. [RFC7959] Section 2.5).
The server is still under no obligation to keep state of more than The server is still under no obligation to keep state of more than
one transaction. When an operation is in progress and a second one one transaction. When an operation is in progress and a second one
cannot be served at the same time, the server MUST respond to the cannot be served at the same time, the server SHOULD respond to the
second request with a 5.03 (Service Unavailable) response code and second request with a 5.03 (Service Unavailable) response code and
SHOULD indicate the time it is willing to wait for additional blocks indicate the time it is willing to wait for additional blocks in the
in the first operation using the Max-Age option, as specified in first operation using the Max-Age option, as specified in
Section 5.9.3.4 of [RFC7252]. Section 5.9.3.4 of [RFC7252]. (Alternatively, the server can cancel
the original operation, especially if it is already likely to time
out. Cancelling it unconditionally is the behavior that could be
expected of a Request-Tag unaware server.)
A server receiving a Request-Tag MUST treat it as opaque and make no A server receiving a Request-Tag MUST treat it as opaque and make no
assumptions about its content or structure. assumptions about its content or structure.
Two messages being Request-Tag-matchable is a necessary but not Two messages being Request-Tag-matchable is a necessary but not
sufficient condition for being part of the same operation. They can sufficient condition for being part of the same operation. They can
still be treated as independent messages by the server (e.g. when it still be treated as independent messages by the server (e.g. when it
sends 2.01/2.04 responses for every block), or initiate a new sends 2.01/2.04 responses for every block), or initiate a new
operation (overwriting kept context) when the later message carries operation (overwriting kept context) when the later message carries
Block1 number 0. Block1 number 0.
If a request that uses Request-Tag is rejected with 4.02 Bad Option, Note that RFC 7959 already implies that the cache key is the element
the client MAY retry the operation without it, but then it MUST that binds exchanges together to operations (together with the
serialize all operations that affect the same resource. Security request's source endpoint), but is not explicit about it; therefore,
requirements can forbid dropping the use of Request-Tag mechanism. the above rules are spelt out here.
3.3. Applications 3.3. Applications
3.3.1. Body Integrity Based on Payload Integrity 3.3.1. Body Integrity Based on Payload Integrity
When a client fragments a request body into multiple message When a client fragments a request body into multiple message
payloads, even if the individual messages are integrity protected, it payloads, even if the individual messages are integrity protected, it
is still possible for a man-in-the-middle to maliciously replace is still possible for a man-in-the-middle to maliciously replace
later operation's blocks with earlier operation's blocks (see later operation's blocks with earlier operation's blocks (see
Section 3.2 of [I-D.amsuess-core-request-tag]). Therefore, the Section 2.5 of [I-D.mattsson-core-coap-actuators]). Therefore, the
integrity protection of each block does not extend to the operation's integrity protection of each block does not extend to the operation's
request body. request body.
In order to gain that protection, use the Request-Tag mechanism as In order to gain that protection, use the Request-Tag mechanism as
follows: follows:
o The message payloads MUST be integrity protected end-to-end o The individual exchanges MUST be integrity protected end-to-end
between client and server. between client and server.
o The client MUST NOT recycle a request tag unless the previous o The client MUST NOT recycle a request tag unless the previous
blockwise request operation that used matchable Request-Tags has blockwise request operation that used matchable Request-Tags has
concluded. concluded.
o The client MUST NOT regard a blockwise request operation as o The client MUST NOT regard a blockwise request operation as
concluded unless all of the messages the client previously sent in concluded unless all of the messages the client previously sent in
the operation have been confirmed by the message integrity the operation have been confirmed by the message integrity
protection mechanism, or are considered invalid by the server if protection mechanism, or are considered invalid by the server if
skipping to change at page 11, line 42 skipping to change at page 12, line 27
Typically, in OSCORE, these confirmations can result either from Typically, in OSCORE, these confirmations can result either from
the client receiving an OSCORE response message matching the the client receiving an OSCORE response message matching the
request (an empty ACK is insufficient), or because the message's request (an empty ACK is insufficient), or because the message's
sequence number is old enough to be outside the server's receive sequence number is old enough to be outside the server's receive
window. window.
In DTLS, this can only be confirmed if the request message was not In DTLS, this can only be confirmed if the request message was not
retransmitted, and was responded to. retransmitted, and was responded to.
o The client MUST NOT fall back to not using the Request-Tag
mechanisms when receiving a 4.02 Bad Option response.
Authors of other documents (e.g. [I-D.ietf-core-object-security]) Authors of other documents (e.g. [I-D.ietf-core-object-security])
are invited to mandate this behavior for clients that execute are invited to mandate this behavior for clients that execute
blockwise interactions over secured transports. In this way, the blockwise interactions over secured transports. In this way, the
server can rely on a conforming client to set the Request-Tag option server can rely on a conforming client to set the Request-Tag option
when required, and thereby conclude on the integrity of the assembled when required, and thereby conclude on the integrity of the assembled
body. body.
Note that this mechanism is implicitly implemented when the security Note that this mechanism is implicitly implemented when the security
layer guarantees ordered delivery (e.g. CoAP over TLS layer guarantees ordered delivery (e.g. CoAP over TLS [RFC8323]).
[I-D.tschofenig-core-coap-tcp-tls]). This is because with each This is because with each message, any earlier operation can be
message, any earlier operation can be regarded as concluded by the regarded as concluded by the client, so it never needs to set the
client, so it never needs to set the Request-Tag option unless it Request-Tag option unless it wants to perform concurrent operations.
wants to perform concurrent operations.
3.3.2. Multiple Concurrent Blockwise Operations 3.3.2. Multiple Concurrent Blockwise Operations
CoAP clients, especially CoAP proxies, may initiate a blockwise CoAP clients, especially CoAP proxies, may initiate a blockwise
request operation to a resource, to which a previous one is already request operation to a resource, to which a previous one is already
in progress, and which the new request should not cancel. One in progress, and which the new request should not cancel. A CoAP
example is when a CoAP proxy fragments an OSCORE messages using proxy would be in such a situation when it forwards operations with
blockwise (so-called "outer" blockwise, see Section 4.3.1. of the same cache-key options but possibly different payloads.
[I-D.ietf-core-object-security])), where the Uri-Path is hidden
inside the encrypted message, and all the proxy sees is the server's
"/" path.
When a client fragments a message as part of a blockwise request When a client fragments an initial message as part of a blockwise
operation, it can do so without a Request-Tag option set. For this request operation, it can do so without a Request-Tag option set.
application, an operation can be regarded as concluded when a final For this application, an operation can be regarded as concluded when
Block1 option has been sent and acknowledged, or when the client a final Block1 option has been sent and acknowledged, or when the
chose not to continue with the operation (e.g. by user choice, or in client chose not to continue with the operation (e.g. by user choice,
the case of a proxy when it decides not to take any further messages or in the case of a proxy when it decides not to take any further
in the operation due to a timeout). When another concurrent messages in the operation due to a timeout). When another concurrent
blockwise request operation is made (i.e. before the operation is blockwise request operation is made (i.e. before the operation is
concluded), the client can not recycle the request tag, and has to concluded), the client can not recycle the request tag, and has to
pick a new one. The possible outcomes are: pick a new one. The possible outcomes are:
o The server responds with a successful code. o The server responds with a successful code.
The concurrent blockwise operations can then continue. The second concurrent blockwise operations can then continue.
o The server responds 4.02 Bad Option.
This can indicate that the server does not support Request-Tag. The first operation might have been cancelled by that (typical of
The client should wait for the first operation to conclude, and servers that only support a single blockwise operation), in which
then try the same request without a Request-Tag option. case its resumption will result in a 4.08 Request Entity
Incomplete error.
o The server responds 5.03 Service Unavailable with a Max-Age option o The server responds 5.03 Service Unavailable with a Max-Age option
to indicate when it is likely to be available again. to indicate when it is likely to be available again.
This can indicate that the server supports Request-Tag, but still This can indicate that the server supports Request-Tag, but still
is not prepared to handle concurrent requests. The client should is not prepared to handle concurrent requests. The client should
wait for as long as the response is valid, and then retry the wait for as long as the response is valid, and then retry the
operation, which may not need to carry a Request-Tag option by operation, which may not need to carry a Request-Tag option by
then any more. then any more.
In the cases where a CoAP proxy receives an error code, it can In this, the proxy can indicate the anticipated delay by sending a
indicate the anticipated delay by sending a 5.03 Service Unavailable 5.03 Service Unavailable response itself.
response itself. Note that this behavior is no different from what a
CoAP proxy would need to do were it unaware of the Request-Tag Note that a correctly implemented Request-Tag unaware proxy in the
option. same situation would need to make a choice to either send a 5.03 with
Max-Age by itself (holding off the second operation), or to commence
the second operation and reject any further requests on the first
operation with 4.08 Request Entity Incompelte errors by itself
without forwarding them.
3.4. Rationale for the option properties
The Request-Tag option used to be critical and unsafe to forward in
earlier revisions of this draft.
Given that supporting it will be mandated for where it is used for
its security properties, the choice of whether it is mandatory or
safe to forward can be made as required for the multiple concurrent
operations use case. For those cases, Request-Tag is the proxy-safe
elective option suggested in [RFC7959] Section 2.4 last paragraph.
4. Block2 / ETag Processing 4. Block2 / ETag Processing
The same security properties as in Section 3.3.1 can be obtained for The same security properties as in Section 3.3.1 can be obtained for
blockwise response operations. The threat model here is not an blockwise response operations. The threat model here is not an
attacker (because the response is made sure to belong to the current attacker (because the response is made sure to belong to the current
request by the security layer), but blocks in the client's cache. request by the security layer), but blocks in the client's cache.
Analogous rules to Section 3.2 are already in place for assembling a Analogous rules to Section 3.2 are already in place for assembling a
response body in Section 2.4 of [RFC7959]. response body in Section 2.4 of [RFC7959].
To gain equivalent protection to Section 3.3.1, a server MUST use the To gain equivalent protection to Section 3.3.1, a server MUST use the
Block2 option in conjunction with the ETag option ([RFC7252], Block2 option in conjunction with the ETag option ([RFC7252],
Section 5.10.6), and MUST NOT use the same ETag value for different Section 5.10.6), and MUST NOT use the same ETag value for different
representations of a resource. representations of a resource.
5. IANA Considerations 5. Token Processing
[TBD: Fill out the option templates for Echo and Request-Tag] This section updates the Token processing in Section 5.3.1 of
[RFC7252] by adding the following text:
6. Security Considerations When CoAP is used with a security protocol not providing bindings
between requests and responses, the client MUST NOT reuse tokens
until the traffic keys have been replaced. The easiest way to
accomplish this is to implement the Token as a counter, this approach
SHOULD be followed.
Servers that store a Echo challenge per client can be attacked for 6. IANA Considerations
resource exhaustion, and should consider minimizing the state kept
per client, e.g. using a mechanism as described in Appendix A.
7. References This document adds the following option numbers to the "CoAP Option
Numbers" registry defined by [RFC7252]:
7.1. Normative References +--------+-------------+------------+
| Number | Name | Reference |
+--------+-------------+------------+
| TBD1 | Echo | [RFC XXXX] |
| | | |
| TBD2 | Request-Tag | [RFC XXXX] |
+--------+-------------+------------+
Figure 4: CoAP Option Numbers
7. Security Considerations
Servers SHOULD NOT put any privacy sensitive information in the Echo
or Request-Tag option values. Unencrypted timestamps MAY reveal
information about the server such as its wall clock time or location.
Servers MUST use a monotonic clock to generate timestamps and compute
round-trip times. Servers SHOULD NOT use wall clock time for
timestamps, as wall clock time is not monotonic, may reveal that the
server will accept expired certificates, or reveal the server's
location. Use of non-monotonic clocks is not secure as the server
will accept expired Echo option values if the clock is moved
backward. The server will also reject fresh Echo option values if
the clock is moved forward. An attacker may be able to affect the
server's wall clock time in various ways such as setting up a fake
NTP server or broadcasting false time signals to radio-controlled
clocks. Servers SHOULD use the time since reboot measured in some
unit of time. Servers MAY reset the timer periodically even when not
rebooting.
The availability of a secure pseudorandom number generator and truly
random seeds are essential for the security of the Echo option. If
no true random number generator is available, a truly random seed
must be provided from an external source.
An Echo value with 64 (pseudo-)random bits gives the same theoretical
security level against forgeries as a 64-bit MAC (as used in e.g.
AES_128_CCM_8). In practice, forgery of an Echo option value is much
harder as an attacker must also forge the MAC in the security
protocol. The Echo option value MUST contain 32 (pseudo-)random bits
that are not predictable for any other party than the server, and
SHOULD contain 64 (pseudo-)random bits. A server MAY use different
security levels for different uses cases (client aliveness, request
freshness, state synchronization, network address reachability,
etc.).
The security provided by the Echo and Request-Tag options depends on
the security protocol used. CoAP and HTTP proxies require (D)TLS to
be terminated at the proxies. The proxies are therefore able to
manipulate, inject, delete, or reorder options or packets. The
security claims in such architectures only hold under the assumption
that all intermediaries are fully trusted and have not been
compromised.
Servers that use the List of Cached Random Values and Timestamps
method described in Appendix A may be vulnerable to resource
exhaustion attacks. On way to minimizing state is to use the
Integrity Protected Timestamp method described in Appendix A.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in [RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in
the Constrained Application Protocol (CoAP)", RFC 7959, the Constrained Application Protocol (CoAP)", RFC 7959,
DOI 10.17487/RFC7959, August 2016, DOI 10.17487/RFC7959, August 2016,
<https://www.rfc-editor.org/info/rfc7959>. <https://www.rfc-editor.org/info/rfc7959>.
7.2. Informative References 8.2. Informative References
[I-D.amsuess-core-request-tag]
Amsuess, C., "Request-Tag option", draft-amsuess-core-
request-tag-00 (work in progress), March 2017.
[I-D.ietf-core-object-security] [I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments "Object Security for Constrained RESTful Environments
(OSCORE)", draft-ietf-core-object-security-06 (work in (OSCORE)", draft-ietf-core-object-security-09 (work in
progress), October 2017. progress), March 2018.
[I-D.mattsson-core-coap-actuators] [I-D.mattsson-core-coap-actuators]
Mattsson, J., Fornehed, J., Selander, G., and F. Mattsson, J., Fornehed, J., Selander, G., Palombini, F.,
Palombini, "Controlling Actuators with CoAP", draft- and C. Amsuess, "Controlling Actuators with CoAP", draft-
mattsson-core-coap-actuators-02 (work in progress), mattsson-core-coap-actuators-04 (work in progress), March
November 2016. 2018.
[I-D.tschofenig-core-coap-tcp-tls] [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
Bormann, C., Lemay, S., Technologies, Z., and H. (TLS) Protocol Version 1.2", RFC 5246,
Tschofenig, "A TCP and TLS Transport for the Constrained DOI 10.17487/RFC5246, August 2008,
Application Protocol (CoAP)", draft-tschofenig-core-coap- <https://www.rfc-editor.org/info/rfc5246>.
tcp-tls-05 (work in progress), November 2015.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>. January 2012, <https://www.rfc-editor.org/info/rfc6347>.
[RFC7641] Hartke, K., "Observing Resources in the Constrained [RFC7641] Hartke, K., "Observing Resources in the Constrained
Application Protocol (CoAP)", RFC 7641, Application Protocol (CoAP)", RFC 7641,
DOI 10.17487/RFC7641, September 2015, DOI 10.17487/RFC7641, September 2015,
<https://www.rfc-editor.org/info/rfc7641>. <https://www.rfc-editor.org/info/rfc7641>.
Appendix A. Performance Impact When Using the Echo Option [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
The Echo option requires the server to keep some state in order to Application Protocol) over TCP, TLS, and WebSockets",
later verify the echoed request. RFC 8323, DOI 10.17487/RFC8323, February 2018,
<https://www.rfc-editor.org/info/rfc8323>.
Instead of caching Echo option values and response transmission Appendix A. Methods for Generating Echo Option Values
times, the server MAY use the encryption of the response transmit
time t0 as Echo option value. Such a scheme needs to ensure that the
server can detect a replay of a previous encrypted response transmit
time.
For example, the server MAY encrypt t0 with AES-CCM-128-64-64 using a The content and structure of the Echo option value are implementation
(pseudo-)random secret key k generated and cached by the server. A specific and determined by the server. Use of one of the mechanisms
unique IV MUST be used with each encryption, e.g. using a sequence outlined in this section is RECOMMENDED.
number. If the server loses time synchronization, e.g. due to
reboot, then k MUST be deleted and replaced by a new random secret
key. When using encrypted response transmit times, the Echo
processing is modified in the following way: The verification of
cached option value in the server processing is replaced by the
verification of the integrity of the encrypted option value using the
cached key and IV (e.g. sequence number).
The two methods - (a) the list of cached values, and (b) the Different mechanisms have different tradeoffs between the size of the
encryption of transmit time - have different impact on the Echo option value, the amount of server state, the amount of
implementation: computation, and the security properties offered.
o size of cached data (list of cached values vs. key and IV) o Integrity Protected Timestamp. One method is to construct the
Echo option value as an integrity protected timestamp. The
timestamp can have different resolution and range. A 32-bit
timestamp can e.g. give a resolution of 1 second with a range of
136 years. The (pseudo-)random secret key is generated by the
server and not shared with any other party. The use of truncated
HMAC-SHA-256 is RECOMMENDED. With a 32-bit timestamp and a 64-bit
MAC, the size of the Echo option value is 12 bytes and the Server
state is small and constant. If the server loses time
synchronization, e.g. due to reboot, the old key MUST be deleted
and replaced by a new random secret key. A server MAY also want
to encrypt its timestamps, depending on the choice of encryption
algorithms, this may require a nonce to be included in the Echo
option value.
o size of message (typically larger with encrypted time) Echo option value: timestamp t0, MAC(k, t0)
Server State: secret key k
o computation (encryption + decryption vs. generation new nonce + o List of Cached Random Values and Timestamps. An alternative
cache + lookup) method is to construct the Echo option value as a (pseudo-)random
byte string. The server caches a list containing the random byte
strings and their transmission times. Assuming 64-bit random
values and 32-bit timestamps, the size of the Echo option value is
8 bytes and the amount of server state is 12n bytes, where n is
the number of active Echo Option values. If the server loses time
synchronization, e.g. due to reboot, the entries in the old list
MUST be deleted.
In general, the encryption of transmission times is most useful if Echo option value: random value r
the number of concurrent requests is high. Server State: random value r, timestamp t0
A hybrid scheme is also possible: the first Echo option values are A server MAY use different methods and security levels for different
cached, and if the number of concurrent requests reach a certain uses cases (client aliveness, request freshness, state
threshold, then encrypted times are used until there is space for synchronization, network address reachability, etc.).
storing new values in the list. In that case, the server may need to
make both verifications - either that the Echo value is in the list,
or that it verifies in decryption - and in either case that the
transmission time is valid.
Appendix B. Request-Tag Message Size Impact Appendix B. Request-Tag Message Size Impact
In absence of concurrent operations, the Request-Tag mechanism for In absence of concurrent operations, the Request-Tag mechanism for
body integrity (Section 3.3.1) incurs no overhead if no messages are body integrity (Section 3.3.1) incurs no overhead if no messages are
lost (more precisely: in OSCORE, if no operations are aborted due to lost (more precisely: in OSCORE, if no operations are aborted due to
repeated transmission failure; in DTLS, if no packages are lost), or repeated transmission failure; in DTLS, if no packages are lost), or
when blockwise request operations happen rarely (in OSCORE, if only when blockwise request operations happen rarely (in OSCORE, if only
one request operation with losses within the replay window). one request operation with losses within the replay window).
skipping to change at page 16, line 22 skipping to change at page 18, line 38
o In OSCORE, the sequence number can be artificially increased so o In OSCORE, the sequence number can be artificially increased so
that all lost messages are outside of the replay window by the that all lost messages are outside of the replay window by the
time the first request of the new operation gets processed, and time the first request of the new operation gets processed, and
all earlier operations can therefore be regarded as concluded. all earlier operations can therefore be regarded as concluded.
Appendix C. Change Log Appendix C. Change Log
[ The editor is asked to remove this section before publication. ] [ The editor is asked to remove this section before publication. ]
o Major changes since draft-ietf-core-echo-request-tag-00:
* Reworded the Echo section.
* Added rules for Token processing.
* Added security considerations.
* Added actual IANA section.
* Made Request-Tag optional and safe-to-forward, relying on
blockwise to treat it as part of the cache-key
* Dropped use case about OSCORE outer-blockwise (the case went
away when its Partial IV was moved into the Object-Security
option)
o Major changes since draft-amsuess-core-repeat-request-tag-00: o Major changes since draft-amsuess-core-repeat-request-tag-00:
* The option used for establishing freshness was renamed from * The option used for establishing freshness was renamed from
"Repeat" to "Echo" to reduce confusion about repeatable "Repeat" to "Echo" to reduce confusion about repeatable
options. options.
* The response code that goes with Echo was changed from 4.03 to * The response code that goes with Echo was changed from 4.03 to
4.01 because the client needs to provide better credentials. 4.01 because the client needs to provide better credentials.
* The interaction between the new option and (cross) proxies is * The interaction between the new option and (cross) proxies is
now covered. now covered.
* Two messages being "Request-Tag matchable" was introduced to * Two messages being "Request-Tag matchable" was introduced to
replace the older concept of having a request tag value with replace the older concept of having a request tag value with
its slightly awkward equivalence definition. its slightly awkward equivalence definition.
Authors' Addresses Authors' Addresses
Christian Amsuess Christian Amsuess
Energy Harvesting Solutions
Email: c.amsuess@energyharvesting.at Email: christian@amsuess.com
John Mattsson John Mattsson
Ericsson AB Ericsson AB
Email: john.mattsson@ericsson.com Email: john.mattsson@ericsson.com
Goeran Selander Goeran Selander
Ericsson AB Ericsson AB
Email: goran.selander@ericsson.com Email: goran.selander@ericsson.com
 End of changes. 78 change blocks. 
259 lines changed or deleted 417 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/