--- 1/draft-ietf-core-echo-request-tag-01.txt 2018-06-29 10:13:46.224655840 -0700 +++ 2/draft-ietf-core-echo-request-tag-02.txt 2018-06-29 10:13:46.268656889 -0700 @@ -1,47 +1,47 @@ CoRE Working Group C. Amsuess Internet-Draft -Updates: 7252, 7959 (if approved) J. Mattsson +Updates: 7252 (if approved) J. Mattsson Intended status: Standards Track G. Selander -Expires: September 6, 2018 Ericsson AB - March 05, 2018 +Expires: December 31, 2018 Ericsson AB + June 29, 2018 Echo and Request-Tag - draft-ietf-core-echo-request-tag-01 + draft-ietf-core-echo-request-tag-02 Abstract This document specifies several security enhancements to the Constrained Application Protocol (CoAP). Two optional extensions are defined: the Echo option and the Request-Tag option. Each of these options provide additional features to CoAP and protects against certain attacks. The document also updates the processing - requirements on the Block options and the Token. The updated Token - processing ensures secure binding of responses to requests. + requirements on the Token of [RFC7252]. The updated Token processing + ensures secure binding of responses to requests. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 6, 2018. + This Internet-Draft will expire on December 31, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -52,41 +52,45 @@ described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3 1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 3 1.3. Request-Response Binding . . . . . . . . . . . . . . . . 4 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 5 - 2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 5 + 2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 6 2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 6 - 2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 8 - 3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 9 - 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 9 - 3.2. Request-Tag Processing . . . . . . . . . . . . . . . . . 10 - 3.3. Applications . . . . . . . . . . . . . . . . . . . . . . 11 - 3.3.1. Body Integrity Based on Payload Integrity . . . . . . 11 - 3.3.2. Multiple Concurrent Blockwise Operations . . . . . . 12 - 3.4. Rationale for the option properties . . . . . . . . . . . 13 - 4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 14 - 5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 14 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 14 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 - 8.1. Normative References . . . . . . . . . . . . . . . . . . 15 - 8.2. Informative References . . . . . . . . . . . . . . . . . 16 - Appendix A. Methods for Generating Echo Option Values . . . . . 17 - Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 18 - Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 18 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 + 2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 9 + 3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 10 + 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 10 + 3.2. Request-Tag processing by servers . . . . . . . . . . . . 11 + 3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 12 + 3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 12 + 3.4.1. Body Integrity Based on Payload Integrity . . . . . . 12 + 3.4.2. Multiple Concurrent Blockwise Operations . . . . . . 13 + 3.4.3. Simplified block-wise Handling for constrained + proxies . . . . . . . . . . . . . . . . . . . . . . . 14 + 3.5. Rationale for the option properties . . . . . . . . . . . 14 + 3.6. Rationale for introducing the option . . . . . . . . . . 15 + 4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 15 + 5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 15 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 16 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 17 + 8.2. Informative References . . . . . . . . . . . . . . . . . 17 + Appendix A. Methods for Generating Echo Option Values . . . . . 18 + Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 19 + Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 20 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 1. Introduction The initial Constrained Application Protocol (CoAP) suite of specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed with the assumption that security could be provided on a separate layer, in particular by using DTLS ([RFC6347]). However, for some use cases, additional functionality or extra processing is needed to support secure CoAP operations. This document specifies several security enhancements to the Constrained Application Protocol (CoAP). @@ -100,25 +104,23 @@ network address. The Request-Tag option allows the CoAP server to match message fragments belonging to the same request, fragmented using the CoAP Block-Wise Transfer mechanism, which mitigates attacks and enables concurrent blockwise operations. These options in themselves do not replace the need for a security protocol; they specify the format and processing of data which, when integrity protected using e.g. DTLS ([RFC6347]), TLS ([RFC5246]), or OSCORE ([I-D.ietf-core-object-security]), provide the additional security features. - The document also updates the processing requirements on the Block1 - option, the Block2 option, and the Token. The updated blockwise - processing secure blockwise operations with multiple representations - of a particular resource. The updated Token processing ensures - secure binding of responses to requests. + The document also updates the processing requirements on the Token. + The updated processing ensures secure binding of responses to + requests. 1.1. Request Freshness A CoAP server receiving a request is in general not able to verify when the request was sent by the CoAP client. This remains true even if the request was protected with a security protocol, such as DTLS. This makes CoAP requests vulnerable to certain delay attacks which are particularly incriminating in the case of actuators ([I-D.mattsson-core-coap-actuators]). Some attacks are possible to mitigate by establishing fresh session keys (e.g. performing the DTLS @@ -192,73 +194,79 @@ tokens until the traffic keys have been replaced. As there may be any number of responses to a request (see e.g. [RFC7641]), the easiest way to accomplish this is to implement the token as a counter and never reuse any tokens at all. This document updates the Token processing in [RFC7252] to always assure a cryptographically secure binding of responses to requests. 1.4. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in [RFC2119]. + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in BCP + 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. Unless otherwise specified, the terms "client" and "server" refers to "CoAP client" and "CoAP server", respectively, as defined in [RFC7252]. The terms "payload" and "body" of a message are used as in [RFC7959]. The complete interchange of a request and a response body is called a (REST) "operation". An operation fragmented using [RFC7959] is called a "blockwise operation". A blockwise operation which is fragmenting the request body is called a "blockwise request operation". A blockwise operation which is fragmenting the response body is called a "blockwise response operation". - Two blockwise operations between the same endpoint pair on the same - resource are said to be "concurrent" if a block of the second request - is exchanged even though the client still intends to exchange further - blocks in the first operation. (Concurrent blockwise request - operations are impossible with the options of [RFC7959] because the - second operation's block overwrites any state of the first - exchange.). + Two request messages are said to be "matchable" if they occur between + the same endpoint pair, have the same code and the same set of + options except for elective NoCacheKey options and options involved + in bock-wise transfer (Block1, Block2 and Request-Tag). Two + operations are said to be matchable if any of their messages are. - The Echo and Request-Tag options are defined in this document. The - concept of two messages being "Request-Tag-matchable" is defined in - Section 3.1. + Two matchable blockwise operations are said to be "concurrent" if a + block of the second request is exchanged even though the client still + intends to exchange further blocks in the first operation. + (Concurrent blockwise request operations are impossible with the + options of [RFC7959] because the second operation's block overwrites + any state of the first exchange.). + + The Echo and Request-Tag options are defined in this document. 2. The Echo Option The Echo option is a server-driven challenge-response mechanism for CoAP. The Echo option value is a challenge from the server to the client included in a CoAP response and echoed in one or more CoAP request. 2.1. Option Format The Echo Option is elective, safe-to-forward, not part of the cache- - key, and not repeatable, see Figure 1. + key, and not repeatable, see Figure 1, which extends Table 4 of + [RFC7252]). +-----+---+---+---+---+-------------+--------+--------+---------+---+ | No. | C | U | N | R | Name | Format | Length | Default | E | +-----+---+---+---+---+-------------+--------+--------+---------+---+ | TBD | | | x | | Echo | opaque | 4-40 | (none) | x | +-----+---+---+---+---+-------------+--------+--------+---------+---+ C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, E = Encrypt and Integrity Protect (when using OSCORE) Figure 1: Echo Option Summary - [Note to RFC editor: If this document is not released together with - OSCORE but before it, the following paragraph and the "E" column - above need to move into OSCORE.] + [ Note to RFC editor: If this document is released before core- + object-security, the following paragraph and the "E" column above + need to move into OSCORE. ] The Echo option value is generated by the server, and its content and structure are implementation specific. Different methods for generating Echo option values are outlined in Appendix A. Clients and intermediaries MUST treat an Echo option value as opaque and make no assumptions about its content or structure. When receiving an Echo option in a request, the server MUST be able to verify that the Echo option value was generated by the server as well as the point in time when the Echo option value was generated. @@ -283,21 +291,21 @@ The server may also include the Echo option in a response to verify the aliveness of a client, to synchronize state, or to force a client to demonstrate reachability at their apparent network address. Upon receiving a 4.01 Unauthorized response with the Echo option, the client SHOULD resend the original request with the addition of an Echo option with the received Echo option value. The client MAY send a different request compared to the original request. Upon receiving any other response with the Echo option, the client SHOULD echo the - Echo option value in a next request to the server. The client MAY + Echo option value in the next request to the server. The client MAY include the same Echo option value in several different requests to the server. Upon receiving a request with the Echo option, the server determines if the request has freshness requirement. If the request does not have freshness requirements, the Echo option MAY be ignored. If the request has freshness requirements and the server cannot verify the freshness of the request in some other way, the server MUST verify that the Echo option value was generated by the server; otherwise the request is not processed further. The server MUST then calculate the @@ -406,138 +414,160 @@ The Request-Tag is intended for use as a short-lived identifier for keeping apart distinct blockwise request operations on one resource from one client. It enables the receiving server to reliably assemble request payloads (blocks) to their message bodies, and, if it chooses to support it, to reliably process simultaneous blockwise request operations on a single resource. The requests must be integrity protected in order to protect against interchange of blocks between different message bodies. + In essence, it is an implementation of the "proxy-safe elective + option" used just to "vary the cache key" as suggested in [RFC7959] + Section 2.4. + 3.1. Option Format - The Request-Tag option is not critical, safe to forward, and part of - the cache key as illustrated in Figure 3. + The Request-Tag option is not critical, is safe to forward, + repeatable, and part of the cache key, see Figure 3, which extends + Table 4 of [RFC7252]). - +-----+---+---+---+---+-------------+--------+--------+---------+---+ - | No. | C | U | N | R | Name | Format | Length | Default | E | - +-----+---+---+---+---+-------------+--------+--------+---------+---+ - | TBD | | | | | Request-Tag | opaque | 0-8 | (none) | * | - +-----+---+---+---+---+-------------+--------+--------+---------+---+ ++-----+---+---+---+---+-------------+--------+--------+---------+---+---+ +| No. | C | U | N | R | Name | Format | Length | Default | E | U | ++-----+---+---+---+---+-------------+--------+--------+---------+---+---+ +| TBD | | | | x | Request-Tag | opaque | 0-8 | (none) | x | x | ++-----+---+---+---+---+-------------+--------+--------+---------+---+---+ C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, E = Encrypt and Integrity Protect (when using OSCORE) Figure 3: Request-Tag Option Summary - [Note to RFC editor: If this document is not released together with - OSCORE but before it, the following paragraph and the "E" column + [ Note to RFC editor: If this document is released before core- + object-security, the following paragraph and the "E"/"U" columns above need to move into OSCORE.] - Request-Tag, like the block options, is a special class E option in - terms of OSCORE processing (see Section 4.3.1.2 of + Request-Tag, like the block options, is both a class E and a class U + option in terms of OSCORE processing (see Section 4.1 of [I-D.ietf-core-object-security]): The Request-Tag MAY be an inner or outer option. The inner option is encrypted and integrity protected between client and server, and provides message body identification in case of end-to-end fragmentation of requests. The outer option is visible to proxies and labels message bodies in case of hop-by-hop fragmentation of requests. The Request-Tag option is only used in the request messages of - blockwise request operations. - - Two messages are defined to be Request-Tag-matchable if and only if - they are sent from and to the same end points (including security - associations), and target the same URI (precisely: target the same - endpoint and cache-key except for cache-key options that are related - to blockwise), and if either neither carries a Request-Tag option, or - both carry exactly one Request-Tag option and the option values are - of same length and content. - - The Request-Tag mechanism is applied independently on the server and - client sides of CoAP-CoAP proxies as are the block options, though - given it is safe to forward, a proxy is free to just forward it when - processing an operation. CoAP-HTTP proxies and HTTP-CoAP proxies can - use Request-Tag on their CoAP sides; it is not applicable to HTTP - requests. - - For each separate blockwise request operation, the client can choose - a Request-Tag value, or choose not to set a Request-Tag. Creating a - new request operation whose messages are Request-Tag-matchable to a - previous operation is called request tag recycling. Clients MUST NOT - recycle a request tag unless the first operation has concluded. What - constitutes a concluded operation depends on the application, and is - outlined individually in Section 3.3. + blockwise operations. - Clients are encouraged to generate compact messages. This means - sending messages without Request-Tag options whenever possible, and - using short values when the absent option can not be recycled. + The Request-Tag mechanism can be applied independently on the server + and client sides of CoAP-CoAP proxies as are the block options, + though given it is safe to forward, a proxy is free to just forward + it when processing an operation. CoAP-HTTP proxies and HTTP-CoAP + proxies can use Request-Tag on their CoAP sides; it is not applicable + to HTTP requests. -3.2. Request-Tag Processing +3.2. Request-Tag processing by servers - A server MUST NOT act on any two blocks in the same blockwise request - operation that are not Request-Tag-matchable. This rule applies - independent of whether the request actually carries a Request-Tag - option (if not, the request can only be acted on together with other - messages not carrying the option, as per matchability definition). + The Request-Tag option does not require any particular processing on + the server side: As it varies the set of options that distinguish + blockwise operations (ie. is neither Block1 or Block2 nor elective + NoCacheKey), the server can not treat their messages as belonging to + the same operation. - As not all messages from the same source can be combined any more, a - block not matchable to the first Block1 cannot overwrite context kept - for an operation under a different tag (cf. [RFC7959] Section 2.5). - The server is still under no obligation to keep state of more than - one transaction. When an operation is in progress and a second one - cannot be served at the same time, the server SHOULD respond to the - second request with a 5.03 (Service Unavailable) response code and - indicate the time it is willing to wait for additional blocks in the - first operation using the Max-Age option, as specified in - Section 5.9.3.4 of [RFC7252]. (Alternatively, the server can cancel - the original operation, especially if it is already likely to time - out. Cancelling it unconditionally is the behavior that could be - expected of a Request-Tag unaware server.) + To keep utilizing the cache, a server (including proxies) MAY discard + the Request-Tag option from an assembled block-wise request when + consulting its cache, as the option describes the individual blocks + but not the operation as a whole. For example, a FETCH request with + the same body can have a fresh response even if they were requested + using different request tags. (This is similar to the situation + about ETag in that it is formally part of the cache key, but + implementations that are aware of its meaning can cache more + efficiently, see [RFC7252] Section 5.4.2). A server receiving a Request-Tag MUST treat it as opaque and make no assumptions about its content or structure. - Two messages being Request-Tag-matchable is a necessary but not + Two messages carrying the same Request-Tag is a necessary but not sufficient condition for being part of the same operation. They can still be treated as independent messages by the server (e.g. when it sends 2.01/2.04 responses for every block), or initiate a new operation (overwriting kept context) when the later message carries Block1 number 0. - Note that RFC 7959 already implies that the cache key is the element - that binds exchanges together to operations (together with the - request's source endpoint), but is not explicit about it; therefore, - the above rules are spelt out here. + [ The following paragraph might be better placed in lwig-coap, but + was left here until lwig-coap has decided on its fate there. ] -3.3. Applications + As it has always been, a server that can only serve a limited number + of block-wise operations at the same time can delay the start of the + operation by replying with 5.03 (Service unavailable) and a Max-Age + indicating how long it expects the existing operation to go on, or it + can forget about the state established with the older operation and + respond with 4.08 (Request Entity Incompelte) to later blocks on the + first operation. -3.3.1. Body Integrity Based on Payload Integrity + Especially, that is the case for any correctly implemented proxy that + does not know how to use Request-Tag in requests and has only one + client endpoint. When it receives concurrent incoming requests on + the same resource, it needs to make that very choice: either send a + 5.03 with Max-Age (holding off the second operation), or to commence + the second operation and reject any further requests on the first + operation with 4.08 Request Entity Incompelte errors without + forwarding them. (Alternatively, it could spool the second request, + but the unpredictable nature of the timeouts involved often makes + that an unsuitable choice.) + +3.3. Setting the Request-Tag + + For each separate blockwise request operation, the client can choose + a Request-Tag value, or choose not to set a Request-Tag. Starting a + request operation matchable to a previous operation and even using + the same Request-Tag value is called request tag recycling. Clients + MUST NOT recycle a request tag unless the first operation has + concluded. What constitutes a concluded operation depends on the + application, and is outlined individually in Section 3.4. + + When Block1 and Block2 are combined in an operation, the Request-Tag + of the Block1 phase is set in the Block2 phase as well for otherwise + the request would have a different set of options and would not be + recognized any more. + + Clients are encouraged to generate compact messages. This means + sending messages without Request-Tag options whenever possible, and + using short values when the absent option can not be recycled. + +3.4. Applications + +3.4.1. Body Integrity Based on Payload Integrity When a client fragments a request body into multiple message payloads, even if the individual messages are integrity protected, it - is still possible for a man-in-the-middle to maliciously replace - later operation's blocks with earlier operation's blocks (see + is still possible for a man-in-the-middle to maliciously replace a + later operation's blocks with an earlier operation's blocks (see Section 2.5 of [I-D.mattsson-core-coap-actuators]). Therefore, the integrity protection of each block does not extend to the operation's request body. In order to gain that protection, use the Request-Tag mechanism as follows: o The individual exchanges MUST be integrity protected end-to-end between client and server. - o The client MUST NOT recycle a request tag unless the previous - blockwise request operation that used matchable Request-Tags has + o The client MUST NOT recycle a request tag in a new operation + unless the previous operation matchable to the new one has concluded. + When considering previous operations in protocols where the + security association is not tightly bound to an end point (eg. + OSCORE), the client MUST consider messages sent to _any_ endpoint + with the new operation's security context. + o The client MUST NOT regard a blockwise request operation as concluded unless all of the messages the client previously sent in the operation have been confirmed by the message integrity protection mechanism, or are considered invalid by the server if replayed. Typically, in OSCORE, these confirmations can result either from the client receiving an OSCORE response message matching the request (an empty ACK is insufficient), or because the message's sequence number is old enough to be outside the server's receive @@ -548,93 +578,109 @@ Authors of other documents (e.g. [I-D.ietf-core-object-security]) are invited to mandate this behavior for clients that execute blockwise interactions over secured transports. In this way, the server can rely on a conforming client to set the Request-Tag option when required, and thereby conclude on the integrity of the assembled body. Note that this mechanism is implicitly implemented when the security layer guarantees ordered delivery (e.g. CoAP over TLS [RFC8323]). - This is because with each message, any earlier operation can be - regarded as concluded by the client, so it never needs to set the - Request-Tag option unless it wants to perform concurrent operations. + This is because with each message, any earlier message can not be + replayed any more, so the client never needs to set the Request-Tag + option unless it wants to perform concurrent operations. -3.3.2. Multiple Concurrent Blockwise Operations +3.4.2. Multiple Concurrent Blockwise Operations CoAP clients, especially CoAP proxies, may initiate a blockwise request operation to a resource, to which a previous one is already - in progress, and which the new request should not cancel. A CoAP - proxy would be in such a situation when it forwards operations with - the same cache-key options but possibly different payloads. + in progress, which the new request should not cancel. A CoAP proxy + would be in such a situation when it forwards operations with the + same cache-key options but possibly different payloads. - When a client fragments an initial message as part of a blockwise - request operation, it can do so without a Request-Tag option set. - For this application, an operation can be regarded as concluded when - a final Block1 option has been sent and acknowledged, or when the - client chose not to continue with the operation (e.g. by user choice, - or in the case of a proxy when it decides not to take any further - messages in the operation due to a timeout). When another concurrent - blockwise request operation is made (i.e. before the operation is - concluded), the client can not recycle the request tag, and has to - pick a new one. The possible outcomes are: + For those cases, Request-Tag is the proxy-safe elective option + suggested in [RFC7959] Section 2.4 last paragraph. - o The server responds with a successful code. + When initializing a new blockwise operation, a client has to look at + other active operations: - The second concurrent blockwise operations can then continue. + o If any of them is matchable to the new one, and the client neither + wants to cancel the old one nor postpone the new one, it can pick + a Request-Tag value that is not in use by the other matchable + operations for the new operation. - The first operation might have been cancelled by that (typical of - servers that only support a single blockwise operation), in which - case its resumption will result in a 4.08 Request Entity - Incomplete error. + o Otherwise, it can start the new operation without setting the + Request-Tag option on it. - o The server responds 5.03 Service Unavailable with a Max-Age option - to indicate when it is likely to be available again. +3.4.3. Simplified block-wise Handling for constrained proxies - This can indicate that the server supports Request-Tag, but still - is not prepared to handle concurrent requests. The client should - wait for as long as the response is valid, and then retry the - operation, which may not need to carry a Request-Tag option by - then any more. + The Block options were defined to be unsafe to forward because a + proxy that woud forward blocks as plain messages would risk mixing up + clients' requests. - In this, the proxy can indicate the anticipated delay by sending a - 5.03 Service Unavailable response itself. + The Request-Tag option provides a very simple way for a proxy to keep + them separate: if it appends a Request-Tag that is particular to the + requesting endpoint to all request carrying any Block option, it does + not need to keep track of any further block state. + [I-D.ietf-lwig-coap] Section TBD provides further details. - Note that a correctly implemented Request-Tag unaware proxy in the - same situation would need to make a choice to either send a 5.03 with - Max-Age by itself (holding off the second operation), or to commence - the second operation and reject any further requests on the first - operation with 4.08 Request Entity Incompelte errors by itself - without forwarding them. + [ Note to reviewers and co-authors: That section was so far only + syggested in input for lwig-coap. If it does not get into the + document, we should drop it here (for I don't want to explain all + this case's details and security considerations here), but if the + reference works, this section shows why Request-Tag has become + repeatable. ] -3.4. Rationale for the option properties +3.5. Rationale for the option properties - The Request-Tag option used to be critical and unsafe to forward in - earlier revisions of this draft. + [ This section needs to be reworked after assuming our RFC7959 + interpretation. ] - Given that supporting it will be mandated for where it is used for - its security properties, the choice of whether it is mandatory or - safe to forward can be made as required for the multiple concurrent - operations use case. For those cases, Request-Tag is the proxy-safe - elective option suggested in [RFC7959] Section 2.4 last paragraph. + The Request-Tag option can be elective, because to servers unaware of + the Request-Tag option, operations with differing request tags will + not be matchable. + + The Request-Tag option can be safe to forward but part of the cache + key, because to proxies unaware of the Request-Tag option will + consider operations with differing request tags unmatchable but can + still forward them. + + In earlier versions of this draft, the Request-Tag option used to be + critical and unsafe to forward. That design was based on an + erroneous understanding of which blocks could be composed according + to [RFC7959]. + +3.6. Rationale for introducing the option + + An alternative that was considered to the Request-Tag option for + coping with the problem of fragmented message body integrity + (Section 3.4.1) was to update [RFC7959] to say that blocks could only + be assembled if their fragments' order corresponded to the sequence + numbers. + + That approach would have been difficult to roll out reliably on DTLS + where many implementations do not expose sequence numbers, and would + still not prevent attacks like in [I-D.mattsson-core-coap-actuators] + Section 2.5.2. 4. Block2 / ETag Processing - The same security properties as in Section 3.3.1 can be obtained for + The same security properties as in Section 3.4.1 can be obtained for blockwise response operations. The threat model here is not an attacker (because the response is made sure to belong to the current request by the security layer), but blocks in the client's cache. - Analogous rules to Section 3.2 are already in place for assembling a - response body in Section 2.4 of [RFC7959]. + Rules stating that response body reassembly is conditional on + matching ETag values are already in place from Section 2.4 of + [RFC7959]. - To gain equivalent protection to Section 3.3.1, a server MUST use the + To gain equivalent protection to Section 3.4.1, a server MUST use the Block2 option in conjunction with the ETag option ([RFC7252], Section 5.10.6), and MUST NOT use the same ETag value for different representations of a resource. 5. Token Processing This section updates the Token processing in Section 5.3.1 of [RFC7252] by adding the following text: When CoAP is used with a security protocol not providing bindings @@ -653,36 +699,37 @@ +--------+-------------+------------+ | TBD1 | Echo | [RFC XXXX] | | | | | | TBD2 | Request-Tag | [RFC XXXX] | +--------+-------------+------------+ Figure 4: CoAP Option Numbers 7. Security Considerations - Servers SHOULD NOT put any privacy sensitive information in the Echo - or Request-Tag option values. Unencrypted timestamps MAY reveal - information about the server such as its wall clock time or location. - Servers MUST use a monotonic clock to generate timestamps and compute - round-trip times. Servers SHOULD NOT use wall clock time for - timestamps, as wall clock time is not monotonic, may reveal that the - server will accept expired certificates, or reveal the server's + Implementations SHOULD NOT put any privacy sensitive information in + the Echo or Request-Tag option values. Unencrypted timestamps MAY + reveal information about the server such as its wall clock time or + location. Servers MUST use a monotonic clock to generate timestamps + and compute round-trip times. Servers SHOULD NOT use wall clock time + for timestamps, as wall clock time is not monotonic, may reveal that + the server will accept expired certificates, or reveal the server's location. Use of non-monotonic clocks is not secure as the server will accept expired Echo option values if the clock is moved backward. The server will also reject fresh Echo option values if the clock is moved forward. An attacker may be able to affect the server's wall clock time in various ways such as setting up a fake NTP server or broadcasting false time signals to radio-controlled - clocks. Servers SHOULD use the time since reboot measured in some - unit of time. Servers MAY reset the timer periodically even when not - rebooting. + clocks. Servers MAY use the time since reboot measured in some unit + of time. Servers MAY reset the timer periodically. When resetting + the timer, the server MUST reject all Echo values that was created + before the reset. The availability of a secure pseudorandom number generator and truly random seeds are essential for the security of the Echo option. If no true random number generator is available, a truly random seed must be provided from an external source. An Echo value with 64 (pseudo-)random bits gives the same theoretical security level against forgeries as a 64-bit MAC (as used in e.g. AES_128_CCM_8). In practice, forgery of an Echo option value is much harder as an attacker must also forge the MAC in the security @@ -718,32 +765,41 @@ [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, June 2014, . [RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in the Constrained Application Protocol (CoAP)", RFC 7959, DOI 10.17487/RFC7959, August 2016, . + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . + 8.2. Informative References [I-D.ietf-core-object-security] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, "Object Security for Constrained RESTful Environments - (OSCORE)", draft-ietf-core-object-security-09 (work in - progress), March 2018. + (OSCORE)", draft-ietf-core-object-security-13 (work in + progress), June 2018. + + [I-D.ietf-lwig-coap] + Kovatsch, M., Bergmann, O., and C. Bormann, "CoAP + Implementation Guidance", draft-ietf-lwig-coap-05 (work in + progress), October 2017. [I-D.mattsson-core-coap-actuators] Mattsson, J., Fornehed, J., Selander, G., Palombini, F., and C. Amsuess, "Controlling Actuators with CoAP", draft- - mattsson-core-coap-actuators-04 (work in progress), March + mattsson-core-coap-actuators-05 (work in progress), March 2018. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, . [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012, . @@ -800,25 +856,25 @@ Echo option value: random value r Server State: random value r, timestamp t0 A server MAY use different methods and security levels for different uses cases (client aliveness, request freshness, state synchronization, network address reachability, etc.). Appendix B. Request-Tag Message Size Impact In absence of concurrent operations, the Request-Tag mechanism for - body integrity (Section 3.3.1) incurs no overhead if no messages are + body integrity (Section 3.4.1) incurs no overhead if no messages are lost (more precisely: in OSCORE, if no operations are aborted due to repeated transmission failure; in DTLS, if no packages are lost), or - when blockwise request operations happen rarely (in OSCORE, if only - one request operation with losses within the replay window). + when blockwise request operations happen rarely (in OSCORE, if there + is always only one request blockwise operation in the replay window). In those situations, no message has any Request-Tag option set, and that can be recycled indefinitely. When the absence of a Request-Tag option can not be recycled any more within a security context, the messages with a present but empty Request-Tag option can be used (1 Byte overhead), and when that is used-up, 256 values from one byte long options (2 Bytes overhead) are available. @@ -830,20 +886,33 @@ o In OSCORE, the sequence number can be artificially increased so that all lost messages are outside of the replay window by the time the first request of the new operation gets processed, and all earlier operations can therefore be regarded as concluded. Appendix C. Change Log [ The editor is asked to remove this section before publication. ] + o Major changes since draft-ietf-core-echo-request-tag-01: + + * Follow-up changes after the "relying on blockwise" change in + -01: + + + Simplify the description of Request-Tag and matchability + + + Do not update RFC7959 any more + + * Make Request-Tag repeatable. + + * Add rationale on not relying purely on sequence numbers. + o Major changes since draft-ietf-core-echo-request-tag-00: * Reworded the Echo section. * Added rules for Token processing. * Added security considerations. * Added actual IANA section.