--- 1/draft-ietf-core-echo-request-tag-02.txt 2018-10-22 15:13:29.834461390 -0700 +++ 2/draft-ietf-core-echo-request-tag-03.txt 2018-10-22 15:13:29.886462646 -0700 @@ -1,144 +1,149 @@ CoRE Working Group C. Amsuess Internet-Draft Updates: 7252 (if approved) J. Mattsson Intended status: Standards Track G. Selander -Expires: December 31, 2018 Ericsson AB - June 29, 2018 +Expires: April 25, 2019 Ericsson AB + October 22, 2018 Echo and Request-Tag - draft-ietf-core-echo-request-tag-02 + draft-ietf-core-echo-request-tag-03 Abstract - This document specifies several security enhancements to the - Constrained Application Protocol (CoAP). Two optional extensions are - defined: the Echo option and the Request-Tag option. Each of these - options provide additional features to CoAP and protects against - certain attacks. The document also updates the processing - requirements on the Token of [RFC7252]. The updated Token processing - ensures secure binding of responses to requests. + This document specifies security enhancements to the Constrained + Application Protocol (CoAP). Two optional extensions are defined: + the Echo option and the Request-Tag option. Each of these options + provide additional features to CoAP and protects against certain + attacks. The document also updates the processing requirements on + the Token of RFC 7252. The updated Token processing ensures secure + binding of responses to requests. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 31, 2018. + This Internet-Draft will expire on April 25, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3 - 1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 3 + 1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 4 1.3. Request-Response Binding . . . . . . . . . . . . . . . . 4 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 - 2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 5 + 2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 6 2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 6 - 2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 6 + 2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 7 2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 9 - 3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 10 - 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 10 - 3.2. Request-Tag processing by servers . . . . . . . . . . . . 11 - 3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 12 - 3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 12 - 3.4.1. Body Integrity Based on Payload Integrity . . . . . . 12 - 3.4.2. Multiple Concurrent Blockwise Operations . . . . . . 13 - 3.4.3. Simplified block-wise Handling for constrained - proxies . . . . . . . . . . . . . . . . . . . . . . . 14 - 3.5. Rationale for the option properties . . . . . . . . . . . 14 - 3.6. Rationale for introducing the option . . . . . . . . . . 15 - 4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 15 - 5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 15 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 16 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 - 8.1. Normative References . . . . . . . . . . . . . . . . . . 17 - 8.2. Informative References . . . . . . . . . . . . . . . . . 17 - Appendix A. Methods for Generating Echo Option Values . . . . . 18 - Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 19 - Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 20 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 + 3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 11 + 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 11 + 3.2. Request-Tag Processing by Servers . . . . . . . . . . . . 12 + 3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 13 + 3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 13 + 3.4.1. Body Integrity Based on Payload Integrity . . . . . . 13 + 3.4.2. Multiple Concurrent Blockwise Operations . . . . . . 14 + 3.4.3. Simplified Block-Wise Handling for Constrained + Proxies . . . . . . . . . . . . . . . . . . . . . . . 15 + 3.5. Rationale for the Option Properties . . . . . . . . . . . 15 + 3.6. Rationale for Introducing the Option . . . . . . . . . . 16 + 4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 16 + 5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 16 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 + 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 17 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 18 + 9.2. Informative References . . . . . . . . . . . . . . . . . 18 + Appendix A. Methods for Generating Echo Option Values . . . . . 20 + Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 21 + Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 21 + Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 22 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 1. Introduction The initial Constrained Application Protocol (CoAP) suite of specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed with the assumption that security could be provided on a separate layer, in particular by using DTLS ([RFC6347]). However, for some use cases, additional functionality or extra processing is needed to - support secure CoAP operations. This document specifies several - security enhancements to the Constrained Application Protocol (CoAP). + support secure CoAP operations. This document specifies security + enhancements to the Constrained Application Protocol (CoAP). This document specifies two server-oriented CoAP options, the Echo - option and the Request-Tag option, mainly addressing the security - features request freshness and fragmented message body integrity, - respectively. The Echo option enables a CoAP server to verify the - freshness of a request, verify the aliveness of a client, synchronize - state, or force a client to demonstrate reachability at its apparent - network address. The Request-Tag option allows the CoAP server to - match message fragments belonging to the same request, fragmented - using the CoAP Block-Wise Transfer mechanism, which mitigates attacks - and enables concurrent blockwise operations. These options in - themselves do not replace the need for a security protocol; they - specify the format and processing of data which, when integrity - protected using e.g. DTLS ([RFC6347]), TLS ([RFC5246]), or OSCORE + option and the Request-Tag option: The Echo option enables a CoAP + server to verify the freshness of a request, synchronize state, or + force a client to demonstrate reachability at its apparent network + address. The Request-Tag option allows the CoAP server to match + message fragments belonging to the same request, fragmented using the + CoAP Block-Wise Transfer mechanism, which mitigates attacks and + enables concurrent blockwise operations. These options in themselves + do not replace the need for a security protocol; they specify the + format and processing of data which, when integrity protected using + e.g. DTLS ([RFC6347]), TLS ([RFC8446]), or OSCORE ([I-D.ietf-core-object-security]), provide the additional security features. The document also updates the processing requirements on the Token. The updated processing ensures secure binding of responses to - requests. + requests, thus mitigating error cases and attacks where the client + may erroneously associate the wrong response to a request. 1.1. Request Freshness A CoAP server receiving a request is in general not able to verify when the request was sent by the CoAP client. This remains true even if the request was protected with a security protocol, such as DTLS. This makes CoAP requests vulnerable to certain delay attacks which are particularly incriminating in the case of actuators ([I-D.mattsson-core-coap-actuators]). Some attacks are possible to - mitigate by establishing fresh session keys (e.g. performing the DTLS - handshake) for each actuation, but in general this is not a solution - suitable for constrained environments. + mitigate by establishing fresh session keys, e.g. performing a DTLS + handshake for each actuation, but in general this is not a solution + suitable for constrained environments, for example, due to increased + message overhead and latency. Additionally, if there are proxies, + fresh DTLS session keys between server and proxy does not say + anything about when the client made the request. In a general hop- + by-hop setting, freshness may need to be verified in each hop. A straightforward mitigation of potential delayed requests is that the CoAP server rejects a request the first time it appears and asks the CoAP client to prove that it intended to make the request at this point in time. The Echo option, defined in this document, specifies - such a mechanism which thereby enables the CoAP server to verify the + such a mechanism which thereby enables a CoAP server to verify the freshness of a request. This mechanism is not only important in the case of actuators, or other use cases where the CoAP operations require freshness of requests, but also in general for synchronizing state between CoAP client and server and to verify aliveness of the client. 1.2. Fragmented Message Body Integrity CoAP was designed to work over unreliable transports, such as UDP, and include a lightweight reliability feature to handle messages @@ -165,163 +170,195 @@ which would provide equivalent protection to the case where the complete body fits into a single payload. The ETag option [RFC7252], set by the CoAP server, identifies a response body fragmented using the Block2 option. This document defines the Request-Tag option for identifying the request body fragmented using the Block1 option, similar to ETag, but ephemeral and set by the CoAP client. 1.3. Request-Response Binding A fundamental requirement of secure REST operations is that the - client can bind a response to a particular request. In HTTPS this is - assured by the ordered and reliable delivery as well as mandating - that the server sends responses in the same order that the requests - were received. + client can bind a response to a particular request. If this is not + valid a client may erroneously associate the wrong response to a + request. The wrong response may be an old response for the same + resource or for a completely different resource (see e.g. + Section 2.3 of [I-D.mattsson-core-coap-actuators]). For example a + request for the alarm status "GET /status" may be associated to a + prior response "on", instead of the correct response "off". - The same is not true for CoAP where the server can return responses - in any order. Concurrent requests are instead differentiated by - their Token. Unfortunately, CoAP [RFC7252] does not treat Token as a + In HTTPS, binding is assured by the ordered and reliable delivery as + well as mandating that the server sends responses in the same order + that the requests were received. The same is not true for CoAP where + the server (or an attacker) can return responses in any order. + Concurrent requests are instead differentiated by their Token. Note + that the CoAP Message ID cannot be used for this purpose since those + are typically different for REST request and corresponding response + in case of "separate response", see Section 2.2 of [RFC7252]. + + Unfortunately, CoAP [RFC7252] does not treat Token as a cryptographically important value and does not give stricter guidelines than that the tokens currently "in use" SHOULD (not SHALL) be unique. If used with security protocol not providing bindings between requests and responses (e.g. DTLS and TLS) token reuse may result in situations where a client matches a response to the wrong - request (see e.g. Section 2.3 of - [I-D.mattsson-core-coap-actuators]). Note that mismatches can also - happen for other reasons than a malicious attacker, e.g. delayed - delivery or a server sending notifications to an uninterested client. + request. Note that mismatches can also happen for other reasons than + a malicious attacker, e.g. delayed delivery or a server sending + notifications to an uninterested client. A straightforward mitigation is to mandate clients to never reuse - tokens until the traffic keys have been replaced. As there may be - any number of responses to a request (see e.g. [RFC7641]), the - easiest way to accomplish this is to implement the token as a counter - and never reuse any tokens at all. This document updates the Token + tokens until the AEAD keys have been replaced. As there may be any + number of responses to a request (see e.g. [RFC7641]), the easiest + way to accomplish this is to implement the token as a counter and + never reuse any tokens at all. This document updates the Token processing in [RFC7252] to always assure a cryptographically secure binding of responses to requests. 1.4. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Unless otherwise specified, the terms "client" and "server" refers to "CoAP client" and "CoAP server", respectively, as defined in - [RFC7252]. + [RFC7252]. The term "origin server" is used as in [RFC7252]. The + term "origin client" is used in this document to denote the client + from which a request originates; to distinguish from clients in + proxies. The terms "payload" and "body" of a message are used as in [RFC7959]. The complete interchange of a request and a response body is called a (REST) "operation". An operation fragmented using [RFC7959] is called a "blockwise operation". A blockwise operation which is fragmenting the request body is called a "blockwise request operation". A blockwise operation which is fragmenting the response body is called a "blockwise response operation". Two request messages are said to be "matchable" if they occur between the same endpoint pair, have the same code and the same set of options except for elective NoCacheKey options and options involved - in bock-wise transfer (Block1, Block2 and Request-Tag). Two + in block-wise transfer (Block1, Block2 and Request-Tag). Two operations are said to be matchable if any of their messages are. Two matchable blockwise operations are said to be "concurrent" if a block of the second request is exchanged even though the client still intends to exchange further blocks in the first operation. (Concurrent blockwise request operations are impossible with the options of [RFC7959] because the second operation's block overwrites any state of the first exchange.). The Echo and Request-Tag options are defined in this document. 2. The Echo Option - The Echo option is a server-driven challenge-response mechanism for - CoAP. The Echo option value is a challenge from the server to the - client included in a CoAP response and echoed in one or more CoAP - request. + The Echo option is a lightweight server-driven challenge-response + mechanism for CoAP, motivated by the need for a server to verify + freshness of a request as described in Section 1.1. With request + freshness we mean that the server can determine that the client (or + in the case of hop-by-hop security the proxy) sent the request + recently. The time threshold for being fresh is application + specific. The Echo option value is a challenge from the server to + the client included in a CoAP response and echoed back to the server + in one or more CoAP requests. 2.1. Option Format The Echo Option is elective, safe-to-forward, not part of the cache- key, and not repeatable, see Figure 1, which extends Table 4 of [RFC7252]). - +-----+---+---+---+---+-------------+--------+--------+---------+---+ - | No. | C | U | N | R | Name | Format | Length | Default | E | - +-----+---+---+---+---+-------------+--------+--------+---------+---+ - | TBD | | | x | | Echo | opaque | 4-40 | (none) | x | - +-----+---+---+---+---+-------------+--------+--------+---------+---+ + +-----+---+---+---+---+-------------+--------+------+---------+---+---+ + | No. | C | U | N | R | Name | Format | Len. | Default | E | U | + +-----+---+---+---+---+-------------+--------+------+---------+---+---+ + | TBD | | | x | | Echo | opaque | 4-40 | (none) | x | x | + +-----+---+---+---+---+-------------+--------+------+---------+---+---+ C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, E = Encrypt and Integrity Protect (when using OSCORE) Figure 1: Echo Option Summary [ Note to RFC editor: If this document is released before core- - object-security, the following paragraph and the "E" column above - need to move into OSCORE. ] + object-security, then the following paragraph and the "E"/"U" columns + above need to move into core-object-security, as they are defined in + that draft. ] - The Echo option value is generated by the server, and its content and + The Echo option MAY be an Inner or Outer option + [I-D.ietf-core-object-security], and the Inner and Outer values are + independent. The Inner option is encrypted and integrity protected + between the endpoints, whereas the Outer option is not protected by + OSCORE and visible between the endpoints to the extent it is not + protected by some other security protocol. E.g. in the case of DTLS + hop-by-hop between the endpoints, the Outer option is visible to + proxies along the path. + + The Echo option value is generated by a server, and its content and structure are implementation specific. Different methods for generating Echo option values are outlined in Appendix A. Clients and intermediaries MUST treat an Echo option value as opaque and make no assumptions about its content or structure. When receiving an Echo option in a request, the server MUST be able to verify that the Echo option value was generated by the server as well as the point in time when the Echo option value was generated. 2.2. Echo Processing The Echo option MAY be included in any request or response (see Section 2.3 for different applications), but the Echo option MUST NOT be used with empty CoAP requests (i.e. Code=0.00). - If the server receives a request which has freshness requirements, - the request does not contain a fresh Echo option value, and the - server cannot verify the freshness of the request in some other way, - the server MUST NOT process the request further and SHOULD send a - 4.01 Unauthorized response with an Echo option. + If a server receives a request which has freshness requirements, the + request does not contain a fresh Echo option value, and the server + cannot verify the freshness of the request in some other way, the + server MUST NOT process the request further and SHOULD send a 4.01 + Unauthorized response with an Echo option. The server MAY include + the same Echo option value in several different responses and to + different clients. The application decides under what conditions a CoAP request to a resource is required to be fresh. These conditions can for example include what resource is requested, the request method and other data in the request, and conditions in the environment such as the state of the server or the time of the day. - The server may also include the Echo option in a response to verify - the aliveness of a client, to synchronize state, or to force a client - to demonstrate reachability at their apparent network address. + The server may use request freshness provided by the Echo option to + verify the aliveness of a client or to synchronize state. The server + may also include the Echo option in a response to force a client to + demonstrate reachability at their apparent network address. Upon receiving a 4.01 Unauthorized response with the Echo option, the client SHOULD resend the original request with the addition of an Echo option with the received Echo option value. The client MAY send a different request compared to the original request. Upon receiving any other response with the Echo option, the client SHOULD echo the Echo option value in the next request to the server. The client MAY include the same Echo option value in several different requests to the server. Upon receiving a request with the Echo option, the server determines - if the request has freshness requirement. If the request does not + if the request has freshness requirements. If the request does not have freshness requirements, the Echo option MAY be ignored. If the request has freshness requirements and the server cannot verify the freshness of the request in some other way, the server MUST verify that the Echo option value was generated by the server; otherwise the request is not processed further. The server MUST then calculate the round-trip time RTT = (t1 - t0), where t1 is the request receive time - and t0 is the transmit time of the response that included the - specific Echo option value. The server MUST only accept requests - with a round-trip time below a certain threshold T, i.e. RTT < T, - otherwise the request is not processed further, and an error message - MAY be sent. The threshold T is application specific, its value + and t0 is the time when the Echo option value was generated. The + server MUST only accept requests with a round-trip time below a + certain threshold T, i.e. RTT < T. If the server cannot verify that + the Echo option value was generated by the server or the round-trip + time is not below the threshold the request is not processed further, + and an error message MAY be sent. The error message SHOULD include a + new Echo option. The threshold T is application specific, its value depends e.g. on the freshness requirements of the request. An example message flow is illustrated in Figure 2. Client Server | | +------>| Code: 0.03 (PUT) | PUT | Token: 0x41 | | Uri-Path: lock | | Payload: 0 (Unlock) | | @@ -334,201 +371,233 @@ | | Uri-Path: lock | | Echo: 0x437468756c687521 | | Payload: 0 (Unlock) | | |<------+ Code: 2.04 (Changed) | 2.04 | Token: 0x42 | | Figure 2: Example Echo Option Message Flow + Note that the server does not have to synchronize the time used for + the Echo timestamps with any other party. However, if the server + loses time continuity, e.g. due to reboot, it MUST reject all Echo + values that was created before time continuity was lost. + When used to serve freshness requirements (including client aliveness - and state synchronizing), CoAP requests containing the Echo option - MUST be integrity protected, e.g. using DTLS, TLS, or OSCORE + and state synchronizing), CoAP messages containing the Echo option + MUST be integrity protected between the intended endpoints, e.g. + using DTLS, TLS, or an OSCORE Inner option ([I-D.ietf-core-object-security]). When used to demonstrate reachability at their apparent network address, the Echo option MAY - be used without protection. + be unprotected. - Note that the server does not have to synchronize the time used for - the Echo timestamps with any other party. If the server loses time - synchronization, e.g. due to reboot, it MUST reject all Echo values - that was created before time synchronization was lost. + A CoAP-to-CoAP proxy MAY respond to requests with 4.01 with an Echo + option to ensure the client's reachability at its apparent address, + and MUST remove the Echo option it recognizes as one generated by + itself on follow-up requests. However, it MUST relay the Echo option + of responses unmodified, and MUST relay the Echo option of requests + it does not recognize as generated by itself unmodified. - CoAP-CoAP proxies MUST relay the Echo option unmodified. The CoAP - server side of CoAP-HTTP proxies MAY request freshness, especially if - they have reason to assume that access may require it (e.g. because - it is a PUT or POST); how this is determined is out of scope for this - document. The CoAP client side of HTTP-CoAP-Proxies SHOULD respond - to Echo challenges themselves if they know from the recent - establishing of the connection that the HTTP request is fresh. - Otherwise, they SHOULD respond with 503 Service Unavailable, Retry- - After: 0 and terminate any underlying Keep-Alive connection. They - MAY also use other mechanisms to establish freshness of the HTTP - request that are not specified here. + The CoAP server side of CoAP-to-HTTP proxies MAY request freshness, + especially if they have reason to assume that access may require it + (e.g. because it is a PUT or POST); how this is determined is out of + scope for this document. The CoAP client side of HTTP-to-CoAP + proxies SHOULD respond to Echo challenges themselves if they know + from the recent establishing of the connection that the HTTP request + is fresh. Otherwise, they SHOULD respond with 503 Service + Unavailable, Retry-After: 0 and terminate any underlying Keep-Alive + connection. They MAY also use other mechanisms to establish + freshness of the HTTP request that are not specified here. 2.3. Applications 1. Actuation requests often require freshness guarantees to avoid accidental or malicious delayed actuator actions. In general, all non-safe methods (e.g. POST, PUT, DELETE) may require freshness guarantees for secure operation. - 2. To avoid additional roundtrips for applications with multiple - actuator requests in rapid sequence between the same client and - server, the server may use the Echo option (with a new value) in - response to a request containing the Echo option. The client - then uses the Echo option with the new value in the next - actuation request, and the server compares the receive time - accordingly. + * The same Echo value may be used for multiple actuation + requests to the same server, as long as the total round-trip + time since the Echo option value was generated is below the + freshness threshold. - 3. If a server reboots during operation it may need to synchronize - state with requesting clients before continuing the interaction. + * For actuator applications with low delay tolerance, to avoid + additional round-trips for multiple requests in rapid + sequence, the server may include the Echo option with a new + value in response to a request containing the Echo option. + The client then uses the Echo option with the new value in the + next actuation request, and the server compares the receive + time accordingly. + + 2. A server may use the Echo option to synchronize state or time + with a requesting client. A server MUST NOT synchronize state or + time with clients which are not the authority of the property + being synchronized. E.g. if access to a server resource is + dependent on time, then the client MUST NOT set the time of the + server. + + * If a server reboots during operation it may need to + synchronize state or time before continuing the interaction. For example, with OSCORE it is possible to reuse a partly - persistently stored security context by synchronizing the Partial - IV (sequence number) using the Echo option. + persistently stored security context by synchronizing the + Partial IV (sequence number) using the Echo option, see + Section 7.5 of [I-D.ietf-core-object-security]. - 4. When a device joins a multicast/broadcast group the device may - need to synchronize state or time with the sender to ensure that - the received message is fresh. By synchronizing time with the - broadcaster, time can be used for synchronizing subsequent - broadcast messages. A server MUST NOT synchronize state or time - with clients which are not the authority of the property being - synchronized. E.g. if access to a server resource is dependent - on time, then the client MUST NOT set the time of the server. + * A device joining a CoAP group communication [RFC7390] + protected with OSCORE [I-D.ietf-core-oscore-groupcomm] may be + required to initially verify freshness and synchronize state + or time with a client by using the Echo option in a unicast + response to a multicast request. The client receiving the + response with the Echo option includes the Echo option with + the same value in a request, either in a unicast request to + the responding server, or in a subsequent group request. In + the latter case, the Echo option will be ignored expect by + responding server. - 5. A server that sends large responses to unauthenticated peers + 3. A server that sends large responses to unauthenticated peers SHOULD mitigate amplification attacks such as described in Section 11.3 of [RFC7252] (where an attacker would put a victim's address in the source address of a CoAP request). For this - purpose, the server MAY ask a client to Echo its request to - verify its source address. This needs to be done only once per - peer and limits the range of potential victims from the general - Internet to endpoints that have been previously in contact with - the server. For this application, the Echo option can be used in + purpose, a server MAY ask a client to Echo its request to verify + its source address. This needs to be done only once per peer and + limits the range of potential victims from the general Internet + to endpoints that have been previously in contact with the + server. For this application, the Echo option can be used in messages that are not integrity protected, for example during discovery. - 6. A server may want to verify the aliveness of a client by - responding with an Echo option. + * In the presence of a proxy, a server will not be able to + distiguish different origin client endpoints. Following from + the recommendation above, a proxy that sends large responses + to unauthenticatied peers SHOULD mitigate amplification + attacks. The proxy MAY use Echo to verify origin reachability + as described in Section 2.2. The proxy MAY forward idempotent + requests immediately to have a cached result available when + the client's Echoed request arrives. + + 4. A server may want to use the request freshness provided by the + Echo to verify the aliveness of a client. Note that in a + deployment with hop-by-hop security and proxies, the server can + only verify aliveness of the closest proxy. 3. The Request-Tag Option The Request-Tag is intended for use as a short-lived identifier for keeping apart distinct blockwise request operations on one resource - from one client. It enables the receiving server to reliably - assemble request payloads (blocks) to their message bodies, and, if - it chooses to support it, to reliably process simultaneous blockwise - request operations on a single resource. The requests must be - integrity protected in order to protect against interchange of blocks - between different message bodies. + from one client, addressing the issue described in Section 1.2. It + enables the receiving server to reliably assemble request payloads + (blocks) to their message bodies, and, if it chooses to support it, + to reliably process simultaneous blockwise request operations on a + single resource. The requests must be integrity protected in order + to protect against interchange of blocks between different message + bodies. In essence, it is an implementation of the "proxy-safe elective option" used just to "vary the cache key" as suggested in [RFC7959] Section 2.4. 3.1. Option Format The Request-Tag option is not critical, is safe to forward, repeatable, and part of the cache key, see Figure 3, which extends Table 4 of [RFC7252]). -+-----+---+---+---+---+-------------+--------+--------+---------+---+---+ -| No. | C | U | N | R | Name | Format | Length | Default | E | U | -+-----+---+---+---+---+-------------+--------+--------+---------+---+---+ + +-----+---+---+---+---+-------------+--------+------+---------+---+---+ + | No. | C | U | N | R | Name | Format | Len. | Default | E | U | + +-----+---+---+---+---+-------------+--------+------+---------+---+---+ | TBD | | | | x | Request-Tag | opaque | 0-8 | (none) | x | x | -+-----+---+---+---+---+-------------+--------+--------+---------+---+---+ + +-----+---+---+---+---+-------------+--------+------+---------+---+---+ C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, E = Encrypt and Integrity Protect (when using OSCORE) Figure 3: Request-Tag Option Summary [ Note to RFC editor: If this document is released before core- - object-security, the following paragraph and the "E"/"U" columns - above need to move into OSCORE. ] + object-security, then the following paragraph and the "E"/"U" columns + above need to move into core-object-security, as they are defined in + that draft. ] Request-Tag, like the block options, is both a class E and a class U option in terms of OSCORE processing (see Section 4.1 of [I-D.ietf-core-object-security]): The Request-Tag MAY be an inner or - outer option. The inner option is encrypted and integrity protected + outer option. It influences the inner or outer block operation, + respectively. The inner and outer values are therefore independent + of each other. The inner option is encrypted and integrity protected between client and server, and provides message body identification in case of end-to-end fragmentation of requests. The outer option is visible to proxies and labels message bodies in case of hop-by-hop fragmentation of requests. The Request-Tag option is only used in the request messages of blockwise operations. The Request-Tag mechanism can be applied independently on the server - and client sides of CoAP-CoAP proxies as are the block options, + and client sides of CoAP-to-CoAP proxies as are the block options, though given it is safe to forward, a proxy is free to just forward - it when processing an operation. CoAP-HTTP proxies and HTTP-CoAP - proxies can use Request-Tag on their CoAP sides; it is not applicable - to HTTP requests. + it when processing an operation. CoAP-to-HTTP proxies and HTTP-to- + CoAP proxies can use Request-Tag on their CoAP sides; it is not + applicable to HTTP requests. -3.2. Request-Tag processing by servers +3.2. Request-Tag Processing by Servers The Request-Tag option does not require any particular processing on - the server side: As it varies the set of options that distinguish - blockwise operations (ie. is neither Block1 or Block2 nor elective - NoCacheKey), the server can not treat their messages as belonging to - the same operation. + the server side outside of the processing already necessary for any + unknown elective proxy-safe cache-key option: The option varies the + properties that distinguish blockwise operations (which includes all + options except elective NoCacheKey and except Block1/2), and thus the + server can not treat messages with a different list of Request-Tag + options as belonging to the same operation. To keep utilizing the cache, a server (including proxies) MAY discard the Request-Tag option from an assembled block-wise request when - consulting its cache, as the option describes the individual blocks - but not the operation as a whole. For example, a FETCH request with - the same body can have a fresh response even if they were requested - using different request tags. (This is similar to the situation + consulting its cache, as the option relates to the operation-on-the- + wire and not its semantics. For example, a FETCH request with the + same body as an older one can be served from the cache if the older's + Max-Age has not expired yet, even if the second operation uses a + Request-Tag and the first did not. (This is similar to the situation about ETag in that it is formally part of the cache key, but implementations that are aware of its meaning can cache more efficiently, see [RFC7252] Section 5.4.2). A server receiving a Request-Tag MUST treat it as opaque and make no assumptions about its content or structure. Two messages carrying the same Request-Tag is a necessary but not sufficient condition for being part of the same operation. They can still be treated as independent messages by the server (e.g. when it sends 2.01/2.04 responses for every block), or initiate a new operation (overwriting kept context) when the later message carries Block1 number 0. - [ The following paragraph might be better placed in lwig-coap, but - was left here until lwig-coap has decided on its fate there. ] - As it has always been, a server that can only serve a limited number of block-wise operations at the same time can delay the start of the operation by replying with 5.03 (Service unavailable) and a Max-Age indicating how long it expects the existing operation to go on, or it can forget about the state established with the older operation and - respond with 4.08 (Request Entity Incompelte) to later blocks on the + respond with 4.08 (Request Entity Incomplete) to later blocks on the first operation. - Especially, that is the case for any correctly implemented proxy that - does not know how to use Request-Tag in requests and has only one - client endpoint. When it receives concurrent incoming requests on - the same resource, it needs to make that very choice: either send a - 5.03 with Max-Age (holding off the second operation), or to commence - the second operation and reject any further requests on the first - operation with 4.08 Request Entity Incompelte errors without - forwarding them. (Alternatively, it could spool the second request, - but the unpredictable nature of the timeouts involved often makes - that an unsuitable choice.) - 3.3. Setting the Request-Tag For each separate blockwise request operation, the client can choose a Request-Tag value, or choose not to set a Request-Tag. Starting a request operation matchable to a previous operation and even using - the same Request-Tag value is called request tag recycling. Clients - MUST NOT recycle a request tag unless the first operation has + the same Request-Tag value is called request tag recycling. The + absence of a Request-Tag option is viewed as a value distinct from + all values with a single Request-Tag option set; starting a request + operation matchable to a previous operation where neither has a + Request-Tag option therefore constitutes request tag recycling just + as well (also called "recycling the absent option"). + + Clients MUST NOT recycle a request tag unless the first operation has concluded. What constitutes a concluded operation depends on the application, and is outlined individually in Section 3.4. When Block1 and Block2 are combined in an operation, the Request-Tag of the Block1 phase is set in the Block2 phase as well for otherwise the request would have a different set of options and would not be recognized any more. Clients are encouraged to generate compact messages. This means sending messages without Request-Tag options whenever possible, and @@ -549,24 +618,24 @@ In order to gain that protection, use the Request-Tag mechanism as follows: o The individual exchanges MUST be integrity protected end-to-end between client and server. o The client MUST NOT recycle a request tag in a new operation unless the previous operation matchable to the new one has concluded. - When considering previous operations in protocols where the - security association is not tightly bound to an end point (eg. - OSCORE), the client MUST consider messages sent to _any_ endpoint - with the new operation's security context. + If any future security mechanisms allow a block-wise transfer to + continue after an endpoint's details (like the IP address) have + changed, then the client MUST consider messages sent to _any_ + endpoint address within the new operation's security context. o The client MUST NOT regard a blockwise request operation as concluded unless all of the messages the client previously sent in the operation have been confirmed by the message integrity protection mechanism, or are considered invalid by the server if replayed. Typically, in OSCORE, these confirmations can result either from the client receiving an OSCORE response message matching the request (an empty ACK is insufficient), or because the message's @@ -604,59 +673,57 @@ other active operations: o If any of them is matchable to the new one, and the client neither wants to cancel the old one nor postpone the new one, it can pick a Request-Tag value that is not in use by the other matchable operations for the new operation. o Otherwise, it can start the new operation without setting the Request-Tag option on it. -3.4.3. Simplified block-wise Handling for constrained proxies +3.4.3. Simplified Block-Wise Handling for Constrained Proxies The Block options were defined to be unsafe to forward because a - proxy that woud forward blocks as plain messages would risk mixing up - clients' requests. + proxy that would forward blocks as plain messages would risk mixing + up clients' requests. The Request-Tag option provides a very simple way for a proxy to keep them separate: if it appends a Request-Tag that is particular to the requesting endpoint to all request carrying any Block option, it does not need to keep track of any further block state. - [I-D.ietf-lwig-coap] Section TBD provides further details. - [ Note to reviewers and co-authors: That section was so far only - syggested in input for lwig-coap. If it does not get into the - document, we should drop it here (for I don't want to explain all - this case's details and security considerations here), but if the - reference works, this section shows why Request-Tag has become - repeatable. ] - -3.5. Rationale for the option properties + This is particularly useful to proxies that strive for stateless + operation as described in [I-D.hartke-core-stateless] Section 3.1. - [ This section needs to be reworked after assuming our RFC7959 - interpretation. ] +3.5. Rationale for the Option Properties The Request-Tag option can be elective, because to servers unaware of the Request-Tag option, operations with differing request tags will not be matchable. The Request-Tag option can be safe to forward but part of the cache key, because to proxies unaware of the Request-Tag option will consider operations with differing request tags unmatchable but can still forward them. + The Request-Tag option is repeatable because this easily allows + stateless proxies to "chain" their origin address. Were it a single + option, they would need to employ some length/value scheme to avoid + confusing requests without a Request-Tag option with requests that + carry a zero-length request tag. + In earlier versions of this draft, the Request-Tag option used to be critical and unsafe to forward. That design was based on an erroneous understanding of which blocks could be composed according to [RFC7959]. -3.6. Rationale for introducing the option +3.6. Rationale for Introducing the Option An alternative that was considered to the Request-Tag option for coping with the problem of fragmented message body integrity (Section 3.4.1) was to update [RFC7959] to say that blocks could only be assembled if their fragments' order corresponded to the sequence numbers. That approach would have been difficult to roll out reliably on DTLS where many implementations do not expose sequence numbers, and would still not prevent attacks like in [I-D.mattsson-core-coap-actuators] @@ -673,63 +740,32 @@ matching ETag values are already in place from Section 2.4 of [RFC7959]. To gain equivalent protection to Section 3.4.1, a server MUST use the Block2 option in conjunction with the ETag option ([RFC7252], Section 5.10.6), and MUST NOT use the same ETag value for different representations of a resource. 5. Token Processing - This section updates the Token processing in Section 5.3.1 of - [RFC7252] by adding the following text: + As described in Section 1.3, the client must be able to verify that a + response corresponds to a particular request. This section updates + the Token processing in Section 5.3.1 of [RFC7252] by adding the + following text: When CoAP is used with a security protocol not providing bindings between requests and responses, the client MUST NOT reuse tokens until the traffic keys have been replaced. The easiest way to accomplish this is to implement the Token as a counter, this approach SHOULD be followed. -6. IANA Considerations - - This document adds the following option numbers to the "CoAP Option - Numbers" registry defined by [RFC7252]: - - +--------+-------------+------------+ - | Number | Name | Reference | - +--------+-------------+------------+ - | TBD1 | Echo | [RFC XXXX] | - | | | | - | TBD2 | Request-Tag | [RFC XXXX] | - +--------+-------------+------------+ - - Figure 4: CoAP Option Numbers - -7. Security Considerations - - Implementations SHOULD NOT put any privacy sensitive information in - the Echo or Request-Tag option values. Unencrypted timestamps MAY - reveal information about the server such as its wall clock time or - location. Servers MUST use a monotonic clock to generate timestamps - and compute round-trip times. Servers SHOULD NOT use wall clock time - for timestamps, as wall clock time is not monotonic, may reveal that - the server will accept expired certificates, or reveal the server's - location. Use of non-monotonic clocks is not secure as the server - will accept expired Echo option values if the clock is moved - backward. The server will also reject fresh Echo option values if - the clock is moved forward. An attacker may be able to affect the - server's wall clock time in various ways such as setting up a fake - NTP server or broadcasting false time signals to radio-controlled - clocks. Servers MAY use the time since reboot measured in some unit - of time. Servers MAY reset the timer periodically. When resetting - the timer, the server MUST reject all Echo values that was created - before the reset. +6. Security Considerations The availability of a secure pseudorandom number generator and truly random seeds are essential for the security of the Echo option. If no true random number generator is available, a truly random seed must be provided from an external source. An Echo value with 64 (pseudo-)random bits gives the same theoretical security level against forgeries as a 64-bit MAC (as used in e.g. AES_128_CCM_8). In practice, forgery of an Echo option value is much harder as an attacker must also forge the MAC in the security @@ -741,131 +777,192 @@ etc.). The security provided by the Echo and Request-Tag options depends on the security protocol used. CoAP and HTTP proxies require (D)TLS to be terminated at the proxies. The proxies are therefore able to manipulate, inject, delete, or reorder options or packets. The security claims in such architectures only hold under the assumption that all intermediaries are fully trusted and have not been compromised. + Servers MUST use a monotonic clock to generate timestamps and compute + round-trip times. Use of non-monotonic clocks is not secure as the + server will accept expired Echo option values if the clock is moved + backward. The server will also reject fresh Echo option values if + the clock is moved forward. + + Servers are not allowed to use wall clock time for timestamps, as + wall clock time is not monotonic. Furthermore, an attacker may be + able to affect the server's wall clock time in various ways such as + setting up a fake NTP server or broadcasting false time signals to + radio-controlled clocks. + + Servers MAY use the time since reboot measured in some unit of time. + Servers MAY reset the timer at certain times and MAY generate a + random offset applied to all timestamps. When resetting the timer, + the server MUST reject all Echo values that was created before the + reset. + Servers that use the List of Cached Random Values and Timestamps method described in Appendix A may be vulnerable to resource - exhaustion attacks. On way to minimizing state is to use the + exhaustion attacks. One way to minimize state is to use the Integrity Protected Timestamp method described in Appendix A. -8. References +7. Privacy Considerations -8.1. Normative References + Implementations SHOULD NOT put any privacy sensitive information in + the Echo or Request-Tag option values. Unencrypted timestamps MAY + reveal information about the server such as location or time since + reboot. The use of wall clock time is not allowed (see Section 6) + and there also privacy reasons, e.g. it may reveal that the server + will accept expired certificates. Timestamps MAY be used if Echo is + encrypted between the client and the server, e.g. in the case of DTLS + without proxies or when using OSCORE with an Inner Echo option. + +8. IANA Considerations + + This document adds the following option numbers to the "CoAP Option + Numbers" registry defined by [RFC7252]: + + +--------+-------------+-------------------+ + | Number | Name | Reference | + +--------+-------------+-------------------+ + | TBD1 | Echo | [[this document]] | + | | | | + | TBD2 | Request-Tag | [[this document]] | + +--------+-------------+-------------------+ + + Figure 4: CoAP Option Numbers + +9. References + +9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, June 2014, . [RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in the Constrained Application Protocol (CoAP)", RFC 7959, DOI 10.17487/RFC7959, August 2016, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . -8.2. Informative References +9.2. Informative References + + [I-D.hartke-core-stateless] + Hartke, K., "Extended Tokens and Stateless Clients in the + Constrained Application Protocol (CoAP)", draft-hartke- + core-stateless-01 (work in progress), September 2018. [I-D.ietf-core-object-security] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, "Object Security for Constrained RESTful Environments - (OSCORE)", draft-ietf-core-object-security-13 (work in - progress), June 2018. + (OSCORE)", draft-ietf-core-object-security-15 (work in + progress), August 2018. - [I-D.ietf-lwig-coap] - Kovatsch, M., Bergmann, O., and C. Bormann, "CoAP - Implementation Guidance", draft-ietf-lwig-coap-05 (work in - progress), October 2017. + [I-D.ietf-core-oscore-groupcomm] + Tiloca, M., Selander, G., Palombini, F., and J. Park, + "Group OSCORE - Secure Group Communication for CoAP", + draft-ietf-core-oscore-groupcomm-03 (work in progress), + October 2018. [I-D.mattsson-core-coap-actuators] Mattsson, J., Fornehed, J., Selander, G., Palombini, F., and C. Amsuess, "Controlling Actuators with CoAP", draft- - mattsson-core-coap-actuators-05 (work in progress), March - 2018. - - [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security - (TLS) Protocol Version 1.2", RFC 5246, - DOI 10.17487/RFC5246, August 2008, - . + mattsson-core-coap-actuators-06 (work in progress), + September 2018. [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012, . + [RFC7390] Rahman, A., Ed. and E. Dijk, Ed., "Group Communication for + the Constrained Application Protocol (CoAP)", RFC 7390, + DOI 10.17487/RFC7390, October 2014, + . + [RFC7641] Hartke, K., "Observing Resources in the Constrained Application Protocol (CoAP)", RFC 7641, DOI 10.17487/RFC7641, September 2015, . [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained Application Protocol) over TCP, TLS, and WebSockets", RFC 8323, DOI 10.17487/RFC8323, February 2018, . + [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol + Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, + . + Appendix A. Methods for Generating Echo Option Values The content and structure of the Echo option value are implementation - specific and determined by the server. Use of one of the mechanisms - outlined in this section is RECOMMENDED. + specific and determined by the server. Two simple mechanisms are + outlined in this section, the first is RECOMMENDED in general, and + the second is RECOMMENDED in case the Echo option is encrypted + between the client and the server. Different mechanisms have different tradeoffs between the size of the Echo option value, the amount of server state, the amount of - computation, and the security properties offered. - - o Integrity Protected Timestamp. One method is to construct the - Echo option value as an integrity protected timestamp. The - timestamp can have different resolution and range. A 32-bit - timestamp can e.g. give a resolution of 1 second with a range of - 136 years. The (pseudo-)random secret key is generated by the - server and not shared with any other party. The use of truncated - HMAC-SHA-256 is RECOMMENDED. With a 32-bit timestamp and a 64-bit - MAC, the size of the Echo option value is 12 bytes and the Server - state is small and constant. If the server loses time - synchronization, e.g. due to reboot, the old key MUST be deleted - and replaced by a new random secret key. A server MAY also want - to encrypt its timestamps, depending on the choice of encryption - algorithms, this may require a nonce to be included in the Echo - option value. - - Echo option value: timestamp t0, MAC(k, t0) - Server State: secret key k + computation, and the security properties offered. A server MAY use + different methods and security levels for different uses cases + (client aliveness, request freshness, state synchronization, network + address reachability, etc.). - o List of Cached Random Values and Timestamps. An alternative - method is to construct the Echo option value as a (pseudo-)random - byte string. The server caches a list containing the random byte - strings and their transmission times. Assuming 64-bit random - values and 32-bit timestamps, the size of the Echo option value is - 8 bytes and the amount of server state is 12n bytes, where n is - the number of active Echo Option values. If the server loses time - synchronization, e.g. due to reboot, the entries in the old list - MUST be deleted. + 1. List of Cached Random Values and Timestamps. The Echo option + value is a (pseudo-)random byte string. The server caches a list + containing the random byte strings and their transmission times. + Assuming 64-bit random values and 32-bit timestamps, the size of the + Echo option value is 8 bytes and the amount of server state is 12n + bytes, where n is the number of active Echo Option values. If the + server loses time continuity, e.g. due to reboot, the entries in the + old list MUST be deleted. Echo option value: random value r Server State: random value r, timestamp t0 - A server MAY use different methods and security levels for different - uses cases (client aliveness, request freshness, state - synchronization, network address reachability, etc.). + 2. Integrity Protected Timestamp. The Echo option value is an + integrity protected timestamp. The timestamp can have different + resolution and range. A 32-bit timestamp can e.g. give a resolution + of 1 second with a range of 136 years. The (pseudo-)random secret + key is generated by the server and not shared with any other party. + The use of truncated HMAC-SHA-256 is RECOMMENDED. With a 32-bit + timestamp and a 64-bit MAC, the size of the Echo option value is 12 + bytes and the Server state is small and constant. If the server + loses time continuity, e.g. due to reboot, the old key MUST be + deleted and replaced by a new random secret key. Note that the + privacy considerations in Section 7 may apply to the timestamp. A + server MAY want to encrypt its timestamps, and, depending on the + choice of encryption algorithms, this may require a nonce to be + included in the Echo option value. + + Echo option value: timestamp t0, MAC(k, t0) + Server State: secret key k + + Other mechanisms complying with the security and privacy + considerations may be used. The use of encrypted timestamps in the + Echo option typically requires an IV to be included in the Echo + option value, which adds overhead and makes the specification of such + a mechanims slightly more complicated than the two mechanisms + specified here. Appendix B. Request-Tag Message Size Impact In absence of concurrent operations, the Request-Tag mechanism for body integrity (Section 3.4.1) incurs no overhead if no messages are lost (more precisely: in OSCORE, if no operations are aborted due to repeated transmission failure; in DTLS, if no packages are lost), or when blockwise request operations happen rarely (in OSCORE, if there is always only one request blockwise operation in the replay window). @@ -932,25 +1029,29 @@ * The response code that goes with Echo was changed from 4.03 to 4.01 because the client needs to provide better credentials. * The interaction between the new option and (cross) proxies is now covered. * Two messages being "Request-Tag matchable" was introduced to replace the older concept of having a request tag value with its slightly awkward equivalence definition. +Acknowledgments + + The authors want to thank Jim Schaad for providing valuable input to + the draft. + Authors' Addresses Christian Amsuess Email: christian@amsuess.com - John Mattsson Ericsson AB Email: john.mattsson@ericsson.com Goeran Selander Ericsson AB Email: goran.selander@ericsson.com