draft-ietf-core-resource-directory-25.txt   draft-ietf-core-resource-directory-26.txt 
CoRE Z. Shelby CoRE C. Amsüss, Ed.
Internet-Draft ARM Internet-Draft
Intended status: Standards Track M. Koster Intended status: Standards Track Z. Shelby
Expires: 14 January 2021 SmartThings Expires: 6 May 2021 ARM
M. Koster
SmartThings
C. Bormann C. Bormann
Universitaet Bremen TZI Universitaet Bremen TZI
P. van der Stok P. van der Stok
consultant consultant
C. Amsüss, Ed. 2 November 2020
13 July 2020
CoRE Resource Directory CoRE Resource Directory
draft-ietf-core-resource-directory-25 draft-ietf-core-resource-directory-26
Abstract Abstract
In many IoT applications, direct discovery of resources is not In many IoT applications, direct discovery of resources is not
practical due to sleeping nodes, disperse networks, or networks where practical due to sleeping nodes, or networks where multicast traffic
multicast traffic is inefficient. These problems can be solved by is inefficient. These problems can be solved by employing an entity
employing an entity called a Resource Directory (RD), which contains called a Resource Directory (RD), which contains information about
information about resources held on other servers, allowing lookups resources held on other servers, allowing lookups to be performed for
to be performed for those resources. The input to an RD is composed those resources. The input to an RD is composed of links and the
of links and the output is composed of links constructed from the output is composed of links constructed from the information stored
information stored in the RD. This document specifies the web in the RD. This document specifies the web interfaces that an RD
interfaces that an RD supports for web servers to discover the RD and supports for web servers to discover the RD and to register,
to register, maintain, lookup and remove information on resources. maintain, lookup and remove information on resources. Furthermore,
Furthermore, new target attributes useful in conjunction with an RD new target attributes useful in conjunction with an RD are defined.
are defined.
Note to Readers Note to Readers
Discussion of this document takes place on the CORE Working Group Discussion of this document takes place on the CORE Working Group
mailing list (core@ietf.org), which is archived at mailing list (core@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/core/ https://mailarchive.ietf.org/arch/browse/core/
(https://mailarchive.ietf.org/arch/browse/core/). (https://mailarchive.ietf.org/arch/browse/core/).
Source for this draft and an issue tracker can be found at Source for this draft and an issue tracker can be found at
https://github.com/core-wg/resource-directory (https://github.com/ https://github.com/core-wg/resource-directory (https://github.com/
skipping to change at page 2, line 15 skipping to change at page 2, line 15
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 14 January 2021. This Internet-Draft will expire on 6 May 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 50 skipping to change at page 2, line 50
3.5. Use Case: Cellular M2M . . . . . . . . . . . . . . . . . 12 3.5. Use Case: Cellular M2M . . . . . . . . . . . . . . . . . 12
3.6. Use Case: Home and Building Automation . . . . . . . . . 13 3.6. Use Case: Home and Building Automation . . . . . . . . . 13
3.7. Use Case: Link Catalogues . . . . . . . . . . . . . . . . 14 3.7. Use Case: Link Catalogues . . . . . . . . . . . . . . . . 14
4. RD discovery and other interface-independent components . . . 14 4. RD discovery and other interface-independent components . . . 14
4.1. Finding a Resource Directory . . . . . . . . . . . . . . 15 4.1. Finding a Resource Directory . . . . . . . . . . . . . . 15
4.1.1. Resource Directory Address Option (RDAO) . . . . . . 17 4.1.1. Resource Directory Address Option (RDAO) . . . . . . 17
4.1.2. Using DNS-SD to discover a Resource Directory . . . . 19 4.1.2. Using DNS-SD to discover a Resource Directory . . . . 19
4.2. Payload Content Formats . . . . . . . . . . . . . . . . . 19 4.2. Payload Content Formats . . . . . . . . . . . . . . . . . 19
4.3. URI Discovery . . . . . . . . . . . . . . . . . . . . . . 19 4.3. URI Discovery . . . . . . . . . . . . . . . . . . . . . . 19
5. Registration . . . . . . . . . . . . . . . . . . . . . . . . 22 5. Registration . . . . . . . . . . . . . . . . . . . . . . . . 22
5.1. Simple Registration . . . . . . . . . . . . . . . . . . . 26 5.1. Simple Registration . . . . . . . . . . . . . . . . . . . 27
5.2. Third-party registration . . . . . . . . . . . . . . . . 29 5.2. Third-party registration . . . . . . . . . . . . . . . . 29
5.3. Operations on the Registration Resource . . . . . . . . . 29 5.3. Operations on the Registration Resource . . . . . . . . . 30
5.3.1. Registration Update . . . . . . . . . . . . . . . . . 30 5.3.1. Registration Update . . . . . . . . . . . . . . . . . 30
5.3.2. Registration Removal . . . . . . . . . . . . . . . . 33 5.3.2. Registration Removal . . . . . . . . . . . . . . . . 33
5.3.3. Further operations . . . . . . . . . . . . . . . . . 34 5.3.3. Further operations . . . . . . . . . . . . . . . . . 34
6. RD Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . 34 6. RD Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . 34
6.1. Resource lookup . . . . . . . . . . . . . . . . . . . . . 35 6.1. Resource lookup . . . . . . . . . . . . . . . . . . . . . 35
6.2. Lookup filtering . . . . . . . . . . . . . . . . . . . . 35 6.2. Lookup filtering . . . . . . . . . . . . . . . . . . . . 36
6.3. Resource lookup examples . . . . . . . . . . . . . . . . 37 6.3. Resource lookup examples . . . . . . . . . . . . . . . . 38
6.4. Endpoint lookup . . . . . . . . . . . . . . . . . . . . . 40 6.4. Endpoint lookup . . . . . . . . . . . . . . . . . . . . . 40
7. Security policies . . . . . . . . . . . . . . . . . . . . . . 41 7. Security policies . . . . . . . . . . . . . . . . . . . . . . 41
7.1. Endpoint name . . . . . . . . . . . . . . . . . . . . . . 42 7.1. Endpoint name . . . . . . . . . . . . . . . . . . . . . . 42
7.1.1. Random endpoint names . . . . . . . . . . . . . . . . 42 7.1.1. Random endpoint names . . . . . . . . . . . . . . . . 42
7.2. Entered resources . . . . . . . . . . . . . . . . . . . . 42 7.2. Entered resources . . . . . . . . . . . . . . . . . . . . 42
7.3. Link confidentiality . . . . . . . . . . . . . . . . . . 43 7.3. Link confidentiality . . . . . . . . . . . . . . . . . . 43
7.4. Segmentation . . . . . . . . . . . . . . . . . . . . . . 43 7.4. Segmentation . . . . . . . . . . . . . . . . . . . . . . 43
8. Security Considerations . . . . . . . . . . . . . . . . . . . 44 7.5. First-Come-First-Remembered: A default policy . . . . . . 44
8.1. Endpoint Identification and Authentication . . . . . . . 44 8. Security Considerations . . . . . . . . . . . . . . . . . . . 45
8.2. Access Control . . . . . . . . . . . . . . . . . . . . . 45 8.1. Discovery . . . . . . . . . . . . . . . . . . . . . . . . 46
8.3. Denial of Service Attacks . . . . . . . . . . . . . . . . 45 8.2. Endpoint Identification and Authentication . . . . . . . 46
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46 8.3. Access Control . . . . . . . . . . . . . . . . . . . . . 47
9.1. Resource Types . . . . . . . . . . . . . . . . . . . . . 46 8.4. Denial of Service Attacks . . . . . . . . . . . . . . . . 47
9.2. IPv6 ND Resource Directory Address Option . . . . . . . . 46 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48
9.3. RD Parameter Registry . . . . . . . . . . . . . . . . . . 46 9.1. Resource Types . . . . . . . . . . . . . . . . . . . . . 48
9.3.1. Full description of the "Endpoint Type" Registration 9.2. IPv6 ND Resource Directory Address Option . . . . . . . . 48
Parameter . . . . . . . . . . . . . . . . . . . . . . 49 9.3. RD Parameter Registry . . . . . . . . . . . . . . . . . . 48
9.4. "Endpoint Type" (et=) RD Parameter values . . . . . . . . 49 9.3.1. Full description of the "Endpoint Type" RD
9.5. Multicast Address Registration . . . . . . . . . . . . . 50 Parameter . . . . . . . . . . . . . . . . . . . . . . 51
9.6. Well-Known URIs . . . . . . . . . . . . . . . . . . . . . 50 9.4. "Endpoint Type" (et=) RD Parameter values . . . . . . . . 51
9.5. Multicast Address Registration . . . . . . . . . . . . . 52
9.6. Well-Known URIs . . . . . . . . . . . . . . . . . . . . . 52
9.7. Service Names and Transport Protocol Port Number 9.7. Service Names and Transport Protocol Port Number
Registry . . . . . . . . . . . . . . . . . . . . . . . . 50 Registry . . . . . . . . . . . . . . . . . . . . . . . . 52
10. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 51 10. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 53
10.1. Lighting Installation . . . . . . . . . . . . . . . . . 51 10.1. Lighting Installation . . . . . . . . . . . . . . . . . 53
10.1.1. Installation Characteristics . . . . . . . . . . . . 51 10.1.1. Installation Characteristics . . . . . . . . . . . . 53
10.1.2. RD entries . . . . . . . . . . . . . . . . . . . . . 52 10.1.2. RD entries . . . . . . . . . . . . . . . . . . . . . 54
10.2. OMA Lightweight M2M (LWM2M) Example . . . . . . . . . . 56 10.2. OMA Lightweight M2M (LwM2M) . . . . . . . . . . . . . . 57
10.2.1. The LWM2M Object Model . . . . . . . . . . . . . . . 56 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 58
10.2.2. LWM2M Register Endpoint . . . . . . . . . . . . . . 58 12. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 58
10.2.3. LWM2M Update Endpoint Registration . . . . . . . . . 59 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 72
10.2.4. LWM2M De-Register Endpoint . . . . . . . . . . . . . 60 13.1. Normative References . . . . . . . . . . . . . . . . . . 72
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 60 13.2. Informative References . . . . . . . . . . . . . . . . . 73
12. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Appendix A. Groups Registration and Lookup . . . . . . . . . . . 76
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 71 Appendix B. Web links and the Resource Directory . . . . . . . . 78
13.1. Normative References . . . . . . . . . . . . . . . . . . 71 B.1. A simple example . . . . . . . . . . . . . . . . . . . . 78
13.2. Informative References . . . . . . . . . . . . . . . . . 72 B.1.1. Resolving the URIs . . . . . . . . . . . . . . . . . 79
Appendix A. Groups Registration and Lookup . . . . . . . . . . . 75 B.1.2. Interpreting attributes and relations . . . . . . . . 79
Appendix B. Web links and the Resource Directory . . . . . . . . 76 B.2. A slightly more complex example . . . . . . . . . . . . . 79
B.1. A simple example . . . . . . . . . . . . . . . . . . . . 77 B.3. Enter the Resource Directory . . . . . . . . . . . . . . 80
B.1.1. Resolving the URIs . . . . . . . . . . . . . . . . . 77
B.1.2. Interpreting attributes and relations . . . . . . . . 78
B.2. A slightly more complex example . . . . . . . . . . . . . 78
B.3. Enter the Resource Directory . . . . . . . . . . . . . . 79
B.4. A note on differences between link-format and Link header B.4. A note on differences between link-format and Link header
fields . . . . . . . . . . . . . . . . . . . . . . . . . 80 fields . . . . . . . . . . . . . . . . . . . . . . . . . 82
Appendix C. Limited Link Format . . . . . . . . . . . . . . . . 81 Appendix C. Limited Link Format . . . . . . . . . . . . . . . . 83
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 83
1. Introduction 1. Introduction
In the work on Constrained RESTful Environments (CoRE), a REST In the work on Constrained RESTful Environments (CoRE), a REST
architecture suitable for constrained nodes (e.g. with limited RAM architecture suitable for constrained nodes (e.g. with limited RAM
and ROM [RFC7228]) and networks (e.g. 6LoWPAN [RFC4944]) has been and ROM [RFC7228]) and networks (e.g. 6LoWPAN [RFC4944]) has been
established and is used in Internet-of-Things (IoT) or machine-to- established and is used in Internet-of-Things (IoT) or machine-to-
machine (M2M) applications such as smart energy and building machine (M2M) applications such as smart energy and building
automation. automation.
The discovery of resources offered by a constrained server is very The discovery of resources offered by a constrained server is very
important in machine-to-machine applications where there are no important in machine-to-machine applications where there are no
humans in the loop and static interfaces result in fragility. The humans in the loop and static interfaces result in fragility. The
discovery of resources provided by an HTTP Web Server is typically discovery of resources provided by an HTTP Web Server is typically
called Web Linking [RFC8288]. The use of Web Linking for the called Web Linking [RFC8288]. The use of Web Linking for the
description and discovery of resources hosted by constrained web description and discovery of resources hosted by constrained web
servers is specified by the CoRE Link Format [RFC6690]. However, servers is specified by the CoRE Link Format [RFC6690]. However,
[RFC6690] only describes how to discover resources from the web [RFC6690] only describes how to discover resources from the web
server that hosts them by querying "/.well-known/core". In many server that hosts them by querying "/.well-known/core". In many
constrained scenarios, direct discovery of resources is not practical constrained scenarios, direct discovery of resources is not practical
due to sleeping nodes, disperse networks, or networks where multicast due to sleeping nodes, or networks where multicast traffic is
traffic is inefficient. These problems can be solved by employing an inefficient. These problems can be solved by employing an entity
entity called a Resource Directory (RD), which contains information called a Resource Directory (RD), which contains information about
about resources held on other servers, allowing lookups to be resources held on other servers, allowing lookups to be performed for
performed for those resources. those resources.
This document specifies the web interfaces that an RD supports for This document specifies the web interfaces that an RD supports for
web servers to discover the RD and to register, maintain, lookup and web servers to discover the RD and to register, maintain, lookup and
remove information on resources. Furthermore, new target attributes remove information on resources. Furthermore, new target attributes
useful in conjunction with an RD are defined. Although the examples useful in conjunction with an RD are defined. Although the examples
in this document show the use of these interfaces with CoAP in this document show the use of these interfaces with CoAP
[RFC7252], they can be applied in an equivalent manner to HTTP [RFC7252], they can be applied in an equivalent manner to HTTP
[RFC7230]. [RFC7230].
2. Terminology 2. Terminology
skipping to change at page 6, line 31 skipping to change at page 6, line 31
the term. the term.
Directory Resource Directory Resource
A resource in the RD containing registration resources. A resource in the RD containing registration resources.
Registration Resource Registration Resource
A resource in the RD that contains information about an Endpoint A resource in the RD that contains information about an Endpoint
and its links. and its links.
Commissioning Tool Commissioning Tool
Commissioning Tool (CT) is a device that assists during the Commissioning Tool (CT) is a device that assists during
installation of the network by assigning values to parameters, installation events by assigning values to parameters, naming
naming endpoints and groups, or adapting the installation to the endpoints and groups, or adapting the installation to the needs of
needs of the applications. the applications.
Registrant-ep Registrant-ep
Registrant-ep is the endpoint that is registered into the RD. The Registrant-ep is the endpoint that is registered into the RD. The
registrant-ep can register itself, or a CT registers the registrant-ep can register itself, or a CT registers the
registrant-ep. registrant-ep.
RDAO RDAO
Resource Directory Address Option. A new IPv6 Neighbor Discovery Resource Directory Address Option. A new IPv6 Neighbor Discovery
option defined for announcing an RD's address. option defined for announcing an RD's address.
3. Architecture and Use Cases 3. Architecture and Use Cases
3.1. Principles 3.1. Principles
The RD is primarily a tool to make discovery operations more The RD is primarily a tool to make discovery operations more
efficient than querying /.well-known/core on all connected devices, efficient than querying /.well-known/core on all connected devices,
or across boundaries that would be limiting those operations. or across boundaries that would limit those operations.
It provides information about resources hosted by other devices that It provides information about resources hosted by other devices that
could otherwise only be obtained by directly querying the /.well- could otherwise only be obtained by directly querying the /.well-
known/core resource on these other devices, either by a unicast known/core resource on these other devices, either by a unicast
request or a multicast request. request or a multicast request.
Information SHOULD only be stored in the RD if it can be obtained by Information SHOULD only be stored in the RD if it can be obtained by
querying the described device's /.well-known/core resource directly. querying the described device's /.well-known/core resource directly.
Data in the RD can only be provided by the device which hosts those Data in the RD can only be provided by the device which hosts those
data or a dedicated Commissioning Tool (CT). These CTs are thought data or a dedicated Commissioning Tool (CT). These CTs act on behalf
to act on behalf of endpoints too constrained, or generally unable, of endpoints too constrained, or generally unable, to present that
to present that information themselves. No other client can modify information themselves. No other client can modify data in the RD.
data in the RD. Changes to the information in the RD do not Changes to the information in the RD do not propagate automatically
propagate automatically back to the web servers from where the back to the web servers from where the information originated.
information originated.
3.2. Architecture 3.2. Architecture
The RD architecture is illustrated in Figure 1. An RD is used as a The RD architecture is illustrated in Figure 1. An RD is used as a
repository of registrations describing resources hosted on other web repository of registrations describing resources hosted on other web
servers, also called endpoints (EP). An endpoint is a web server servers, also called endpoints (EP). An endpoint is a web server
associated with a scheme, IP address and port. A physical node may associated with a scheme, IP address and port. A physical node may
host one or more endpoints. The RD implements a set of REST host one or more endpoints. The RD implements a set of REST
interfaces for endpoints to register and maintain RD registrations, interfaces for endpoints to register and maintain RD registrations,
and for endpoints to lookup resources from the RD. An RD can be and for endpoints to lookup resources from the RD. An RD can be
skipping to change at page 9, line 40 skipping to change at page 9, line 40
ooooooooo ooooooooo
Figure 2: ER Model of the content of /.well-known/core Figure 2: ER Model of the content of /.well-known/core
The model shown in Figure 2 models the contents of /.well-known/core The model shown in Figure 2 models the contents of /.well-known/core
which contains: which contains:
* a set of links belonging to the hosting web server * a set of links belonging to the hosting web server
The web server is free to choose links it deems appropriate to be The web server is free to choose links it deems appropriate to be
exposed in its ".well-known/core". Typically, the links describe exposed in its "/.well-known/core". Typically, the links describe
resources that are served by the host, but the set can also contain resources that are served by the host, but the set can also contain
links to resources on other servers (see examples in [RFC6690] page links to resources on other servers (see examples in [RFC6690] page
14). The set does not necessarily contain links to all resources 14). The set does not necessarily contain links to all resources
served by the host. served by the host.
A link has the following attributes (see [RFC8288]): A link has the following attributes (see [RFC8288]):
* Zero or more link relations: They describe relations between the * Zero or more link relations: They describe relations between the
link context and the link target. link context and the link target.
skipping to change at page 12, line 32 skipping to change at page 12, line 32
invited to extend the RD specification to support multiple values invited to extend the RD specification to support multiple values
(e.g. [I-D.silverajan-core-coap-protocol-negotiation]). Its value (e.g. [I-D.silverajan-core-coap-protocol-negotiation]). Its value
is used as a Base URI when resolving URIs in the links contained in is used as a Base URI when resolving URIs in the links contained in
the endpoint. the endpoint.
Links are modelled as they are in Figure 2. Links are modelled as they are in Figure 2.
3.4. Link-local addresses and zone identifiers 3.4. Link-local addresses and zone identifiers
Registration Base URIs can contain link-local IP addresses. To be Registration Base URIs can contain link-local IP addresses. To be
usable across hosts, those can not be serialized to contain zone usable across hosts, those cannot be serialized to contain zone
identifiers (see [RFC6874] Section 1). identifiers (see [RFC6874] Section 1).
Link-local addresses can only be used on a single link (therefore RD Link-local addresses can only be used on a single link (therefore RD
servers can not announce them when queried on a different link), and servers cannot announce them when queried on a different link), and
lookup clients using them need to keep track of which interface they lookup clients using them need to keep track of which interface they
got them from. got them from.
Therefore, it is advisable in many scenarios to use addresses with Therefore, it is advisable in many scenarios to use addresses with
larger scope if available. larger scope if available.
3.5. Use Case: Cellular M2M 3.5. Use Case: Cellular M2M
Over the last few years, mobile operators around the world have Over the last few years, mobile operators around the world have
focused on development of M2M solutions in order to expand the focused on development of M2M solutions in order to expand the
business to the new type of users: machines. The machines are business to the new type of users: machines. The machines are
connected directly to a mobile network using an appropriate embedded connected directly to a mobile network using an appropriate embedded
wireless interface (GSM/GPRS, WCDMA, LTE) or via a gateway providing wireless interface (GSM/GPRS, WCDMA, LTE) or via a gateway providing
short and wide range wireless interfaces. From the system design short and wide range wireless interfaces. The ambition in such
point of view, the ambition is to design horizontal solutions that systems is to build them from reusable components. These speed up
can enable utilization of machines in different applications development and deployment, and enable shared use of machines across
depending on their current availability and capabilities as well as different applications. One crucial component of such systems is the
application requirements, thus avoiding silo like solutions. One of discovery of resources (and thus the endpoints they are hosted on)
the crucial enablers of such design is the ability to discover capable of providing required information at a given time or acting
resources (and thus the endpoints they are hosted on) capable of on instructions from the end users.
providing required information at a given time or acting on
instructions from the end users.
Imagine a scenario where endpoints installed on vehicles enable Imagine a scenario where endpoints installed on vehicles enable
tracking of the position of these vehicles for fleet management tracking of the position of these vehicles for fleet management
purposes and allow monitoring of environment parameters. During the purposes and allow monitoring of environment parameters. During the
boot-up process endpoints register with an RD, which is hosted by the boot-up process endpoints register with an RD, which is hosted by the
mobile operator or somewhere in the cloud. Periodically, these mobile operator or somewhere in the cloud. Periodically, these
endpoints update their registration and may modify resources they endpoints update their registration and may modify resources they
offer. offer.
When endpoints are not always connected, for example because they When endpoints are not always connected, for example because they
skipping to change at page 13, line 35 skipping to change at page 13, line 33
set of link parameters, obtain information on how to contact them set of link parameters, obtain information on how to contact them
(URLs of the proxy server), and then initiate interaction to obtain (URLs of the proxy server), and then initiate interaction to obtain
information that is finally processed, displayed on the screen and information that is finally processed, displayed on the screen and
usually stored in a database. Similarly, fleet management systems usually stored in a database. Similarly, fleet management systems
provide the appropriate link parameters to the RD to look up for EPs provide the appropriate link parameters to the RD to look up for EPs
deployed on the vehicles the application is responsible for. deployed on the vehicles the application is responsible for.
3.6. Use Case: Home and Building Automation 3.6. Use Case: Home and Building Automation
Home and commercial building automation systems can benefit from the Home and commercial building automation systems can benefit from the
use of M2M web services. The discovery requirements of these use of IoT web services. The discovery requirements of these
applications are demanding. Home automation usually relies on run- applications are demanding. Home automation usually relies on run-
time discovery to commission the system, whereas in building time discovery to commission the system, whereas in building
automation a combination of professional commissioning and run-time automation a combination of professional commissioning and run-time
discovery is used. Both home and building automation involve peer- discovery is used. Both home and building automation involve peer-
to-peer interactions between endpoints, and involve battery-powered to-peer interactions between endpoints, and involve battery-powered
sleeping devices. sleeping devices. Both can use the common RD infrastructure to
establish device interactions efficiently, but can pick security
policies suitable for their needs.
Two phases can be discerned for a network servicing the system: (1) Two phases can be discerned for a network servicing the system: (1)
installation and (2) operation. During the operational phase, the installation and (2) operation. During the operational phase, the
network is connected to the Internet with a Border router (6LBR) and network is connected to the Internet with a Border Router (e.g. a
the nodes connected to the network can use the Internet services that 6LoWPAN Border Router (6LBR), see {{RFC6775}) and the nodes connected
are provided by the Internet Provider or the network administrator. to the network can use the Internet services that are provided by the
During the installation phase, the network is completely stand-alone, Internet Provider or the network administrator. During the
no 6LBR is connected, and the network only supports the IP installation phase, the network is completely stand-alone, no Border
Router is connected, and the network only supports the IP
communication between the connected nodes. The installation phase is communication between the connected nodes. The installation phase is
usually followed by the operational phase. usually followed by the operational phase. As an RD's operations
work without hard dependencies on names or addresses, it can be used
for discovery across both phases.
3.7. Use Case: Link Catalogues 3.7. Use Case: Link Catalogues
Resources may be shared through data brokers that have no knowledge Resources may be shared through data brokers that have no knowledge
beforehand of who is going to consume the data. An RD can be used to beforehand of who is going to consume the data. An RD can be used to
hold links about resources and services hosted anywhere to make them hold links about resources and services hosted anywhere to make them
discoverable by a general class of applications. discoverable by a general class of applications.
For example, environmental and weather sensors that generate data for For example, environmental and weather sensors that generate data for
public consumption may provide data to an intermediary server, or public consumption may provide data to an intermediary server, or
skipping to change at page 14, line 42 skipping to change at page 14, line 45
enable access to a particular set of resources from particular enable access to a particular set of resources from particular
applications. This provides isolation and protection of sensitive applications. This provides isolation and protection of sensitive
data when needed. Application groups with multicast addresses may be data when needed. Application groups with multicast addresses may be
defined to support efficient data transport. defined to support efficient data transport.
4. RD discovery and other interface-independent components 4. RD discovery and other interface-independent components
This and the following sections define the required set of REST This and the following sections define the required set of REST
interfaces between an RD, endpoints and lookup clients. Although the interfaces between an RD, endpoints and lookup clients. Although the
examples throughout these sections assume the use of CoAP [RFC7252], examples throughout these sections assume the use of CoAP [RFC7252],
these REST interfaces can also be realized using HTTP [RFC7230]. these REST interfaces can also be realized using HTTP [RFC7230]. The
Only multicast discovery operations are not possible on HTTP, and multicast discovery and simple registration operations are exceptions
Simple Registration can not be executed as base attribute (which is to that, as they rely on mechanisms unavailable in HTTP. In all
mandatory for HTTP) can not be used there. In all definitions in definitions in these sections, both CoAP response codes (with dot
these sections, both CoAP response codes (with dot notation) and HTTP notation) and HTTP response codes (without dot notation) are shown.
response codes (without dot notation) are shown. An RD implementing An RD implementing this specification MUST support the discovery,
this specification MUST support the discovery, registration, update, registration, update, lookup, and removal interfaces.
lookup, and removal interfaces.
All operations on the contents of the RD MUST be atomic and All operations on the contents of the RD MUST be atomic and
idempotent. idempotent.
For several operations, interface templates are given in list form; For several operations, interface templates are given in list form;
those describe the operation participants, request codes, URIs, those describe the operation participants, request codes, URIs,
content formats and outcomes. Sections of those templates contain content formats and outcomes. Sections of those templates contain
normative content about Interaction, Method, URI Template and URI normative content about Interaction, Method, URI Template and URI
Template Variables as well as the details of the Success condition. Template Variables as well as the details of the Success condition.
The additional sections on options like Content-Format and on Failure The additional sections on options like Content-Format and on Failure
codes give typical cases that an implementation of the RD should deal codes give typical cases that an implementation of the RD should deal
with. Those serve to illustrate the typical responses to readers who with. Those serve to illustrate the typical responses to readers who
are not yet familiar with all the details of CoAP based interfaces; are not yet familiar with all the details of CoAP based interfaces;
they do not limit what a server may respond under atypical they do not limit what a server may respond under atypical
circumstances. circumstances.
REST clients (registrant-EPs and CTs during registration and REST clients (registrant-EPs and CTs during registration and
maintenance, lookup clients, RD servers during simple registrations) maintenance, lookup clients, RD servers during simple registrations)
MUST be prepared to receive any unsuccessful code and act upon it must be prepared to receive any unsuccessful code and act upon it
according to its definition, options and/or payload to the best of according to its definition, options and/or payload to the best of
their capabilities, falling back to failing the operation if recovery their capabilities, falling back to failing the operation if recovery
is not possible. In particular, they should retry the request upon is not possible. In particular, they SHOULD retry the request upon
5.03 (Service Unavailable; 503 in HTTP) according to the Max-Age 5.03 (Service Unavailable; 503 in HTTP) according to the Max-Age
(Retry-After in HTTP) option, and fall back to link-format when (Retry-After in HTTP) option, and SHOULD fall back to link-format
receiving 4.15 (Unsupported Content-Format; 415 in HTTP). when receiving 4.15 (Unsupported Content-Format; 415 in HTTP).
An RD MAY make the information submitted to it available to further An RD MAY make the information submitted to it available to further
directories, if it can ensure that a loop does not form. The directories (subject to security policies on link confidentiality),
protocol used between directories to ensure loop-free operation is if it can ensure that a loop does not form. The protocol used
outside the scope of this document. between directories to ensure loop-free operation is outside the
scope of this document.
4.1. Finding a Resource Directory 4.1. Finding a Resource Directory
A (re-)starting device may want to find one or more RDs for discovery A (re-)starting device may want to find one or more RDs before it can
purposes. Dependent on the operational conditions, one or more of discover their URIs. Dependent on the operational conditions, one or
the techniques below apply. more of the techniques below apply.
The device may be pre-configured to exercise specific mechanisms for The device may be pre-configured to exercise specific mechanisms for
finding the RD: finding the RD:
1. It may be configured with a specific IP address for the RD. That 1. It may be configured with a specific IP address for the RD. That
IP address may also be an anycast address, allowing the network IP address may also be an anycast address, allowing the network
to forward RD requests to an RD that is topologically close; each to forward RD requests to an RD that is topologically close; each
target network environment in which some of these preconfigured target network environment in which some of these preconfigured
nodes are to be brought up is then configured with a route for nodes are to be brought up is then configured with a route for
this anycast address that leads to an appropriate RD. (Instead this anycast address that leads to an appropriate RD. (Instead
skipping to change at page 16, line 16 skipping to change at page 16, line 26
return the IP address of the RD; it can find a DNS server to return the IP address of the RD; it can find a DNS server to
perform the lookup using the usual mechanisms for finding DNS perform the lookup using the usual mechanisms for finding DNS
servers. servers.
3. It may be configured to use a service discovery mechanism such as 3. It may be configured to use a service discovery mechanism such as
DNS-SD, as outlined in Section 4.1.2. DNS-SD, as outlined in Section 4.1.2.
For cases where the device is not specifically configured with a way For cases where the device is not specifically configured with a way
to find an RD, the network may want to provide a suitable default. to find an RD, the network may want to provide a suitable default.
1. If the address configuration of the network is performed via 1. The IPv6 Neighbor Discovery option RDAO Section 4.1.1 can do
SLAAC, this is provided by the RDAO option Section 4.1.1. that.
2. If the address configuration of the network is performed via 2. When DHCP is in use, this could be provided via a DHCP option (no
DHCP, this could be provided via a DHCP option (no such option is such option is defined at the time of writing).
defined at the time of writing).
Finally, if neither the device nor the network offers any specific Finally, if neither the device nor the network offers any specific
configuration, the device may want to employ heuristics to find a configuration, the device may want to employ heuristics to find a
suitable RD. suitable RD.
The present specification does not fully define these heuristics, but The present specification does not fully define these heuristics, but
suggests a number of candidates: suggests a number of candidates:
1. In a 6LoWPAN, just assume the Border Router (6LBR) can act as an 1. In a 6LoWPAN, just assume the Border Router (6LBR) can act as an
RD (using the ABRO option to find that [RFC6775]). Confirmation RD (using the ABRO option to find that [RFC6775]). Confirmation
can be obtained by sending a Unicast to "coap://[6LBR]/.well- can be obtained by sending a unicast to "coap://[6LBR]/.well-
known/core?rt=core.rd*". known/core?rt=core.rd*".
2. In a network that supports multicast well, discovering the RD 2. In a network that supports multicast well, discovering the RD
using a multicast query for /.well-known/core as specified in using a multicast query for /.well-known/core as specified in
CoRE Link Format [RFC6690]: Sending a Multicast GET to CoRE Link Format [RFC6690]: Sending a Multicast GET to
"coap://[MCD1]/.well-known/core?rt=core.rd*". RDs within the "coap://[MCD1]/.well-known/core?rt=core.rd*". RDs within the
multicast scope will answer the query. multicast scope will answer the query.
When answering a multicast request directed at a link-local address, When answering a multicast request directed at a link-local group,
the RD may want to respond from a routable address; this makes it the RD may want to respond from a routable address; this makes it
easier for registrants to use one of their own routable addresses for easier for registrants to use one of their own routable addresses for
registration. registration. When [RFC6724] is used for source address selection,
this can be achieved by applying the changes of its Section 10.4,
picking public addresses in its Section 5 Rule 7, and superseding
rule 8 with preferring the source address's precedence.
As some of the RD addresses obtained by the methods listed here are As some of the RD addresses obtained by the methods listed here are
just (more or less educated) guesses, endpoints MUST make use of any just (more or less educated) guesses, endpoints MUST make use of any
error messages to very strictly rate-limit requests to candidate IP error messages to very strictly rate-limit requests to candidate IP
addresses that don't work out. For example, an ICMP Destination addresses that don't work out. For example, an ICMP Destination
Unreachable message (and, in particular, the port unreachable code Unreachable message (and, in particular, the port unreachable code
for this message) may indicate the lack of a CoAP server on the for this message) may indicate the lack of a CoAP server on the
candidate host, or a CoAP error response code such as 4.05 "Method candidate host, or a CoAP error response code such as 4.05 "Method
Not Allowed" may indicate unwillingness of a CoAP server to act as a Not Allowed" may indicate unwillingness of a CoAP server to act as a
directory server. directory server.
skipping to change at page 17, line 28 skipping to change at page 17, line 32
operation, the RDAO option is recommended (e.g. operational phase operation, the RDAO option is recommended (e.g. operational phase
described in Section 3.6). described in Section 3.6).
* In managed networks without border router (no Internet services * In managed networks without border router (no Internet services
available), the use of a preconfigured anycast address is available), the use of a preconfigured anycast address is
recommended (e.g. installation phase described in Section 3.6). recommended (e.g. installation phase described in Section 3.6).
* In networks managed using DNS-SD, the use of DNS-SD for discovery * In networks managed using DNS-SD, the use of DNS-SD for discovery
as described in Section 4.1.2 is recommended. as described in Section 4.1.2 is recommended.
The use of multicast discovery in mesh networks is NOT recommended. The use of multicast discovery in mesh networks is NOT RECOMMENDED.
4.1.1. Resource Directory Address Option (RDAO) 4.1.1. Resource Directory Address Option (RDAO)
The Resource Directory Address Option (RDAO) using IPv6 Neighbor The Resource Directory Address Option (RDAO) carries information
Discovery (ND) carries information about the address of the RD. This about the address of the RD in RAs (Router Advertisements) of IPv6
information is needed when endpoints cannot discover the RD with a Neighbor Discovery (ND), similar to how RDNSS options [RFC8106] are
link-local or realm-local scope multicast address, for instance sent. This information is needed when endpoints cannot discover the
because the endpoint and the RD are separated by a Border Router RD with a link-local or realm-local scope multicast address, for
(6LBR). In many circumstances the availability of DHCP cannot be instance because the endpoint and the RD are separated by a Border
guaranteed either during commissioning of the network. The presence Router (6LBR). In many circumstances the availability of DHCP cannot
and the use of the RD is essential during commissioning. be guaranteed either during commissioning of the network. The
presence and the use of the RD is essential during commissioning.
It is possible to send multiple RDAO options in one message, It is possible to send multiple RDAO options in one message,
indicating as many RD addresses. indicating as many RD addresses.
The RDAO format is: The RDAO format is:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length = 3 | Valid Lifetime | | Type | Length = 3 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | | Valid Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ + + +
| | | |
+ RD Address + + RD Address +
| | | |
+ + + +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Type: TBD38 Type: TBD38
Length: 8-bit unsigned integer. The length of Length: 8-bit unsigned integer. The length of
the option in units of 8 bytes. the option in units of 8 bytes.
Always 3. Always 3.
Valid Lifetime: 16-bit unsigned integer. The length of Reserved: This field is unused. It MUST be
time in units of 60 seconds (relative to initialized to zero by the sender and
MUST be ignored by the receiver.
Valid Lifetime: 32-bit unsigned integer. The length of
time in seconds (relative to
the time the packet is received) that the time the packet is received) that
this RD address is valid. this RD address is valid.
A value of all zero bits (0x0) indicates A value of all zero bits (0x0) indicates
that this RD address that this RD address
is not valid anymore. is not valid anymore.
Reserved: This field is unused. It MUST be
initialized to zero by the sender and
MUST be ignored by the receiver.
RD Address: IPv6 address of the RD. RD Address: IPv6 address of the RD.
Figure 4: Resource Directory Address Option Figure 4: Resource Directory Address Option
4.1.2. Using DNS-SD to discover a Resource Directory 4.1.2. Using DNS-SD to discover a Resource Directory
An RD can advertise its presence in DNS-SD [RFC6763] using the An RD can advertise its presence in DNS-SD [RFC6763] using the
service name "_core-rd._udp" (for CoAP), "_core-rd-dtls._udp" (for service name "_core-rd._udp" (for CoAP), "_core-rd-dtls._udp" (for
CoAP over DTLS), "_core-rd._tcp" (for CoAP over TCP) or "_core-rd- CoAP over DTLS), "_core-rd._tcp" (for CoAP over TCP) or "_core-rd-
tls._tcp" (for CoAP over TLS) defined in this document. (For the tls._tcp" (for CoAP over TLS) defined in this document. (For the
skipping to change at page 19, line 44 skipping to change at page 19, line 44
avoided where possible. avoided where possible.
4.3. URI Discovery 4.3. URI Discovery
Before an endpoint can make use of an RD, it must first know the RD's Before an endpoint can make use of an RD, it must first know the RD's
address and port, and the URI path information for its REST APIs. address and port, and the URI path information for its REST APIs.
This section defines discovery of the RD and its URIs using the well- This section defines discovery of the RD and its URIs using the well-
known interface of the CoRE Link Format [RFC6690] after having known interface of the CoRE Link Format [RFC6690] after having
discovered a host as described in Section 4.1. discovered a host as described in Section 4.1.
Discovery of the RD registration URI path is performed by sending Discovery of the RD registration URI is performed by sending either a
either a multicast or unicast GET request to "/.well-known/core" and multicast or unicast GET request to "/.well-known/core" and including
including a Resource Type (rt) parameter [RFC6690] with the value a Resource Type (rt) parameter [RFC6690] with the value "core.rd" in
"core.rd" in the query string. Likewise, a Resource Type parameter the query string. Likewise, a Resource Type parameter value of
value of "core.rd-lookup*" is used to discover the URIs for RD Lookup "core.rd-lookup*" is used to discover the URIs for RD Lookup
operations, core.rd* is used to discover all URI paths for RD operations, core.rd* is used to discover all URIs for RD operations.
operations. Upon success, the response will contain a payload with a Upon success, the response will contain a payload with a link format
link format entry for each RD function discovered, indicating the URI entry for each RD function discovered, indicating the URI of the RD
of the RD function returned and the corresponding Resource Type. function returned and the corresponding Resource Type. When
performing multicast discovery, the multicast IP address used will
When performing multicast discovery, the multicast IP address used depend on the scope required and the multicast capabilities of the
will depend on the scope required and the multicast capabilities of network (see Section 9.5).
the network (see Section 9.5).
An RD MAY provide hints about the content-formats it supports in the An RD MAY provide hints about the content-formats it supports in the
links it exposes or registers, using the "ct" target attribute, as links it exposes or registers, using the "ct" target attribute, as
shown in the example below. Clients MAY use these hints to select shown in the example below. Clients MAY use these hints to select
alternate content-formats for interaction with the RD. alternate content-formats for interaction with the RD.
HTTP does not support multicast and consequently only unicast HTTP does not support multicast and consequently only unicast
discovery can be supported at the using the HTTP "/.well-known/core" discovery can be supported at the using the HTTP "/.well-known/core"
resource. resource.
RDs implementing this specification MUST support query filtering for RDs implementing this specification MUST support query filtering for
the rt parameter as defined in [RFC6690]. the rt parameter as defined in [RFC6690].
While the link targets in this discovery step are often expressed in While the link targets in this discovery step are often expressed in
path-absolute form, this is not a requirement. Clients of the RD path-absolute form, this is not a requirement. Clients of the RD
SHOULD therefore accept URIs of all schemes they support, both as SHOULD therefore accept URIs of all schemes they support, both as
URIs and relative references, and not limit the set of discovered URIs and relative references, and not limit the set of discovered
URIs to those hosted at the address used for URI discovery. URIs to those hosted at the address used for URI discovery.
With security policies where the client requires the RD to be
authorized to act as an RD, that authorization may be limited to
resources on which the authorized RD advertises the adequate resource
types. Clients that have obtained links they can not rely on yet can
repeat the URI discovery step at the /.well-known/core resource of
the indicated host to obtain the resource type information from an
authorized source.
The URI Discovery operation can yield multiple URIs of a given The URI Discovery operation can yield multiple URIs of a given
resource type. The client of the RD can use any of the discovered resource type. The client of the RD can use any of the discovered
addresses initially. addresses initially.
The discovery request interface is specified as follows (this is The discovery request interface is specified as follows (this is
exactly the Well-Known Interface of [RFC6690] Section 4, with the exactly the Well-Known Interface of [RFC6690] Section 4, with the
additional requirement that the server MUST support query filtering): additional requirement that the server MUST support query filtering):
Interaction: EP and Client -> RD Interaction: EP, CT or Client -> RD
Method: GET Method: GET
URI Template: /.well-known/core{?rt} URI Template: /.well-known/core{?rt}
URI Template Variables: rt := Resource Type. SHOULD contain one of URI Template Variables: rt := Resource Type. SHOULD contain one of
the values "core.rd", "core.rd-lookup*", "core.rd-lookup-res", the values "core.rd", "core.rd-lookup*", "core.rd-lookup-res",
"core.rd-lookup-ep", or "core.rd*" "core.rd-lookup-ep", or "core.rd*"
Accept: absent, application/link-format or any other media type Accept: absent, application/link-format or any other media type
skipping to change at page 21, line 46 skipping to change at page 22, line 9
</rd-lookup/res>;rt="core.rd-lookup-res";ct="40 TBD64 TBD504";obs, </rd-lookup/res>;rt="core.rd-lookup-res";ct="40 TBD64 TBD504";obs,
</rd-lookup/ep>;rt="core.rd-lookup-ep";ct="40 TBD64 TBD504" </rd-lookup/ep>;rt="core.rd-lookup-ep";ct="40 TBD64 TBD504"
Figure 6: Example discovery exchange indicating additional Figure 6: Example discovery exchange indicating additional
content-formats content-formats
From a management and maintenance perspective, it is necessary to From a management and maintenance perspective, it is necessary to
identify the components that constitute the RD server. The identify the components that constitute the RD server. The
identification refers to information about for example client-server identification refers to information about for example client-server
incompatibilities, supported features, required updates and other incompatibilities, supported features, required updates and other
aspects. The URI discovery address, a described in section 4 of aspects. The URI discovery address, as described in section 4 of
[RFC6690] can be used to find the identification. [RFC6690] can be used to find the identification.
It would typically be stored in an implementation information link It would typically be stored in an implementation information link
(as described in [I-D.bormann-t2trg-rel-impl]): (as described in [I-D.bormann-t2trg-rel-impl]):
Req: GET /.well-known/core?rel=impl-info Req: GET /.well-known/core?rel=impl-info
Res: 2.05 Content Res: 2.05 Content
<http://software.example.com/shiny-resource-directory/1.0beta1>; <http://software.example.com/shiny-resource-directory/1.0beta1>;
rel="impl-info" rel="impl-info"
Figure 7: Example exchange of obtaining implementation information Figure 7: Example exchange of obtaining implementation
information, using the relation type currently proposed in the
work-in-progress document
Note that depending on the particular server's architecture, such a Note that depending on the particular server's architecture, such a
link could be anchored at the RD server's root, at the discovery site link could be anchored at the RD server's root, at the discovery site
(as in this example) or at individual RD components. The latter is (as in this example) or at individual RD components. The latter is
to be expected when different applications are run on the same to be expected when different applications are run on the same
server. server.
5. Registration 5. Registration
After discovering the location of an RD, a registrant-ep or CT MAY After discovering the location of an RD, a registrant-ep or CT MAY
skipping to change at page 22, line 51 skipping to change at page 23, line 15
The following rules apply for a registration request targeting a The following rules apply for a registration request targeting a
given (ep, d) value pair: given (ep, d) value pair:
* When the (ep, d) value pair of the registration-request is * When the (ep, d) value pair of the registration-request is
different from any existing registration, a new registration is different from any existing registration, a new registration is
generated. generated.
* When the (ep, d) value pair of the registration-request is equal * When the (ep, d) value pair of the registration-request is equal
to an existing registration, the content and parameters of the to an existing registration, the content and parameters of the
existing registration are replaced with the content of the existing registration are replaced with the content of the
registration request. registration request. Like the later changes to registration
resources, security policies (Section 7) usually require such
requests to come from the same device.
The posted link-format document can (and typically does) contain The posted link-format document can (and typically does) contain
relative references both in its link targets and in its anchors, or relative references both in its link targets and in its anchors, or
contain empty anchors. The RD server needs to resolve these contain empty anchors. The RD server needs to resolve these
references in order to faithfully represent them in lookups. They references in order to faithfully represent them in lookups. They
are resolved against the base URI of the registration, which is are resolved against the base URI of the registration, which is
provided either explicitly in the "base" parameter or constructed provided either explicitly in the "base" parameter or constructed
implicitly from the requester's URI as constructed from its network implicitly from the requester's URI as constructed from its network
address and scheme. address and scheme.
For media types to which Appendix C applies (i.e. documents in For media types to which Appendix C applies (i.e. documents in
application/link-format), the RD only needs to accept representations application/link-format), the RD only needs to accept representations
in Limited Link Format as described there. Its behavior with in Limited Link Format as described there. Its behavior with
representations outside that subset is implementation defined. representations outside that subset is implementation defined.
The registration request interface is specified as follows: The registration request interface is specified as follows:
Interaction: EP -> RD Interaction: EP or CT -> RD
Method: POST Method: POST
URI Template: {+rd}{?ep,d,lt,base,extra-attrs*} URI Template: {+rd}{?ep,d,lt,base,extra-attrs*}
URI Template Variables: rd := RD registration URI (mandatory). URI Template Variables: rd := RD registration URI (mandatory).
This is the location of the RD, as obtained from discovery. This is the location of the RD, as obtained from discovery.
ep := Endpoint name (mostly mandatory). ep := Endpoint name (mostly mandatory).
The endpoint name is an identifier that MUST be unique within a The endpoint name is an identifier that MUST be unique within a
sector. As the endpoint name is a Unicode string, it is sector. As the endpoint name is a Unicode string, it is
encoded in UTF-8 (and possibly pct-encoded) during variable encoded in UTF-8 (and possibly pct-encoded) during variable
expansion (see [RFC6570] Section 3.2.1). The endpoint name expansion (see [RFC6570] Section 3.2.1). The endpoint name
MUST NOT contain any character in the inclusive ranges 0-31 or MUST NOT contain any character in the inclusive ranges 0-31 or
127-159. The maximum length of this parameter is 63 UTF-8 127-159. The maximum length of this parameter is 63 UTF-8
encoded bytes. If the RD is configured to recognize the encoded bytes. If the RD is configured to recognize the
endpoint (e.g. based on its security context), the RD assigns endpoint to be authorized to use exactly one endpoint name, the
an endpoint name based on a set of configuration parameter RD assigns that name. In that case, giving the endpoint name
values. becomes optional for the client; if the client gives any other
endpoint name, it is not authorized to perform the
registration.
d := Sector (optional). The sector to d := Sector (optional). The sector to
which this endpoint belongs. When this parameter is not which this endpoint belongs. When this parameter is not
present, the RD MAY associate the endpoint with a configured present, the RD MAY associate the endpoint with a configured
default sector or leave it empty. The sector is encoded like default sector (possibly based on the endpoint's authorization)
the ep parameter, and is limited to 63 UTF-8 encoded bytes as or leave it empty. The sector is encoded like the ep
well. The endpoint name and sector name are not set when one parameter, and is limited to 63 UTF-8 encoded bytes as well.
or both are set in an accompanying authorization token.
lt := Lifetime (optional). Lifetime of the lt := Lifetime (optional). Lifetime of the
registration in seconds. Range of 1-4294967295. If no registration in seconds. Range of 1-4294967295. If no
lifetime is included in the initial registration, a default lifetime is included in the initial registration, a default
value of 90000 (25 hours) SHOULD be assumed. value of 90000 (25 hours) SHOULD be assumed.
base := Base URI (optional). This base := Base URI (optional). This
parameter sets the base URI of the registration, under which parameter sets the base URI of the registration, under which
the relative links in the payload are to be interpreted. The the relative links in the payload are to be interpreted. The
specified URI typically does not have a path component of its specified URI typically does not have a path component of its
own, and MUST be suitable as a base URI to resolve any relative own, and MUST be suitable as a base URI to resolve any relative
references given in the registration. The parameter is references given in the registration. The parameter is
skipping to change at page 24, line 35 skipping to change at page 24, line 47
":" followed by its port (if it was not the protocol's default ":" followed by its port (if it was not the protocol's default
one) in analogy to [RFC7252] Section 6.5. one) in analogy to [RFC7252] Section 6.5.
This parameter is mandatory when the directory is filled by a This parameter is mandatory when the directory is filled by a
third party such as an commissioning tool. third party such as an commissioning tool.
If the registrant-ep uses an ephemeral port to register with, If the registrant-ep uses an ephemeral port to register with,
it MUST include the base parameter in the registration to it MUST include the base parameter in the registration to
provide a valid network path. provide a valid network path.
A registrant that can not be reached by potential lookup A registrant that cannot be reached by potential lookup clients
clients at the address it registers from (e.g. because it is at the address it registers from (e.g. because it is behind
behind some form of Network Address Translation (NAT)) MUST some form of Network Address Translation (NAT)) MUST provide a
provide a reachable base address with its registration. reachable base address with its registration.
If the Base URI contains a link-local IP literal, it MUST NOT If the Base URI contains a link-local IP literal, it MUST NOT
contain a Zone Identifier, and MUST be local to the link on contain a Zone Identifier, and MUST be local to the link on
which the registration request is received. which the registration request is received.
Endpoints that register with a base that contains a path Endpoints that register with a base that contains a path
component can not meaningfully use [RFC6690] Link Format due to component cannot meaningfully use [RFC6690] Link Format due to
its prevalence of the Origin concept in relative reference its prevalence of the Origin concept in relative reference
resolution. Those applications should use different resolution. Those applications should use different
representations of links to which Appendix C is not applicable representations of links to which Appendix C is not applicable
(e.g. [I-D.hartke-t2trg-coral]). (e.g. [I-D.hartke-t2trg-coral]).
extra-attrs := Additional registration extra-attrs := Additional registration
attributes (optional). The endpoint can pass any parameter attributes (optional). The endpoint can pass any parameter
registered at Section 9.3 to the directory. If the RD is aware registered at Section 9.3 to the directory. If the RD is aware
of the parameter's specified semantics, it processes it of the parameter's specified semantics, it processes it
accordingly. Otherwise, it MUST store the unknown key and its accordingly. Otherwise, it MUST store the unknown key and its
value(s) as an endpoint attribute for further lookup. value(s) as an endpoint attribute for further lookup.
Content-Format: application/link-format or any other indicated media Content-Format: application/link-format or any other indicated media
type representing web links type representing web links
The following response is expected on this interface: The following response is expected on this interface:
skipping to change at page 26, line 8 skipping to change at page 26, line 18
the whole registration time, not only for a single operation. the whole registration time, not only for a single operation.
The following example shows a registrant-ep with the name "node1" The following example shows a registrant-ep with the name "node1"
registering two resources to an RD using this interface. The registering two resources to an RD using this interface. The
location "/rd" is an example RD location discovered in a request location "/rd" is an example RD location discovered in a request
similar to Figure 5. similar to Figure 5.
Req: POST coap://rd.example.com/rd?ep=node1 Req: POST coap://rd.example.com/rd?ep=node1
Content-Format: 40 Content-Format: 40
Payload: Payload:
</sensors/temp>;ct=41;rt="temperature-c";if="sensor", </sensors/temp>;rt="temperature-c";if="sensor",
<http://www.example.com/sensors/temp>; <http://www.example.com/sensors/temp>;
anchor="/sensors/temp";rel="describedby" anchor="/sensors/temp";rel="describedby"
Res: 2.01 Created Res: 2.01 Created
Location-Path: /rd/4521 Location-Path: /rd/4521
Figure 8: Example registration payload Figure 8: Example registration payload
An RD may optionally support HTTP. Here is an example of almost the An RD may optionally support HTTP. Here is an example of almost the
same registration operation above, when done using HTTP. same registration operation above, when done using HTTP.
Req: Req:
POST /rd?ep=node1&base=http://[2001:db8:1::1] HTTP/1.1 POST /rd?ep=node1&base=http://[2001:db8:1::1] HTTP/1.1
Host: example.com Host: rd.example.com
Content-Type: application/link-format Content-Type: application/link-format
</sensors/temp>;ct=41;rt="temperature-c";if="sensor", </sensors/temp>;rt="temperature-c";if="sensor",
<http://www.example.com/sensors/temp>; <http://www.example.com/sensors/temp>;
anchor="/sensors/temp";rel="describedby" anchor="/sensors/temp";rel="describedby"
Res: Res:
HTTP/1.1 201 Created HTTP/1.1 201 Created
Location: /rd/4521 Location: /rd/4521
Figure 9: Example registration payload as expressed using HTTP Figure 9: Example registration payload as expressed using HTTP
5.1. Simple Registration 5.1. Simple Registration
skipping to change at page 27, line 6 skipping to change at page 27, line 24
This approach requires that the registrant-ep makes available the This approach requires that the registrant-ep makes available the
hosted resources that it wants to be discovered, as links on its hosted resources that it wants to be discovered, as links on its
"/.well-known/core" interface as specified in [RFC6690]. The links "/.well-known/core" interface as specified in [RFC6690]. The links
in that document are subject to the same limitations as the payload in that document are subject to the same limitations as the payload
of a registration (with respect to Appendix C). of a registration (with respect to Appendix C).
* The registrant-ep finds one or more addresses of the directory * The registrant-ep finds one or more addresses of the directory
server as described in Section 4.1. server as described in Section 4.1.
* The registrant-ep sends (and regularly refreshes with) a POST * The registrant-ep sends (and regularly refreshes with) a POST
request to the "/.well-known/core" URI of the directory server of request to the "/.well-known/rd" URI of the directory server of
choice. The body of the POST request is empty, and triggers the choice. The body of the POST request is empty, and triggers the
resource directory server to perform GET requests at the resource directory server to perform GET requests at the
requesting registrant-ep's /.well-known/core to obtain the link- requesting registrant-ep's /.well-known/core to obtain the link-
format payload to register. format payload to register.
The registrant-ep includes the same registration parameters in the The registrant-ep includes the same registration parameters in the
POST request as it would per Section 5. The registration base URI POST request as it would per Section 5. The registration base URI
of the registration is taken from the registrant-ep's network of the registration is taken from the registrant-ep's network
address (as is default with regular registrations). address (as is default with regular registrations).
Example request from registrant-EP to RD (unanswered until the Example request from registrant-EP to RD (unanswered until the
next step): next step):
Req: POST /.well-known/core?lt=6000&ep=node1 Req: POST /.well-known/rd?lt=6000&ep=node1
(No payload) (No payload)
Figure 10: First half example exchange of a simple registration Figure 10: First half example exchange of a simple registration
* The RD queries the registrant-ep's discovery resource to determine * The RD queries the registrant-ep's discovery resource to determine
the success of the operation. It SHOULD keep a cache of the the success of the operation. It SHOULD keep a cache of the
discovery resource and not query it again as long as it is fresh. discovery resource and not query it again as long as it is fresh.
Example request from the RD to the registrant-EP: Example request from the RD to the registrant-EP:
skipping to change at page 27, line 49 skipping to change at page 28, line 23
Figure 11: Example exchange of the RD querying the simple endpoint Figure 11: Example exchange of the RD querying the simple endpoint
With this response, the RD would answer the previous step's request: With this response, the RD would answer the previous step's request:
Res: 2.04 Changed Res: 2.04 Changed
Figure 12: Second half example exchange of a simple registration Figure 12: Second half example exchange of a simple registration
The sequence of fetching the registration content before sending a The sequence of fetching the registration content before sending a
successful response was chosen to make responses reliable, and the successful response was chosen to make responses reliable, and the
caching item was chosen to still allow very constrained registrants. point about caching was chosen to still allow very constrained
Registrants MUST be able to serve a GET request to "/.well-known/ registrants. Registrants MUST be able to serve a GET request to
core" after having requested registration. Constrained devices MAY "/.well-known/core" after having requested registration. Constrained
regard the initial request as temporarily failed when they need RAM devices MAY regard the initial request as temporarily failed when
occupied by their own request to serve the RD's GET, and retry later they need RAM occupied by their own request to serve the RD's GET,
when the RD already has a cached representation of their discovery and retry later when the RD already has a cached representation of
resources. Then, the RD can reply immediately and the registrant can their discovery resources. Then, the RD can reply immediately and
receive the response. the registrant can receive the response.
The simple registration request interface is specified as follows: The simple registration request interface is specified as follows:
Interaction: EP -> RD Interaction: EP -> RD
Method: POST Method: POST
URI Template: /.well-known/core{?ep,d,lt,extra-attrs*} URI Template: /.well-known/rd{?ep,d,lt,extra-attrs*}
URI Template Variables are as they are for registration in Section 5. URI Template Variables are as they are for registration in Section 5.
The base attribute is not accepted to keep the registration interface The base attribute is not accepted to keep the registration interface
simple; that rules out registration over CoAP-over-TCP or HTTP that simple; that rules out registration over CoAP-over-TCP or HTTP that
would need to specify one. would need to specify one. For some time during this document's
development, the URI template "/.well-known/core{?ep,...}" has been
in use instead.
The following response is expected on this interface: The following response is expected on this interface:
Success: 2.04 "Changed". Success: 2.04 "Changed".
For the second interaction triggered by the above, the registrant-ep For the second interaction triggered by the above, the registrant-ep
takes the role of server and the RD the role of client. (Note that takes the role of server and the RD the role of client. (Note that
this is exactly the Well-Known Interface of [RFC6690] Section 4): this is exactly the Well-Known Interface of [RFC6690] Section 4):
Interaction: RD -> EP Interaction: RD -> EP
skipping to change at page 30, line 9 skipping to change at page 30, line 33
occurs in order to enable the registering endpoint to eventually occurs in order to enable the registering endpoint to eventually
refresh the registration. The RD MAY eventually remove the refresh the registration. The RD MAY eventually remove the
registration resource for the purpose of garbage collection. If the registration resource for the purpose of garbage collection. If the
Registration Resource is removed, the corresponding endpoint will Registration Resource is removed, the corresponding endpoint will
need to be re-registered. need to be re-registered.
The Registration Resource may also be used cancel the registration The Registration Resource may also be used cancel the registration
using DELETE, and to perform further operations beyond the scope of using DELETE, and to perform further operations beyond the scope of
this specification. this specification.
These operations are described below. The operations on the Registration Resource are described below.
5.3.1. Registration Update 5.3.1. Registration Update
The update interface is used by the registering endpoint to refresh The update interface is used by the registering endpoint to refresh
or update its registration with an RD. To use the interface, the or update its registration with an RD. To use the interface, the
registering endpoint sends a POST request to the registration registering endpoint sends a POST request to the registration
resource returned by the initial registration operation. resource returned by the initial registration operation.
An update MAY update the lifetime or the base URI registration An update MAY update registration parameters like lifetime, base URI
parameters "lt", "base" as in Section 5. Parameters that are not or others. Parameters that are not being changed should not be
being changed SHOULD NOT be included in an update. Adding parameters included in an update. Adding parameters that have not changed
that have not changed increases the size of the message but does not increases the size of the message but does not have any other
have any other implications. Parameters MUST be included as query implications. Parameters are included as query parameters in an
parameters in an update operation as in Section 5. update operation as in Section 5.
A registration update resets the timeout of the registration to the A registration update resets the timeout of the registration to the
(possibly updated) lifetime of the registration, independent of (possibly updated) lifetime of the registration, independent of
whether a "lt" parameter was given. whether a "lt" parameter was given.
If the base URI of the registration is changed in an update, relative If the base URI of the registration is changed in an update, relative
references submitted in the original registration or later updates references submitted in the original registration or later updates
are resolved anew against the new base. are resolved anew against the new base.
The registration update operation only describes the use of POST with The registration update operation only describes the use of POST with
an empty payload. Future standards might describe the semantics of an empty payload. Future standards might describe the semantics of
using content formats and payloads with the POST method to update the using content formats and payloads with the POST method to update the
links of a registration (see Section 5.3.3). links of a registration (see Section 5.3.3).
The update registration request interface is specified as follows: The update registration request interface is specified as follows:
Interaction: EP -> RD Interaction: EP or CT -> RD
Method: POST Method: POST
URI Template: {+location}{?lt,base,extra-attrs*} URI Template: {+location}{?lt,base,extra-attrs*}
URI Template Variables: location := This is the Location returned URI Template Variables: location := This is the Location returned
by the RD as a result of a successful earlier registration. by the RD as a result of a successful earlier registration.
lt := Lifetime (optional). Lifetime of the lt := Lifetime (optional). Lifetime of the
registration in seconds. Range of 1-4294967295. If no registration in seconds. Range of 1-4294967295. If no
lifetime is included, the previous last lifetime set on a lifetime is included, the previous last lifetime set on a
previous update or the original registration (falling back to previous update or the original registration (falling back to
90000) SHOULD be used. 90000) SHOULD be used.
base := Base URI (optional). This base := Base URI (optional). This
parameter updates the Base URI established in the original parameter updates the Base URI established in the original
registration to a new value. If the parameter is set in an registration to a new value, and is subject to the same
update, it is stored by the RD as the new Base URI under which restrictions as in the registration. If the parameter is set
to interpret the relative links present in the payload of the in an update, it is stored by the RD as the new Base URI under
original registration, following the same restrictions as in which to interpret the relative links present in the payload of
the registration. If the parameter is not set in the request the original registration. If the parameter is not set in the
but was set before, the previous Base URI value is kept request but was set before, the previous Base URI value is kept
unmodified. If the parameter is not set in the request and was unmodified. If the parameter is not set in the request and was
not set before either, the source address and source port of not set before either, the source address and source port of
the update request are stored as the Base URI. the update request are stored as the Base URI.
extra-attrs := Additional registration extra-attrs := Additional registration
attributes (optional). As with the registration, the RD attributes (optional). As with the registration, the RD
processes them if it knows their semantics. Otherwise, unknown processes them if it knows their semantics. Otherwise, unknown
attributes are stored as endpoint attributes, overriding any attributes are stored as endpoint attributes, overriding any
previously stored endpoint attributes of the same key. previously stored endpoint attributes of the same key.
skipping to change at page 31, line 48 skipping to change at page 32, line 20
Content-Format: none (no payload) Content-Format: none (no payload)
The following responses are expected on this interface: The following responses are expected on this interface:
Success: 2.04 "Changed" or 204 "No Content" if the update was Success: 2.04 "Changed" or 204 "No Content" if the update was
successfully processed. successfully processed.
Failure: 4.04 "Not Found" or 404 "Not Found". Registration does not Failure: 4.04 "Not Found" or 404 "Not Found". Registration does not
exist (e.g. may have been removed). exist (e.g. may have been removed).
If the registration fails in any way, including "Not Found" and If the registration update fails in any way, including "Not Found"
request timeouts, or if the time indicated in a Service Unavailable and request timeouts, or if the time indicated in a Service
Max-Age/Retry-After exceeds the remaining lifetime, the registering Unavailable Max-Age/Retry-After exceeds the remaining lifetime, the
endpoint SHOULD attempt registration again. registering endpoint SHOULD attempt registration again.
The following example shows how the registering endpoint updates its The following example shows how the registering endpoint resets the
registration resource at an RD using this interface with the example timeout on its registration resource at an RD using this interface
location value: /rd/4521. with the example location value: /rd/4521.
Req: POST /rd/4521 Req: POST /rd/4521
Res: 2.04 Changed Res: 2.04 Changed
Figure 13: Example update of a registration Figure 13: Example update of a registration
The following example shows the registering endpoint updating its The following example shows the registering endpoint updating its
registration resource at an RD using this interface with the example registration resource at an RD using this interface with the example
location value: /rd/4521. The initial registration by the location value: /rd/4521. The initial registration by the
skipping to change at page 32, line 34 skipping to change at page 33, line 9
* Base URI (base)=coap://local-proxy-old.example.com:5683 * Base URI (base)=coap://local-proxy-old.example.com:5683
* payload of Figure 8 * payload of Figure 8
The initial state of the RD is reflected in the following request: The initial state of the RD is reflected in the following request:
Req: GET /rd-lookup/res?ep=endpoint1 Req: GET /rd-lookup/res?ep=endpoint1
Res: 2.05 Content Res: 2.05 Content
Payload: Payload:
<coap://local-proxy-old.example.com:5683/sensors/temp>;ct=41; <coap://local-proxy-old.example.com:5683/sensors/temp>;
rt="temperature-c";if="sensor"; rt="temperature-c";if="sensor";
anchor="coap://local-proxy-old.example.com:5683/", anchor="coap://local-proxy-old.example.com:5683/",
<http://www.example.com/sensors/temp>; <http://www.example.com/sensors/temp>;
anchor="coap://local-proxy-old.example.com:5683/sensors/temp"; anchor="coap://local-proxy-old.example.com:5683/sensors/temp";
rel="describedby" rel="describedby"
Figure 14: Example lookup before a change to the base address Figure 14: Example lookup before a change to the base address
The following example shows the registering endpoint changing the The following example shows the registering endpoint changing the
Base URI to "coaps://new.example.com:5684": Base URI to "coaps://new.example.com:5684":
skipping to change at page 33, line 9 skipping to change at page 33, line 33
Res: 2.04 Changed Res: 2.04 Changed
Figure 15: Example registration update that changes the base address Figure 15: Example registration update that changes the base address
The consecutive query returns: The consecutive query returns:
Req: GET /rd-lookup/res?ep=endpoint1 Req: GET /rd-lookup/res?ep=endpoint1
Res: 2.05 Content Res: 2.05 Content
Payload: Payload:
<coap://new.example.com:5684/sensors/temp>;ct=41; <coap://new.example.com:5684/sensors/temp>;
rt="temperature-c";if="sensor"; rt="temperature-c";if="sensor";
anchor="coap://new.example.com:5684/", anchor="coap://new.example.com:5684/",
<http://www.example.com/sensors/temp>; <http://www.example.com/sensors/temp>;
anchor="coap://new.example.com:5684/sensors/temp"; anchor="coap://new.example.com:5684/sensors/temp";
rel="describedby" rel="describedby"
Figure 16: Example lookup after a change to the base address Figure 16: Example lookup after a change to the base address
5.3.2. Registration Removal 5.3.2. Registration Removal
Although RD registrations have soft state and will eventually timeout Although RD registrations have soft state and will eventually timeout
after their lifetime, the registering endpoint SHOULD explicitly after their lifetime, the registering endpoint SHOULD explicitly
remove an entry from the RD if it knows it will no longer be remove an entry from the RD if it knows it will no longer be
available (for example on shut-down). This is accomplished using a available (for example on shut-down). This is accomplished using a
removal interface on the RD by performing a DELETE on the endpoint removal interface on the RD by performing a DELETE on the endpoint
resource. resource.
The removal request interface is specified as follows: The removal request interface is specified as follows:
Interaction: EP -> RD Interaction: EP or CT -> RD
Method: DELETE Method: DELETE
URI Template: {+location} URI Template: {+location}
URI Template Variables: location := This is the Location returned URI Template Variables: location := This is the Location returned
by the RD as a result of a successful earlier registration. by the RD as a result of a successful earlier registration.
The following responses are expected on this interface: The following responses are expected on this interface:
skipping to change at page 35, line 8 skipping to change at page 35, line 28
| Resource | core.rd-lookup-res | Mandatory | | Resource | core.rd-lookup-res | Mandatory |
+-------------+--------------------+-----------+ +-------------+--------------------+-----------+
| Endpoint | core.rd-lookup-ep | Mandatory | | Endpoint | core.rd-lookup-ep | Mandatory |
+-------------+--------------------+-----------+ +-------------+--------------------+-----------+
Table 1: Lookup Types Table 1: Lookup Types
6.1. Resource lookup 6.1. Resource lookup
Resource lookup results in links that are semantically equivalent to Resource lookup results in links that are semantically equivalent to
the links submitted to the RD. The links and link parameters the links submitted to the RD by the registrant. The links and link
returned by the lookup are equal to the submitted ones, except that parameters returned by the lookup are equal to the originally
the target and anchor references are fully resolved. submitted ones, except that the target and anchor references are
fully resolved.
Links that did not have an anchor attribute are therefore returned Links that did not have an anchor attribute are therefore returned
with the base URI of the registration as the anchor. Links of which with the base URI of the registration as the anchor. Links of which
href or anchor was submitted as a (full) URI are returned with these href or anchor was submitted as a (full) URI are returned with these
attributes unmodified. attributes unmodified.
Above rules allow the client to interpret the response as links The above rules allow the client to interpret the response as links
without any further knowledge of the storage conventions of the RD. without any further knowledge of the storage conventions of the RD.
The RD MAY replace the registration base URIs with a configured The RD MAY replace the registration base URIs with a configured
intermediate proxy, e.g. in the case of an HTTP lookup interface for intermediate proxy, e.g. in the case of an HTTP lookup interface for
CoAP endpoints. CoAP endpoints.
If the base URI of a registration contains a link-local address, the If the base URI of a registration contains a link-local address, the
RD MUST NOT show its links unless the lookup was made from the same RD MUST NOT show its links unless the lookup was made from the link
link. The RD MUST NOT include zone identifiers in the resolved URIs. on which the registered endpoint can be reached. The RD MUST NOT
include zone identifiers in the resolved URIs.
6.2. Lookup filtering 6.2. Lookup filtering
Using the Accept Option, the requester can control whether the Using the Accept Option, the requester can control whether the
returned list is returned in CoRE Link Format ("application/link- returned list is returned in CoRE Link Format ("application/link-
format", default) or in alternate content-formats (e.g. from format", default) or in alternate content-formats (e.g. from
[I-D.ietf-core-links-json]). [I-D.ietf-core-links-json]).
The page and count parameters are used to obtain lookup results in
specified increments using pagination, where count specifies how many
links to return and page specifies which subset of links organized in
sequential pages, each containing 'count' links, starting with link
zero and page zero. Thus, specifying count of 10 and page of 0 will
return the first 10 links in the result set (links 0-9). Count = 10
and page = 1 will return the next 'page' containing links 10-19, and
so on.
Multiple search criteria MAY be included in a lookup. All included Multiple search criteria MAY be included in a lookup. All included
criteria MUST match for a link to be returned. The RD MUST support criteria MUST match for a link to be returned. The RD MUST support
matching with multiple search criteria. matching with multiple search criteria.
A link matches a search criterion if it has an attribute of the same A link matches a search criterion if it has an attribute of the same
name and the same value, allowing for a trailing "*" wildcard name and the same value, allowing for a trailing "*" wildcard
operator as in Section 4.1 of [RFC6690]. Attributes that are defined operator as in Section 4.1 of [RFC6690]. Attributes that are defined
as "link-type" match if the search value matches any of their values as "relation-types" (in the link-format ABNF) match if the search
(see Section 4.1 of [RFC6690]; e.g. "?if=core.s" matches ";if="abc value matches any of their values (see Section 4.1 of [RFC6690]; e.g.
core.s";"). A resource link also matches a search criterion if its "?if=tag:example.net,2020:sensor" matches ";if="example.regname
endpoint would match the criterion, and vice versa, an endpoint link tag:example.net,2020:sensor";"). A resource link also matches a
matches a search criterion if any of its resource links matches it. search criterion if its endpoint would match the criterion, and vice
versa, an endpoint link matches a search criterion if any of its
resource links matches it.
Note that "href" is a valid search criterion and matches target Note that "href" is a valid search criterion and matches target
references. Like all search criteria, on a resource lookup it can references. Like all search criteria, on a resource lookup it can
match the target reference of the resource link itself, but also the match the target reference of the resource link itself, but also the
registration resource of the endpoint that registered it. Queries registration resource of the endpoint that registered it. Queries
for resource link targets MUST be in URI form (i.e. not relative for resource link targets MUST be in URI form (i.e. not relative
references) and are matched against a resolved link target. Queries references) and are matched against a resolved link target. Queries
for endpoints SHOULD be expressed in path-absolute form if possible for endpoints SHOULD be expressed in path-absolute form if possible
and MUST be expressed in URI form otherwise; the RD SHOULD recognize and MUST be expressed in URI form otherwise; the RD SHOULD recognize
either. The "anchor" attribute is usable for resource lookups, and, either. The "anchor" attribute is usable for resource lookups, and,
if queried, MUST be for in URI form as well. if queried, MUST be in URI form as well.
Additional query parameters "page" and "count" are used to obtain
lookup results in specified increments using pagination, where count
specifies how many links to return and page specifies which subset of
links organized in sequential pages, each containing 'count' links,
starting with link zero and page zero. Thus, specifying count of 10
and page of 0 will return the first 10 links in the result set (links
0-9). Count = 10 and page = 1 will return the next 'page' containing
links 10-19, and so on.
Endpoints that are interested in a lookup result repeatedly or Endpoints that are interested in a lookup result repeatedly or
continuously can use mechanisms like ETag caching, resource continuously can use mechanisms like ETag caching, resource
observation ([RFC7641]), or any future mechanism that might allow observation ([RFC7641]), or any future mechanism that might allow
more efficient observations of collections. These are advertised, more efficient observations of collections. These are advertised,
detected and used according to their own specifications and can be detected and used according to their own specifications and can be
used with the lookup interface as with any other resource. used with the lookup interface as with any other resource.
When resource observation is used, every time the set of matching When resource observation is used, every time the set of matching
links changes, or the content of a matching link changes, the RD links changes, or the content of a matching link changes, the RD
skipping to change at page 37, line 42 skipping to change at page 38, line 18
6.3. Resource lookup examples 6.3. Resource lookup examples
The examples in this section assume the existence of CoAP hosts with The examples in this section assume the existence of CoAP hosts with
a default CoAP port 61616. HTTP hosts are possible and do not change a default CoAP port 61616. HTTP hosts are possible and do not change
the nature of the examples. the nature of the examples.
The following example shows a client performing a resource lookup The following example shows a client performing a resource lookup
with the example resource look-up locations discovered in Figure 5: with the example resource look-up locations discovered in Figure 5:
Req: GET /rd-lookup/res?rt=temperature Req: GET /rd-lookup/res?rt=tag:example.org,2020:temperature
Res: 2.05 Content Res: 2.05 Content
<coap://[2001:db8:3::123]:61616/temp>;rt="temperature"; <coap://[2001:db8:3::123]:61616/temp>;
anchor="coap://[2001:db8:3::123]:61616" rt="tag:example.org,2020:temperature";
anchor="coap://[2001:db8:3::123]:61616"
Figure 18: Example a resource lookup Figure 18: Example a resource lookup
A client that wants to be notified of new resources as they show up A client that wants to be notified of new resources as they show up
can use observation: can use observation:
Req: GET /rd-lookup/res?rt=light Req: GET /rd-lookup/res?rt=tag:example.org,2020:light
Observe: 0 Observe: 0
Res: 2.05 Content Res: 2.05 Content
Observe: 23 Observe: 23
Payload: empty Payload: empty
(at a later point in time) (at a later point in time)
Res: 2.05 Content Res: 2.05 Content
Observe: 24 Observe: 24
Payload: Payload:
<coap://[2001:db8:3::124]/west>;rt="light"; <coap://[2001:db8:3::124]/west>;rt="tag:example.org,2020:light";
anchor="coap://[2001:db8:3::124]", anchor="coap://[2001:db8:3::124]",
<coap://[2001:db8:3::124]/south>;rt="light"; <coap://[2001:db8:3::124]/south>;rt="tag:example.org,2020:light";
anchor="coap://[2001:db8:3::124]", anchor="coap://[2001:db8:3::124]",
<coap://[2001:db8:3::124]/east>;rt="light"; <coap://[2001:db8:3::124]/east>;rt="tag:example.org,2020:light";
anchor="coap://[2001:db8:3::124]" anchor="coap://[2001:db8:3::124]"
Figure 19: Example an observing resource lookup Figure 19: Example an observing resource lookup
The following example shows a client performing a paginated resource The following example shows a client performing a paginated resource
lookup lookup
Req: GET /rd-lookup/res?page=0&count=5 Req: GET /rd-lookup/res?page=0&count=5
Res: 2.05 Content Res: 2.05 Content
<coap://[2001:db8:3::123]:61616/res/0>;rt=sensor;ct=60; <coap://[2001:db8:3::123]:61616/res/0>;ct=60;
anchor="coap://[2001:db8:3::123]:61616", anchor="coap://[2001:db8:3::123]:61616",
<coap://[2001:db8:3::123]:61616/res/1>;rt=sensor;ct=60; <coap://[2001:db8:3::123]:61616/res/1>;ct=60;
anchor="coap://[2001:db8:3::123]:61616", anchor="coap://[2001:db8:3::123]:61616",
<coap://[2001:db8:3::123]:61616/res/2>;rt=sensor;ct=60; <coap://[2001:db8:3::123]:61616/res/2>;ct=60;
anchor="coap://[2001:db8:3::123]:61616", anchor="coap://[2001:db8:3::123]:61616",
<coap://[2001:db8:3::123]:61616/res/3>;rt=sensor;ct=60; <coap://[2001:db8:3::123]:61616/res/3>;ct=60;
anchor="coap://[2001:db8:3::123]:61616", anchor="coap://[2001:db8:3::123]:61616",
<coap://[2001:db8:3::123]:61616/res/4>;rt=sensor;ct=60; <coap://[2001:db8:3::123]:61616/res/4>;ct=60;
anchor="coap://[2001:db8:3::123]:61616" anchor="coap://[2001:db8:3::123]:61616"
Req: GET /rd-lookup/res?page=1&count=5 Req: GET /rd-lookup/res?page=1&count=5
Res: 2.05 Content Res: 2.05 Content
<coap://[2001:db8:3::123]:61616/res/5>;rt=sensor;ct=60; <coap://[2001:db8:3::123]:61616/res/5>;ct=60;
anchor="coap://[2001:db8:3::123]:61616", anchor="coap://[2001:db8:3::123]:61616",
<coap://[2001:db8:3::123]:61616/res/6>;rt=sensor;ct=60; <coap://[2001:db8:3::123]:61616/res/6>;ct=60;
anchor="coap://[2001:db8:3::123]:61616", anchor="coap://[2001:db8:3::123]:61616",
<coap://[2001:db8:3::123]:61616/res/7>;rt=sensor;ct=60; <coap://[2001:db8:3::123]:61616/res/7>;ct=60;
anchor="coap://[2001:db8:3::123]:61616", anchor="coap://[2001:db8:3::123]:61616",
<coap://[2001:db8:3::123]:61616/res/8>;rt=sensor;ct=60; <coap://[2001:db8:3::123]:61616/res/8>;ct=60;
anchor="coap://[2001:db8:3::123]:61616", anchor="coap://[2001:db8:3::123]:61616",
<coap://[2001:db8:3::123]:61616/res/9>;rt=sensor;ct=60; <coap://[2001:db8:3::123]:61616/res/9>;ct=60;
anchor="coap://[2001:db8:3::123]:61616" anchor="coap://[2001:db8:3::123]:61616"
Figure 20: Examples of paginated resource lookup Figure 20: Examples of paginated resource lookup
The following example shows a client performing a lookup of all The following example shows a client performing a lookup of all
resources of all endpoints of a given endpoint type. It assumes that resources of all endpoints of a given endpoint type. It assumes that
two endpoints (with endpoint names "sensor1" and "sensor2") have two endpoints (with endpoint names "sensor1" and "sensor2") have
previously registered with their respective addresses previously registered with their respective addresses
"coap://sensor1.example.com" and "coap://sensor2.example.com", and "coap://sensor1.example.com" and "coap://sensor2.example.com", and
posted the very payload of the 6th request of section 5 of [RFC6690]. posted the very payload of the 6th response of section 5 of
[RFC6690].
It demonstrates how absolute link targets stay unmodified, while It demonstrates how absolute link targets stay unmodified, while
relative ones are resolved: relative ones are resolved:
Req: GET /rd-lookup/res?et=oic.d.sensor Req: GET /rd-lookup/res?et=tag:example.com,2020:platform
<coap://sensor1.example.com/sensors>;ct=40;title="Sensor Index"; <coap://sensor1.example.com/sensors>;ct=40;title="Sensor Index";
anchor="coap://sensor1.example.com", anchor="coap://sensor1.example.com",
<coap://sensor1.example.com/sensors/temp>;rt="temperature-c"; <coap://sensor1.example.com/sensors/temp>;rt="temperature-c";
if="sensor"; anchor="coap://sensor1.example.com", if="sensor"; anchor="coap://sensor1.example.com",
<coap://sensor1.example.com/sensors/light>;rt="light-lux"; <coap://sensor1.example.com/sensors/light>;rt="light-lux";
if="sensor"; anchor="coap://sensor1.example.com", if="sensor"; anchor="coap://sensor1.example.com",
<http://www.example.com/sensors/t123>;rel="describedby"; <http://www.example.com/sensors/t123>;rel="describedby";
anchor="coap://sensor1.example.com/sensors/temp", anchor="coap://sensor1.example.com/sensors/temp",
<coap://sensor1.example.com/t>;rel="alternate"; <coap://sensor1.example.com/t>;rel="alternate";
skipping to change at page 40, line 32 skipping to change at page 40, line 32
if="sensor"; anchor="coap://sensor2.example.com", if="sensor"; anchor="coap://sensor2.example.com",
<http://www.example.com/sensors/t123>;rel="describedby"; <http://www.example.com/sensors/t123>;rel="describedby";
anchor="coap://sensor2.example.com/sensors/temp", anchor="coap://sensor2.example.com/sensors/temp",
<coap://sensor2.example.com/t>;rel="alternate"; <coap://sensor2.example.com/t>;rel="alternate";
anchor="coap://sensor2.example.com/sensors/temp" anchor="coap://sensor2.example.com/sensors/temp"
Figure 21: Example of resource lookup from multiple endpoints Figure 21: Example of resource lookup from multiple endpoints
6.4. Endpoint lookup 6.4. Endpoint lookup
The endpoint lookup returns registration resources which can only be The endpoint lookup returns links to and information about
manipulated by the registering endpoint. registration resources, which themselves can only be manipulated by
the registering endpoint.
Endpoint registration resources are annotated with their endpoint Endpoint registration resources are annotated with their endpoint
names (ep), sectors (d, if present) and registration base URI (base; names (ep), sectors (d, if present) and registration base URI (base;
reports the registrant-ep's address if no explicit base was given) as reports the registrant-ep's address if no explicit base was given) as
well as a constant resource type (rt="core.rd-ep"); the lifetime (lt) well as a constant resource type (rt="core.rd-ep"); the lifetime (lt)
is not reported. Additional endpoint attributes are added as target is not reported. Additional endpoint attributes are added as target
attributes to their endpoint link unless their specification says attributes to their endpoint link unless their specification says
otherwise. otherwise.
Links to endpoints SHOULD be presented in path-absolute form or, if Links to endpoints SHOULD be presented in path-absolute form or, if
skipping to change at page 41, line 9 skipping to change at page 41, line 9
Base addresses that contain link-local addresses MUST NOT include Base addresses that contain link-local addresses MUST NOT include
zone identifiers, and such registrations MUST NOT be shown unless the zone identifiers, and such registrations MUST NOT be shown unless the
lookup was made from the same link from which the registration was lookup was made from the same link from which the registration was
made. made.
While Endpoint Lookup does expose the registration resources, the RD While Endpoint Lookup does expose the registration resources, the RD
does not need to make them accessible to clients. Clients SHOULD NOT does not need to make them accessible to clients. Clients SHOULD NOT
attempt to dereference or manipulate them. attempt to dereference or manipulate them.
An RD can report endpoints in lookup that are not hosted at the same An RD can report registrations in lookup whose URI scheme and
address. Lookup clients MUST be prepared to see arbitrary URIs as authority differ from the lookup resource's. Lookup clients MUST be
registration resources in the results and treat them as opaque prepared to see arbitrary URIs as registration resources in the
identifiers; the precise semantics of such links are left to future results and treat them as opaque identifiers; the precise semantics
specifications. of such links are left to future specifications.
The following example shows a client performing an endpoint type (et) The following example shows a client performing an endpoint lookup
lookup with the value oic.d.sensor (which is currently a registered limited to endpoints of endpoint type
rt value): "tag:example.com,2020:platform":
Req: GET /rd-lookup/ep?et=oic.d.sensor Req: GET /rd-lookup/ep?et=tag:example.com,2020:platform
Res: 2.05 Content Res: 2.05 Content
</rd/1234>;base="coap://[2001:db8:3::127]:61616";ep="node5"; </rd/1234>;base="coap://[2001:db8:3::127]:61616";ep="node5";
et="oic.d.sensor";ct="40";rt="core.rd-ep", et="tag:example.com,2020:platform";ct="40";rt="core.rd-ep",
</rd/4521>;base="coap://[2001:db8:3::129]:61616";ep="node7"; </rd/4521>;base="coap://[2001:db8:3::129]:61616";ep="node7";
et="oic.d.sensor";ct="40";d="floor-3";rt="core.rd-ep" et="tag:example.com,2020:platform";ct="40";d="floor-3";
rt="core.rd-ep"
Figure 22: Examples of endpoint lookup Figure 22: Examples of endpoint lookup
7. Security policies 7. Security policies
The security policies that are applicable to an RD strongly depend on The security policies that are applicable to an RD strongly depend on
the application, and are not set out normatively here. the application, and are not set out normatively here.
This section provides a list of aspects that applications should This section provides a list of aspects that applications should
consider when describing their use of the RD, without claiming to consider when describing their use of the RD, without claiming to
cover all cases. It is using terminology of cover all cases. It is using terminology of
[I-D.ietf-ace-oauth-authz], in which the RD acts as the Resource [I-D.ietf-ace-oauth-authz], in which the RD acts as the Resource
Server (RS), and both registrant-eps and lookup clients act as Server (RS), and both registrant-eps and lookup clients act as
Clients (C) with support from an Authorization Server (AS), without Clients (C) with support from an Authorization Server (AS), without
the intention of ruling out other (e.g. certificate / public-key the intention of ruling out other (e.g. certificate / public-key
infrastructure (PKI) based) schemes. infrastructure (PKI) based) schemes.
Any, all or none of the below can apply to an application. Which are Any, all or none of the below can apply to an application. Which are
relevant depends on its protection objectives. relevant depends on its protection objectives.
Security policies are set by configuration of the RD, or by choice of
the implementation. Lookup clients (and, where relevant, endpoints)
can only trust an RD to uphold them if it is authenticated, and
authorized to serve as an RD according to the application's
requirements.
7.1. Endpoint name 7.1. Endpoint name
Whenever an RD needs to provide trustworthy results to clients doing Whenever an RD needs to provide trustworthy results to clients doing
endpoint lookup, or resource lookup with filtering on the endpoint endpoint lookup, or resource lookup with filtering on the endpoint
name, the RD must ensure that the registrant is authorized to use the name, the RD must ensure that the registrant is authorized to use the
given endpoint name. This applies both to registration and later to given endpoint name. This applies both to registration and later to
operations on the registration resource. It is immaterial there operations on the registration resource. It is immaterial whether
whether the client is the registrant-ep itself or a CT is doing the the client is the registrant-ep itself or a CT is doing the
registration: The RD can not tell the difference, and CTs may use registration: The RD cannot tell the difference, and CTs may use
authorization credentials authorizing only operations on that authorization credentials authorizing only operations on that
particular endpoint name, or a wider range of endpoint names. particular endpoint name, or a wider range of endpoint names.
When certificates are used as authorization credentials, the It is up to the concrete security policy to describe how endpoint
sector(s) and endpoint name(s) can be transported in the subject. In name and sector are transported when certificates are used. For
an ACE context, those are typically transported in a scope claim. example, it may describe how SubjectAltName dNSName entries are
mapped to endpoint and domain names.
7.1.1. Random endpoint names 7.1.1. Random endpoint names
Conversely, in applications where the RD does not check the endpoint Conversely, in applications where the RD does not check the endpoint
name, the authorized registering endpoint can generate a random name, the authorized registering endpoint can generate a random
number (or string) that identifies the endpoint. The RD should then number (or string) that identifies the endpoint. The RD should then
remember unique properties of the registrant, associate them with the remember unique properties of the registrant, associate them with the
registration for as long as its registration resource is active registration for as long as its registration resource is active
(which may be longer than the registration's lifetime), and require (which may be longer than the registration's lifetime), and require
the same properties for operations on the registration resource. the same properties for operations on the registration resource.
Registrants that are prepared to pick a different identifier when Registrants that are prepared to pick a different identifier when
their initial attempt at registration is unauthorized should pick an their initial attempt (or attempts, in the unlikely case of two
subsequent collisions) at registration is unauthorized should pick an
identifier at least twice as long as the expected number of identifier at least twice as long as the expected number of
registrants; registrants without such a recovery options should pick registrants; registrants without such a recovery options should pick
significantly longer endpoint names (e.g. using UUID URNs [RFC4122]). significantly longer endpoint names (e.g. using UUID URNs [RFC4122]).
7.2. Entered resources 7.2. Entered resources
When lookup clients expect that certain types of links can only When lookup clients expect that certain types of links can only
originate from certain endpoints, then the RD needs to apply originate from certain endpoints, then the RD needs to apply
filtering to the links an endpoint may register. filtering to the links an endpoint may register.
skipping to change at page 43, line 13 skipping to change at page 43, line 9
credentials to do so, independently of its endpoint name. credentials to do so, independently of its endpoint name.
Note that the impact of having undesirable links in the RD depends on Note that the impact of having undesirable links in the RD depends on
the application: if the client requires the firmware server to the application: if the client requires the firmware server to
present credentials as a firmware server, a fraudulent link's impact present credentials as a firmware server, a fraudulent link's impact
is limited to the client revealing its intention to obtain updates is limited to the client revealing its intention to obtain updates
and slowing down the client until it finds a legitimate firmware and slowing down the client until it finds a legitimate firmware
server; if the client accepts any credentials from the server as long server; if the client accepts any credentials from the server as long
as they fit the provided URI, the impact is larger. as they fit the provided URI, the impact is larger.
An RD may also require that only links are registered on whose anchor An RD may also require that links are only registered if the
(or even target) the RD recognizes as authoritative of. One way to registrant is authorized to publish information about the anchor (or
do this is to demand that the registrant present the same credentials even target) of the link. One way to do this is to demand that the
as a client that they'd need to present if contacted as a server at registrant present the same credentials as a client that they'd need
the resources' URI, which may include using the address and port that to present if contacted as a server at the resources' URI, which may
are part of the URI. Such a restriction places severe practical include using the address and port that are part of the URI. Such a
limitations on the links that can be registered. restriction places severe practical limitations on the links that can
be registered.
As above, the impact of undesirable links depends on the extent to As above, the impact of undesirable links depends on the extent to
which the lookup client relies on the RD. To avoid the limitations, which the lookup client relies on the RD. To avoid the limitations,
RD applications should consider prescribe that lookup clients only RD applications should consider prescribing that lookup clients only
use the discovered information as hints, and describe which pieces of use the discovered information as hints, and describe which pieces of
information need to be verified with the server because they impact information need to be verified because they impact the application's
the application's security. security. A straightforward way to verify such information is to
request it again from an authorized server, typically the one that
hosts the target resource. That similar to what happens in
Section 4.3 when the URI discovery step is repeated.
7.3. Link confidentiality 7.3. Link confidentiality
When registrants publish information in the RD that is not available When registrants publish information in the RD that is not available
to any client that would query the registrant's .well-known/core to any client that would query the registrant's /.well-known/core
interface, or when lookups to that interface are subject so stricter interface, or when lookups to that interface are subject so stricter
firewalling than lookups to the RD, the RD may need to limit which firewalling than lookups to the RD, the RD may need to limit which
lookup clients may access the information. lookup clients may access the information.
In those situations, the registrant needs to be careful to In this case, the endpoint (and not the lookup clients) needs to be
authenticate the RD as well. The registrant needs to know in advance careful to check the RD's authorization.
which AS, audience and scope values indicate an RD it may trust for
this purpose, and can not rely on the RD to provide AS address and
token details. (In contrast, in the other scenarios it may try to
register, and follow the pointers the RD gives it as to which
credentials it needs to provide in order to perform its
registration).
7.4. Segmentation 7.4. Segmentation
Within a single RD, different security policies can apply. Within a single RD, different security policies can apply.
One example of this are multi-tenant deployments separated by the One example of this are multi-tenant deployments separated by the
sector (d) parameter. Some sectors might apply limitations on the sector (d) parameter. Some sectors might apply limitations on the
endpoint names available, while others use a random identifier endpoint names available, while others use a random identifier
approach to endpoint names and place limits on the entered links approach to endpoint names and place limits on the entered links
based on their attributes instead. based on their attributes instead.
Care must be taken in such setups to determine the applicable access Care must be taken in such setups to determine the applicable access
control measures to each operation. One easy way to do that is to control measures to each operation. One easy way to do that is to
mandate the use of the sector parameter on all operations, as no mandate the use of the sector parameter on all operations, as no
credentials are suitable for operations across sector borders anyway. credentials are suitable for operations across sector borders anyway.
7.5. First-Come-First-Remembered: A default policy
The First-Come-First-Remembered policy is provided both as a
reference example for a security policy definition, and as a policy
that implementations may choose to use as default policy in absence
of other configuration. It is designed to enable efficient discovery
operations even in ad-hoc settings.
Under this policy, the RD accepts registrations for any endpoint name
that is not assigned to an active registration resource, and only
accepts registration updates from the same endpoint. The policy is
minimal in that towards lookup clients it does not make any of the
claims of Section 7.2 and Section 7.3, and its claims on Section 7.1
are limited to the lifetime of that endpoint's registration. It
does, however, guarantee towards any endpoint that for the duration
of its registration, its links will be discoverable on the RD.
When a registration or operation is attempted, the RD MUST determine
the client's subject name or public key:
* If the client's credentials indicate any subject name that is
certified by any authority which the RD recognizes (which may be
the system's trust anchor store), all those subject names are
stored. With CWT or JWT based credentials (as common with ACE),
the Subject (sub) claim is stored as a single name, if it exists.
With X.509 certificates, the Common Name (CN) and the complete
list of SubjectAltName entries are stored. In both cases, the
authority that certified the claim is stored along with the
subject, as the latter may only be locally unique.
* Otherwise, if the client proves possession of a private key, the
matching public key is stored. This applies both to raw public
keys and to the public keys indicated in certificates that failed
the above authority check.
* If neither is present, a reference to the security session itself
is stored. With (D)TLS, that is the connection itself, or the
session resumption information if available. With OSCORE, that is
the security context.
As part of the registration operation, that information is stored
along with the registration resource.
The RD MUST accept all registrations whose registration resource is
not already active, as long as they are made using a security layer
supported by the RD.
Any operation on a registration resource, including registrations
that lead to an existing registration resource, MUST be rejected by
the RD unless all the stored information is found in the new
request's credentials.
Note that even though subject names are compared in this policy, they
are never directly compared to endpoint names, and an endpoint can
not expect to "own" any particular endpoint name outside of an active
registration - even if a certificate says so. It is an accepted
shortcoming of this approach that the endpoint has no indication of
whether the RD remembers it by its subject name or public key;
recognition by subject happens on a best-effort base (given the RD
may not recognize any authority). Clients MUST be prepared to pick a
different endpoint name when rejected by the RD initially or after a
change in their credentials; picking an endpoint name as per
Section 7.1.1 is an easy option for that.
For this policy to be usable without configuration, clients should
not set a sector name in their registrations. An RD can set a
default sector name for registrations accepted under this policy,
which is useful especially in a segmented setup where different
policies apply to different sectors. The configuration of such a
behavior, as well as any other configuration applicable to such an RD
(i.e. the set of recognized authorities) is out of scope for this
document.
8. Security Considerations 8. Security Considerations
The security considerations as described in Section 5 of [RFC8288] The security considerations as described in Section 5 of [RFC8288]
and Section 6 of [RFC6690] apply. The "/.well-known/core" resource and Section 6 of [RFC6690] apply. The "/.well-known/core" resource
may be protected e.g. using DTLS when hosted on a CoAP server as may be protected e.g. using DTLS when hosted on a CoAP server as
described in [RFC7252]. DTLS or TLS based security SHOULD be used on described in [RFC7252].
all resource directory interfaces defined in this document.
8.1. Endpoint Identification and Authentication Access that is limited or affects sensitive data SHOULD be protected,
e.g. using (D)TLS or OSCORE ([RFC8613]; which aspects of the RD this
affects depends on the security policies of the application (see
Section 7).
8.1. Discovery
Most steps in discovery of the RD, and possibly its resources, are
not covered by CoAP's security mechanisms. This will not endanger
the security properties of the registrations and lookup itself (where
the client requires authorization of the RD if it expects any
security properties of the operation), but may leak the client's
intention to third parties, and allow them to slow down the process.
To mitigate that, clients can retain the RD's address, use secure
discovery options like configured addresses, and send queries for RDs
in a very general form ("?rt=core.rd*" rather than "?rt=core.rd-
lookup-ep").
8.2. Endpoint Identification and Authentication
An Endpoint (name, sector) pair is unique within the set of endpoints An Endpoint (name, sector) pair is unique within the set of endpoints
registered by the RD. An Endpoint MUST NOT be identified by its registered by the RD. An Endpoint MUST NOT be identified by its
protocol, port or IP address as these may change over the lifetime of protocol, port or IP address as these may change over the lifetime of
an Endpoint. an Endpoint.
Every operation performed by an Endpoint on an RD SHOULD be mutually Every operation performed by an Endpoint on an RD SHOULD be mutually
authenticated using Pre-Shared Key, Raw Public Key or Certificate authenticated using Pre-Shared Key, Raw Public Key or Certificate
based security. based security.
skipping to change at page 44, line 48 skipping to change at page 46, line 43
to access A or B can do so. to access A or B can do so.
Now, imagine that a malicious device A wants to sabotage the device Now, imagine that a malicious device A wants to sabotage the device
B. It uses its credentials during the DTLS exchange. Then, it B. It uses its credentials during the DTLS exchange. Then, it
specifies the endpoint name of device B as the name of its own specifies the endpoint name of device B as the name of its own
endpoint in device A. If the server does not check whether the endpoint in device A. If the server does not check whether the
identifier provided in the DTLS handshake matches the identifier used identifier provided in the DTLS handshake matches the identifier used
at the CoAP layer then it may be inclined to use the endpoint name at the CoAP layer then it may be inclined to use the endpoint name
for looking up what information to provision to the malicious device. for looking up what information to provision to the malicious device.
Endpoint authentication needs to be checked independently of whether Endpoint authorization needs to be checked on registration and
there are configured requirements on the credentials for a given registration resource operations independently of whether there are
endpoint name (Section 7.1) or whether arbitrary names are accepted configured requirements on the credentials for a given endpoint name
(and sector; Section 7.1) or whether arbitrary names are accepted
(Section 7.1.1). (Section 7.1.1).
Simple registration could be used to circumvent address based access Simple registration could be used to circumvent address-based access
control: An attacker would send a simple registration request with control: An attacker would send a simple registration request with
the victim's address as source address, and later look up the the victim's address as source address, and later look up the
victim's .well-known/core content in the RD. Mitigation for this is victim's /.well-known/core content in the RD. Mitigation for this is
recommended in Section 5.1. recommended in Section 5.1.
8.2. Access Control The Registration Resource path is visible to any client that is
allowed endpoint lookup, and can be extracted by resource lookup
clients as well. The same goes for registration attributes that are
shown as target attributes or lookup attributes. The RD needs to
consider this in the choice of Registration Resource paths, and
administrators or endpoint in their choice of attributes.
8.3. Access Control
Access control SHOULD be performed separately for the RD registration Access control SHOULD be performed separately for the RD registration
and Lookup API paths, as different endpoints may be authorized to and Lookup API paths, as different endpoints may be authorized to
register with an RD from those authorized to lookup endpoints from register with an RD from those authorized to lookup endpoints from
the RD. Such access control SHOULD be performed in as fine-grained a the RD. Such access control SHOULD be performed in as fine-grained a
level as possible. For example access control for lookups could be level as possible. For example access control for lookups could be
performed either at the sector, endpoint or resource level. performed either at the sector, endpoint or resource level.
8.3. Denial of Service Attacks The precise access controls necessary (and the consequences of
failure to enforce them) depend on the protection objectives of the
application and the security policies (Section 7) derived from them.
8.4. Denial of Service Attacks
Services that run over UDP unprotected are vulnerable to unknowingly Services that run over UDP unprotected are vulnerable to unknowingly
become part of a DDoS attack as UDP does not require return amplify and distribute a DoS attack as UDP does not require return
routability check. Therefore, an attacker can easily spoof the routability check. Since RD lookup responses can be significantly
source IP of the target entity and send requests to such a service larger than requests, RDs are prone to this.
which would then respond to the target entity. This can be used for
large-scale DDoS attacks on the target. Especially, if the service
returns a response that is order of magnitudes larger than the
request, the situation becomes even worse as now the attack can be
amplified. DNS servers have been widely used for DDoS amplification
attacks. There is also a danger that NTP Servers could become
implicated in denial-of-service (DoS) attacks since they run on
unprotected UDP, there is no return routability check, and they can
have a large amplification factor. The responses from the NTP server
were found to be 19 times larger than the request. An RD which
responds to wild-card lookups is potentially vulnerable if run with
CoAP over UDP. Since there is no return routability check and the
responses can be significantly larger than requests, RDs can
unknowingly become part of a DDoS amplification attack.
[RFC7252] describes this at length in its Section 11.3, including [RFC7252] describes this at length in its Section 11.3, including
some mitigation by using small block sizes in responses. The some mitigation by using small block sizes in responses. The
upcoming [I-D.ietf-core-echo-request-tag] updates that by describing upcoming [I-D.ietf-core-echo-request-tag] updates that by describing
a source address verification mechanism using the Echo option. a source address verification mechanism using the Echo option.
[ If this document is published together with or after I-D.ietf-core- [ If this document is published together with or after I-D.ietf-core-
echo-request-tag, the above paragraph is replaced with the following: echo-request-tag, the above paragraph is replaced with the following:
[RFC7252] describes this at length in its Section 11.3, and [RFC7252] describes this at length in its Section 11.3, and
skipping to change at page 46, line 36 skipping to change at page 48, line 34
+--------------------+-----------------------------+-------------+ +--------------------+-----------------------------+-------------+
| core.rd-ep | Endpoint resource of an RD | RFCTHIS | | core.rd-ep | Endpoint resource of an RD | RFCTHIS |
| | | Section 6 | | | | Section 6 |
+--------------------+-----------------------------+-------------+ +--------------------+-----------------------------+-------------+
Table 2 Table 2
9.2. IPv6 ND Resource Directory Address Option 9.2. IPv6 ND Resource Directory Address Option
This document registers one new ND option type under the sub-registry This document registers one new ND option type under the sub-registry
"IPv6 Neighbor Discovery Option Formats": "IPv6 Neighbor Discovery Option Formats" of the "Internet Control
Message Protocol version 6 (ICMPv6) Parameters" registry:
* Resource Directory Address Option (TBD38) * Resource Directory Address Option (TBD38)
[ The RFC editor is asked to replace TBD38 with the assigned number [ The RFC editor is asked to replace TBD38 with the assigned number
in the document; the value 38 is suggested. ] in the document; the value 38 is suggested. ]
9.3. RD Parameter Registry 9.3. RD Parameter Registry
This specification defines a new sub-registry for registration and This specification defines a new sub-registry for registration and
lookup parameters called "RD Parameters" under "CoRE Parameters". lookup parameters called "RD Parameters" under "CoRE Parameters".
Although this specification defines a basic set of parameters, it is Although this specification defines a basic set of parameters, it is
expected that other standards that make use of this interface will expected that other standards that make use of this interface will
define new ones. define new ones.
Each entry in the registry must include Each entry in the registry must include
* the human readable name of the parameter,
* the human readable name of the parameter,
* the short name as used in query parameters or target attributes, * the short name as used in query parameters or target attributes,
* indication of whether it can be passed as a query parameter at * indication of whether it can be passed as a query parameter at
registration of endpoints, as a query parameter in lookups, or be registration of endpoints, as a query parameter in lookups, or be
expressed as a target attribute, expressed as a target attribute,
* syntax and validity requirements if any, * syntax and validity requirements if any,
* a description, * a description,
skipping to change at page 48, line 38 skipping to change at page 50, line 38
| Endpoint | et | Section | RLA | Semantic type of | | Endpoint | et | Section | RLA | Semantic type of |
| Type | | 9.3.1 | | the endpoint (see | | Type | | 9.3.1 | | the endpoint (see |
| | | | | Section 9.4) | | | | | | Section 9.4) |
+--------------+-------+--------------+-----+---------------------+ +--------------+-------+--------------+-----+---------------------+
Table 3: RD Parameters Table 3: RD Parameters
(Short: Short name used in query parameters or target attributes. (Short: Short name used in query parameters or target attributes.
Validity: Unicode* = 63 Bytes of UTF-8 encoded Unicode, with no Validity: Unicode* = 63 Bytes of UTF-8 encoded Unicode, with no
control characters as per Section 5. Use: R = used at registration, control characters as per Section 5. Use: R = used at registration,
L = used at lookup, A = expressed in target attribute L = used at lookup, A = expressed in target attribute.)
The descriptions for the options defined in this document are only The descriptions for the options defined in this document are only
summarized here. To which registrations they apply and when they are summarized here. To which registrations they apply and when they are
to be shown is described in the respective sections of this document. to be shown is described in the respective sections of this document.
All their reference documentation entries point to this document. All their reference documentation entries point to this document.
The IANA policy for future additions to the sub-registry is "Expert The IANA policy for future additions to the sub-registry is "Expert
Review" as described in [RFC8126]. The evaluation should consider Review" as described in [RFC8126]. The evaluation should consider
formal criteria, duplication of functionality (Is the new entry formal criteria, duplication of functionality (Is the new entry
redundant with an existing one?), topical suitability (E.g. is the redundant with an existing one?), topical suitability (E.g. is the
described property actually a property of the endpoint and not a described property actually a property of the endpoint and not a
property of a particular resource, in which case it should go into property of a particular resource, in which case it should go into
the payload of the registration and need not be registered?), and the the payload of the registration and need not be registered?), and the
potential for conflict with commonly used target attributes (For potential for conflict with commonly used target attributes (For
example, "if" could be used as a parameter for conditional example, "if" could be used as a parameter for conditional
registration if it were not to be used in lookup or attributes, but registration if it were not to be used in lookup or attributes, but
would make a bad parameter for lookup, because a resource lookup with would make a bad parameter for lookup, because a resource lookup with
an "if" query parameter could ambiguously filter by the registered an "if" query parameter could ambiguously filter by the registered
endpoint property or the [RFC6690] target attribute). endpoint property or the [RFC6690] target attribute).
9.3.1. Full description of the "Endpoint Type" Registration Parameter 9.3.1. Full description of the "Endpoint Type" RD Parameter
An endpoint registering at an RD can describe itself with endpoint An endpoint registering at an RD can describe itself with endpoint
types, similar to how resources are described with Resource Types in types, similar to how resources are described with Resource Types in
[RFC6690]. An endpoint type is expressed as a string, which can be [RFC6690]. An endpoint type is expressed as a string, which can be
either a URI or one of the values defined in the Endpoint Type sub- either a URI or one of the values defined in the Endpoint Type sub-
registry. Endpoint types can be passed in the "et" query parameter registry. Endpoint types can be passed in the "et" query parameter
as part of extra-attrs at the Registration step, are shown on as part of extra-attrs at the Registration step, are shown on
endpoint lookups using the "et" target attribute, and can be filtered endpoint lookups using the "et" target attribute, and can be filtered
for using "et" as a search criterion in resource and endpoint lookup. for using "et" as a search criterion in resource and endpoint lookup.
Multiple endpoint types are given as separate query parameters or Multiple endpoint types are given as separate query parameters or
skipping to change at page 50, line 30 skipping to change at page 52, line 30
"Variable Scope Multicast Addresses" space (RFC 3307). Note that "Variable Scope Multicast Addresses" space (RFC 3307). Note that
there is a distinct multicast address for each scope that interested there is a distinct multicast address for each scope that interested
CoAP nodes should listen to; CoAP needs the Link-Local and Site-Local CoAP nodes should listen to; CoAP needs the Link-Local and Site-Local
scopes only. scopes only.
[ The RFC editor is asked to replace MCD1 and MCD2 with the assigned [ The RFC editor is asked to replace MCD1 and MCD2 with the assigned
addresses throughout the document. ] addresses throughout the document. ]
9.6. Well-Known URIs 9.6. Well-Known URIs
IANA is asked to extend the reference for the "core" URI suffix in IANA is asked to permanently register the URI suffix "rd" in the
the "Well-Known URIs" registry to reference this document next to "Well-Known URIs" registry. The change controller is the IETF, this
[RFC6690], as this defines the resource's behavior for POST requests. document is the reference.
9.7. Service Names and Transport Protocol Port Number Registry 9.7. Service Names and Transport Protocol Port Number Registry
IANA is asked to enter four new items into the Service Names and IANA is asked to enter four new items into the Service Names and
Transport Protocol Port Number Registry: Transport Protocol Port Number Registry:
* Service name: "core-rd", Protocol: "udp", Description: "Resource * Service name: "core-rd", Protocol: "udp", Description: "Resource
Directory accessed using CoAP" Directory accessed using CoAP"
* Service name "core-rd-dtls", Protocol: "udp", Description: * Service name "core-rd-dtls", Protocol: "udp", Description:
skipping to change at page 51, line 8 skipping to change at page 53, line 8
Directory accessed using CoAP over TCP" Directory accessed using CoAP over TCP"
* Service name "core-rd-tls", Protocol: "tcp", Description: * Service name "core-rd-tls", Protocol: "tcp", Description:
"Resource Directory accessed using CoAP over TLS" "Resource Directory accessed using CoAP over TLS"
All in common have this document as their reference. All in common have this document as their reference.
10. Examples 10. Examples
Two examples are presented: a Lighting Installation example in Two examples are presented: a Lighting Installation example in
Section 10.1 and a LWM2M example in Section 10.2. Section 10.1 and a LwM2M example in Section 10.2.
10.1. Lighting Installation 10.1. Lighting Installation
This example shows a simplified lighting installation which makes use This example shows a simplified lighting installation which makes use
of the RD with a CoAP interface to facilitate the installation and of the RD with a CoAP interface to facilitate the installation and
start-up of the application code in the lights and sensors. In start-up of the application code in the lights and sensors. In
particular, the example leads to the definition of a group and the particular, the example leads to the definition of a group and the
enabling of the corresponding multicast address as described in enabling of the corresponding multicast address as described in
Appendix A. No conclusions must be drawn on the realization of Appendix A. No conclusions must be drawn on the realization of
actual installation or naming procedures, because the example only actual installation or naming procedures, because the example only
skipping to change at page 52, line 6 skipping to change at page 54, line 6
luminary. The purpose of the installation is that the presence luminary. The purpose of the installation is that the presence
sensor notifies the presence of persons to a group of lamps. The sensor notifies the presence of persons to a group of lamps. The
group of lamps consists of: middle and left lamps of luminary1 and group of lamps consists of: middle and left lamps of luminary1 and
right lamp of luminary2. right lamp of luminary2.
Before commissioning by the lighting manager, the network is Before commissioning by the lighting manager, the network is
installed and access to the interfaces is proven to work by the installed and access to the interfaces is proven to work by the
network manager. network manager.
At the moment of installation, the network under installation is not At the moment of installation, the network under installation is not
necessarily connected to the DNS infra structure. Therefore, SLAAC necessarily connected to the DNS infrastructure. Therefore, SLAAC
IPv6 addresses are assigned to CT, RD, luminaries and sensor shown in IPv6 addresses are assigned to CT, RD, luminaries and the sensor.
Table 4 below: The addresses shown in Table 4 below stand in for these in the
following examples.
+=================+================+ +=================+================+
| Name | IPv6 address | | Name | IPv6 address |
+=================+================+ +=================+================+
| luminary1 | 2001:db8:4::1 | | luminary1 | 2001:db8:4::1 |
+-----------------+----------------+ +-----------------+----------------+
| luminary2 | 2001:db8:4::2 | | luminary2 | 2001:db8:4::2 |
+-----------------+----------------+ +-----------------+----------------+
| Presence sensor | 2001:db8:4::3 | | Presence sensor | 2001:db8:4::3 |
+-----------------+----------------+ +-----------------+----------------+
| RD | 2001:db8:4::ff | | RD | 2001:db8:4::ff |
+-----------------+----------------+ +-----------------+----------------+
Table 4: interface SLAAC addresses Table 4: Addresses used in the
examples
In Section 10.1.2 the use of RD during installation is presented. In Section 10.1.2 the use of RD during installation is presented.
10.1.2. RD entries 10.1.2. RD entries
It is assumed that access to the DNS infrastructure is not always It is assumed that access to the DNS infrastructure is not always
possible during installation. Therefore, the SLAAC addresses are possible during installation. Therefore, the SLAAC addresses are
used in this section. used in this section.
For discovery, the resource types (rt) of the devices are important. For discovery, the resource types (rt) of the devices are important.
The lamps in the luminaries have rt: light, and the presence sensor The lamps in the luminaries have rt=tag:example.com,2020:light, and
has rt: p-sensor. The endpoints have names which are relevant to the the presence sensor has rt=tag:example.com,2020:p-sensor. The
light installation manager. In this case luminary1, luminary2, and endpoints have names which are relevant to the light installation
the presence sensor are located in room 2-4-015, where luminary1 is manager. In this case luminary1, luminary2, and the presence sensor
located at the window and luminary2 and the presence sensor are are located in room 2-4-015, where luminary1 is located at the window
located at the door. The endpoint names reflect this physical and luminary2 and the presence sensor are located at the door. The
location. The middle, left and right lamps are accessed via path endpoint names reflect this physical location. The middle, left and
/light/middle, /light/left, and /light/right respectively. The right lamps are accessed via path /light/middle, /light/left, and
identifiers relevant to the RD are shown in Table 5 below: /light/right respectively. The identifiers relevant to the RD are
shown in Table 5 below:
+===========+==================+===============+===============+ +=========+================+========+===============================+
| Name | endpoint | resource path | resource type | |Name |endpoint |resource| resource type |
+===========+==================+===============+===============+ | | |path | |
| luminary1 | lm_R2-4-015_wndw | /light/left | light | +=========+================+========+===============================+
+-----------+------------------+---------------+---------------+ |luminary1|lm_R2-4-015_wndw|/light/ | tag:example.com,2020:light |
| luminary1 | lm_R2-4-015_wndw | /light/middle | light | | | |left | |
+-----------+------------------+---------------+---------------+ +---------+----------------+--------+-------------------------------+
| luminary1 | lm_R2-4-015_wndw | /light/right | light | |luminary1|lm_R2-4-015_wndw|/light/ | tag:example.com,2020:light |
+-----------+------------------+---------------+---------------+ | | |middle | |
| luminary2 | lm_R2-4-015_door | /light/left | light | +---------+----------------+--------+-------------------------------+
+-----------+------------------+---------------+---------------+ |luminary1|lm_R2-4-015_wndw|/light/ | tag:example.com,2020:light |
| luminary2 | lm_R2-4-015_door | /light/middle | light | | | |right | |
+-----------+------------------+---------------+---------------+ +---------+----------------+--------+-------------------------------+
| luminary2 | lm_R2-4-015_door | /light/right | light | |luminary2|lm_R2-4-015_door|/light/ | tag:example.com,2020:light |
+-----------+------------------+---------------+---------------+ | | |left | |
| Presence | ps_R2-4-015_door | /ps | p-sensor | +---------+----------------+--------+-------------------------------+
| sensor | | | | |luminary2|lm_R2-4-015_door|/light/ | tag:example.com,2020:light |
+-----------+------------------+---------------+---------------+ | | |middle | |
+---------+----------------+--------+-------------------------------+
|luminary2|lm_R2-4-015_door|/light/ | tag:example.com,2020:light |
| | |right | |
+---------+----------------+--------+-------------------------------+
|Presence |ps_R2-4-015_door|/ps | tag:example.com,2020:p-sensor |
|sensor | | | |
+---------+----------------+--------+-------------------------------+
Table 5: RD identifiers Table 5: RD identifiers
It is assumed that the CT knows the RD's address, and has performed It is assumed that the CT has performed RD discovery and has received
URI discovery on it that returned a response like the one in the a response like the one in the Section 4.3 example.
Section 4.3 example.
The CT inserts the endpoints of the luminaries and the sensor in the The CT inserts the endpoints of the luminaries and the sensor in the
RD using the registration base URI parameter (base) to specify the RD using the registration base URI parameter (base) to specify the
interface address: interface address:
Req: POST coap://[2001:db8:4::ff]/rd Req: POST coap://[2001:db8:4::ff]/rd
?ep=lm_R2-4-015_wndw&base=coap://[2001:db8:4::1]&d=R2-4-015 ?ep=lm_R2-4-015_wndw&base=coap://[2001:db8:4::1]&d=R2-4-015
Payload: Payload:
</light/left>;rt="light", </light/left>;rt="tag:example.com,2020:light",
</light/middle>;rt="light", </light/middle>;rt="tag:example.com,2020:light",
</light/right>;rt="light" </light/right>;rt="tag:example.com,2020:light"
Res: 2.01 Created Res: 2.01 Created
Location-Path: /rd/4521 Location-Path: /rd/4521
Req: POST coap://[2001:db8:4::ff]/rd Req: POST coap://[2001:db8:4::ff]/rd
?ep=lm_R2-4-015_door&base=coap://[2001:db8:4::2]&d=R2-4-015 ?ep=lm_R2-4-015_door&base=coap://[2001:db8:4::2]&d=R2-4-015
Payload: Payload:
</light/left>;rt="light", </light/left>;rt="tag:example.com,2020:light",
</light/middle>;rt="light", </light/middle>;rt="tag:example.com,2020:light",
</light/right>;rt="light" </light/right>;rt="tag:example.com,2020:light"
Res: 2.01 Created Res: 2.01 Created
Location-Path: /rd/4522 Location-Path: /rd/4522
Req: POST coap://[2001:db8:4::ff]/rd Req: POST coap://[2001:db8:4::ff]/rd
?ep=ps_R2-4-015_door&base=coap://[2001:db8:4::3]d&d=R2-4-015 ?ep=ps_R2-4-015_door&base=coap://[2001:db8:4::3]&d=R2-4-015
Payload: Payload:
</ps>;rt="p-sensor" </ps>;rt="tag:example.com,2020:p-sensor"
Res: 2.01 Created Res: 2.01 Created
Location-Path: /rd/4523 Location-Path: /rd/4523
Figure 23: Example of registrations a CT enters into an RD Figure 23: Example of registrations a CT enters into an RD
The sector name d=R2-4-015 has been added for an efficient lookup The sector name d=R2-4-015 has been added for an efficient lookup
because filtering on "ep" name is more awkward. The same sector name because filtering on "ep" name is more awkward. The same sector name
is communicated to the two luminaries and the presence sensor by the is communicated to the two luminaries and the presence sensor by the
CT. CT.
The group is specified in the RD. The base parameter is set to the The group is specified in the RD. The base parameter is set to the
site-local multicast address allocated to the group. In the POST in site-local multicast address allocated to the group. In the POST in
the example below, the resources supported by all group members are the example below, the resources supported by all group members are
published. published.
Req: POST coap://[2001:db8:4::ff]/rd Req: POST coap://[2001:db8:4::ff]/rd
?ep=grp_R2-4-015&et=core.rd-group&base=coap://[ff05::1] ?ep=grp_R2-4-015&et=core.rd-group&base=coap://[ff05::1]
Payload: Payload:
</light/left>;rt="light", </light/left>;rt="tag:example.com,2020:light",
</light/middle>;rt="light", </light/middle>;rt="tag:example.com,2020:light",
</light/right>;rt="light" </light/right>;rt="tag:example.com,2020:light"
Res: 2.01 Created Res: 2.01 Created
Location-Path: /rd/501 Location-Path: /rd/501
Figure 24: Example of a multicast group a CT enters into an RD Figure 24: Example of a multicast group a CT enters into an RD
After the filling of the RD by the CT, the application in the After the filling of the RD by the CT, the application in the
luminaries can learn to which groups they belong, and enable their luminaries can learn to which groups they belong, and enable their
interface for the multicast address. interface for the multicast address.
skipping to change at page 55, line 38 skipping to change at page 57, line 38
Res: 2.05 Content Res: 2.05 Content
</rd/501>;ep="grp_R2-4-015";et="core.rd-group"; </rd/501>;ep="grp_R2-4-015";et="core.rd-group";
base="coap://[ff05::1]";rt="core.rd-ep" base="coap://[ff05::1]";rt="core.rd-ep"
Figure 25: Example of a lookup exchange to find suitable Figure 25: Example of a lookup exchange to find suitable
multicast addresses multicast addresses
From the returned base parameter value, the luminary learns the From the returned base parameter value, the luminary learns the
multicast address of the multicast group. multicast address of the multicast group.
Alternatively, the CT can communicate the multicast address directly The presence sensor can learn the presence of groups that support
to the luminaries by using the "coap-group" resource specified in resources with rt=tag:example.com,2020:light in its own sector by
[RFC7390]. sending the same request, as used by the luminary. The presence
sensor learns the multicast address to use for sending messages to
the luminaries.
Req: POST coap://[2001:db8:4::1]/coap-group 10.2. OMA Lightweight M2M (LwM2M)
Content-Format: application/coap-group+json
Payload:
{ "a": "[ff05::1]", "n": "grp_R2-4-015"}
Res: 2.01 Created OMA LwM2M is a profile for device services based on CoAP, providing
Location-Path: /coap-group/1 interfaces and operations for device management and device service
enablement.
Figure 26: Example use of direct multicast address configuration An LwM2M server is an instance of an LwM2M middleware service layer,
containing an RD ([LwM2M] page 36f).
Dependent on the situation, only the address, "a", or the name, "n", That RD only implements the registration interface, and no lookup is
is specified in the coap-group resource. implemented. Instead, the LwM2M server provides access to the
registered resources, in a similar way to a reverse proxy.
The presence sensor can learn the presence of groups that support The location of the LwM2M Server and RD URI path is provided by the
resources with rt=light in its own sector by sending the same LwM2M Bootstrap process, so no dynamic discovery of the RD is used.
request, as used by the luminary. The presence sensor learns the LwM2M Servers and endpoints are not required to implement the /.well-
multicast address to use for sending messages to the luminaries. known/core resource.
10.2. OMA Lightweight M2M (LWM2M) Example 11. Acknowledgments
This example shows how the OMA LWM2M specification makes use of RDs. Oscar Novo, Srdjan Krco, Szymon Sasin, Kerry Lynn, Esko Dijk, Anders
Brandt, Matthieu Vial, Jim Schaad, Mohit Sethi, Hauke Petersen,
Hannes Tschofenig, Sampo Ukkola, Linyi Tian, Jan Newmarch, Matthias
Kovatsch, Jaime Jimenez and Ted Lemon have provided helpful comments,
discussions and ideas to improve and shape this document. Zach would
also like to thank his colleagues from the EU FP7 SENSEI project,
where many of the RD concepts were originally developed.
OMA LWM2M is a profile for device services based on CoAP(OMA Name 12. Changelog
Authority). LWM2M defines a simple object model and a number of
abstract interfaces and operations for device management and device
service enablement.
An LWM2M server is an instance of an LWM2M middleware service layer, changes from -25 to -26
containing an RD along with other LWM2M interfaces defined by the
LWM2M specification.
The registration interface of this specification is used to provide * Security policies:
the LWM2M Registration interface.
LWM2M does not provide for registration sectors and does not - The First-Come-First-Remembered policy is added as an example
currently use the rd-lookup interface. and a potential default behavior.
The LWM2M specification describes a set of interfaces and a resource - Clarify that the mapping between endpoint names and subject
model used between a LWM2M device and an LWM2M server. Other fields is up to a policy that defines reliance on names, and
interfaces, proxies, and applications are currently out of scope for give an example.
LWM2M.
The location of the LWM2M Server and RD URI path is provided by the - Random EP names: Point that multiple collisions are possible
LWM2M Bootstrap process, so no dynamic discovery of the RD is used. but unlikely.
LWM2M Servers and endpoints are not required to implement the /.well-
known/core resource.
10.2.1. The LWM2M Object Model - Add pointers to policies:
The OMA LWM2M object model is based on a simple 2 level class o RD replication: Point out that policies may limit that.
hierarchy consisting of Objects and Resources.
An LWM2M Resource is a REST endpoint, allowed to be a single value or o Registration: Reword (ep, d) mapping to a previous
an array of values of the same data type. registration's resource that could have been read as another
endpoint taking over an existing registration.
An LWM2M Object is a resource template and container type that - Clarify that the security policy is a property of the RD the
encapsulates a set of related resources. An LWM2M Object represents any client may need to verify by checking the RD's
a specific type of information source; for example, there is a LWM2M authorization.
Device Management object that represents a network connection,
containing resources that represent individual properties like radio
signal strength.
Since there may potentially be more than one of a given type object, - Clarify how information from an untrusted RD can be verified
for example more than one network connection, LWM2M defines instances - Remove speculation about how in detail ACE scopes are obtained.
of objects that contain the resources that represent a specific
physical thing.
The URI template for LWM2M consists of a base URI followed by Object, * Security considerations:
Instance, and Resource IDs:
{/base-uri}{/object-id}{/object-instance}{/resource-id}{/resource- - Generalize to all current options for security layers usable
instance} with CoAP (OSCORE was missing as the text predated RFC8613)
The five variables given here are strings. base-uri can also have - Relax the previous SHOULD on secure access to SHOULD where
the special value "undefined" (sometimes called "null" in RFC 6570). protection is indicated by security policies (bringing the text
Each of the variables object-instance, resource-id, and resource- in line with the -25 changes)
instance can be the special value "undefined" only if the values
behind it in this sequence also are "undefined". As a special case,
object-instance can be "empty" (which is different from "undefined")
if resource-id is not "undefined".
base-uri := Base URI for LWM2M resources or "undefined" for default - Point out that failure to follow the security considerations
(empty) base URI has implications depending on the protection objective
described with the security policies
object-id := OMNA (OMA Name Authority) registered object ID (0-65535) - Shorten amplification mitigation
object-instance := Object instance identifier (0-65535) or - Add note about information in Registration Resource path.
"undefined"/"empty" (see above)) to refer to all instances of an
object ID
resource-id := OMNA (OMA Name Authority) registered resource ID - Acknowledge that most host discovery operations are not
(0-65535) or "undefined" to refer to all resources within an instance secured; mention consequences and mitigation.
resource-instance := Resource instance identifier or "undefined" to * Abstract, introduction: removed "or disperse networks"
refer to single instance of a resource
LWM2M IDs are 16 bit unsigned integers represented in decimal (no * RD discovery:
leading zeroes except for the value 0) by URI format strings. For
example, a LWM2M URI might be:
/1/0/1 - Drop the previously stated assumption that RDAO and any DHCP
The base URI is empty, the Object ID is 1, the instance ID is 0, the options would only be used together with SLAAC and DHCP for
resource ID is 1, and the resource instance is "undefined". This address configuration, respectivly.
example URI points to internal resource 1, which represents the
registration lifetime configured, in instance 0 of a type 1 object
(LWM2M Server Object).
10.2.2. LWM2M Register Endpoint - Give concrete guidance for address selection based on RFC6724
when responding to multicasts
LWM2M defines a registration interface based on the REST API, - RDAO:
described in Section 5. The RD registration URI path of the LWM2M RD
is specified to be "/rd".
LWM2M endpoints register object IDs, for example </1>, to indicate o Clarify that it is an option for RAs and not other ND
that a particular object type is supported, and register object messages.
instances, for example </1/0>, to indicate that a particular instance
of that object type exists.
Resources within the LWM2M object instance are not registered with o Change Lifetime from 16-bit minutes to 32-bit seconds and
the RD, but may be discovered by reading the resource links from the swap it with Reserved (aligning it with RDNSS which it
object instance using GET with a CoAP Content-Format of application/ shares other properties as well).
link-format. Resources may also be read as a structured object by
performing a GET to the object instance with a Content-Format of
senml+json.
When an LWM2M object or instance is registered, this indicates to the - Point out that clients may need to check RD authorization
LWM2M server that the object and its resources are available for already in last discovery step
management and service enablement (REST API) operations.
LWM2M endpoints may use the following RD registration parameters as * Registration:
defined in Table 3 :
ep - Endpoint Name - Wording around "mostly mandatory" has been improved, conflicts
lt - registration lifetime clarified and sector default selection adjusted.
Endpoint Name, Lifetime, and LWM2M Version are mandatory parameters * Simple registration: Rather than coopting POSTs to /.well-known/
for the register operation, all other registration parameters are core, a new resource /.well-known/rd is registered. A historical
optional. note in the text documents the change.
Additional optional LWM2M registration parameters are defined: * Examples:
+=========+=======+===============================+=============+ - Use example URIs rather than unclear reg names (unless it's
| Name | Query | Validity | Description | RFC6690 examples, which were kept for continuity)
+=========+=======+===============================+=============+
| Binding | b | {"U",UQ","S","SQ","US","UQS"} | Available |
| Mode | | | Protocols |
+---------+-------+-------------------------------+-------------+
+---------+-------+-------------------------------+-------------+
| LWM2M | ver | 1.0 | Spec |
| Version | | | Version |
+---------+-------+-------------------------------+-------------+
+---------+-------+-------------------------------+-------------+
| SMS | sms | | MSISDN |
| Number | | | |
+---------+-------+-------------------------------+-------------+
Table 6: LWM2M Additional Registration Parameters - The LwM2M example was reduced from an outdated explanation of
the complete LwM2M model to a summary of how RD is used in
there, with a reference to the current specification.
The following RD registration parameters are not currently specified - Luminary example: Explain example addresses
for use in LWM2M:
et - Endpoint Type - Luminary example: Drop reference to coap-group mechanism that's
base - Registration Base URI becoming obsolete, and thus also to RFC7390
The endpoint registration must include a payload containing links to - Multicast addresses in the examples were changed from
all supported objects and existing object instances, optionally ff35:30:2001:db8::x to ff35:30:2001:db8:f1::8000:x; the 8000 is
including the appropriate link-format relations. to follow RFC 3307, and the f1 is for consistency with all the
other example addresses where 2001:db8::/32 is subnetted to
2001:db8:x::/48 by groups of internally consistent examples.
Here is an example LWM2M registration payload: * Use case text enhancements
</1>,</1/0>,</3/0>,</5> - Home and building automation: Tie in with RD
This link format payload indicates that object ID 1 (LWM2M Server - M2M: Move system design paragraph towards the topic of
Object) is supported, with a single instance 0 existing, object ID 3 reusability.
(LWM2M Device object) is supported, with a single instance 0
existing, and object 5 (LWM2M Firmware Object) is supported, with no
existing instances.
10.2.3. LWM2M Update Endpoint Registration * Various editorial fixes in response to Gen-ART and IESG reviews.
The LwM2M update is really very similar to the registration update as * Rename 'Full description of the "Endpoint Type" Registration
described in Section 5.3.1, with the only difference that there are Parameter' section to '... RD Parameter'
more parameters defined and available. All the parameters listed in
that section are also available with the initial registration but are
all optional:
lt - Registration Lifetime * Error handling: Place a SHOULD around the likely cases, and make
b - Protocol Binding the previous "MUST to the best of their capabilities" a "must".
sms - MSISDN
link payload - new or modified links
A Registration update is also specified to be used to update the * impl-info: Add note about the type being WIP
LWM2M server whenever the endpoint's UDP port or IP address are
changed.
10.2.4. LWM2M De-Register Endpoint * Interaction tables: list CTs as possible initiators where
applicable
LWM2M allows for de-registration using the delete method on the * Registration update: Relax requirement to not send parameters
returned location from the initial registration operation. LWM2M de- needlessly
registration proceeds as described in Section 5.3.2.
11. Acknowledgments * Terminology: Clarify that the CTs' installation events can occur
multiple times.
Oscar Novo, Srdjan Krco, Szymon Sasin, Kerry Lynn, Esko Dijk, Anders * Promote RFCs 7252, 7230 and 8288 to normative references
Brandt, Matthieu Vial, Jim Schaad, Mohit Sethi, Hauke Petersen,
Hannes Tschofenig, Sampo Ukkola, Linyi Tian, Jan Newmarch, Matthias
Kovatsch, Jaime Jimenez and Ted Lemon have provided helpful comments,
discussions and ideas to improve and shape this document. Zach would
also like to thank his colleagues from the EU FP7 SENSEI project,
where many of the RD concepts were originally developed.
12. Changelog * Moved Christian Amsuess to first author
changes from -24 to -25 changes from -24 to -25
* Large rework of section 7 (Security policies) * Large rework of section 7 (Security policies)
Rather than prescribing which data in the RD _is_ authenticated Rather than prescribing which data in the RD _is_ authenticated
(and how), it now describes what applications built on an RD _can_ (and how), it now describes what applications built on an RD _can_
choose to authenticate, show possibilities on how to do it and choose to authenticate, show possibilities on how to do it and
outline what it means for clients. outline what it means for clients.
skipping to change at page 72, line 13 skipping to change at page 72, line 45
<https://www.rfc-editor.org/info/rfc6570>. <https://www.rfc-editor.org/info/rfc6570>.
[RFC6690] Shelby, Z., "Constrained RESTful Environments (CoRE) Link [RFC6690] Shelby, Z., "Constrained RESTful Environments (CoRE) Link
Format", RFC 6690, DOI 10.17487/RFC6690, August 2012, Format", RFC 6690, DOI 10.17487/RFC6690, August 2012,
<https://www.rfc-editor.org/info/rfc6690>. <https://www.rfc-editor.org/info/rfc6690>.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013, Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>. <https://www.rfc-editor.org/info/rfc6763>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8288] Nottingham, M., "Web Linking", RFC 8288,
DOI 10.17487/RFC8288, October 2017,
<https://www.rfc-editor.org/info/rfc8288>.
13.2. Informative References 13.2. Informative References
[ER] Chen, P., "The entity-relationship model--toward a unified [ER] Chen, P., "The entity-relationship model--toward a unified
view of data", DOI 10.1145/320434.320440, ACM Transactions view of data", DOI 10.1145/320434.320440, ACM Transactions
on Database Systems Vol. 1, pp. 9-36, March 1976, on Database Systems Vol. 1, pp. 9-36, March 1976,
<https://doi.org/10.1145/320434.320440>. <https://doi.org/10.1145/320434.320440>.
[I-D.bormann-t2trg-rel-impl] [I-D.bormann-t2trg-rel-impl]
Bormann, C., "impl-info: A link relation type for Bormann, C., "impl-info: A link relation type for
disclosing implementation information", Work in Progress, disclosing implementation information", Work in Progress,
Internet-Draft, draft-bormann-t2trg-rel-impl-01, 27 March Internet-Draft, draft-bormann-t2trg-rel-impl-02, 27
2020, <http://www.ietf.org/internet-drafts/draft-bormann- September 2020, <http://www.ietf.org/internet-drafts/
t2trg-rel-impl-01.txt>. draft-bormann-t2trg-rel-impl-02.txt>.
[I-D.hartke-t2trg-coral] [I-D.hartke-t2trg-coral]
Hartke, K., "The Constrained RESTful Application Language Hartke, K., "The Constrained RESTful Application Language
(CoRAL)", Work in Progress, Internet-Draft, draft-hartke- (CoRAL)", Work in Progress, Internet-Draft, draft-hartke-
t2trg-coral-09, 8 July 2019, <http://www.ietf.org/ t2trg-coral-09, 8 July 2019, <http://www.ietf.org/
internet-drafts/draft-hartke-t2trg-coral-09.txt>. internet-drafts/draft-hartke-t2trg-coral-09.txt>.
[I-D.ietf-ace-oauth-authz] [I-D.ietf-ace-oauth-authz]
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and
H. Tschofenig, "Authentication and Authorization for H. Tschofenig, "Authentication and Authorization for
Constrained Environments (ACE) using the OAuth 2.0 Constrained Environments (ACE) using the OAuth 2.0
Framework (ACE-OAuth)", Work in Progress, Internet-Draft, Framework (ACE-OAuth)", Work in Progress, Internet-Draft,
draft-ietf-ace-oauth-authz-35, 24 June 2020, draft-ietf-ace-oauth-authz-35, 24 June 2020,
<http://www.ietf.org/internet-drafts/draft-ietf-ace-oauth- <http://www.ietf.org/internet-drafts/draft-ietf-ace-oauth-
authz-35.txt>. authz-35.txt>.
[I-D.ietf-core-echo-request-tag] [I-D.ietf-core-echo-request-tag]
Amsuess, C., Mattsson, J., and G. Selander, "CoAP: Echo, Amsuess, C., Mattsson, J., and G. Selander, "CoAP: Echo,
Request-Tag, and Token Processing", Work in Progress, Request-Tag, and Token Processing", Work in Progress,
Internet-Draft, draft-ietf-core-echo-request-tag-09, 9 Internet-Draft, draft-ietf-core-echo-request-tag-10, 13
March 2020, <http://www.ietf.org/internet-drafts/draft- July 2020, <http://www.ietf.org/internet-drafts/draft-
ietf-core-echo-request-tag-09.txt>. ietf-core-echo-request-tag-10.txt>.
[I-D.ietf-core-links-json] [I-D.ietf-core-links-json]
Li, K., Rahman, A., and C. Bormann, "Representing Li, K., Rahman, A., and C. Bormann, "Representing
Constrained RESTful Environments (CoRE) Link Format in Constrained RESTful Environments (CoRE) Link Format in
JSON and CBOR", Work in Progress, Internet-Draft, draft- JSON and CBOR", Work in Progress, Internet-Draft, draft-
ietf-core-links-json-10, 26 February 2018, ietf-core-links-json-10, 26 February 2018,
<http://www.ietf.org/internet-drafts/draft-ietf-core- <http://www.ietf.org/internet-drafts/draft-ietf-core-
links-json-10.txt>. links-json-10.txt>.
[I-D.ietf-core-rd-dns-sd] [I-D.ietf-core-rd-dns-sd]
skipping to change at page 73, line 34 skipping to change at page 74, line 34
<http://www.ietf.org/internet-drafts/draft-ietf-core-rd- <http://www.ietf.org/internet-drafts/draft-ietf-core-rd-
dns-sd-05.txt>. dns-sd-05.txt>.
[I-D.silverajan-core-coap-protocol-negotiation] [I-D.silverajan-core-coap-protocol-negotiation]
Silverajan, B. and M. Ocak, "CoAP Protocol Negotiation", Silverajan, B. and M. Ocak, "CoAP Protocol Negotiation",
Work in Progress, Internet-Draft, draft-silverajan-core- Work in Progress, Internet-Draft, draft-silverajan-core-
coap-protocol-negotiation-09, 2 July 2018, coap-protocol-negotiation-09, 2 July 2018,
<http://www.ietf.org/internet-drafts/draft-silverajan- <http://www.ietf.org/internet-drafts/draft-silverajan-
core-coap-protocol-negotiation-09.txt>. core-coap-protocol-negotiation-09.txt>.
[LwM2M] Open Mobile Alliance, "Lightweight Machine to Machine
Technical Specification: Transport Bindings (Candidate
Version 1.1)", 12 June 2018,
<https://openmobilealliance.org/RELEASE/LightweightM2M/
V1_1-20180612-C/OMA-TS-LightweightM2M_Transport-
V1_1-20180612-C.pdf>.
[RFC3306] Haberman, B. and D. Thaler, "Unicast-Prefix-based IPv6 [RFC3306] Haberman, B. and D. Thaler, "Unicast-Prefix-based IPv6
Multicast Addresses", RFC 3306, DOI 10.17487/RFC3306, Multicast Addresses", RFC 3306, DOI 10.17487/RFC3306,
August 2002, <https://www.rfc-editor.org/info/rfc3306>. August 2002, <https://www.rfc-editor.org/info/rfc3306>.
[RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
Reserved for Documentation", RFC 3849, Reserved for Documentation", RFC 3849,
DOI 10.17487/RFC3849, July 2004, DOI 10.17487/RFC3849, July 2004,
<https://www.rfc-editor.org/info/rfc3849>. <https://www.rfc-editor.org/info/rfc3849>.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
skipping to change at page 74, line 10 skipping to change at page 75, line 20
[RFC4944] Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler, [RFC4944] Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler,
"Transmission of IPv6 Packets over IEEE 802.15.4 "Transmission of IPv6 Packets over IEEE 802.15.4
Networks", RFC 4944, DOI 10.17487/RFC4944, September 2007, Networks", RFC 4944, DOI 10.17487/RFC4944, September 2007,
<https://www.rfc-editor.org/info/rfc4944>. <https://www.rfc-editor.org/info/rfc4944>.
[RFC5771] Cotton, M., Vegoda, L., and D. Meyer, "IANA Guidelines for [RFC5771] Cotton, M., Vegoda, L., and D. Meyer, "IANA Guidelines for
IPv4 Multicast Address Assignments", BCP 51, RFC 5771, IPv4 Multicast Address Assignments", BCP 51, RFC 5771,
DOI 10.17487/RFC5771, March 2010, DOI 10.17487/RFC5771, March 2010,
<https://www.rfc-editor.org/info/rfc5771>. <https://www.rfc-editor.org/info/rfc5771>.
[RFC6724] Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown,
"Default Address Selection for Internet Protocol Version 6
(IPv6)", RFC 6724, DOI 10.17487/RFC6724, September 2012,
<https://www.rfc-editor.org/info/rfc6724>.
[RFC6775] Shelby, Z., Ed., Chakrabarti, S., Nordmark, E., and C. [RFC6775] Shelby, Z., Ed., Chakrabarti, S., Nordmark, E., and C.
Bormann, "Neighbor Discovery Optimization for IPv6 over Bormann, "Neighbor Discovery Optimization for IPv6 over
Low-Power Wireless Personal Area Networks (6LoWPANs)", Low-Power Wireless Personal Area Networks (6LoWPANs)",
RFC 6775, DOI 10.17487/RFC6775, November 2012, RFC 6775, DOI 10.17487/RFC6775, November 2012,
<https://www.rfc-editor.org/info/rfc6775>. <https://www.rfc-editor.org/info/rfc6775>.
[RFC6874] Carpenter, B., Cheshire, S., and R. Hinden, "Representing [RFC6874] Carpenter, B., Cheshire, S., and R. Hinden, "Representing
IPv6 Zone Identifiers in Address Literals and Uniform IPv6 Zone Identifiers in Address Literals and Uniform
Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874, Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874,
February 2013, <https://www.rfc-editor.org/info/rfc6874>. February 2013, <https://www.rfc-editor.org/info/rfc6874>.
[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for [RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for
Constrained-Node Networks", RFC 7228, Constrained-Node Networks", RFC 7228,
DOI 10.17487/RFC7228, May 2014, DOI 10.17487/RFC7228, May 2014,
<https://www.rfc-editor.org/info/rfc7228>. <https://www.rfc-editor.org/info/rfc7228>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>.
[RFC7390] Rahman, A., Ed. and E. Dijk, Ed., "Group Communication for
the Constrained Application Protocol (CoAP)", RFC 7390,
DOI 10.17487/RFC7390, October 2014,
<https://www.rfc-editor.org/info/rfc7390>.
[RFC7641] Hartke, K., "Observing Resources in the Constrained [RFC7641] Hartke, K., "Observing Resources in the Constrained
Application Protocol (CoAP)", RFC 7641, Application Protocol (CoAP)", RFC 7641,
DOI 10.17487/RFC7641, September 2015, DOI 10.17487/RFC7641, September 2015,
<https://www.rfc-editor.org/info/rfc7641>. <https://www.rfc-editor.org/info/rfc7641>.
[RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
"IPv6 Router Advertisement Options for DNS Configuration",
RFC 8106, DOI 10.17487/RFC8106, March 2017,
<https://www.rfc-editor.org/info/rfc8106>.
[RFC8132] van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and [RFC8132] van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and
FETCH Methods for the Constrained Application Protocol FETCH Methods for the Constrained Application Protocol
(CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017, (CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017,
<https://www.rfc-editor.org/info/rfc8132>. <https://www.rfc-editor.org/info/rfc8132>.
[RFC8141] Saint-Andre, P. and J. Klensin, "Uniform Resource Names [RFC8141] Saint-Andre, P. and J. Klensin, "Uniform Resource Names
(URNs)", RFC 8141, DOI 10.17487/RFC8141, April 2017, (URNs)", RFC 8141, DOI 10.17487/RFC8141, April 2017,
<https://www.rfc-editor.org/info/rfc8141>. <https://www.rfc-editor.org/info/rfc8141>.
[RFC8288] Nottingham, M., "Web Linking", RFC 8288, [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
DOI 10.17487/RFC8288, October 2017, "Object Security for Constrained RESTful Environments
<https://www.rfc-editor.org/info/rfc8288>. (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019,
<https://www.rfc-editor.org/info/rfc8613>.
Appendix A. Groups Registration and Lookup Appendix A. Groups Registration and Lookup
The RD-Groups usage pattern allows announcing application groups The RD-Groups usage pattern allows announcing application groups
inside an RD. inside an RD.
Groups are represented by endpoint registrations. Their base address Groups are represented by endpoint registrations. Their base address
is a multicast address, and they SHOULD be entered with the endpoint is a multicast address, and they SHOULD be entered with the endpoint
type "core.rd-group". The endpoint name can also be referred to as a type "core.rd-group". The endpoint name can also be referred to as a
group name in this context. group name in this context.
skipping to change at page 75, line 39 skipping to change at page 77, line 6
resource MAY be permissible if requests to them fail gracefully. resource MAY be permissible if requests to them fail gracefully.
The following example shows a CT registering a group with the name The following example shows a CT registering a group with the name
"lights" which provides two resources. The directory resource path "lights" which provides two resources. The directory resource path
/rd is an example RD location discovered in a request similar to /rd is an example RD location discovered in a request similar to
Figure 5. The group address in the example is constructed from Figure 5. The group address in the example is constructed from
[RFC3849]'s reserved 2001:db8:: prefix as a unicast-prefix based [RFC3849]'s reserved 2001:db8:: prefix as a unicast-prefix based
site-local address (see [RFC3306]. site-local address (see [RFC3306].
Req: POST coap://rd.example.com/rd?ep=lights&et=core.rd-group Req: POST coap://rd.example.com/rd?ep=lights&et=core.rd-group
&base=coap://[ff35:30:2001:db8::1] &base=coap://[ff35:30:2001:db8:f1::8000:1]
Content-Format: 40 Content-Format: 40
Payload: Payload:
</light>;rt="light";if="core.a", </light>;rt="tag:example.com,2020:light";
</color-temperature>;if="core.p";u="K" if="tag:example.net,2020:actuator",
</color-temperature>;if="tag:example.net,2020:parameter";u="K"
Res: 2.01 Created Res: 2.01 Created
Location-Path: /rd/12 Location-Path: /rd/12
Figure 27: Example registration of a group Figure 26: Example registration of a group
In this example, the group manager can easily permit devices that In this example, the group manager can easily permit devices that
have no writable color-temperature to join, as they would still have no writable color-temperature to join, as they would still
respond to brightness changing commands. Had the group instead respond to brightness changing commands. Had the group instead
contained a single resource that sets brightness and color contained a single resource that sets brightness and color
temperature atomically, endpoints would need to support both temperature atomically, endpoints would need to support both
properties. properties.
The resources of a group can be looked up like any other resource, The resources of a group can be looked up like any other resource,
and the group registrations (along with any additional registration and the group registrations (along with any additional registration
parameters) can be looked up using the endpoint lookup interface. parameters) can be looked up using the endpoint lookup interface.
The following example shows a client performing and endpoint lookup The following example shows a client performing an endpoint lookup
for all groups. for all groups.
Req: GET /rd-lookup/ep?et=core.rd-group Req: GET /rd-lookup/ep?et=core.rd-group
Res: 2.05 Content Res: 2.05 Content
Payload: Payload:
</rd/501>;ep="GRP_R2-4-015";et="core.rd-group"; </rd/501>;ep="grp_R2-4-015";et="core.rd-group";
base="coap://[ff05::1]", base="coap://[ff05::1]",
</rd/12>;ep=lights&et=core.rd-group; </rd/12>;ep=lights&et=core.rd-group;
base="coap://[ff35:30:2001:db8::1]";rt="core.rd-ep" base="coap://[ff35:30:2001:f1:db8::8000:1]";rt="core.rd-ep"
Figure 28: Example lookup of groups Figure 27: Example lookup of groups
The following example shows a client performing a lookup of all The following example shows a client performing a lookup of all
resources of all endpoints (groups) with et=core.rd-group. resources of all endpoints (groups) with et=core.rd-group.
Req: GET /rd-lookup/res?et=core.rd-group Req: GET /rd-lookup/res?et=core.rd-group
<coap://[ff35:30:2001:db8::1]/light>;rt="light";if="core.a"; <coap://[ff35:30:2001:db8:f1::8000:1]/light>;
et="core.rd-group";anchor="coap://[ff35:30:2001:db8::1]", rt="tag:example.com,2020:light";
<coap://[ff35:30:2001:db8::1]/color-temperature>;if="core.p";u="K"; if="tag:example.net,2020:actuator";
et="core.rd-group"; anchor="coap://[ff35:30:2001:db8:f1::8000:1]",
anchor="coap://[ff35:30:2001:db8::1]" <coap://[ff35:30:2001:db8:f1::8000:1]/color-temperature>;
if="tag:example.net,2020:parameter";u="K";
anchor="coap://[ff35:30:2001:db8:f1::8000:1]"
Figure 29: Example lookup of resources inside groups Figure 28: Example lookup of resources inside groups
Appendix B. Web links and the Resource Directory Appendix B. Web links and the Resource Directory
Understanding the semantics of a link-format document and its URI Understanding the semantics of a link-format document and its URI
references is a journey through different documents ([RFC3986] references is a journey through different documents ([RFC3986]
defining URIs, [RFC6690] defining link-format documents based on defining URIs, [RFC6690] defining link-format documents based on
[RFC8288] which defines Link header fields, and [RFC7252] providing [RFC8288] which defines Link header fields, and [RFC7252] providing
the transport). This appendix summarizes the mechanisms and the transport). This appendix summarizes the mechanisms and
semantics at play from an entry in ".well-known/core" to a resource semantics at play from an entry in "/.well-known/core" to a resource
lookup. lookup.
This text is primarily aimed at people entering the field of This text is primarily aimed at people entering the field of
Constrained Restful Environments from applications that previously Constrained Restful Environments from applications that previously
did not use web mechanisms. did not use web mechanisms.
The explanation of the steps makes some shortcuts in the more The explanation of the steps makes some shortcuts in the more
confusing details of [RFC6690], which are justified as all examples confusing details of [RFC6690], which are justified as all examples
being in Limited Link Format. being in Limited Link Format.
skipping to change at page 77, line 23 skipping to change at page 78, line 49
sends the following multicast request to learn about neighbours sends the following multicast request to learn about neighbours
supporting resources with resource-type "temperature". supporting resources with resource-type "temperature".
The client sends a link-local multicast: The client sends a link-local multicast:
GET coap://[ff02::fd]:5683/.well-known/core?rt=temperature GET coap://[ff02::fd]:5683/.well-known/core?rt=temperature
RES 2.05 Content RES 2.05 Content
</temp>;rt=temperature;ct=0 </temp>;rt=temperature;ct=0
Figure 30: Example of direct resource discovery Figure 29: Example of direct resource discovery
where the response is sent by the server, "[2001:db8:f0::1]:5683". where the response is sent by the server, "[2001:db8:f0::1]:5683".
While the client - on the practical or implementation side - can just While the client - on the practical or implementation side - can just
go ahead and create a new request to "[2001:db8:f0::1]:5683" with go ahead and create a new request to "[2001:db8:f0::1]:5683" with
Uri-Path: "temp", the full resolution steps for insertion into and Uri-Path: "temp", the full resolution steps for insertion into and
retrieval from the RD without any shortcuts are: retrieval from the RD without any shortcuts are:
B.1.1. Resolving the URIs B.1.1. Resolving the URIs
skipping to change at page 78, line 40 skipping to change at page 80, line 14
GET coap://[ff02::fd]:5683/.well-known/core GET coap://[ff02::fd]:5683/.well-known/core
RES 2.05 Content RES 2.05 Content
</temp>;rt=temperature;ct=0, </temp>;rt=temperature;ct=0,
</light>;rt=light-lux;ct=0, </light>;rt=light-lux;ct=0,
</t>;anchor="/sensors/temp";rel=alternate, </t>;anchor="/sensors/temp";rel=alternate,
<http://www.example.com/sensors/t123>;anchor="/temp"; <http://www.example.com/sensors/t123>;anchor="/temp";
rel="describedby" rel="describedby"
Figure 31: Extended example of direct resource discovery Figure 30: Extended example of direct resource discovery
Parsing the third record, the client encounters the "anchor" Parsing the third record, the client encounters the "anchor"
parameter. It is a URI relative to the Base URI of the request and parameter. It is a URI relative to the Base URI of the request and
is thus resolved to ""coap://[2001:db8:f0::1]/sensors/temp"". That is thus resolved to ""coap://[2001:db8:f0::1]/sensors/temp"". That
is the context resource of the link, so the "rel" statement is not is the context resource of the link, so the "rel" statement is not
about the target and the Base URI any more, but about the target and about the target and the Base URI any more, but about the target and
the resolved URI. Thus, the third record could be read as the resolved URI. Thus, the third record could be read as
""coap://[2001:db8:f0::1]/sensors/temp" has an alternate ""coap://[2001:db8:f0::1]/sensors/temp" has an alternate
representation at "coap://[2001:db8:f0::1]/t"". representation at "coap://[2001:db8:f0::1]/t"".
skipping to change at page 79, line 19 skipping to change at page 80, line 39
B.3. Enter the Resource Directory B.3. Enter the Resource Directory
The RD tries to carry the semantics obtainable by classical CoAP The RD tries to carry the semantics obtainable by classical CoAP
discovery over to the resource lookup interface as faithfully as discovery over to the resource lookup interface as faithfully as
possible. possible.
For the following queries, we will assume that the simple host has For the following queries, we will assume that the simple host has
used Simple Registration to register at the RD that was announced to used Simple Registration to register at the RD that was announced to
it, sending this request from its UDP port "[2001:db8:f0::1]:6553": it, sending this request from its UDP port "[2001:db8:f0::1]:6553":
POST coap://[2001:db8:f01::ff]/.well-known/core?ep=simple-host1 POST coap://[2001:db8:f01::ff]/.well-known/rd?ep=simple-host1
Figure 32: Example request starting a simple registration Figure 31: Example request starting a simple registration
The RD would have accepted the registration, and queried the simple The RD would have accepted the registration, and queried the simple
host's ".well-known/core" by itself. As a result, the host is host's "/.well-known/core" by itself. As a result, the host is
registered as an endpoint in the RD with the name "simple-host1". registered as an endpoint in the RD with the name "simple-host1".
The registration is active for 90000 seconds, and the endpoint The registration is active for 90000 seconds, and the endpoint
registration Base URI is ""coap://[2001:db8:f0::1]"" following the registration Base URI is ""coap://[2001:db8:f0::1]"" following the
resolution steps described in Appendix B.1.1. It should be remarked resolution steps described in Appendix B.1.1. It should be remarked
that the Base URI constructed that way always yields a URI of the that the Base URI constructed that way always yields a URI of the
form: scheme://authority without path suffix. form: scheme://authority without path suffix.
If the client now queries the RD as it would previously have issued a If the client now queries the RD as it would previously have issued a
multicast request, it would go through the RD discovery steps by multicast request, it would go through the RD discovery steps by
fetching "coap://[2001:db8:f0::ff]/.well-known/core?rt=core.rd- fetching "coap://[2001:db8:f0::ff]/.well-known/core?rt=core.rd-
lookup-res", obtain "coap://[2001:db8:f0::ff]/rd-lookup/res" as the lookup-res", obtain "coap://[2001:db8:f0::ff]/rd-lookup/res" as the
resource lookup endpoint, and issue a request to resource lookup endpoint, and issue a request to
"coap://[2001:db8:f0::ff]/rd-lookup/res?rt=temperature" to receive "coap://[2001:db8:f0::ff]/rd-lookup/res?rt=temperature" to receive
the following data: the following data:
<coap://[2001:db8:f0::1]/temp>;rt=temperature;ct=0; <coap://[2001:db8:f0::1]/temp>;rt=temperature;ct=0;
anchor="coap://[2001:db8:f0::1]" anchor="coap://[2001:db8:f0::1]"
Figure 33: Example payload of a response to a resource lookup Figure 32: Example payload of a response to a resource lookup
This is not _literally_ the same response that it would have received This is not _literally_ the same response that it would have received
from a multicast request, but it contains the equivalent statement: from a multicast request, but it contains the equivalent statement:
'"coap://[2001:db8:f0::1]" is hosting the resource '"coap://[2001:db8:f0::1]" is hosting the resource
"coap://[2001:db8:f0::1]/temp", which is of the resource type "coap://[2001:db8:f0::1]/temp", which is of the resource type
"temperature" and can be accessed using the text/plain content "temperature" and can be accessed using the text/plain content
format.' format.'
(The difference is whether "/" or "/.well-known/core" hosts the (The difference is whether "/" or "/.well-known/core" hosts the
resources, which does not matter in this application; if it did, the resources, which does not matter in this application; if it did, the
endpoint would have been more explicit. Actually, /.well-known/core endpoint would have been more explicit. Actually, /.well-known/core
does NOT host the resource but stores a URI reference to the does NOT host the resource but stores a URI reference to the
resource.) resource.)
To complete the examples, the client could also query all resources To complete the examples, the client could also query all resources
hosted at the endpoint with the known endpoint name "simple-host1". hosted at the endpoint with the known endpoint name "simple-host1".
A request to "coap://[2001:db8:f0::ff]/rd-lookup/res?ep=simple-host1" A request to "coap://[2001:db8:f0::ff]/rd-lookup/res?ep=simple-host1"
would return would return
skipping to change at page 80, line 24 skipping to change at page 81, line 46
<coap://[2001:db8:f0::1]/temp>;rt=temperature;ct=0; <coap://[2001:db8:f0::1]/temp>;rt=temperature;ct=0;
anchor="coap://[2001:db8:f0::1]", anchor="coap://[2001:db8:f0::1]",
<coap://[2001:db8:f0::1]/light>;rt=light-lux;ct=0; <coap://[2001:db8:f0::1]/light>;rt=light-lux;ct=0;
anchor="coap://[2001:db8:f0::1]", anchor="coap://[2001:db8:f0::1]",
<coap://[2001:db8:f0::1]/t>; <coap://[2001:db8:f0::1]/t>;
anchor="coap://[2001:db8:f0::1]/sensors/temp";rel=alternate, anchor="coap://[2001:db8:f0::1]/sensors/temp";rel=alternate,
<http://www.example.com/sensors/t123>; <http://www.example.com/sensors/t123>;
anchor="coap://[2001:db8:f0::1]/sensors/temp";rel="describedby" anchor="coap://[2001:db8:f0::1]/sensors/temp";rel="describedby"
Figure 34: Extended example payload of a response to a resource Figure 33: Extended example payload of a response to a resource
lookup lookup
All the target and anchor references are already in absolute form All the target and anchor references are already in absolute form
there, which don't need to be resolved any further. there, which don't need to be resolved any further.
Had the simple host done an equivalent full registration with a base= Had the simple host done an equivalent full registration with a base=
parameter (e.g. "?ep=simple-host1&base=coap+tcp://simple- parameter (e.g. "?ep=simple-host1&base=coap+tcp://simple-
host1.example.com"), that context would have been used to resolve the host1.example.com"), that context would have been used to resolve the
relative anchor values instead, giving relative anchor values instead, giving
<coap+tcp://simple-host1.example.com/temp>;rt=temperature;ct=0; <coap+tcp://simple-host1.example.com/temp>;rt=temperature;ct=0;
anchor="coap+tcp://simple-host1.example.com" anchor="coap+tcp://simple-host1.example.com"
Figure 35: Example payload of a response to a resource lookup Figure 34: Example payload of a response to a resource lookup
with a dedicated base URI with a dedicated base URI
and analogous records. and analogous records.
B.4. A note on differences between link-format and Link header fields B.4. A note on differences between link-format and Link header fields
While link-format and Link header fields look very similar and are While link-format and Link header fields look very similar and are
based on the same model of typed links, there are some differences based on the same model of typed links, there are some differences
between [RFC6690] and [RFC8288], which are dealt with differently: between [RFC6690] and [RFC8288], which are dealt with differently:
skipping to change at page 82, line 26 skipping to change at page 83, line 47
* if the anchor reference starts with a scheme, the target reference * if the anchor reference starts with a scheme, the target reference
starts with a scheme as well (i.e. relative references in target starts with a scheme as well (i.e. relative references in target
cannot be used when the anchor is a full URI), and cannot be used when the anchor is a full URI), and
* the application does not care whether links without an explicitly * the application does not care whether links without an explicitly
given anchor have the origin's "/" or "/.well-known/core" resource given anchor have the origin's "/" or "/.well-known/core" resource
as their link context. as their link context.
Authors' Addresses Authors' Addresses
Christian Amsüss (editor)
Hollandstr. 12/4
1020
Austria
Phone: +43-664-9790639
Email: christian@amsuess.com
Zach Shelby Zach Shelby
ARM ARM
150 Rose Orchard 150 Rose Orchard
San Jose, 95134 San Jose, 95134
United States of America United States of America
Phone: +1-408-203-9434 Phone: +1-408-203-9434
Email: zach.shelby@arm.com Email: zach.shelby@arm.com
Michael Koster Michael Koster
skipping to change at page 83, line 12 skipping to change at line 3838
Phone: +49-421-218-63921 Phone: +49-421-218-63921
Email: cabo@tzi.org Email: cabo@tzi.org
Peter van der Stok Peter van der Stok
consultant consultant
Phone: +31-492474673 (Netherlands), +33-966015248 (France) Phone: +31-492474673 (Netherlands), +33-966015248 (France)
Email: consultancy@vanderstok.org Email: consultancy@vanderstok.org
URI: www.vanderstok.org URI: www.vanderstok.org
Christian Amsüss (editor)
Hollandstr. 12/4
1020
Austria
Phone: +43-664-9790639
Email: christian@amsuess.com
 End of changes. 223 change blocks. 
582 lines changed or deleted 687 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/