[Docs] [txt|pdf|xml] [Tracker] [Email] [Nits]
Versions: 00
Internet Engineering Task Force T. Fossati
Internet-Draft Nokia
Intended status: Informational H. Tschofenig
Expires: January 9, 2017 ARM
N. Mavrogiannopoulos
Red Hat
July 8, 2016
TLS/DTLS Optimizations for Internet of Things Deployments
draft-fossati-tls-iot-optimizations-00
Abstract
Internet protocols work well in a variety of environments, including
Internet of Things (IoT) deployments. While there are some
optimization possibilities to reduce code size, bandwidth
utilization, and to improve battery lifetime, in general most
Internet protocols are also applicable to constrained environments.
TLS and DTLS are two such security protocols that can be used by many
IoT devices since DTLS/TLS provide lot of flexiblity in terms
credential choice, ciphersuite usage, etc. The DICE working group
has developed a specification that profiles the use of TLS and DTLS
for IoT environments, without changing the TLS/DTLS specifications.
This memo goes a step further and proposes changes to the DTLS/TLS
protocol to introduce further optimizations. Since the ongoing work
on TLS/DTLS 1.3 already offers several improvements (compared to
previous versions) this document focuses on the use of version 1.3
and suggests further optimizations.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 9, 2017.
Fossati, et al. Expires January 9, 2017 [Page 1]
Internet-Draft DTLS/TLS Optimizations for IoT July 2016
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Selective Fragment Retransmission . . . . . . . . . . . . . . 3
3.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 3
3.2. Proposal . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Transport Agnostic Security Associations . . . . . . . . . . 4
4.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 4
4.2. Proposal . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Reducing the DTLS Record Layer Header Overhead . . . . . . . 6
5.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 6
5.2. Proposal . . . . . . . . . . . . . . . . . . . . . . . . 6
6. Reducing Buffers . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 6
6.2. Proposal . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
9.1. Normative References . . . . . . . . . . . . . . . . . . 7
9.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
Internet protocols work well in a variety of environments, including
Internet of Things (IoT) deployments. While there are some
optimization possibilities to reduce code size, bandwidth
utilization, and to improve battery lifetime, in general most
Internet protocols are also applicable to constrained environments.
TLS and DTLS are two such security protocols that can be used by many
IoT devices since DTLS/TLS provide lot of flexiblity in terms
credential choice, ciphersuite usage, etc. The DICE working group
Fossati, et al. Expires January 9, 2017 [Page 2]
Internet-Draft DTLS/TLS Optimizations for IoT July 2016
has developed a specification that profiles the use of TLS and DTLS
for IoT environments, without changing the TLS/DTLS specifications.
This memo goes a step further and proposes changes to the DTLS/TLS
protocol to introduce further optimizations. Since the ongoing work
on TLS/DTLS 1.3 [I-D.ietf-tls-tls13] already offers several
improvements (compared to previous versions) this document focuses on
the use of version 1.3 and suggests further optimizations.
This document discusses four extensions, namely:
Selective Fragment Retransmission: This extension improves
retransmissions of lost handshake packets.
Transport Agnostic Security Associations: Changes to a connection
(such as an IP address change) requires a new handshake. This
extension introduces a transport independent identifier.
Reducing the DTLS Record Layer Header Overhead: This extension
changes the record layer format to reduce the overhead.
Reducing Buffers: This extension allows a DTLS/TLS server running on
a constrained node to indicate its buffer size.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Selective Fragment Retransmission
3.1. Problem Statement
The unit of retransmission used by the DTLS handshake is a whole
flight (see Section 4.2.4 of [RFC6347]. If the underlying media is
inherently lossy, or shows high latency variance that might fire
spurious retransmission, a single fragment that gets lost or is
excessively delayed will force the whole flight to be retransmitted.
This is further exacerbated when the effective MTU is very low and
therefore handshake messages have higher probability to be
fragmented. For example, IEEE 802.15.4 networks have a 128-byte MTU
size. In such an environment a very "ordinary"
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA negotiation can take up to 30
individual fragments, 2/3 of which are sent in flight 4. The loss of
a single fragment in flight 4 implies a retransmission that is 20x
the magnitude of the original loss.
Fossati, et al. Expires January 9, 2017 [Page 3]
Internet-Draft DTLS/TLS Optimizations for IoT July 2016
The retransmission timer settings suggested in Section 11 of
[I-D.ietf-dice-profile] offer mitigation for the spurious retransmit
issue and, in general, help with congestion. However, they do not
solve the retransmission of the entire flight.
3.2. Proposal
A potential solution is to add a NACK-based retransmission scheme to
the DTLS handshake and the granularity of retransmission would be a
message fragment. We note that each fragment in a DTLS handshake is
effectively associated to a unique identifier defined by the tuple
Handshake.{message_seq,fragment_offset,fragment_length} that can be
used in the NACK report to identify the exact geometry of the missing
data in the current flight, together with the right-most received
byte.
4. Transport Agnostic Security Associations
4.1. Problem Statement
In DTLS, the security context demultiplexing is done via the 5-tuple.
This implies that the associated DTLS context needs to be re-
negotiated from scratch whenever the IP address changes. For
example, when moving the network attachment from WLAN to a cellular
connection, or when the IP address of the IoT devices changes during
a sleep cyle. A NAT device may also modify the source UDP port after
an idle period. In such situations, there is not enough information
in the DTLS record header for a DTLS server, which handles multiple
clients, to associate the changed address to an existing client.
4.2. Proposal
A potential solution is to add the ability to negotiate, at handshake
time, a transport independent identifier that is unique per security
association. We call this identifier the 'Connection ID (CID)' in
Figure 1. It decouples the DTLS session from the underlying
transport protocol allowing the same DTLS security association to be
migrated across different transport sessions.
Fossati, et al. Expires January 9, 2017 [Page 4]
Internet-Draft DTLS/TLS Optimizations for IoT July 2016
00
/\
:
IP UDP : DTLS Record Header
+-----+-----+-------+ +-----+-----+ : +---------+-------+------
| src | dst | proto | | src | dst | : | Seq#i | CID | ...
+-----+-----+-------+ +-----+-----+ : +---------+-------+------
`----------------+----------------' : ^
`................ : .............'
<Handover event> :
GSM-SMS : DTLS Record Header
+-------+-------+ : +---------+-------+-----
| tp-oa | tp-da | : | Seq#i+1 | CID | ...
+-------+-------+ : +---------+-------+-----
:
\/
00
Figure 1: Transparent Handover of DTLS Session
That approach modifies the DTLS record layer header to the format
described in Figure 2.
struct {
ContentType type;
ProtocolVersion version;
uint16 epoch;
uint48 sequence_number;
uint32 connection_id; // New field
uint16 length;
opaque fragment[DTLSPlaintext.length];
} DTLSPlaintext;
Figure 2: Modified DTLS Record Format
A similar approach to support transparent handover of a DTLS session
has been described in [I-D.barrett-mobile-dtls] and [Seggelmann].
The privacy issue associated with the use of a long-term identifier
must be taken into consideration. For example, client and server
could use a hash chain [Lamport] derived from the shared secret and
pick the next unused id on handover.
Fossati, et al. Expires January 9, 2017 [Page 5]
Internet-Draft DTLS/TLS Optimizations for IoT July 2016
5. Reducing the DTLS Record Layer Header Overhead
5.1. Problem Statement
The DTLS record layer header adds 13 bytes of overhead, as described
in Appendix B of [I-D.ietf-dice-profile]. While some of the
information carried in the header is unavoidable, other parameters
are redundant and included for backwards compatibility reasons. This
burden becomes quite substantial in networks with small frame sizes
(e.g., low power wide area networks).
Overhead that is not strictly needed could be removed to allow
applications to transmit more data in a single packet or to make
space for other DTLS features, such as the proposal described in
Section 4.
5.2. Proposal
It is possible to at least remove the following parameters in the
header:
o Protocol Version (2 bytes)
o The sequence number component of the nonce_explicit field at the
AES-CCM layer is an exact copy of the sequence number in the
record layer header field. This leads to a duplication of 8-bytes
per record.
6. Reducing Buffers
6.1. Problem Statement
The Maximum Fragment Length extension [RFC6066] allows a client with
limited buffer space to specify a different (smaller) maximum size
for fragments that the server is allowed to send. The mechanism is
not symmetrical: a server cannot state their buffer size. The
assumption made in [RFC6066] is that the server is never going to be
a constrained device, and therefore does not need such a capability.
This may be true for many IoT deployments where the TLS client is
implemented in an IoT device that connects to a server on the
Internet that does not have memory limitations, such as a server in
the cloud. However, with the desire to also deploy CoAPS and HTTPS-
based servers in IoT devices, a constrained node may also need to run
a DTLS/TLS server. In such a scenario, allowing a constrained server
to advertise its Maximum Fragment Length helps to lower memory
requirements.
Fossati, et al. Expires January 9, 2017 [Page 6]
Internet-Draft DTLS/TLS Optimizations for IoT July 2016
6.2. Proposal
The semantics of the max_fragment_length extension could be modified
to allow the server as well as the client to express their buffer
sizes.
7. Acknowledgements
We would like to thank Stephen Farrell for suggesting the use of hash
chains to implement a privacy-friendly connection id.
8. Security Considerations
This document suggests various extensions to DTLS/TLS and each of
them comes with their own security and privacy considerations. Since
this version of the document only suggests strawman proposals further
discussions are needed to specify the details.
9. References
9.1. Normative References
[I-D.ietf-tls-tls13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", draft-ietf-tls-tls13-13 (work in progress),
May 2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
Extensions: Extension Definitions", RFC 6066,
DOI 10.17487/RFC6066, January 2011,
<http://www.rfc-editor.org/info/rfc6066>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <http://www.rfc-editor.org/info/rfc6347>.
9.2. Informative References
[I-D.barrett-mobile-dtls]
Williams, M. and J. Barrett, "Mobile DTLS", draft-barrett-
mobile-dtls-00 (work in progress), March 2009.
Fossati, et al. Expires January 9, 2017 [Page 7]
Internet-Draft DTLS/TLS Optimizations for IoT July 2016
[I-D.ietf-dice-profile]
Tschofenig, H. and T. Fossati, "TLS/DTLS Profiles for the
Internet of Things", draft-ietf-dice-profile-17 (work in
progress), October 2015.
[Lamport] Lamport, L., "Password Authentication with Insecure
Communication", Commun. ACM, 1981.
[Seggelmann]
Seggelmann, R., Tuexen, M., and E. Rathgeb, "DTLS
Mobility", ICDCN 12, 2012.
Authors' Addresses
Thomas Fossati
Nokia
Cambridge
UK
Email: thomas.fossati@nokia.com
Hannes Tschofenig
ARM
Cambridge
UK
Email: hannes.tschofenig@arm.com
Nikos Mavrogiannopoulos
Red Hat
Brno
Czech Republic
Email: nmav@redhat.com
Fossati, et al. Expires January 9, 2017 [Page 8]
Html markup produced by rfcmarkup 1.129d, available from
https://tools.ietf.org/tools/rfcmarkup/