
Network Working Group                                        J. Mattsson
Internet-Draft                                              F. Palombini
Intended status: Informational                               Ericsson AB
Expires: July 6, 2019                                    January 2, 2019


                 Comparison of CoAP Security Protocols
            draft-ietf-lwig-security-protocol-comparison-02

Abstract

   This document analyzes and compares per-packet message size overheads
   when using different security protocols to secure CoAP.  The analyzed
   security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, and
   OSCORE.  DTLS and TLS are analyzed with and without 6LoWPAN-GHC
   compression.  DTLS is analyzed with and without Connection ID.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 6, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Mattsson & Palombini      Expires July 6, 2019                  [Page 1]


Internet-Draft           CoAP Security Overhead             January 2019


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Overhead of Security Protocols  . . . . . . . . . . . . . . .   2
     2.1.  DTLS 1.2  . . . . . . . . . . . . . . . . . . . . . . . .   3
       2.1.1.  DTLS 1.2  . . . . . . . . . . . . . . . . . . . . . .   3
       2.1.2.  DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . .   3
       2.1.3.  DTLS 1.2 with Connection ID . . . . . . . . . . . . .   4
       2.1.4.  DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . .   5
     2.2.  DTLS 1.3  . . . . . . . . . . . . . . . . . . . . . . . .   5
       2.2.1.  DTLS 1.3  . . . . . . . . . . . . . . . . . . . . . .   5
       2.2.2.  DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . .   6
       2.2.3.  DTLS 1.3 with Connection ID . . . . . . . . . . . . .   6
       2.2.4.  DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . .   7
     2.3.  TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . .   7
       2.3.1.  TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . .   7
       2.3.2.  TLS 1.2 with 6LoWPAN-GHC  . . . . . . . . . . . . . .   8
     2.4.  TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . .   8
       2.4.1.  TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . .   8
       2.4.2.  TLS 1.3 with 6LoWPAN-GHC  . . . . . . . . . . . . . .   9
     2.5.  OSCORE  . . . . . . . . . . . . . . . . . . . . . . . . .   9
   3.  Overhead with Different Parameters  . . . . . . . . . . . . .  11
   4.  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . .  13
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
   7.  Informative References  . . . . . . . . . . . . . . . . . . .  13
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  15
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15

1.  Introduction

   This document analyzes and compares per-packet message size overheads
   when using different security protocols to secure CoAP over UDP
   [RFC7252] and TCP [RFC8323].  The analyzed security protocols are
   DTLS 1.2 [RFC6347], DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2
   [RFC5246], TLS 1.3 [I-D.ietf-tls-tls13], and OSCORE
   [I-D.ietf-core-object-security].  The DTLS and TLS record layers are
   analyzed with and without compression.  DTLS is analyzed with and
   without Connection ID [I-D.ietf-tls-dtls-connection-id].  Readers are
   expected to be familiar with some of the terms described in RFC 7925
   [RFC7925], such as ICV.

2.  Overhead of Security Protocols

   To enable comparison, all the overhead calculations in this section
   use AES-CCM with a tag length of 8 bytes (e.g.  AES_128_CCM_8 or AES-
   CCM-16-64), a plaintext of 6 bytes, and the sequence number '05'.
   This follows the example in [RFC7400], Figure 16.

   Note that the compressed overhead calculations for DTLS 1.2, DTLS
   1.3, TLS 1.2 and TLS 1.3 are dependent on the parameters epoch,
   sequence number, and length, and all the overhead calculations are
   dependent on the parameter Connection ID when used.  Note that the
   OSCORE overhead calculations are dependent on the CoAP option
   numbers, as well as the length of the OSCORE parameters Sender ID and
   Sequence Number.  The following are only examples.

2.1.  DTLS 1.2

2.1.1.  DTLS 1.2

   This section analyzes the overhead of DTLS 1.2 [RFC6347].  The nonce
   follows the strict profiling given in [RFC7925].  This example is
   taken directly from [RFC7400], Figure 16.

   DTLS 1.2 record layer (35 bytes, 29 bytes overhead):
   17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00
   00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
   cb 35 b9

   Content type:
   17
   Version:
   fe fd
   Epoch:
   00 01
   Sequence number:
   00 00 00 00 00 05
   Length:
   00 16
   Nonce:
   00 01 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.2 gives 29 bytes overhead.

2.1.2.  DTLS 1.2 with 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.2 [RFC6347] when
   compressed with 6LoWPAN-GHC [RFC7400].  The compression was done with
   [OlegHahm-ghc].

   Note that the sequence number '01' used in [RFC7400], Figure 15 gives
   an exceptionally small overhead that is not representative.

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed DTLS 1.2 record layer (22 bytes, 16 bytes overhead):
   b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff
   8a 24 e4 cb 35 b9

   Compressed DTLS 1.2 record layer header and nonce:
   b0 c3 03 05 00 16 f2 0e
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
   (epoch, sequence number, length) gives 16 bytes overhead.

2.1.3.  DTLS 1.2 with Connection ID

   This section analyzes the overhead of DTLS 1.2 [RFC6347] with
   Connection ID [I-D.ietf-tls-dtls-connection-id].  The overhead
   calculations in this section use Connection ID = '42'.  A DTLS record
   layer with Connection ID = '' (the empty string) is equal to DTLS
   without Connection ID.

   DTLS 1.2 record layer (36 bytes, 30 bytes overhead):
   17 fe fd 00 01 00 00 00 00 00 05 42 00 16 00 01
   00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24
   e4 cb 35 b9

   Content type:
   17
   Version:
   fe fd
   Epoch:
   00 01
   Sequence number:
   00 00 00 00 00 05
   Connection ID:
   42
   Length:
   00 16
   Nonce:
   00 01 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.2 with Connection ID gives 30 bytes overhead.

2.1.4.  DTLS 1.2 with Connection ID and 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.2 [RFC6347] with
   Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with
   6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that the sequence number '01' used in [RFC7400], Figure 15 gives
   an exceptionally small overhead that is not representative.

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed DTLS 1.2 record layer (23 bytes, 17 bytes overhead):
   b0 c3 04 05 42 00 16 f2 0e ae a0 15 56 67 92 4d
   ff 8a 24 e4 cb 35 b9

   Compressed DTLS 1.2 record layer header and nonce:
   b0 c3 04 05 42 00 16 f2 0e
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
   (epoch, sequence number, Connection ID, length) gives 17 bytes
   overhead.

2.2.  DTLS 1.3

2.2.1.  DTLS 1.3

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13].
   The changes compared to DTLS 1.2 are: omission of the version number,
   merging of the epoch into the first byte containing signalling bits,
   optional omission of the length, and reduction of the sequence number
   to a 1- or 2-byte field.

   In this example, the length field is omitted, and the 1-byte field is
   used for the sequence number.  The minimal DTLSCiphertext structure
   is used (see Figure 4 of [I-D.ietf-tls-dtls13]).

   DTLS 1.3 record layer (17 bytes, 11 bytes overhead):
   21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9

   First byte (including epoch):
   21
   Sequence number:
   05
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.3 gives 11 bytes overhead.

2.2.2.  DTLS 1.3 with 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed DTLS 1.3 record layer (18 bytes, 12 bytes overhead):
   11 21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb
   35 b9

   Compressed DTLS 1.3 record layer header and nonce:
   11 21 05
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
   (epoch, sequence number, no length) gives 12 bytes overhead.

2.2.3.  DTLS 1.3 with Connection ID

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   with Connection ID [I-D.ietf-tls-dtls-connection-id].

   In this example, the length field is omitted, and the 1-byte field is
   used for the sequence number.  The minimal DTLSCiphertext structure
   is used (see Figure 4 of [I-D.ietf-tls-dtls13]), with the addition of
   the Connection ID field.

   DTLS 1.3 record layer (18 bytes, 12 bytes overhead):
   31 42 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9

   First byte (including epoch):
   31
   Connection ID:
   42
   Sequence number:
   05
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.3 with Connection ID gives 12 bytes overhead.

2.2.4.  DTLS 1.3 with Connection ID and 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed
   with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed DTLS 1.3 record layer (19 bytes, 13 bytes overhead):
   12 31 05 42 ae a0 15 56 67 92 ec 4d ff 8a 24 e4
   cb 35 b9

   Compressed DTLS 1.3 record layer header and nonce:
   12 31 05 42
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
   (epoch, sequence number, Connection ID, no length) gives 13 bytes
   overhead.

2.3.  TLS 1.2

2.3.1.  TLS 1.2

   This section analyzes the overhead of TLS 1.2 [RFC5246].  The changes
   compared to DTLS 1.2 are that the TLS 1.2 record layer does not have
   epoch and sequence number, and that the version is different.

   TLS 1.2 record layer (27 bytes, 21 bytes overhead):
   17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15
   56 67 92 4d ff 8a 24 e4 cb 35 b9

   Content type:
   17
   Version:
   03 03
   Length:
   00 16
   Nonce:
   00 00 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   TLS 1.2 gives 21 bytes overhead.

2.3.2.  TLS 1.2 with 6LoWPAN-GHC

   This section analyzes the overhead of TLS 1.2 [RFC5246] when
   compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when TLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed TLS 1.2 record layer (23 bytes, 17 bytes overhead):
   05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d
   ff 8a 24 e4 cb 35 b9

   Compressed TLS 1.2 record layer header and nonce:
   05 17 03 03 00 16 85 0f 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters
   (epoch, sequence number, length) gives 17 bytes overhead.

2.4.  TLS 1.3

2.4.1.  TLS 1.3

   This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13].
   The change compared to TLS 1.2 is that the TLS 1.3 record layer uses
   a different version.

   TLS 1.3 record layer (20 bytes, 14 bytes overhead):
   17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a 24
   e4 cb 35 b9

   Content type:
   17
   Legacy version:
   03 03
   Length:
   00 0f
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   TLS 1.3 gives 14 bytes overhead.

2.4.2.  TLS 1.3 with 6LoWPAN-GHC

   This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13]
   when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when TLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed TLS 1.3 record layer (21 bytes, 15 bytes overhead):
   14 17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a
   24 e4 cb 35 b9

   Compressed TLS 1.3 record layer header and nonce:
   14 17 03 03 00 0f
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters
   (epoch, sequence number, length) gives 15 bytes overhead.

2.5.  OSCORE

   This section analyzes the overhead of OSCORE
   [I-D.ietf-core-object-security].

   The calculation below uses Option Delta = '9', Sender ID = '' (empty
   string), and Sequence Number = '05', and is only an example.  Note
   that Sender ID = '' (empty string) can only be used by one client per
   server.

   OSCORE request (19 bytes, 13 bytes overhead):
   92 09 05
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP option delta and length:
   92
   Option value (flag byte and sequence number):
   09 05
   Payload marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   The calculation below uses Option Delta = '9', Sender ID = '42', and
   Sequence Number = '05', and is only an example.

   OSCORE request (20 bytes, 14 bytes overhead):
   93 09 05 42
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP option delta and length:
   93
   Option Value (flag byte, sequence number, and Sender ID):
   09 05 42
   Payload marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   The calculation below uses Option Delta = '9'.

   OSCORE response (17 bytes, 11 bytes overhead):
   90
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP option delta and length:
   90
   Option value:
   -
   Payload marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   OSCORE with the above parameters gives 13-14 bytes overhead for
   requests and 11 bytes overhead for responses.

   Unlike DTLS and TLS, OSCORE has much smaller overhead for responses
   than requests.

3.  Overhead with Different Parameters

   The DTLS overhead is dependent on the parameter Connection ID.  The
   following overheads apply for all Connection IDs with the same
   length.

   The compression overhead (GHC) is dependent on the parameters epoch,
   sequence number, Connection ID, and length (where applicable).  The
   following overheads should be representative for sequence numbers and
   Connection IDs with the same length.

   The OSCORE overhead is dependent on the included CoAP Option numbers
   as well as the length of the OSCORE parameters Sender ID and sequence
   number.  The following overheads apply for all sequence numbers and
   Sender IDs with the same length.

       Sequence Number                '05'       '1005'     '100005'
       -------------------------------------------------------------
       DTLS 1.2                        29          29          29
       DTLS 1.3                        11          12          12
       -------------------------------------------------------------
       DTLS 1.2 (GHC)                  16          16          16
       DTLS 1.3 (GHC)                  12          13          13
       -------------------------------------------------------------
       TLS  1.2                        21          21          21
       TLS  1.3                        14          14          14
       -------------------------------------------------------------
       TLS  1.2 (GHC)                  17          18          19
       TLS  1.3 (GHC)                  15          16          17
       -------------------------------------------------------------
       OSCORE request                  13          14          15
       OSCORE response                 11          11          11

       Figure 1: Overhead in bytes as a function of sequence number
                        (Connection/Sender ID = '')


       Connection/Sender ID            ''         '42'       '4002'
       -------------------------------------------------------------
       DTLS 1.2                        29          30          31
       DTLS 1.3                        11          12          13
       -------------------------------------------------------------
       DTLS 1.2 (GHC)                  16          17          18
       DTLS 1.3 (GHC)                  12          13          14
       -------------------------------------------------------------
       OSCORE request                  13          14          15
       OSCORE response                 11          11          11

     Figure 2: Overhead in bytes as a function of Connection/Sender ID
                            (Sequence Number = '05')

       Protocol                     Overhead      Overhead (GHC)
       -------------------------------------------------------------
       DTLS 1.2                        21               8
       DTLS 1.3                         3               4
       -------------------------------------------------------------
       TLS  1.2                        13               9
       TLS  1.3                         6               7
       -------------------------------------------------------------
       OSCORE request                   5
       OSCORE response                  3

                Figure 3: Overhead (excluding ICV) in bytes
            (Connection/Sender ID = '', Sequence Number = '05')
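
   As an added worked example (not part of the draft), the following
   Python reconstructs the record layers and OSCORE option of Section 2
   byte for byte from the draft's parameters and reproduces the
   uncompressed rows of Figures 1 to 3.  6LoWPAN-GHC compression is not
   modelled, and the ciphertext and ICV bytes are copied from the
   draft's dumps rather than recomputed; sequence numbers are the
   draft's hex values ('05', '1005', '100005').

```python
PLAINTEXT_LEN = 6   # bytes of application data in every example
ICV_LEN = 8         # AES-CCM tag length (AES_128_CCM_8 / AES-CCM-16-64)
# Copied from the draft's dumps (constructed values, not a real AEAD output)
CIPHERTEXT = bytes.fromhex("ae a0 15 56 67 92")
ICV = bytes.fromhex("4d ff 8a 24 e4 cb 35 b9")
ENC_TYPE = bytes.fromhex("ec")  # encrypted content type (TLS 1.3) / CoAP code (OSCORE)


def dtls12_record(seq, epoch=1, cid=b""):
    """DTLS 1.2 record with the explicit 8-byte nonce (epoch || seq) profiled
    by RFC 7925.  A Connection ID sits between sequence number and length;
    an empty CID gives the plain DTLS 1.2 record."""
    epoch_seq = epoch.to_bytes(2, "big") + seq.to_bytes(6, "big")
    body = epoch_seq + CIPHERTEXT + ICV          # nonce || ciphertext || ICV
    return b"\x17\xfe\xfd" + epoch_seq + cid + len(body).to_bytes(2, "big") + body


def dtls13_record(seq, epoch=1, cid=b""):
    """DTLS 1.3 DTLSCiphertext with the minimal unified header (001CSLEE):
    no length field, an 8-bit sequence number when it fits, otherwise the
    low 16 bits with the S bit set."""
    seq_bytes = seq.to_bytes(1, "big") if seq < 0x100 else (seq & 0xFFFF).to_bytes(2, "big")
    first = 0x20 | (epoch & 0x03)                # fixed 001 bits, EE = epoch
    if cid:
        first |= 0x10                            # C: Connection ID present
    if len(seq_bytes) == 2:
        first |= 0x08                            # S: 16-bit sequence number
    return bytes([first]) + cid + seq_bytes + CIPHERTEXT + ENC_TYPE + ICV


def tls12_record(seq):
    """TLS 1.2 record: no epoch/sequence number in the header, but the
    AEAD explicit nonce (here the 64-bit sequence number) is still sent."""
    body = seq.to_bytes(8, "big") + CIPHERTEXT + ICV
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body


def tls13_record():
    """TLS 1.3 record: legacy version 0303, no explicit nonce, content type
    encrypted inside the payload."""
    body = CIPHERTEXT + ENC_TYPE + ICV
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body


def coap_option(delta, value):
    """CoAP option header (RFC 7252 Section 3.1) for delta and length < 269."""
    def nibble(n):
        return (n, b"") if n < 13 else (13, bytes([n - 13]))
    d, d_ext = nibble(delta)
    ln, l_ext = nibble(len(value))
    return bytes([(d << 4) | ln]) + d_ext + l_ext + value


def oscore_request(seq, sender_id=b"", option_delta=9):
    """OSCORE request: option value = flag byte || Partial IV || kid.  The
    kid flag (0x08) is set even for the empty Sender ID, giving flag 0x09."""
    piv = seq.to_bytes(max(1, (seq.bit_length() + 7) // 8), "big")
    flags = len(piv) | 0x08                      # n = PIV length, k = kid present
    option = coap_option(option_delta, bytes([flags]) + piv + sender_id)
    return option + b"\xff" + ENC_TYPE + CIPHERTEXT + ICV


def oscore_response(option_delta=9):
    """OSCORE response: the OSCORE option is empty, so only its one-byte
    header, the payload marker, the encrypted code and the ICV remain."""
    return coap_option(option_delta, b"") + b"\xff" + ENC_TYPE + CIPHERTEXT + ICV


def overhead(message, plaintext_len=PLAINTEXT_LEN):
    """Per-packet overhead as the draft counts it: wire bytes minus plaintext."""
    return len(message) - plaintext_len


def header_overhead(message):
    """Overhead excluding the ICV, as tabulated in Figure 3."""
    return overhead(message) - ICV_LEN


if __name__ == "__main__":
    for name, msg in [("DTLS 1.2", dtls12_record(0x05)),
                      ("DTLS 1.3", dtls13_record(0x05)),
                      ("TLS 1.2", tls12_record(0x05)),
                      ("TLS 1.3", tls13_record()),
                      ("OSCORE request", oscore_request(0x05)),
                      ("OSCORE response", oscore_response())]:
        print(f"{name:16s} {overhead(msg):2d} bytes overhead  {msg.hex(' ')}")
```

   Passing seq=0x1005 or cid=b"\x42" to the encoders gives the other
   columns of Figures 1 and 2.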



4.  Summary

   DTLS 1.2 has quite a large overhead as it uses an explicit sequence
   number and an explicit nonce.  TLS 1.2 has significantly less (but
   not small) overhead.  TLS 1.3 has quite a small overhead.  OSCORE and
   DTLS 1.3 (using the minimal structure) have very small overhead.

   In addition to DTLS 1.2, the Generic Header Compression (6LoWPAN-GHC)
   can handle TLS 1.2 and DTLS 1.2 with Connection ID.  6LoWPAN-GHC
   works very well for Connection ID, and the overhead seems to increase
   exactly with the length of the Connection ID (which is optimal).  The
   compression of TLS 1.2 is not as good as the compression of DTLS 1.2,
   as the static dictionary only contains the DTLS 1.2 version number.
   Similar compression levels as for DTLS could be achieved also for
   TLS 1.2, but this would require different static dictionaries.  For
   TLS 1.3 and DTLS 1.3, GHC increases the overhead.  The 6LoWPAN-GHC
   header compression is not available when (D)TLS is used over
   transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Only the minimal header format for DTLS 1.3 was considered, which
   reduces the header by 3 bytes compared to the full header, by
   omitting the 2-byte length field and sending 1 byte of sequence
   number instead of 2.  This may create problems reconstructing the
   full sequence number if ~2000 datagrams in sequence are lost.

   OSCORE has much lower overhead than DTLS 1.2 and TLS 1.2.  The
   overhead of OSCORE is smaller than DTLS 1.2 and TLS 1.2 over 6LoWPAN
   with compression, and this small overhead is achieved even on
   deployments without 6LoWPAN or 6LoWPAN without DTLS compression.
   OSCORE is lightweight because it makes use of CoAP, CBOR, and COSE,
   which were designed to have as low overhead as possible.

5.  Security Considerations

   This document is purely informational.

6.  IANA Considerations

   This document has no actions for IANA.

7.  Informative References

   [I-D.ietf-core-object-security]
              Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
              "Object Security for Constrained RESTful Environments
              (OSCORE)", draft-ietf-core-object-security-15 (work in
              progress), August 2018.

   [I-D.ietf-tls-dtls-connection-id]
              Rescorla, E., Tschofenig, H., Fossati, T., and T. Gondrom,
              "Connection Identifiers for DTLS 1.2", draft-ietf-tls-
              dtls-connection-id-02 (work in progress), October 2018.

   [I-D.ietf-tls-dtls13]
              Rescorla, E., Tschofenig, H., and N. Modadugu, "The
              Datagram Transport Layer Security (DTLS) Protocol Version
              1.3", draft-ietf-tls-dtls13-30 (work in progress),
              November 2018.

   [I-D.ietf-tls-tls13]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-28 (work in progress),
              March 2018.

   [OlegHahm-ghc]
              Hahm, O., "Generic Header Compression", July 2016,
              <https://github.com/OlegHahm/ghc>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <https://www.rfc-editor.org/info/rfc5246>.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012, <https://www.rfc-editor.org/info/rfc6347>.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014,
              <https://www.rfc-editor.org/info/rfc7252>.

   [RFC7400]  Bormann, C., "6LoWPAN-GHC: Generic Header Compression for
              IPv6 over Low-Power Wireless Personal Area Networks
              (6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November
               2014, <https://www.rfc-editor.org/info/rfc7400>.

   [RFC7925]  Tschofenig, H., Ed. and T. Fossati, "Transport Layer
              Security (TLS) / Datagram Transport Layer Security (DTLS)
              Profiles for the Internet of Things", RFC 7925,
              DOI 10.17487/RFC7925, July 2016,
              <https://www.rfc-editor.org/info/rfc7925>.

   [RFC8323]  Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
              Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
              Application Protocol) over TCP, TLS, and WebSockets",
              RFC 8323, DOI 10.17487/RFC8323, February 2018,
              <https://www.rfc-editor.org/info/rfc8323>.

Acknowledgments

   The authors want to thank Ari Keraenen, Carsten Bormann, Goeran
   Selander, and Hannes Tschofenig for comments and suggestions on
   previous versions of the draft.

   All 6LoWPAN-GHC compression was done with [OlegHahm-ghc].

Authors' Addresses

   John Mattsson
   Ericsson AB

   Email: john.mattsson@ericsson.com


   Francesca Palombini
   Ericsson AB

   Email: francesca.palombini@ericsson.com