draft-ietf-core-echo-request-tag-01.txt   draft-ietf-core-echo-request-tag-02.txt 
CoRE Working Group C. Amsuess CoRE Working Group C. Amsuess
Internet-Draft Internet-Draft
Updates: 7252, 7959 (if approved) J. Mattsson Updates: 7252 (if approved) J. Mattsson
Intended status: Standards Track G. Selander Intended status: Standards Track G. Selander
Expires: September 6, 2018 Ericsson AB Expires: December 31, 2018 Ericsson AB
March 05, 2018 June 29, 2018
Echo and Request-Tag Echo and Request-Tag
draft-ietf-core-echo-request-tag-01 draft-ietf-core-echo-request-tag-02
Abstract Abstract
This document specifies several security enhancements to the This document specifies several security enhancements to the
Constrained Application Protocol (CoAP). Two optional extensions are Constrained Application Protocol (CoAP). Two optional extensions are
defined: the Echo option and the Request-Tag option. Each of these defined: the Echo option and the Request-Tag option. Each of these
options provide additional features to CoAP and protects against options provide additional features to CoAP and protects against
certain attacks. The document also updates the processing certain attacks. The document also updates the processing
requirements on the Block options and the Token. The updated Token requirements on the Token of [RFC7252]. The updated Token processing
processing ensures secure binding of responses to requests. ensures secure binding of responses to requests.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 6, 2018. This Internet-Draft will expire on December 31, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 17 skipping to change at page 2, line 17
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3 1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3
1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 3 1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 3
1.3. Request-Response Binding . . . . . . . . . . . . . . . . 4 1.3. Request-Response Binding . . . . . . . . . . . . . . . . 4
1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 5 2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 6
2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 6 2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 6
2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 8 2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 9
3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 9 3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 10
3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 9 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 10
3.2. Request-Tag Processing . . . . . . . . . . . . . . . . . 10 3.2. Request-Tag processing by servers . . . . . . . . . . . . 11
3.3. Applications . . . . . . . . . . . . . . . . . . . . . . 11 3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 12
3.3.1. Body Integrity Based on Payload Integrity . . . . . . 11 3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 12
3.3.2. Multiple Concurrent Blockwise Operations . . . . . . 12 3.4.1. Body Integrity Based on Payload Integrity . . . . . . 12
3.4. Rationale for the option properties . . . . . . . . . . . 13 3.4.2. Multiple Concurrent Blockwise Operations . . . . . . 13
4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 14 3.4.3. Simplified block-wise Handling for constrained
5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 14 proxies . . . . . . . . . . . . . . . . . . . . . . . 14
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 3.5. Rationale for the option properties . . . . . . . . . . . 14
7. Security Considerations . . . . . . . . . . . . . . . . . . . 14 3.6. Rationale for introducing the option . . . . . . . . . . 15
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 15
8.1. Normative References . . . . . . . . . . . . . . . . . . 15 5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 15
8.2. Informative References . . . . . . . . . . . . . . . . . 16 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
Appendix A. Methods for Generating Echo Option Values . . . . . 17 7. Security Considerations . . . . . . . . . . . . . . . . . . . 16
Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 18 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 17
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 18 8.1. Normative References . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 8.2. Informative References . . . . . . . . . . . . . . . . . 17
Appendix A. Methods for Generating Echo Option Values . . . . . 18
Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 19
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21
1. Introduction 1. Introduction
The initial Constrained Application Protocol (CoAP) suite of The initial Constrained Application Protocol (CoAP) suite of
specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed
with the assumption that security could be provided on a separate with the assumption that security could be provided on a separate
layer, in particular by using DTLS ([RFC6347]). However, for some layer, in particular by using DTLS ([RFC6347]). However, for some
use cases, additional functionality or extra processing is needed to use cases, additional functionality or extra processing is needed to
support secure CoAP operations. This document specifies several support secure CoAP operations. This document specifies several
security enhancements to the Constrained Application Protocol (CoAP). security enhancements to the Constrained Application Protocol (CoAP).
skipping to change at page 3, line 17 skipping to change at page 3, line 21
network address. The Request-Tag option allows the CoAP server to network address. The Request-Tag option allows the CoAP server to
match message fragments belonging to the same request, fragmented match message fragments belonging to the same request, fragmented
using the CoAP Block-Wise Transfer mechanism, which mitigates attacks using the CoAP Block-Wise Transfer mechanism, which mitigates attacks
and enables concurrent blockwise operations. These options in and enables concurrent blockwise operations. These options in
themselves do not replace the need for a security protocol; they themselves do not replace the need for a security protocol; they
specify the format and processing of data which, when integrity specify the format and processing of data which, when integrity
protected using e.g. DTLS ([RFC6347]), TLS ([RFC5246]), or OSCORE protected using e.g. DTLS ([RFC6347]), TLS ([RFC5246]), or OSCORE
([I-D.ietf-core-object-security]), provide the additional security ([I-D.ietf-core-object-security]), provide the additional security
features. features.
The document also updates the processing requirements on the Block1 The document also updates the processing requirements on the Token.
option, the Block2 option, and the Token. The updated blockwise The updated processing ensures secure binding of responses to
processing secure blockwise operations with multiple representations requests.
of a particular resource. The updated Token processing ensures
secure binding of responses to requests.
1.1. Request Freshness 1.1. Request Freshness
A CoAP server receiving a request is in general not able to verify A CoAP server receiving a request is in general not able to verify
when the request was sent by the CoAP client. This remains true even when the request was sent by the CoAP client. This remains true even
if the request was protected with a security protocol, such as DTLS. if the request was protected with a security protocol, such as DTLS.
This makes CoAP requests vulnerable to certain delay attacks which This makes CoAP requests vulnerable to certain delay attacks which
are particularly incriminating in the case of actuators are particularly incriminating in the case of actuators
([I-D.mattsson-core-coap-actuators]). Some attacks are possible to ([I-D.mattsson-core-coap-actuators]). Some attacks are possible to
mitigate by establishing fresh session keys (e.g. performing the DTLS mitigate by establishing fresh session keys (e.g. performing the DTLS
skipping to change at page 5, line 13 skipping to change at page 5, line 16
tokens until the traffic keys have been replaced. As there may be tokens until the traffic keys have been replaced. As there may be
any number of responses to a request (see e.g. [RFC7641]), the any number of responses to a request (see e.g. [RFC7641]), the
easiest way to accomplish this is to implement the token as a counter easiest way to accomplish this is to implement the token as a counter
and never reuse any tokens at all. This document updates the Token and never reuse any tokens at all. This document updates the Token
processing in [RFC7252] to always assure a cryptographically secure processing in [RFC7252] to always assure a cryptographically secure
binding of responses to requests. binding of responses to requests.
1.4. Terminology 1.4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Unless otherwise specified, the terms "client" and "server" refers to Unless otherwise specified, the terms "client" and "server" refers to
"CoAP client" and "CoAP server", respectively, as defined in "CoAP client" and "CoAP server", respectively, as defined in
[RFC7252]. [RFC7252].
The terms "payload" and "body" of a message are used as in [RFC7959]. The terms "payload" and "body" of a message are used as in [RFC7959].
The complete interchange of a request and a response body is called a The complete interchange of a request and a response body is called a
(REST) "operation". An operation fragmented using [RFC7959] is (REST) "operation". An operation fragmented using [RFC7959] is
called a "blockwise operation". A blockwise operation which is called a "blockwise operation". A blockwise operation which is
fragmenting the request body is called a "blockwise request fragmenting the request body is called a "blockwise request
operation". A blockwise operation which is fragmenting the response operation". A blockwise operation which is fragmenting the response
body is called a "blockwise response operation". body is called a "blockwise response operation".
Two blockwise operations between the same endpoint pair on the same Two request messages are said to be "matchable" if they occur between
resource are said to be "concurrent" if a block of the second request the same endpoint pair, have the same code and the same set of
is exchanged even though the client still intends to exchange further options except for elective NoCacheKey options and options involved
blocks in the first operation. (Concurrent blockwise request in bock-wise transfer (Block1, Block2 and Request-Tag). Two
operations are impossible with the options of [RFC7959] because the operations are said to be matchable if any of their messages are.
second operation's block overwrites any state of the first
exchange.).
The Echo and Request-Tag options are defined in this document. The Two matchable blockwise operations are said to be "concurrent" if a
concept of two messages being "Request-Tag-matchable" is defined in block of the second request is exchanged even though the client still
Section 3.1. intends to exchange further blocks in the first operation.
(Concurrent blockwise request operations are impossible with the
options of [RFC7959] because the second operation's block overwrites
any state of the first exchange.).
The Echo and Request-Tag options are defined in this document.
2. The Echo Option 2. The Echo Option
The Echo option is a server-driven challenge-response mechanism for The Echo option is a server-driven challenge-response mechanism for
CoAP. The Echo option value is a challenge from the server to the CoAP. The Echo option value is a challenge from the server to the
client included in a CoAP response and echoed in one or more CoAP client included in a CoAP response and echoed in one or more CoAP
request. request.
2.1. Option Format 2.1. Option Format
The Echo Option is elective, safe-to-forward, not part of the cache- The Echo Option is elective, safe-to-forward, not part of the cache-
key, and not repeatable, see Figure 1. key, and not repeatable, see Figure 1, which extends Table 4 of
[RFC7252]).
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+
| No. | C | U | N | R | Name | Format | Length | Default | E | | No. | C | U | N | R | Name | Format | Length | Default | E |
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+
| TBD | | | x | | Echo | opaque | 4-40 | (none) | x | | TBD | | | x | | Echo | opaque | 4-40 | (none) | x |
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+
C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable,
E = Encrypt and Integrity Protect (when using OSCORE) E = Encrypt and Integrity Protect (when using OSCORE)
Figure 1: Echo Option Summary Figure 1: Echo Option Summary
[Note to RFC editor: If this document is not released together with [ Note to RFC editor: If this document is released before core-
OSCORE but before it, the following paragraph and the "E" column object-security, the following paragraph and the "E" column above
above need to move into OSCORE.] need to move into OSCORE. ]
The Echo option value is generated by the server, and its content and The Echo option value is generated by the server, and its content and
structure are implementation specific. Different methods for structure are implementation specific. Different methods for
generating Echo option values are outlined in Appendix A. Clients generating Echo option values are outlined in Appendix A. Clients
and intermediaries MUST treat an Echo option value as opaque and make and intermediaries MUST treat an Echo option value as opaque and make
no assumptions about its content or structure. no assumptions about its content or structure.
When receiving an Echo option in a request, the server MUST be able When receiving an Echo option in a request, the server MUST be able
to verify that the Echo option value was generated by the server as to verify that the Echo option value was generated by the server as
well as the point in time when the Echo option value was generated. well as the point in time when the Echo option value was generated.
skipping to change at page 7, line 10 skipping to change at page 7, line 17
The server may also include the Echo option in a response to verify The server may also include the Echo option in a response to verify
the aliveness of a client, to synchronize state, or to force a client the aliveness of a client, to synchronize state, or to force a client
to demonstrate reachability at their apparent network address. to demonstrate reachability at their apparent network address.
Upon receiving a 4.01 Unauthorized response with the Echo option, the Upon receiving a 4.01 Unauthorized response with the Echo option, the
client SHOULD resend the original request with the addition of an client SHOULD resend the original request with the addition of an
Echo option with the received Echo option value. The client MAY send Echo option with the received Echo option value. The client MAY send
a different request compared to the original request. Upon receiving a different request compared to the original request. Upon receiving
any other response with the Echo option, the client SHOULD echo the any other response with the Echo option, the client SHOULD echo the
Echo option value in a next request to the server. The client MAY Echo option value in the next request to the server. The client MAY
include the same Echo option value in several different requests to include the same Echo option value in several different requests to
the server. the server.
Upon receiving a request with the Echo option, the server determines Upon receiving a request with the Echo option, the server determines
if the request has freshness requirement. If the request does not if the request has freshness requirement. If the request does not
have freshness requirements, the Echo option MAY be ignored. If the have freshness requirements, the Echo option MAY be ignored. If the
request has freshness requirements and the server cannot verify the request has freshness requirements and the server cannot verify the
freshness of the request in some other way, the server MUST verify freshness of the request in some other way, the server MUST verify
that the Echo option value was generated by the server; otherwise the that the Echo option value was generated by the server; otherwise the
request is not processed further. The server MUST then calculate the request is not processed further. The server MUST then calculate the
skipping to change at page 9, line 36 skipping to change at page 10, line 16
The Request-Tag is intended for use as a short-lived identifier for The Request-Tag is intended for use as a short-lived identifier for
keeping apart distinct blockwise request operations on one resource keeping apart distinct blockwise request operations on one resource
from one client. It enables the receiving server to reliably from one client. It enables the receiving server to reliably
assemble request payloads (blocks) to their message bodies, and, if assemble request payloads (blocks) to their message bodies, and, if
it chooses to support it, to reliably process simultaneous blockwise it chooses to support it, to reliably process simultaneous blockwise
request operations on a single resource. The requests must be request operations on a single resource. The requests must be
integrity protected in order to protect against interchange of blocks integrity protected in order to protect against interchange of blocks
between different message bodies. between different message bodies.
In essence, it is an implementation of the "proxy-safe elective
option" used just to "vary the cache key" as suggested in [RFC7959]
Section 2.4.
3.1. Option Format 3.1. Option Format
The Request-Tag option is not critical, safe to forward, and part of The Request-Tag option is not critical, is safe to forward,
the cache key as illustrated in Figure 3. repeatable, and part of the cache key, see Figure 3, which extends
Table 4 of [RFC7252]).
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+---+
| No. | C | U | N | R | Name | Format | Length | Default | E | | No. | C | U | N | R | Name | Format | Length | Default | E | U |
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+---+
| TBD | | | | | Request-Tag | opaque | 0-8 | (none) | * | | TBD | | | | x | Request-Tag | opaque | 0-8 | (none) | x | x |
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+--------+---------+---+---+
C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable,
E = Encrypt and Integrity Protect (when using OSCORE) E = Encrypt and Integrity Protect (when using OSCORE)
Figure 3: Request-Tag Option Summary Figure 3: Request-Tag Option Summary
[Note to RFC editor: If this document is not released together with [ Note to RFC editor: If this document is released before core-
OSCORE but before it, the following paragraph and the "E" column object-security, the following paragraph and the "E"/"U" columns
above need to move into OSCORE.] above need to move into OSCORE. ]
Request-Tag, like the block options, is a special class E option in Request-Tag, like the block options, is both a class E and a class U
terms of OSCORE processing (see Section 4.3.1.2 of option in terms of OSCORE processing (see Section 4.1 of
[I-D.ietf-core-object-security]): The Request-Tag MAY be an inner or [I-D.ietf-core-object-security]): The Request-Tag MAY be an inner or
outer option. The inner option is encrypted and integrity protected outer option. The inner option is encrypted and integrity protected
between client and server, and provides message body identification between client and server, and provides message body identification
in case of end-to-end fragmentation of requests. The outer option is in case of end-to-end fragmentation of requests. The outer option is
visible to proxies and labels message bodies in case of hop-by-hop visible to proxies and labels message bodies in case of hop-by-hop
fragmentation of requests. fragmentation of requests.
The Request-Tag option is only used in the request messages of The Request-Tag option is only used in the request messages of
blockwise request operations. blockwise operations.
Two messages are defined to be Request-Tag-matchable if and only if
they are sent from and to the same end points (including security
associations), and target the same URI (precisely: target the same
endpoint and cache-key except for cache-key options that are related
to blockwise), and if either neither carries a Request-Tag option, or
both carry exactly one Request-Tag option and the option values are
of same length and content.
The Request-Tag mechanism is applied independently on the server and
client sides of CoAP-CoAP proxies as are the block options, though
given it is safe to forward, a proxy is free to just forward it when
processing an operation. CoAP-HTTP proxies and HTTP-CoAP proxies can
use Request-Tag on their CoAP sides; it is not applicable to HTTP
requests.
For each separate blockwise request operation, the client can choose
a Request-Tag value, or choose not to set a Request-Tag. Creating a
new request operation whose messages are Request-Tag-matchable to a
previous operation is called request tag recycling. Clients MUST NOT
recycle a request tag unless the first operation has concluded. What
constitutes a concluded operation depends on the application, and is
outlined individually in Section 3.3.
Clients are encouraged to generate compact messages. This means The Request-Tag mechanism can be applied independently on the server
sending messages without Request-Tag options whenever possible, and and client sides of CoAP-CoAP proxies as are the block options,
using short values when the absent option can not be recycled. though given it is safe to forward, a proxy is free to just forward
it when processing an operation. CoAP-HTTP proxies and HTTP-CoAP
proxies can use Request-Tag on their CoAP sides; it is not applicable
to HTTP requests.
3.2. Request-Tag Processing 3.2. Request-Tag processing by servers
A server MUST NOT act on any two blocks in the same blockwise request The Request-Tag option does not require any particular processing on
operation that are not Request-Tag-matchable. This rule applies the server side: As it varies the set of options that distinguish
independent of whether the request actually carries a Request-Tag blockwise operations (ie. is neither Block1 or Block2 nor elective
option (if not, the request can only be acted on together with other NoCacheKey), the server can not treat their messages as belonging to
messages not carrying the option, as per matchability definition). the same operation.
As not all messages from the same source can be combined any more, a To keep utilizing the cache, a server (including proxies) MAY discard
block not matchable to the first Block1 cannot overwrite context kept the Request-Tag option from an assembled block-wise request when
for an operation under a different tag (cf. [RFC7959] Section 2.5). consulting its cache, as the option describes the individual blocks
The server is still under no obligation to keep state of more than but not the operation as a whole. For example, a FETCH request with
one transaction. When an operation is in progress and a second one the same body can have a fresh response even if they were requested
cannot be served at the same time, the server SHOULD respond to the using different request tags. (This is similar to the situation
second request with a 5.03 (Service Unavailable) response code and about ETag in that it is formally part of the cache key, but
indicate the time it is willing to wait for additional blocks in the implementations that are aware of its meaning can cache more
first operation using the Max-Age option, as specified in efficiently, see [RFC7252] Section 5.4.2).
Section 5.9.3.4 of [RFC7252]. (Alternatively, the server can cancel
the original operation, especially if it is already likely to time
out. Cancelling it unconditionally is the behavior that could be
expected of a Request-Tag unaware server.)
A server receiving a Request-Tag MUST treat it as opaque and make no A server receiving a Request-Tag MUST treat it as opaque and make no
assumptions about its content or structure. assumptions about its content or structure.
Two messages being Request-Tag-matchable is a necessary but not Two messages carrying the same Request-Tag is a necessary but not
sufficient condition for being part of the same operation. They can sufficient condition for being part of the same operation. They can
still be treated as independent messages by the server (e.g. when it still be treated as independent messages by the server (e.g. when it
sends 2.01/2.04 responses for every block), or initiate a new sends 2.01/2.04 responses for every block), or initiate a new
operation (overwriting kept context) when the later message carries operation (overwriting kept context) when the later message carries
Block1 number 0. Block1 number 0.
Note that RFC 7959 already implies that the cache key is the element [ The following paragraph might be better placed in lwig-coap, but
that binds exchanges together to operations (together with the was left here until lwig-coap has decided on its fate there. ]
request's source endpoint), but is not explicit about it; therefore,
the above rules are spelt out here.
3.3. Applications As it has always been, a server that can only serve a limited number
of block-wise operations at the same time can delay the start of the
operation by replying with 5.03 (Service unavailable) and a Max-Age
indicating how long it expects the existing operation to go on, or it
can forget about the state established with the older operation and
respond with 4.08 (Request Entity Incompelte) to later blocks on the
first operation.
3.3.1. Body Integrity Based on Payload Integrity Especially, that is the case for any correctly implemented proxy that
does not know how to use Request-Tag in requests and has only one
client endpoint. When it receives concurrent incoming requests on
the same resource, it needs to make that very choice: either send a
5.03 with Max-Age (holding off the second operation), or to commence
the second operation and reject any further requests on the first
operation with 4.08 Request Entity Incompelte errors without
forwarding them. (Alternatively, it could spool the second request,
but the unpredictable nature of the timeouts involved often makes
that an unsuitable choice.)
3.3. Setting the Request-Tag
For each separate blockwise request operation, the client can choose
a Request-Tag value, or choose not to set a Request-Tag. Starting a
request operation matchable to a previous operation and even using
the same Request-Tag value is called request tag recycling. Clients
MUST NOT recycle a request tag unless the first operation has
concluded. What constitutes a concluded operation depends on the
application, and is outlined individually in Section 3.4.
When Block1 and Block2 are combined in an operation, the Request-Tag
of the Block1 phase is set in the Block2 phase as well for otherwise
the request would have a different set of options and would not be
recognized any more.
Clients are encouraged to generate compact messages. This means
sending messages without Request-Tag options whenever possible, and
using short values when the absent option can not be recycled.
3.4. Applications
3.4.1. Body Integrity Based on Payload Integrity
When a client fragments a request body into multiple message When a client fragments a request body into multiple message
payloads, even if the individual messages are integrity protected, it payloads, even if the individual messages are integrity protected, it
is still possible for a man-in-the-middle to maliciously replace is still possible for a man-in-the-middle to maliciously replace a
later operation's blocks with earlier operation's blocks (see later operation's blocks with an earlier operation's blocks (see
Section 2.5 of [I-D.mattsson-core-coap-actuators]). Therefore, the Section 2.5 of [I-D.mattsson-core-coap-actuators]). Therefore, the
integrity protection of each block does not extend to the operation's integrity protection of each block does not extend to the operation's
request body. request body.
In order to gain that protection, use the Request-Tag mechanism as In order to gain that protection, use the Request-Tag mechanism as
follows: follows:
o The individual exchanges MUST be integrity protected end-to-end o The individual exchanges MUST be integrity protected end-to-end
between client and server. between client and server.
o The client MUST NOT recycle a request tag unless the previous o The client MUST NOT recycle a request tag in a new operation
blockwise request operation that used matchable Request-Tags has unless the previous operation matchable to the new one has
concluded. concluded.
When considering previous operations in protocols where the
security association is not tightly bound to an end point (eg.
OSCORE), the client MUST consider messages sent to _any_ endpoint
with the new operation's security context.
o The client MUST NOT regard a blockwise request operation as o The client MUST NOT regard a blockwise request operation as
concluded unless all of the messages the client previously sent in concluded unless all of the messages the client previously sent in
the operation have been confirmed by the message integrity the operation have been confirmed by the message integrity
protection mechanism, or are considered invalid by the server if protection mechanism, or are considered invalid by the server if
replayed. replayed.
Typically, in OSCORE, these confirmations can result either from Typically, in OSCORE, these confirmations can result either from
the client receiving an OSCORE response message matching the the client receiving an OSCORE response message matching the
request (an empty ACK is insufficient), or because the message's request (an empty ACK is insufficient), or because the message's
sequence number is old enough to be outside the server's receive sequence number is old enough to be outside the server's receive
skipping to change at page 12, line 36 skipping to change at page 13, line 38
Authors of other documents (e.g. [I-D.ietf-core-object-security]) Authors of other documents (e.g. [I-D.ietf-core-object-security])
are invited to mandate this behavior for clients that execute are invited to mandate this behavior for clients that execute
blockwise interactions over secured transports. In this way, the blockwise interactions over secured transports. In this way, the
server can rely on a conforming client to set the Request-Tag option server can rely on a conforming client to set the Request-Tag option
when required, and thereby conclude on the integrity of the assembled when required, and thereby conclude on the integrity of the assembled
body. body.
Note that this mechanism is implicitly implemented when the security Note that this mechanism is implicitly implemented when the security
layer guarantees ordered delivery (e.g. CoAP over TLS [RFC8323]). layer guarantees ordered delivery (e.g. CoAP over TLS [RFC8323]).
This is because with each message, any earlier operation can be This is because with each message, any earlier message can not be
regarded as concluded by the client, so it never needs to set the replayed any more, so the client never needs to set the Request-Tag
Request-Tag option unless it wants to perform concurrent operations. option unless it wants to perform concurrent operations.
3.3.2. Multiple Concurrent Blockwise Operations 3.4.2. Multiple Concurrent Blockwise Operations
CoAP clients, especially CoAP proxies, may initiate a blockwise CoAP clients, especially CoAP proxies, may initiate a blockwise
request operation to a resource, to which a previous one is already request operation to a resource, to which a previous one is already
in progress, and which the new request should not cancel. A CoAP in progress, which the new request should not cancel. A CoAP proxy
proxy would be in such a situation when it forwards operations with would be in such a situation when it forwards operations with the
the same cache-key options but possibly different payloads. same cache-key options but possibly different payloads.
When a client fragments an initial message as part of a blockwise For those cases, Request-Tag is the proxy-safe elective option
request operation, it can do so without a Request-Tag option set. suggested in [RFC7959] Section 2.4 last paragraph.
For this application, an operation can be regarded as concluded when
a final Block1 option has been sent and acknowledged, or when the
client chose not to continue with the operation (e.g. by user choice,
or in the case of a proxy when it decides not to take any further
messages in the operation due to a timeout). When another concurrent
blockwise request operation is made (i.e. before the operation is
concluded), the client can not recycle the request tag, and has to
pick a new one. The possible outcomes are:
o The server responds with a successful code. When initializing a new blockwise operation, a client has to look at
other active operations:
The second concurrent blockwise operations can then continue. o If any of them is matchable to the new one, and the client neither
wants to cancel the old one nor postpone the new one, it can pick
a Request-Tag value that is not in use by the other matchable
operations for the new operation.
The first operation might have been cancelled by that (typical of o Otherwise, it can start the new operation without setting the
servers that only support a single blockwise operation), in which Request-Tag option on it.
case its resumption will result in a 4.08 Request Entity
Incomplete error.
o The server responds 5.03 Service Unavailable with a Max-Age option 3.4.3. Simplified block-wise Handling for constrained proxies
to indicate when it is likely to be available again.
This can indicate that the server supports Request-Tag, but still The Block options were defined to be unsafe to forward because a
is not prepared to handle concurrent requests. The client should proxy that woud forward blocks as plain messages would risk mixing up
wait for as long as the response is valid, and then retry the clients' requests.
operation, which may not need to carry a Request-Tag option by
then any more.
In this, the proxy can indicate the anticipated delay by sending a The Request-Tag option provides a very simple way for a proxy to keep
5.03 Service Unavailable response itself. them separate: if it appends a Request-Tag that is particular to the
requesting endpoint to all request carrying any Block option, it does
not need to keep track of any further block state.
[I-D.ietf-lwig-coap] Section TBD provides further details.
Note that a correctly implemented Request-Tag unaware proxy in the [ Note to reviewers and co-authors: That section was so far only
same situation would need to make a choice to either send a 5.03 with syggested in input for lwig-coap. If it does not get into the
Max-Age by itself (holding off the second operation), or to commence document, we should drop it here (for I don't want to explain all
the second operation and reject any further requests on the first this case's details and security considerations here), but if the
operation with 4.08 Request Entity Incompelte errors by itself reference works, this section shows why Request-Tag has become
without forwarding them. repeatable. ]
3.4. Rationale for the option properties 3.5. Rationale for the option properties
The Request-Tag option used to be critical and unsafe to forward in [ This section needs to be reworked after assuming our RFC7959
earlier revisions of this draft. interpretation. ]
Given that supporting it will be mandated for where it is used for The Request-Tag option can be elective, because to servers unaware of
its security properties, the choice of whether it is mandatory or the Request-Tag option, operations with differing request tags will
safe to forward can be made as required for the multiple concurrent not be matchable.
operations use case. For those cases, Request-Tag is the proxy-safe
elective option suggested in [RFC7959] Section 2.4 last paragraph. The Request-Tag option can be safe to forward but part of the cache
key, because to proxies unaware of the Request-Tag option will
consider operations with differing request tags unmatchable but can
still forward them.
In earlier versions of this draft, the Request-Tag option used to be
critical and unsafe to forward. That design was based on an
erroneous understanding of which blocks could be composed according
to [RFC7959].
3.6. Rationale for introducing the option
An alternative that was considered to the Request-Tag option for
coping with the problem of fragmented message body integrity
(Section 3.4.1) was to update [RFC7959] to say that blocks could only
be assembled if their fragments' order corresponded to the sequence
numbers.
That approach would have been difficult to roll out reliably on DTLS
where many implementations do not expose sequence numbers, and would
still not prevent attacks like in [I-D.mattsson-core-coap-actuators]
Section 2.5.2.
4. Block2 / ETag Processing 4. Block2 / ETag Processing
The same security properties as in Section 3.3.1 can be obtained for The same security properties as in Section 3.4.1 can be obtained for
blockwise response operations. The threat model here is not an blockwise response operations. The threat model here is not an
attacker (because the response is made sure to belong to the current attacker (because the response is made sure to belong to the current
request by the security layer), but blocks in the client's cache. request by the security layer), but blocks in the client's cache.
Analogous rules to Section 3.2 are already in place for assembling a Rules stating that response body reassembly is conditional on
response body in Section 2.4 of [RFC7959]. matching ETag values are already in place from Section 2.4 of
[RFC7959].
To gain equivalent protection to Section 3.3.1, a server MUST use the To gain equivalent protection to Section 3.4.1, a server MUST use the
Block2 option in conjunction with the ETag option ([RFC7252], Block2 option in conjunction with the ETag option ([RFC7252],
Section 5.10.6), and MUST NOT use the same ETag value for different Section 5.10.6), and MUST NOT use the same ETag value for different
representations of a resource. representations of a resource.
5. Token Processing 5. Token Processing
This section updates the Token processing in Section 5.3.1 of This section updates the Token processing in Section 5.3.1 of
[RFC7252] by adding the following text: [RFC7252] by adding the following text:
When CoAP is used with a security protocol not providing bindings When CoAP is used with a security protocol not providing bindings
skipping to change at page 14, line 48 skipping to change at page 16, line 17
+--------+-------------+------------+ +--------+-------------+------------+
| TBD1 | Echo | [RFC XXXX] | | TBD1 | Echo | [RFC XXXX] |
| | | | | | | |
| TBD2 | Request-Tag | [RFC XXXX] | | TBD2 | Request-Tag | [RFC XXXX] |
+--------+-------------+------------+ +--------+-------------+------------+
Figure 4: CoAP Option Numbers Figure 4: CoAP Option Numbers
7. Security Considerations 7. Security Considerations
Servers SHOULD NOT put any privacy sensitive information in the Echo Implementations SHOULD NOT put any privacy sensitive information in
or Request-Tag option values. Unencrypted timestamps MAY reveal the Echo or Request-Tag option values. Unencrypted timestamps MAY
information about the server such as its wall clock time or location. reveal information about the server such as its wall clock time or
Servers MUST use a monotonic clock to generate timestamps and compute location. Servers MUST use a monotonic clock to generate timestamps
round-trip times. Servers SHOULD NOT use wall clock time for and compute round-trip times. Servers SHOULD NOT use wall clock time
timestamps, as wall clock time is not monotonic, may reveal that the for timestamps, as wall clock time is not monotonic, may reveal that
server will accept expired certificates, or reveal the server's the server will accept expired certificates, or reveal the server's
location. Use of non-monotonic clocks is not secure as the server location. Use of non-monotonic clocks is not secure as the server
will accept expired Echo option values if the clock is moved will accept expired Echo option values if the clock is moved
backward. The server will also reject fresh Echo option values if backward. The server will also reject fresh Echo option values if
the clock is moved forward. An attacker may be able to affect the the clock is moved forward. An attacker may be able to affect the
server's wall clock time in various ways such as setting up a fake server's wall clock time in various ways such as setting up a fake
NTP server or broadcasting false time signals to radio-controlled NTP server or broadcasting false time signals to radio-controlled
clocks. Servers SHOULD use the time since reboot measured in some clocks. Servers MAY use the time since reboot measured in some unit
unit of time. Servers MAY reset the timer periodically even when not of time. Servers MAY reset the timer periodically. When resetting
rebooting. the timer, the server MUST reject all Echo values that was created
before the reset.
The availability of a secure pseudorandom number generator and truly The availability of a secure pseudorandom number generator and truly
random seeds are essential for the security of the Echo option. If random seeds are essential for the security of the Echo option. If
no true random number generator is available, a truly random seed no true random number generator is available, a truly random seed
must be provided from an external source. must be provided from an external source.
An Echo value with 64 (pseudo-)random bits gives the same theoretical An Echo value with 64 (pseudo-)random bits gives the same theoretical
security level against forgeries as a 64-bit MAC (as used in e.g. security level against forgeries as a 64-bit MAC (as used in e.g.
AES_128_CCM_8). In practice, forgery of an Echo option value is much AES_128_CCM_8). In practice, forgery of an Echo option value is much
harder as an attacker must also forge the MAC in the security harder as an attacker must also forge the MAC in the security
skipping to change at page 16, line 20 skipping to change at page 17, line 34
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in [RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in
the Constrained Application Protocol (CoAP)", RFC 7959, the Constrained Application Protocol (CoAP)", RFC 7959,
DOI 10.17487/RFC7959, August 2016, DOI 10.17487/RFC7959, August 2016,
<https://www.rfc-editor.org/info/rfc7959>. <https://www.rfc-editor.org/info/rfc7959>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References 8.2. Informative References
[I-D.ietf-core-object-security] [I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments "Object Security for Constrained RESTful Environments
(OSCORE)", draft-ietf-core-object-security-09 (work in (OSCORE)", draft-ietf-core-object-security-13 (work in
progress), March 2018. progress), June 2018.
[I-D.ietf-lwig-coap]
Kovatsch, M., Bergmann, O., and C. Bormann, "CoAP
Implementation Guidance", draft-ietf-lwig-coap-05 (work in
progress), October 2017.
[I-D.mattsson-core-coap-actuators] [I-D.mattsson-core-coap-actuators]
Mattsson, J., Fornehed, J., Selander, G., Palombini, F., Mattsson, J., Fornehed, J., Selander, G., Palombini, F.,
and C. Amsuess, "Controlling Actuators with CoAP", draft- and C. Amsuess, "Controlling Actuators with CoAP", draft-
mattsson-core-coap-actuators-04 (work in progress), March mattsson-core-coap-actuators-05 (work in progress), March
2018. 2018.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, (TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008, DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>. <https://www.rfc-editor.org/info/rfc5246>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>. January 2012, <https://www.rfc-editor.org/info/rfc6347>.
skipping to change at page 18, line 8 skipping to change at page 19, line 30
Echo option value: random value r Echo option value: random value r
Server State: random value r, timestamp t0 Server State: random value r, timestamp t0
A server MAY use different methods and security levels for different A server MAY use different methods and security levels for different
uses cases (client aliveness, request freshness, state uses cases (client aliveness, request freshness, state
synchronization, network address reachability, etc.). synchronization, network address reachability, etc.).
Appendix B. Request-Tag Message Size Impact Appendix B. Request-Tag Message Size Impact
In absence of concurrent operations, the Request-Tag mechanism for In absence of concurrent operations, the Request-Tag mechanism for
body integrity (Section 3.3.1) incurs no overhead if no messages are body integrity (Section 3.4.1) incurs no overhead if no messages are
lost (more precisely: in OSCORE, if no operations are aborted due to lost (more precisely: in OSCORE, if no operations are aborted due to
repeated transmission failure; in DTLS, if no packages are lost), or repeated transmission failure; in DTLS, if no packages are lost), or
when blockwise request operations happen rarely (in OSCORE, if only when blockwise request operations happen rarely (in OSCORE, if there
one request operation with losses within the replay window). is always only one request blockwise operation in the replay window).
In those situations, no message has any Request-Tag option set, and In those situations, no message has any Request-Tag option set, and
that can be recycled indefinitely. that can be recycled indefinitely.
When the absence of a Request-Tag option can not be recycled any more When the absence of a Request-Tag option can not be recycled any more
within a security context, the messages with a present but empty within a security context, the messages with a present but empty
Request-Tag option can be used (1 Byte overhead), and when that is Request-Tag option can be used (1 Byte overhead), and when that is
used-up, 256 values from one byte long options (2 Bytes overhead) are used-up, 256 values from one byte long options (2 Bytes overhead) are
available. available.
skipping to change at page 18, line 38 skipping to change at page 20, line 14
o In OSCORE, the sequence number can be artificially increased so o In OSCORE, the sequence number can be artificially increased so
that all lost messages are outside of the replay window by the that all lost messages are outside of the replay window by the
time the first request of the new operation gets processed, and time the first request of the new operation gets processed, and
all earlier operations can therefore be regarded as concluded. all earlier operations can therefore be regarded as concluded.
Appendix C. Change Log Appendix C. Change Log
[ The editor is asked to remove this section before publication. ] [ The editor is asked to remove this section before publication. ]
o Major changes since draft-ietf-core-echo-request-tag-01:
* Follow-up changes after the "relying on blockwise" change in
-01:
+ Simplify the description of Request-Tag and matchability
+ Do not update RFC7959 any more
* Make Request-Tag repeatable.
* Add rationale on not relying purely on sequence numbers.
o Major changes since draft-ietf-core-echo-request-tag-00: o Major changes since draft-ietf-core-echo-request-tag-00:
* Reworded the Echo section. * Reworded the Echo section.
* Added rules for Token processing. * Added rules for Token processing.
* Added security considerations. * Added security considerations.
* Added actual IANA section. * Added actual IANA section.
 End of changes. 57 change blocks. 
186 lines changed or deleted 255 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/