draft-ietf-core-echo-request-tag-02.txt   draft-ietf-core-echo-request-tag-03.txt 
CoRE Working Group C. Amsuess CoRE Working Group C. Amsuess
Internet-Draft Internet-Draft
Updates: 7252 (if approved) J. Mattsson Updates: 7252 (if approved) J. Mattsson
Intended status: Standards Track G. Selander Intended status: Standards Track G. Selander
Expires: December 31, 2018 Ericsson AB Expires: April 25, 2019 Ericsson AB
June 29, 2018 October 22, 2018
Echo and Request-Tag Echo and Request-Tag
draft-ietf-core-echo-request-tag-02 draft-ietf-core-echo-request-tag-03
Abstract Abstract
This document specifies several security enhancements to the This document specifies security enhancements to the Constrained
Constrained Application Protocol (CoAP). Two optional extensions are Application Protocol (CoAP). Two optional extensions are defined:
defined: the Echo option and the Request-Tag option. Each of these the Echo option and the Request-Tag option. Each of these options
options provide additional features to CoAP and protects against provide additional features to CoAP and protects against certain
certain attacks. The document also updates the processing attacks. The document also updates the processing requirements on
requirements on the Token of [RFC7252]. The updated Token processing the Token of RFC 7252. The updated Token processing ensures secure
ensures secure binding of responses to requests. binding of responses to requests.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 31, 2018. This Internet-Draft will expire on April 25, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3 1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3
1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 3 1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 4
1.3. Request-Response Binding . . . . . . . . . . . . . . . . 4 1.3. Request-Response Binding . . . . . . . . . . . . . . . . 4
1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 5 2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 6 2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 6
2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 6 2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 7
2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 9 2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 9
3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 10 3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 11
3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 10 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 11
3.2. Request-Tag processing by servers . . . . . . . . . . . . 11 3.2. Request-Tag Processing by Servers . . . . . . . . . . . . 12
3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 12 3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 13
3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 12 3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 13
3.4.1. Body Integrity Based on Payload Integrity . . . . . . 12 3.4.1. Body Integrity Based on Payload Integrity . . . . . . 13
3.4.2. Multiple Concurrent Blockwise Operations . . . . . . 13 3.4.2. Multiple Concurrent Blockwise Operations . . . . . . 14
3.4.3. Simplified block-wise Handling for constrained 3.4.3. Simplified Block-Wise Handling for Constrained
proxies . . . . . . . . . . . . . . . . . . . . . . . 14 Proxies . . . . . . . . . . . . . . . . . . . . . . . 15
3.5. Rationale for the option properties . . . . . . . . . . . 14 3.5. Rationale for the Option Properties . . . . . . . . . . . 15
3.6. Rationale for introducing the option . . . . . . . . . . 15 3.6. Rationale for Introducing the Option . . . . . . . . . . 16
4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 15 4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 16
5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 15 5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 16
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16
7. Security Considerations . . . . . . . . . . . . . . . . . . . 16 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 17
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
8.1. Normative References . . . . . . . . . . . . . . . . . . 17 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
8.2. Informative References . . . . . . . . . . . . . . . . . 17 9.1. Normative References . . . . . . . . . . . . . . . . . . 18
Appendix A. Methods for Generating Echo Option Values . . . . . 18 9.2. Informative References . . . . . . . . . . . . . . . . . 18
Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 19 Appendix A. Methods for Generating Echo Option Values . . . . . 20
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 20 Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 21
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
The initial Constrained Application Protocol (CoAP) suite of The initial Constrained Application Protocol (CoAP) suite of
specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed
with the assumption that security could be provided on a separate with the assumption that security could be provided on a separate
layer, in particular by using DTLS ([RFC6347]). However, for some layer, in particular by using DTLS ([RFC6347]). However, for some
use cases, additional functionality or extra processing is needed to use cases, additional functionality or extra processing is needed to
support secure CoAP operations. This document specifies several support secure CoAP operations. This document specifies security
security enhancements to the Constrained Application Protocol (CoAP). enhancements to the Constrained Application Protocol (CoAP).
This document specifies two server-oriented CoAP options, the Echo This document specifies two server-oriented CoAP options, the Echo
option and the Request-Tag option, mainly addressing the security option and the Request-Tag option: The Echo option enables a CoAP
features request freshness and fragmented message body integrity, server to verify the freshness of a request, synchronize state, or
respectively. The Echo option enables a CoAP server to verify the force a client to demonstrate reachability at its apparent network
freshness of a request, verify the aliveness of a client, synchronize address. The Request-Tag option allows the CoAP server to match
state, or force a client to demonstrate reachability at its apparent message fragments belonging to the same request, fragmented using the
network address. The Request-Tag option allows the CoAP server to CoAP Block-Wise Transfer mechanism, which mitigates attacks and
match message fragments belonging to the same request, fragmented enables concurrent blockwise operations. These options in themselves
using the CoAP Block-Wise Transfer mechanism, which mitigates attacks do not replace the need for a security protocol; they specify the
and enables concurrent blockwise operations. These options in format and processing of data which, when integrity protected using
themselves do not replace the need for a security protocol; they e.g. DTLS ([RFC6347]), TLS ([RFC8446]), or OSCORE
specify the format and processing of data which, when integrity
protected using e.g. DTLS ([RFC6347]), TLS ([RFC5246]), or OSCORE
([I-D.ietf-core-object-security]), provide the additional security ([I-D.ietf-core-object-security]), provide the additional security
features. features.
The document also updates the processing requirements on the Token. The document also updates the processing requirements on the Token.
The updated processing ensures secure binding of responses to The updated processing ensures secure binding of responses to
requests. requests, thus mitigating error cases and attacks where the client
may erroneously associate the wrong response to a request.
1.1. Request Freshness 1.1. Request Freshness
A CoAP server receiving a request is in general not able to verify A CoAP server receiving a request is in general not able to verify
when the request was sent by the CoAP client. This remains true even when the request was sent by the CoAP client. This remains true even
if the request was protected with a security protocol, such as DTLS. if the request was protected with a security protocol, such as DTLS.
This makes CoAP requests vulnerable to certain delay attacks which This makes CoAP requests vulnerable to certain delay attacks which
are particularly incriminating in the case of actuators are particularly incriminating in the case of actuators
([I-D.mattsson-core-coap-actuators]). Some attacks are possible to ([I-D.mattsson-core-coap-actuators]). Some attacks are possible to
mitigate by establishing fresh session keys (e.g. performing the DTLS mitigate by establishing fresh session keys, e.g. performing a DTLS
handshake) for each actuation, but in general this is not a solution handshake for each actuation, but in general this is not a solution
suitable for constrained environments. suitable for constrained environments, for example, due to increased
message overhead and latency. Additionally, if there are proxies,
fresh DTLS session keys between server and proxy does not say
anything about when the client made the request. In a general hop-
by-hop setting, freshness may need to be verified in each hop.
A straightforward mitigation of potential delayed requests is that A straightforward mitigation of potential delayed requests is that
the CoAP server rejects a request the first time it appears and asks the CoAP server rejects a request the first time it appears and asks
the CoAP client to prove that it intended to make the request at this the CoAP client to prove that it intended to make the request at this
point in time. The Echo option, defined in this document, specifies point in time. The Echo option, defined in this document, specifies
such a mechanism which thereby enables the CoAP server to verify the such a mechanism which thereby enables a CoAP server to verify the
freshness of a request. This mechanism is not only important in the freshness of a request. This mechanism is not only important in the
case of actuators, or other use cases where the CoAP operations case of actuators, or other use cases where the CoAP operations
require freshness of requests, but also in general for synchronizing require freshness of requests, but also in general for synchronizing
state between CoAP client and server and to verify aliveness of the state between CoAP client and server and to verify aliveness of the
client. client.
1.2. Fragmented Message Body Integrity 1.2. Fragmented Message Body Integrity
CoAP was designed to work over unreliable transports, such as UDP, CoAP was designed to work over unreliable transports, such as UDP,
and include a lightweight reliability feature to handle messages and include a lightweight reliability feature to handle messages
skipping to change at page 4, line 33 skipping to change at page 4, line 39
which would provide equivalent protection to the case where the which would provide equivalent protection to the case where the
complete body fits into a single payload. The ETag option [RFC7252], complete body fits into a single payload. The ETag option [RFC7252],
set by the CoAP server, identifies a response body fragmented using set by the CoAP server, identifies a response body fragmented using
the Block2 option. This document defines the Request-Tag option for the Block2 option. This document defines the Request-Tag option for
identifying the request body fragmented using the Block1 option, identifying the request body fragmented using the Block1 option,
similar to ETag, but ephemeral and set by the CoAP client. similar to ETag, but ephemeral and set by the CoAP client.
1.3. Request-Response Binding 1.3. Request-Response Binding
A fundamental requirement of secure REST operations is that the A fundamental requirement of secure REST operations is that the
client can bind a response to a particular request. In HTTPS this is client can bind a response to a particular request. If this is not
assured by the ordered and reliable delivery as well as mandating valid a client may erroneously associate the wrong response to a
that the server sends responses in the same order that the requests request. The wrong response may be an old response for the same
were received. resource or for a completely different resource (see e.g.
Section 2.3 of [I-D.mattsson-core-coap-actuators]). For example a
request for the alarm status "GET /status" may be associated to a
prior response "on", instead of the correct response "off".
The same is not true for CoAP where the server can return responses In HTTPS, binding is assured by the ordered and reliable delivery as
in any order. Concurrent requests are instead differentiated by well as mandating that the server sends responses in the same order
their Token. Unfortunately, CoAP [RFC7252] does not treat Token as a that the requests were received. The same is not true for CoAP where
the server (or an attacker) can return responses in any order.
Concurrent requests are instead differentiated by their Token. Note
that the CoAP Message ID cannot be used for this purpose since those
are typically different for REST request and corresponding response
in case of "separate response", see Section 2.2 of [RFC7252].
Unfortunately, CoAP [RFC7252] does not treat Token as a
cryptographically important value and does not give stricter cryptographically important value and does not give stricter
guidelines than that the tokens currently "in use" SHOULD (not SHALL) guidelines than that the tokens currently "in use" SHOULD (not SHALL)
be unique. If used with security protocol not providing bindings be unique. If used with security protocol not providing bindings
between requests and responses (e.g. DTLS and TLS) token reuse may between requests and responses (e.g. DTLS and TLS) token reuse may
result in situations where a client matches a response to the wrong result in situations where a client matches a response to the wrong
request (see e.g. Section 2.3 of request. Note that mismatches can also happen for other reasons than
[I-D.mattsson-core-coap-actuators]). Note that mismatches can also a malicious attacker, e.g. delayed delivery or a server sending
happen for other reasons than a malicious attacker, e.g. delayed notifications to an uninterested client.
delivery or a server sending notifications to an uninterested client.
A straightforward mitigation is to mandate clients to never reuse A straightforward mitigation is to mandate clients to never reuse
tokens until the traffic keys have been replaced. As there may be tokens until the AEAD keys have been replaced. As there may be any
any number of responses to a request (see e.g. [RFC7641]), the number of responses to a request (see e.g. [RFC7641]), the easiest
easiest way to accomplish this is to implement the token as a counter way to accomplish this is to implement the token as a counter and
and never reuse any tokens at all. This document updates the Token never reuse any tokens at all. This document updates the Token
processing in [RFC7252] to always assure a cryptographically secure processing in [RFC7252] to always assure a cryptographically secure
binding of responses to requests. binding of responses to requests.
1.4. Terminology 1.4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Unless otherwise specified, the terms "client" and "server" refers to Unless otherwise specified, the terms "client" and "server" refers to
"CoAP client" and "CoAP server", respectively, as defined in "CoAP client" and "CoAP server", respectively, as defined in
[RFC7252]. [RFC7252]. The term "origin server" is used as in [RFC7252]. The
term "origin client" is used in this document to denote the client
from which a request originates; to distinguish from clients in
proxies.
The terms "payload" and "body" of a message are used as in [RFC7959]. The terms "payload" and "body" of a message are used as in [RFC7959].
The complete interchange of a request and a response body is called a The complete interchange of a request and a response body is called a
(REST) "operation". An operation fragmented using [RFC7959] is (REST) "operation". An operation fragmented using [RFC7959] is
called a "blockwise operation". A blockwise operation which is called a "blockwise operation". A blockwise operation which is
fragmenting the request body is called a "blockwise request fragmenting the request body is called a "blockwise request
operation". A blockwise operation which is fragmenting the response operation". A blockwise operation which is fragmenting the response
body is called a "blockwise response operation". body is called a "blockwise response operation".
Two request messages are said to be "matchable" if they occur between Two request messages are said to be "matchable" if they occur between
the same endpoint pair, have the same code and the same set of the same endpoint pair, have the same code and the same set of
options except for elective NoCacheKey options and options involved options except for elective NoCacheKey options and options involved
in bock-wise transfer (Block1, Block2 and Request-Tag). Two in block-wise transfer (Block1, Block2 and Request-Tag). Two
operations are said to be matchable if any of their messages are. operations are said to be matchable if any of their messages are.
Two matchable blockwise operations are said to be "concurrent" if a Two matchable blockwise operations are said to be "concurrent" if a
block of the second request is exchanged even though the client still block of the second request is exchanged even though the client still
intends to exchange further blocks in the first operation. intends to exchange further blocks in the first operation.
(Concurrent blockwise request operations are impossible with the (Concurrent blockwise request operations are impossible with the
options of [RFC7959] because the second operation's block overwrites options of [RFC7959] because the second operation's block overwrites
any state of the first exchange.). any state of the first exchange.).
The Echo and Request-Tag options are defined in this document. The Echo and Request-Tag options are defined in this document.
2. The Echo Option 2. The Echo Option
The Echo option is a server-driven challenge-response mechanism for The Echo option is a lightweight server-driven challenge-response
CoAP. The Echo option value is a challenge from the server to the mechanism for CoAP, motivated by the need for a server to verify
client included in a CoAP response and echoed in one or more CoAP freshness of a request as described in Section 1.1. With request
request. freshness we mean that the server can determine that the client (or
in the case of hop-by-hop security the proxy) sent the request
recently. The time threshold for being fresh is application
specific. The Echo option value is a challenge from the server to
the client included in a CoAP response and echoed back to the server
in one or more CoAP requests.
2.1. Option Format 2.1. Option Format
The Echo Option is elective, safe-to-forward, not part of the cache- The Echo Option is elective, safe-to-forward, not part of the cache-
key, and not repeatable, see Figure 1, which extends Table 4 of key, and not repeatable, see Figure 1, which extends Table 4 of
[RFC7252]). [RFC7252]).
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
| No. | C | U | N | R | Name | Format | Length | Default | E | | No. | C | U | N | R | Name | Format | Len. | Default | E | U |
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
| TBD | | | x | | Echo | opaque | 4-40 | (none) | x | | TBD | | | x | | Echo | opaque | 4-40 | (none) | x | x |
+-----+---+---+---+---+-------------+--------+--------+---------+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable,
E = Encrypt and Integrity Protect (when using OSCORE) E = Encrypt and Integrity Protect (when using OSCORE)
Figure 1: Echo Option Summary Figure 1: Echo Option Summary
[ Note to RFC editor: If this document is released before core- [ Note to RFC editor: If this document is released before core-
object-security, the following paragraph and the "E" column above object-security, then the following paragraph and the "E"/"U" columns
need to move into OSCORE. ] above need to move into core-object-security, as they are defined in
that draft. ]
The Echo option value is generated by the server, and its content and The Echo option MAY be an Inner or Outer option
[I-D.ietf-core-object-security], and the Inner and Outer values are
independent. The Inner option is encrypted and integrity protected
between the endpoints, whereas the Outer option is not protected by
OSCORE and visible between the endpoints to the extent it is not
protected by some other security protocol. E.g. in the case of DTLS
hop-by-hop between the endpoints, the Outer option is visible to
proxies along the path.
The Echo option value is generated by a server, and its content and
structure are implementation specific. Different methods for structure are implementation specific. Different methods for
generating Echo option values are outlined in Appendix A. Clients generating Echo option values are outlined in Appendix A. Clients
and intermediaries MUST treat an Echo option value as opaque and make and intermediaries MUST treat an Echo option value as opaque and make
no assumptions about its content or structure. no assumptions about its content or structure.
When receiving an Echo option in a request, the server MUST be able When receiving an Echo option in a request, the server MUST be able
to verify that the Echo option value was generated by the server as to verify that the Echo option value was generated by the server as
well as the point in time when the Echo option value was generated. well as the point in time when the Echo option value was generated.
2.2. Echo Processing 2.2. Echo Processing
The Echo option MAY be included in any request or response (see The Echo option MAY be included in any request or response (see
Section 2.3 for different applications), but the Echo option MUST NOT Section 2.3 for different applications), but the Echo option MUST NOT
be used with empty CoAP requests (i.e. Code=0.00). be used with empty CoAP requests (i.e. Code=0.00).
If the server receives a request which has freshness requirements, If a server receives a request which has freshness requirements, the
the request does not contain a fresh Echo option value, and the request does not contain a fresh Echo option value, and the server
server cannot verify the freshness of the request in some other way, cannot verify the freshness of the request in some other way, the
the server MUST NOT process the request further and SHOULD send a server MUST NOT process the request further and SHOULD send a 4.01
4.01 Unauthorized response with an Echo option. Unauthorized response with an Echo option. The server MAY include
the same Echo option value in several different responses and to
different clients.
The application decides under what conditions a CoAP request to a The application decides under what conditions a CoAP request to a
resource is required to be fresh. These conditions can for example resource is required to be fresh. These conditions can for example
include what resource is requested, the request method and other data include what resource is requested, the request method and other data
in the request, and conditions in the environment such as the state in the request, and conditions in the environment such as the state
of the server or the time of the day. of the server or the time of the day.
The server may also include the Echo option in a response to verify The server may use request freshness provided by the Echo option to
the aliveness of a client, to synchronize state, or to force a client verify the aliveness of a client or to synchronize state. The server
to demonstrate reachability at their apparent network address. may also include the Echo option in a response to force a client to
demonstrate reachability at their apparent network address.
Upon receiving a 4.01 Unauthorized response with the Echo option, the Upon receiving a 4.01 Unauthorized response with the Echo option, the
client SHOULD resend the original request with the addition of an client SHOULD resend the original request with the addition of an
Echo option with the received Echo option value. The client MAY send Echo option with the received Echo option value. The client MAY send
a different request compared to the original request. Upon receiving a different request compared to the original request. Upon receiving
any other response with the Echo option, the client SHOULD echo the any other response with the Echo option, the client SHOULD echo the
Echo option value in the next request to the server. The client MAY Echo option value in the next request to the server. The client MAY
include the same Echo option value in several different requests to include the same Echo option value in several different requests to
the server. the server.
Upon receiving a request with the Echo option, the server determines Upon receiving a request with the Echo option, the server determines
if the request has freshness requirement. If the request does not if the request has freshness requirements. If the request does not
have freshness requirements, the Echo option MAY be ignored. If the have freshness requirements, the Echo option MAY be ignored. If the
request has freshness requirements and the server cannot verify the request has freshness requirements and the server cannot verify the
freshness of the request in some other way, the server MUST verify freshness of the request in some other way, the server MUST verify
that the Echo option value was generated by the server; otherwise the that the Echo option value was generated by the server; otherwise the
request is not processed further. The server MUST then calculate the request is not processed further. The server MUST then calculate the
round-trip time RTT = (t1 - t0), where t1 is the request receive time round-trip time RTT = (t1 - t0), where t1 is the request receive time
and t0 is the transmit time of the response that included the and t0 is the time when the Echo option value was generated. The
specific Echo option value. The server MUST only accept requests server MUST only accept requests with a round-trip time below a
with a round-trip time below a certain threshold T, i.e. RTT < T, certain threshold T, i.e. RTT < T. If the server cannot verify that
otherwise the request is not processed further, and an error message the Echo option value was generated by the server or the round-trip
MAY be sent. The threshold T is application specific, its value time is not below the threshold the request is not processed further,
and an error message MAY be sent. The error message SHOULD include a
new Echo option. The threshold T is application specific, its value
depends e.g. on the freshness requirements of the request. An depends e.g. on the freshness requirements of the request. An
example message flow is illustrated in Figure 2. example message flow is illustrated in Figure 2.
Client Server Client Server
| | | |
+------>| Code: 0.03 (PUT) +------>| Code: 0.03 (PUT)
| PUT | Token: 0x41 | PUT | Token: 0x41
| | Uri-Path: lock | | Uri-Path: lock
| | Payload: 0 (Unlock) | | Payload: 0 (Unlock)
| | | |
skipping to change at page 8, line 28 skipping to change at page 8, line 48
| | Uri-Path: lock | | Uri-Path: lock
| | Echo: 0x437468756c687521 | | Echo: 0x437468756c687521
| | Payload: 0 (Unlock) | | Payload: 0 (Unlock)
| | | |
|<------+ Code: 2.04 (Changed) |<------+ Code: 2.04 (Changed)
| 2.04 | Token: 0x42 | 2.04 | Token: 0x42
| | | |
Figure 2: Example Echo Option Message Flow Figure 2: Example Echo Option Message Flow
Note that the server does not have to synchronize the time used for
the Echo timestamps with any other party. However, if the server
loses time continuity, e.g. due to reboot, it MUST reject all Echo
values that was created before time continuity was lost.
When used to serve freshness requirements (including client aliveness When used to serve freshness requirements (including client aliveness
and state synchronizing), CoAP requests containing the Echo option and state synchronizing), CoAP messages containing the Echo option
MUST be integrity protected, e.g. using DTLS, TLS, or OSCORE MUST be integrity protected between the intended endpoints, e.g.
using DTLS, TLS, or an OSCORE Inner option
([I-D.ietf-core-object-security]). When used to demonstrate ([I-D.ietf-core-object-security]). When used to demonstrate
reachability at their apparent network address, the Echo option MAY reachability at their apparent network address, the Echo option MAY
be used without protection. be unprotected.
Note that the server does not have to synchronize the time used for A CoAP-to-CoAP proxy MAY respond to requests with 4.01 with an Echo
the Echo timestamps with any other party. If the server loses time option to ensure the client's reachability at its apparent address,
synchronization, e.g. due to reboot, it MUST reject all Echo values and MUST remove the Echo option it recognizes as one generated by
that was created before time synchronization was lost. itself on follow-up requests. However, it MUST relay the Echo option
of responses unmodified, and MUST relay the Echo option of requests
it does not recognize as generated by itself unmodified.
CoAP-CoAP proxies MUST relay the Echo option unmodified. The CoAP The CoAP server side of CoAP-to-HTTP proxies MAY request freshness,
server side of CoAP-HTTP proxies MAY request freshness, especially if especially if they have reason to assume that access may require it
they have reason to assume that access may require it (e.g. because (e.g. because it is a PUT or POST); how this is determined is out of
it is a PUT or POST); how this is determined is out of scope for this scope for this document. The CoAP client side of HTTP-to-CoAP
document. The CoAP client side of HTTP-CoAP-Proxies SHOULD respond proxies SHOULD respond to Echo challenges themselves if they know
to Echo challenges themselves if they know from the recent from the recent establishing of the connection that the HTTP request
establishing of the connection that the HTTP request is fresh. is fresh. Otherwise, they SHOULD respond with 503 Service
Otherwise, they SHOULD respond with 503 Service Unavailable, Retry- Unavailable, Retry-After: 0 and terminate any underlying Keep-Alive
After: 0 and terminate any underlying Keep-Alive connection. They connection. They MAY also use other mechanisms to establish
MAY also use other mechanisms to establish freshness of the HTTP freshness of the HTTP request that are not specified here.
request that are not specified here.
2.3. Applications 2.3. Applications
1. Actuation requests often require freshness guarantees to avoid 1. Actuation requests often require freshness guarantees to avoid
accidental or malicious delayed actuator actions. In general, accidental or malicious delayed actuator actions. In general,
all non-safe methods (e.g. POST, PUT, DELETE) may require all non-safe methods (e.g. POST, PUT, DELETE) may require
freshness guarantees for secure operation. freshness guarantees for secure operation.
2. To avoid additional roundtrips for applications with multiple * The same Echo value may be used for multiple actuation
actuator requests in rapid sequence between the same client and requests to the same server, as long as the total round-trip
server, the server may use the Echo option (with a new value) in time since the Echo option value was generated is below the
response to a request containing the Echo option. The client freshness threshold.
then uses the Echo option with the new value in the next
actuation request, and the server compares the receive time
accordingly.
3. If a server reboots during operation it may need to synchronize * For actuator applications with low delay tolerance, to avoid
state with requesting clients before continuing the interaction. additional round-trips for multiple requests in rapid
For example, with OSCORE it is possible to reuse a partly sequence, the server may include the Echo option with a new
persistently stored security context by synchronizing the Partial value in response to a request containing the Echo option.
IV (sequence number) using the Echo option. The client then uses the Echo option with the new value in the
next actuation request, and the server compares the receive
time accordingly.
4. When a device joins a multicast/broadcast group the device may 2. A server may use the Echo option to synchronize state or time
need to synchronize state or time with the sender to ensure that with a requesting client. A server MUST NOT synchronize state or
the received message is fresh. By synchronizing time with the time with clients which are not the authority of the property
broadcaster, time can be used for synchronizing subsequent being synchronized. E.g. if access to a server resource is
broadcast messages. A server MUST NOT synchronize state or time dependent on time, then the client MUST NOT set the time of the
with clients which are not the authority of the property being server.
synchronized. E.g. if access to a server resource is dependent
on time, then the client MUST NOT set the time of the server.
5. A server that sends large responses to unauthenticated peers * If a server reboots during operation it may need to
synchronize state or time before continuing the interaction.
For example, with OSCORE it is possible to reuse a partly
persistently stored security context by synchronizing the
Partial IV (sequence number) using the Echo option, see
Section 7.5 of [I-D.ietf-core-object-security].
* A device joining a CoAP group communication [RFC7390]
protected with OSCORE [I-D.ietf-core-oscore-groupcomm] may be
required to initially verify freshness and synchronize state
or time with a client by using the Echo option in a unicast
response to a multicast request. The client receiving the
response with the Echo option includes the Echo option with
the same value in a request, either in a unicast request to
the responding server, or in a subsequent group request. In
the latter case, the Echo option will be ignored expect by
responding server.
3. A server that sends large responses to unauthenticated peers
SHOULD mitigate amplification attacks such as described in SHOULD mitigate amplification attacks such as described in
Section 11.3 of [RFC7252] (where an attacker would put a victim's Section 11.3 of [RFC7252] (where an attacker would put a victim's
address in the source address of a CoAP request). For this address in the source address of a CoAP request). For this
purpose, the server MAY ask a client to Echo its request to purpose, a server MAY ask a client to Echo its request to verify
verify its source address. This needs to be done only once per its source address. This needs to be done only once per peer and
peer and limits the range of potential victims from the general limits the range of potential victims from the general Internet
Internet to endpoints that have been previously in contact with to endpoints that have been previously in contact with the
the server. For this application, the Echo option can be used in server. For this application, the Echo option can be used in
messages that are not integrity protected, for example during messages that are not integrity protected, for example during
discovery. discovery.
6. A server may want to verify the aliveness of a client by * In the presence of a proxy, a server will not be able to
responding with an Echo option. distiguish different origin client endpoints. Following from
the recommendation above, a proxy that sends large responses
to unauthenticatied peers SHOULD mitigate amplification
attacks. The proxy MAY use Echo to verify origin reachability
as described in Section 2.2. The proxy MAY forward idempotent
requests immediately to have a cached result available when
the client's Echoed request arrives.
4. A server may want to use the request freshness provided by the
Echo to verify the aliveness of a client. Note that in a
deployment with hop-by-hop security and proxies, the server can
only verify aliveness of the closest proxy.
3. The Request-Tag Option 3. The Request-Tag Option
The Request-Tag is intended for use as a short-lived identifier for The Request-Tag is intended for use as a short-lived identifier for
keeping apart distinct blockwise request operations on one resource keeping apart distinct blockwise request operations on one resource
from one client. It enables the receiving server to reliably from one client, addressing the issue described in Section 1.2. It
assemble request payloads (blocks) to their message bodies, and, if enables the receiving server to reliably assemble request payloads
it chooses to support it, to reliably process simultaneous blockwise (blocks) to their message bodies, and, if it chooses to support it,
request operations on a single resource. The requests must be to reliably process simultaneous blockwise request operations on a
integrity protected in order to protect against interchange of blocks single resource. The requests must be integrity protected in order
between different message bodies. to protect against interchange of blocks between different message
bodies.
In essence, it is an implementation of the "proxy-safe elective In essence, it is an implementation of the "proxy-safe elective
option" used just to "vary the cache key" as suggested in [RFC7959] option" used just to "vary the cache key" as suggested in [RFC7959]
Section 2.4. Section 2.4.
3.1. Option Format 3.1. Option Format
The Request-Tag option is not critical, is safe to forward, The Request-Tag option is not critical, is safe to forward,
repeatable, and part of the cache key, see Figure 3, which extends repeatable, and part of the cache key, see Figure 3, which extends
Table 4 of [RFC7252]). Table 4 of [RFC7252]).
+-----+---+---+---+---+-------------+--------+--------+---------+---+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
| No. | C | U | N | R | Name | Format | Length | Default | E | U | | No. | C | U | N | R | Name | Format | Len. | Default | E | U |
+-----+---+---+---+---+-------------+--------+--------+---------+---+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
| TBD | | | | x | Request-Tag | opaque | 0-8 | (none) | x | x | | TBD | | | | x | Request-Tag | opaque | 0-8 | (none) | x | x |
+-----+---+---+---+---+-------------+--------+--------+---------+---+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable,
E = Encrypt and Integrity Protect (when using OSCORE) E = Encrypt and Integrity Protect (when using OSCORE)
Figure 3: Request-Tag Option Summary Figure 3: Request-Tag Option Summary
[ Note to RFC editor: If this document is released before core- [ Note to RFC editor: If this document is released before core-
object-security, the following paragraph and the "E"/"U" columns object-security, then the following paragraph and the "E"/"U" columns
above need to move into OSCORE. ] above need to move into core-object-security, as they are defined in
that draft. ]
Request-Tag, like the block options, is both a class E and a class U Request-Tag, like the block options, is both a class E and a class U
option in terms of OSCORE processing (see Section 4.1 of option in terms of OSCORE processing (see Section 4.1 of
[I-D.ietf-core-object-security]): The Request-Tag MAY be an inner or [I-D.ietf-core-object-security]): The Request-Tag MAY be an inner or
outer option. The inner option is encrypted and integrity protected outer option. It influences the inner or outer block operation,
respectively. The inner and outer values are therefore independent
of each other. The inner option is encrypted and integrity protected
between client and server, and provides message body identification between client and server, and provides message body identification
in case of end-to-end fragmentation of requests. The outer option is in case of end-to-end fragmentation of requests. The outer option is
visible to proxies and labels message bodies in case of hop-by-hop visible to proxies and labels message bodies in case of hop-by-hop
fragmentation of requests. fragmentation of requests.
The Request-Tag option is only used in the request messages of The Request-Tag option is only used in the request messages of
blockwise operations. blockwise operations.
The Request-Tag mechanism can be applied independently on the server The Request-Tag mechanism can be applied independently on the server
and client sides of CoAP-CoAP proxies as are the block options, and client sides of CoAP-to-CoAP proxies as are the block options,
though given it is safe to forward, a proxy is free to just forward though given it is safe to forward, a proxy is free to just forward
it when processing an operation. CoAP-HTTP proxies and HTTP-CoAP it when processing an operation. CoAP-to-HTTP proxies and HTTP-to-
proxies can use Request-Tag on their CoAP sides; it is not applicable CoAP proxies can use Request-Tag on their CoAP sides; it is not
to HTTP requests. applicable to HTTP requests.
3.2. Request-Tag processing by servers 3.2. Request-Tag Processing by Servers
The Request-Tag option does not require any particular processing on The Request-Tag option does not require any particular processing on
the server side: As it varies the set of options that distinguish the server side outside of the processing already necessary for any
blockwise operations (ie. is neither Block1 or Block2 nor elective unknown elective proxy-safe cache-key option: The option varies the
NoCacheKey), the server can not treat their messages as belonging to properties that distinguish blockwise operations (which includes all
the same operation. options except elective NoCacheKey and except Block1/2), and thus the
server can not treat messages with a different list of Request-Tag
options as belonging to the same operation.
To keep utilizing the cache, a server (including proxies) MAY discard To keep utilizing the cache, a server (including proxies) MAY discard
the Request-Tag option from an assembled block-wise request when the Request-Tag option from an assembled block-wise request when
consulting its cache, as the option describes the individual blocks consulting its cache, as the option relates to the operation-on-the-
but not the operation as a whole. For example, a FETCH request with wire and not its semantics. For example, a FETCH request with the
the same body can have a fresh response even if they were requested same body as an older one can be served from the cache if the older's
using different request tags. (This is similar to the situation Max-Age has not expired yet, even if the second operation uses a
Request-Tag and the first did not. (This is similar to the situation
about ETag in that it is formally part of the cache key, but about ETag in that it is formally part of the cache key, but
implementations that are aware of its meaning can cache more implementations that are aware of its meaning can cache more
efficiently, see [RFC7252] Section 5.4.2). efficiently, see [RFC7252] Section 5.4.2).
A server receiving a Request-Tag MUST treat it as opaque and make no A server receiving a Request-Tag MUST treat it as opaque and make no
assumptions about its content or structure. assumptions about its content or structure.
Two messages carrying the same Request-Tag is a necessary but not Two messages carrying the same Request-Tag is a necessary but not
sufficient condition for being part of the same operation. They can sufficient condition for being part of the same operation. They can
still be treated as independent messages by the server (e.g. when it still be treated as independent messages by the server (e.g. when it
sends 2.01/2.04 responses for every block), or initiate a new sends 2.01/2.04 responses for every block), or initiate a new
operation (overwriting kept context) when the later message carries operation (overwriting kept context) when the later message carries
Block1 number 0. Block1 number 0.
[ The following paragraph might be better placed in lwig-coap, but
was left here until lwig-coap has decided on its fate there. ]
As it has always been, a server that can only serve a limited number As it has always been, a server that can only serve a limited number
of block-wise operations at the same time can delay the start of the of block-wise operations at the same time can delay the start of the
operation by replying with 5.03 (Service unavailable) and a Max-Age operation by replying with 5.03 (Service unavailable) and a Max-Age
indicating how long it expects the existing operation to go on, or it indicating how long it expects the existing operation to go on, or it
can forget about the state established with the older operation and can forget about the state established with the older operation and
respond with 4.08 (Request Entity Incompelte) to later blocks on the respond with 4.08 (Request Entity Incomplete) to later blocks on the
first operation. first operation.
Especially, that is the case for any correctly implemented proxy that
does not know how to use Request-Tag in requests and has only one
client endpoint. When it receives concurrent incoming requests on
the same resource, it needs to make that very choice: either send a
5.03 with Max-Age (holding off the second operation), or to commence
the second operation and reject any further requests on the first
operation with 4.08 Request Entity Incompelte errors without
forwarding them. (Alternatively, it could spool the second request,
but the unpredictable nature of the timeouts involved often makes
that an unsuitable choice.)
3.3. Setting the Request-Tag 3.3. Setting the Request-Tag
For each separate blockwise request operation, the client can choose For each separate blockwise request operation, the client can choose
a Request-Tag value, or choose not to set a Request-Tag. Starting a a Request-Tag value, or choose not to set a Request-Tag. Starting a
request operation matchable to a previous operation and even using request operation matchable to a previous operation and even using
the same Request-Tag value is called request tag recycling. Clients the same Request-Tag value is called request tag recycling. The
MUST NOT recycle a request tag unless the first operation has absence of a Request-Tag option is viewed as a value distinct from
all values with a single Request-Tag option set; starting a request
operation matchable to a previous operation where neither has a
Request-Tag option therefore constitutes request tag recycling just
as well (also called "recycling the absent option").
Clients MUST NOT recycle a request tag unless the first operation has
concluded. What constitutes a concluded operation depends on the concluded. What constitutes a concluded operation depends on the
application, and is outlined individually in Section 3.4. application, and is outlined individually in Section 3.4.
When Block1 and Block2 are combined in an operation, the Request-Tag When Block1 and Block2 are combined in an operation, the Request-Tag
of the Block1 phase is set in the Block2 phase as well for otherwise of the Block1 phase is set in the Block2 phase as well for otherwise
the request would have a different set of options and would not be the request would have a different set of options and would not be
recognized any more. recognized any more.
Clients are encouraged to generate compact messages. This means Clients are encouraged to generate compact messages. This means
sending messages without Request-Tag options whenever possible, and sending messages without Request-Tag options whenever possible, and
skipping to change at page 13, line 9 skipping to change at page 14, line 5
In order to gain that protection, use the Request-Tag mechanism as In order to gain that protection, use the Request-Tag mechanism as
follows: follows:
o The individual exchanges MUST be integrity protected end-to-end o The individual exchanges MUST be integrity protected end-to-end
between client and server. between client and server.
o The client MUST NOT recycle a request tag in a new operation o The client MUST NOT recycle a request tag in a new operation
unless the previous operation matchable to the new one has unless the previous operation matchable to the new one has
concluded. concluded.
When considering previous operations in protocols where the If any future security mechanisms allow a block-wise transfer to
security association is not tightly bound to an end point (eg. continue after an endpoint's details (like the IP address) have
OSCORE), the client MUST consider messages sent to _any_ endpoint changed, then the client MUST consider messages sent to _any_
with the new operation's security context. endpoint address within the new operation's security context.
o The client MUST NOT regard a blockwise request operation as o The client MUST NOT regard a blockwise request operation as
concluded unless all of the messages the client previously sent in concluded unless all of the messages the client previously sent in
the operation have been confirmed by the message integrity the operation have been confirmed by the message integrity
protection mechanism, or are considered invalid by the server if protection mechanism, or are considered invalid by the server if
replayed. replayed.
Typically, in OSCORE, these confirmations can result either from Typically, in OSCORE, these confirmations can result either from
the client receiving an OSCORE response message matching the the client receiving an OSCORE response message matching the
request (an empty ACK is insufficient), or because the message's request (an empty ACK is insufficient), or because the message's
skipping to change at page 14, line 16 skipping to change at page 15, line 13
other active operations: other active operations:
o If any of them is matchable to the new one, and the client neither o If any of them is matchable to the new one, and the client neither
wants to cancel the old one nor postpone the new one, it can pick wants to cancel the old one nor postpone the new one, it can pick
a Request-Tag value that is not in use by the other matchable a Request-Tag value that is not in use by the other matchable
operations for the new operation. operations for the new operation.
o Otherwise, it can start the new operation without setting the o Otherwise, it can start the new operation without setting the
Request-Tag option on it. Request-Tag option on it.
3.4.3. Simplified block-wise Handling for constrained proxies 3.4.3. Simplified Block-Wise Handling for Constrained Proxies
The Block options were defined to be unsafe to forward because a The Block options were defined to be unsafe to forward because a
proxy that woud forward blocks as plain messages would risk mixing up proxy that would forward blocks as plain messages would risk mixing
clients' requests. up clients' requests.
The Request-Tag option provides a very simple way for a proxy to keep The Request-Tag option provides a very simple way for a proxy to keep
them separate: if it appends a Request-Tag that is particular to the them separate: if it appends a Request-Tag that is particular to the
requesting endpoint to all request carrying any Block option, it does requesting endpoint to all request carrying any Block option, it does
not need to keep track of any further block state. not need to keep track of any further block state.
[I-D.ietf-lwig-coap] Section TBD provides further details.
[ Note to reviewers and co-authors: That section was so far only
syggested in input for lwig-coap. If it does not get into the
document, we should drop it here (for I don't want to explain all
this case's details and security considerations here), but if the
reference works, this section shows why Request-Tag has become
repeatable. ]
3.5. Rationale for the option properties This is particularly useful to proxies that strive for stateless
operation as described in [I-D.hartke-core-stateless] Section 3.1.
[ This section needs to be reworked after assuming our RFC7959 3.5. Rationale for the Option Properties
interpretation. ]
The Request-Tag option can be elective, because to servers unaware of The Request-Tag option can be elective, because to servers unaware of
the Request-Tag option, operations with differing request tags will the Request-Tag option, operations with differing request tags will
not be matchable. not be matchable.
The Request-Tag option can be safe to forward but part of the cache The Request-Tag option can be safe to forward but part of the cache
key, because to proxies unaware of the Request-Tag option will key, because to proxies unaware of the Request-Tag option will
consider operations with differing request tags unmatchable but can consider operations with differing request tags unmatchable but can
still forward them. still forward them.
The Request-Tag option is repeatable because this easily allows
stateless proxies to "chain" their origin address. Were it a single
option, they would need to employ some length/value scheme to avoid
confusing requests without a Request-Tag option with requests that
carry a zero-length request tag.
In earlier versions of this draft, the Request-Tag option used to be In earlier versions of this draft, the Request-Tag option used to be
critical and unsafe to forward. That design was based on an critical and unsafe to forward. That design was based on an
erroneous understanding of which blocks could be composed according erroneous understanding of which blocks could be composed according
to [RFC7959]. to [RFC7959].
3.6. Rationale for introducing the option 3.6. Rationale for Introducing the Option
An alternative that was considered to the Request-Tag option for An alternative that was considered to the Request-Tag option for
coping with the problem of fragmented message body integrity coping with the problem of fragmented message body integrity
(Section 3.4.1) was to update [RFC7959] to say that blocks could only (Section 3.4.1) was to update [RFC7959] to say that blocks could only
be assembled if their fragments' order corresponded to the sequence be assembled if their fragments' order corresponded to the sequence
numbers. numbers.
That approach would have been difficult to roll out reliably on DTLS That approach would have been difficult to roll out reliably on DTLS
where many implementations do not expose sequence numbers, and would where many implementations do not expose sequence numbers, and would
still not prevent attacks like in [I-D.mattsson-core-coap-actuators] still not prevent attacks like in [I-D.mattsson-core-coap-actuators]
skipping to change at page 15, line 36 skipping to change at page 16, line 36
matching ETag values are already in place from Section 2.4 of matching ETag values are already in place from Section 2.4 of
[RFC7959]. [RFC7959].
To gain equivalent protection to Section 3.4.1, a server MUST use the To gain equivalent protection to Section 3.4.1, a server MUST use the
Block2 option in conjunction with the ETag option ([RFC7252], Block2 option in conjunction with the ETag option ([RFC7252],
Section 5.10.6), and MUST NOT use the same ETag value for different Section 5.10.6), and MUST NOT use the same ETag value for different
representations of a resource. representations of a resource.
5. Token Processing 5. Token Processing
This section updates the Token processing in Section 5.3.1 of As described in Section 1.3, the client must be able to verify that a
[RFC7252] by adding the following text: response corresponds to a particular request. This section updates
the Token processing in Section 5.3.1 of [RFC7252] by adding the
following text:
When CoAP is used with a security protocol not providing bindings When CoAP is used with a security protocol not providing bindings
between requests and responses, the client MUST NOT reuse tokens between requests and responses, the client MUST NOT reuse tokens
until the traffic keys have been replaced. The easiest way to until the traffic keys have been replaced. The easiest way to
accomplish this is to implement the Token as a counter, this approach accomplish this is to implement the Token as a counter, this approach
SHOULD be followed. SHOULD be followed.
6. IANA Considerations 6. Security Considerations
This document adds the following option numbers to the "CoAP Option
Numbers" registry defined by [RFC7252]:
+--------+-------------+------------+
| Number | Name | Reference |
+--------+-------------+------------+
| TBD1 | Echo | [RFC XXXX] |
| | | |
| TBD2 | Request-Tag | [RFC XXXX] |
+--------+-------------+------------+
Figure 4: CoAP Option Numbers
7. Security Considerations
Implementations SHOULD NOT put any privacy sensitive information in
the Echo or Request-Tag option values. Unencrypted timestamps MAY
reveal information about the server such as its wall clock time or
location. Servers MUST use a monotonic clock to generate timestamps
and compute round-trip times. Servers SHOULD NOT use wall clock time
for timestamps, as wall clock time is not monotonic, may reveal that
the server will accept expired certificates, or reveal the server's
location. Use of non-monotonic clocks is not secure as the server
will accept expired Echo option values if the clock is moved
backward. The server will also reject fresh Echo option values if
the clock is moved forward. An attacker may be able to affect the
server's wall clock time in various ways such as setting up a fake
NTP server or broadcasting false time signals to radio-controlled
clocks. Servers MAY use the time since reboot measured in some unit
of time. Servers MAY reset the timer periodically. When resetting
the timer, the server MUST reject all Echo values that was created
before the reset.
The availability of a secure pseudorandom number generator and truly The availability of a secure pseudorandom number generator and truly
random seeds are essential for the security of the Echo option. If random seeds are essential for the security of the Echo option. If
no true random number generator is available, a truly random seed no true random number generator is available, a truly random seed
must be provided from an external source. must be provided from an external source.
An Echo value with 64 (pseudo-)random bits gives the same theoretical An Echo value with 64 (pseudo-)random bits gives the same theoretical
security level against forgeries as a 64-bit MAC (as used in e.g. security level against forgeries as a 64-bit MAC (as used in e.g.
AES_128_CCM_8). In practice, forgery of an Echo option value is much AES_128_CCM_8). In practice, forgery of an Echo option value is much
harder as an attacker must also forge the MAC in the security harder as an attacker must also forge the MAC in the security
skipping to change at page 17, line 10 skipping to change at page 17, line 24
etc.). etc.).
The security provided by the Echo and Request-Tag options depends on The security provided by the Echo and Request-Tag options depends on
the security protocol used. CoAP and HTTP proxies require (D)TLS to the security protocol used. CoAP and HTTP proxies require (D)TLS to
be terminated at the proxies. The proxies are therefore able to be terminated at the proxies. The proxies are therefore able to
manipulate, inject, delete, or reorder options or packets. The manipulate, inject, delete, or reorder options or packets. The
security claims in such architectures only hold under the assumption security claims in such architectures only hold under the assumption
that all intermediaries are fully trusted and have not been that all intermediaries are fully trusted and have not been
compromised. compromised.
Servers MUST use a monotonic clock to generate timestamps and compute
round-trip times. Use of non-monotonic clocks is not secure as the
server will accept expired Echo option values if the clock is moved
backward. The server will also reject fresh Echo option values if
the clock is moved forward.
Servers are not allowed to use wall clock time for timestamps, as
wall clock time is not monotonic. Furthermore, an attacker may be
able to affect the server's wall clock time in various ways such as
setting up a fake NTP server or broadcasting false time signals to
radio-controlled clocks.
Servers MAY use the time since reboot measured in some unit of time.
Servers MAY reset the timer at certain times and MAY generate a
random offset applied to all timestamps. When resetting the timer,
the server MUST reject all Echo values that was created before the
reset.
Servers that use the List of Cached Random Values and Timestamps Servers that use the List of Cached Random Values and Timestamps
method described in Appendix A may be vulnerable to resource method described in Appendix A may be vulnerable to resource
exhaustion attacks. On way to minimizing state is to use the exhaustion attacks. One way to minimize state is to use the
Integrity Protected Timestamp method described in Appendix A. Integrity Protected Timestamp method described in Appendix A.
8. References 7. Privacy Considerations
8.1. Normative References Implementations SHOULD NOT put any privacy sensitive information in
the Echo or Request-Tag option values. Unencrypted timestamps MAY
reveal information about the server such as location or time since
reboot. The use of wall clock time is not allowed (see Section 6)
and there also privacy reasons, e.g. it may reveal that the server
will accept expired certificates. Timestamps MAY be used if Echo is
encrypted between the client and the server, e.g. in the case of DTLS
without proxies or when using OSCORE with an Inner Echo option.
8. IANA Considerations
This document adds the following option numbers to the "CoAP Option
Numbers" registry defined by [RFC7252]:
+--------+-------------+-------------------+
| Number | Name | Reference |
+--------+-------------+-------------------+
| TBD1 | Echo | [[this document]] |
| | | |
| TBD2 | Request-Tag | [[this document]] |
+--------+-------------+-------------------+
Figure 4: CoAP Option Numbers
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in [RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in
the Constrained Application Protocol (CoAP)", RFC 7959, the Constrained Application Protocol (CoAP)", RFC 7959,
DOI 10.17487/RFC7959, August 2016, DOI 10.17487/RFC7959, August 2016,
<https://www.rfc-editor.org/info/rfc7959>. <https://www.rfc-editor.org/info/rfc7959>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References 9.2. Informative References
[I-D.hartke-core-stateless]
Hartke, K., "Extended Tokens and Stateless Clients in the
Constrained Application Protocol (CoAP)", draft-hartke-
core-stateless-01 (work in progress), September 2018.
[I-D.ietf-core-object-security] [I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments "Object Security for Constrained RESTful Environments
(OSCORE)", draft-ietf-core-object-security-13 (work in (OSCORE)", draft-ietf-core-object-security-15 (work in
progress), June 2018. progress), August 2018.
[I-D.ietf-lwig-coap] [I-D.ietf-core-oscore-groupcomm]
Kovatsch, M., Bergmann, O., and C. Bormann, "CoAP Tiloca, M., Selander, G., Palombini, F., and J. Park,
Implementation Guidance", draft-ietf-lwig-coap-05 (work in "Group OSCORE - Secure Group Communication for CoAP",
progress), October 2017. draft-ietf-core-oscore-groupcomm-03 (work in progress),
October 2018.
[I-D.mattsson-core-coap-actuators] [I-D.mattsson-core-coap-actuators]
Mattsson, J., Fornehed, J., Selander, G., Palombini, F., Mattsson, J., Fornehed, J., Selander, G., Palombini, F.,
and C. Amsuess, "Controlling Actuators with CoAP", draft- and C. Amsuess, "Controlling Actuators with CoAP", draft-
mattsson-core-coap-actuators-05 (work in progress), March mattsson-core-coap-actuators-06 (work in progress),
2018. September 2018.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>. January 2012, <https://www.rfc-editor.org/info/rfc6347>.
[RFC7390] Rahman, A., Ed. and E. Dijk, Ed., "Group Communication for
the Constrained Application Protocol (CoAP)", RFC 7390,
DOI 10.17487/RFC7390, October 2014,
<https://www.rfc-editor.org/info/rfc7390>.
[RFC7641] Hartke, K., "Observing Resources in the Constrained [RFC7641] Hartke, K., "Observing Resources in the Constrained
Application Protocol (CoAP)", RFC 7641, Application Protocol (CoAP)", RFC 7641,
DOI 10.17487/RFC7641, September 2015, DOI 10.17487/RFC7641, September 2015,
<https://www.rfc-editor.org/info/rfc7641>. <https://www.rfc-editor.org/info/rfc7641>.
[RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
Application Protocol) over TCP, TLS, and WebSockets", Application Protocol) over TCP, TLS, and WebSockets",
RFC 8323, DOI 10.17487/RFC8323, February 2018, RFC 8323, DOI 10.17487/RFC8323, February 2018,
<https://www.rfc-editor.org/info/rfc8323>. <https://www.rfc-editor.org/info/rfc8323>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
Appendix A. Methods for Generating Echo Option Values Appendix A. Methods for Generating Echo Option Values
The content and structure of the Echo option value are implementation The content and structure of the Echo option value are implementation
specific and determined by the server. Use of one of the mechanisms specific and determined by the server. Two simple mechanisms are
outlined in this section is RECOMMENDED. outlined in this section, the first is RECOMMENDED in general, and
the second is RECOMMENDED in case the Echo option is encrypted
between the client and the server.
Different mechanisms have different tradeoffs between the size of the Different mechanisms have different tradeoffs between the size of the
Echo option value, the amount of server state, the amount of Echo option value, the amount of server state, the amount of
computation, and the security properties offered. computation, and the security properties offered. A server MAY use
different methods and security levels for different uses cases
o Integrity Protected Timestamp. One method is to construct the (client aliveness, request freshness, state synchronization, network
Echo option value as an integrity protected timestamp. The address reachability, etc.).
timestamp can have different resolution and range. A 32-bit
timestamp can e.g. give a resolution of 1 second with a range of
136 years. The (pseudo-)random secret key is generated by the
server and not shared with any other party. The use of truncated
HMAC-SHA-256 is RECOMMENDED. With a 32-bit timestamp and a 64-bit
MAC, the size of the Echo option value is 12 bytes and the Server
state is small and constant. If the server loses time
synchronization, e.g. due to reboot, the old key MUST be deleted
and replaced by a new random secret key. A server MAY also want
to encrypt its timestamps, depending on the choice of encryption
algorithms, this may require a nonce to be included in the Echo
option value.
Echo option value: timestamp t0, MAC(k, t0)
Server State: secret key k
o List of Cached Random Values and Timestamps. An alternative 1. List of Cached Random Values and Timestamps. The Echo option
method is to construct the Echo option value as a (pseudo-)random value is a (pseudo-)random byte string. The server caches a list
byte string. The server caches a list containing the random byte containing the random byte strings and their transmission times.
strings and their transmission times. Assuming 64-bit random Assuming 64-bit random values and 32-bit timestamps, the size of the
values and 32-bit timestamps, the size of the Echo option value is Echo option value is 8 bytes and the amount of server state is 12n
8 bytes and the amount of server state is 12n bytes, where n is bytes, where n is the number of active Echo Option values. If the
the number of active Echo Option values. If the server loses time server loses time continuity, e.g. due to reboot, the entries in the
synchronization, e.g. due to reboot, the entries in the old list old list MUST be deleted.
MUST be deleted.
Echo option value: random value r Echo option value: random value r
Server State: random value r, timestamp t0 Server State: random value r, timestamp t0
A server MAY use different methods and security levels for different 2. Integrity Protected Timestamp. The Echo option value is an
uses cases (client aliveness, request freshness, state integrity protected timestamp. The timestamp can have different
synchronization, network address reachability, etc.). resolution and range. A 32-bit timestamp can e.g. give a resolution
of 1 second with a range of 136 years. The (pseudo-)random secret
key is generated by the server and not shared with any other party.
The use of truncated HMAC-SHA-256 is RECOMMENDED. With a 32-bit
timestamp and a 64-bit MAC, the size of the Echo option value is 12
bytes and the Server state is small and constant. If the server
loses time continuity, e.g. due to reboot, the old key MUST be
deleted and replaced by a new random secret key. Note that the
privacy considerations in Section 7 may apply to the timestamp. A
server MAY want to encrypt its timestamps, and, depending on the
choice of encryption algorithms, this may require a nonce to be
included in the Echo option value.
Echo option value: timestamp t0, MAC(k, t0)
Server State: secret key k
Other mechanisms complying with the security and privacy
considerations may be used. The use of encrypted timestamps in the
Echo option typically requires an IV to be included in the Echo
option value, which adds overhead and makes the specification of such
a mechanims slightly more complicated than the two mechanisms
specified here.
Appendix B. Request-Tag Message Size Impact Appendix B. Request-Tag Message Size Impact
In absence of concurrent operations, the Request-Tag mechanism for In absence of concurrent operations, the Request-Tag mechanism for
body integrity (Section 3.4.1) incurs no overhead if no messages are body integrity (Section 3.4.1) incurs no overhead if no messages are
lost (more precisely: in OSCORE, if no operations are aborted due to lost (more precisely: in OSCORE, if no operations are aborted due to
repeated transmission failure; in DTLS, if no packages are lost), or repeated transmission failure; in DTLS, if no packages are lost), or
when blockwise request operations happen rarely (in OSCORE, if there when blockwise request operations happen rarely (in OSCORE, if there
is always only one request blockwise operation in the replay window). is always only one request blockwise operation in the replay window).
skipping to change at page 21, line 12 skipping to change at page 22, line 40
* The response code that goes with Echo was changed from 4.03 to * The response code that goes with Echo was changed from 4.03 to
4.01 because the client needs to provide better credentials. 4.01 because the client needs to provide better credentials.
* The interaction between the new option and (cross) proxies is * The interaction between the new option and (cross) proxies is
now covered. now covered.
* Two messages being "Request-Tag matchable" was introduced to * Two messages being "Request-Tag matchable" was introduced to
replace the older concept of having a request tag value with replace the older concept of having a request tag value with
its slightly awkward equivalence definition. its slightly awkward equivalence definition.
Acknowledgments
The authors want to thank Jim Schaad for providing valuable input to
the draft.
Authors' Addresses Authors' Addresses
Christian Amsuess Christian Amsuess
Email: christian@amsuess.com Email: christian@amsuess.com
John Mattsson John Mattsson
Ericsson AB Ericsson AB
Email: john.mattsson@ericsson.com Email: john.mattsson@ericsson.com
Goeran Selander Goeran Selander
Ericsson AB Ericsson AB
Email: goran.selander@ericsson.com Email: goran.selander@ericsson.com
 End of changes. 79 change blocks. 
298 lines changed or deleted 399 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/