draft-ietf-core-echo-request-tag-03.txt   draft-ietf-core-echo-request-tag-04.txt 
CoRE Working Group C. Amsuess CoRE Working Group C. Amsuess
Internet-Draft Internet-Draft
Updates: 7252 (if approved) J. Mattsson Updates: 7252 (if approved) J. Mattsson
Intended status: Standards Track G. Selander Intended status: Standards Track G. Selander
Expires: April 25, 2019 Ericsson AB Expires: September 25, 2019 Ericsson AB
October 22, 2018 March 24, 2019
Echo and Request-Tag CoAP: Echo, Request-Tag, and Token Processing
draft-ietf-core-echo-request-tag-03 draft-ietf-core-echo-request-tag-04
Abstract Abstract
This document specifies security enhancements to the Constrained This document specifies enhancements to the Constrained Application
Application Protocol (CoAP). Two optional extensions are defined: Protocol (CoAP) that mitigate security issues in particular use
the Echo option and the Request-Tag option. Each of these options cases. The Echo option enables a CoAP server to verify the freshness
provide additional features to CoAP and protects against certain of a request or to force a client to demonstrate reachability at its
attacks. The document also updates the processing requirements on claimed network address. The Request-Tag option allows the CoAP
the Token of RFC 7252. The updated Token processing ensures secure server to match Block-Wise message fragments belonging to the same
binding of responses to requests. request. The updated Token processing requirements for clients
ensure secure binding of responses to requests when CoAP is used with
security.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2019. This Internet-Draft will expire on September 25, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 19 skipping to change at page 2, line 21
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3 1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3
1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 4 1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 4
1.3. Request-Response Binding . . . . . . . . . . . . . . . . 4 1.3. Request-Response Binding . . . . . . . . . . . . . . . . 4
1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 6 2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 6 2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 6
2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 7 2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 7
2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 9 2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 10
3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 11 3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 11
3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 11 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 11
3.2. Request-Tag Processing by Servers . . . . . . . . . . . . 12 3.2. Request-Tag Processing by Servers . . . . . . . . . . . . 12
3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 13 3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 13
3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 13 3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 14
3.4.1. Body Integrity Based on Payload Integrity . . . . . . 13 3.4.1. Body Integrity Based on Payload Integrity . . . . . . 14
3.4.2. Multiple Concurrent Blockwise Operations . . . . . . 14 3.4.2. Multiple Concurrent Blockwise Operations . . . . . . 15
3.4.3. Simplified Block-Wise Handling for Constrained 3.4.3. Simplified Block-Wise Handling for Constrained
Proxies . . . . . . . . . . . . . . . . . . . . . . . 15 Proxies . . . . . . . . . . . . . . . . . . . . . . . 16
3.5. Rationale for the Option Properties . . . . . . . . . . . 15 3.5. Rationale for the Option Properties . . . . . . . . . . . 16
3.6. Rationale for Introducing the Option . . . . . . . . . . 16 3.6. Rationale for Introducing the Option . . . . . . . . . . 16
4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 16 4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 17
5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 16 5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 17
6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 17 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 18
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
9.1. Normative References . . . . . . . . . . . . . . . . . . 18 9.1. Normative References . . . . . . . . . . . . . . . . . . 19
9.2. Informative References . . . . . . . . . . . . . . . . . 18 9.2. Informative References . . . . . . . . . . . . . . . . . 19
Appendix A. Methods for Generating Echo Option Values . . . . . 20 Appendix A. Methods for Generating Echo Option Values . . . . . 20
Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 21 Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 22
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 21 Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 22
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 22 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
The initial Constrained Application Protocol (CoAP) suite of The initial Constrained Application Protocol (CoAP) suite of
specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed
with the assumption that security could be provided on a separate with the assumption that security could be provided on a separate
layer, in particular by using DTLS ([RFC6347]). However, for some layer, in particular by using DTLS ([RFC6347]). However, for some
use cases, additional functionality or extra processing is needed to use cases, additional functionality or extra processing is needed to
support secure CoAP operations. This document specifies security support secure CoAP operations. This document specifies security
enhancements to the Constrained Application Protocol (CoAP). enhancements to the Constrained Application Protocol (CoAP).
This document specifies two server-oriented CoAP options, the Echo This document specifies two CoAP options, the Echo option and the
option and the Request-Tag option: The Echo option enables a CoAP Request-Tag option: The Echo option enables a CoAP server to verify
server to verify the freshness of a request, synchronize state, or the freshness of a request, synchronize state, or force a client to
force a client to demonstrate reachability at its apparent network demonstrate reachability at its claimed network address. The
address. The Request-Tag option allows the CoAP server to match Request-Tag option allows the CoAP server to match message fragments
message fragments belonging to the same request, fragmented using the belonging to the same request, fragmented using the CoAP Block-Wise
CoAP Block-Wise Transfer mechanism, which mitigates attacks and Transfer mechanism, which mitigates attacks and enables concurrent
enables concurrent blockwise operations. These options in themselves blockwise operations. These options in themselves do not replace the
do not replace the need for a security protocol; they specify the need for a security protocol; they specify the format and processing
format and processing of data which, when integrity protected using of data which, when integrity protected using e.g. DTLS ([RFC6347]),
e.g. DTLS ([RFC6347]), TLS ([RFC8446]), or OSCORE TLS ([RFC8446]), or OSCORE ([I-D.ietf-core-object-security]), provide
([I-D.ietf-core-object-security]), provide the additional security the additional security features.
features.
The document also updates the processing requirements on the Token. The document also updates the Token processing requirements for
The updated processing ensures secure binding of responses to clients specified in [RFC7252]. The updated processing ensures
requests, thus mitigating error cases and attacks where the client secure binding of responses to requests when CoAP is used with
security, thus mitigating error cases and attacks where the client
may erroneously associate the wrong response to a request. may erroneously associate the wrong response to a request.
1.1. Request Freshness 1.1. Request Freshness
A CoAP server receiving a request is in general not able to verify A CoAP server receiving a request is in general not able to verify
when the request was sent by the CoAP client. This remains true even when the request was sent by the CoAP client. This remains true even
if the request was protected with a security protocol, such as DTLS. if the request was protected with a security protocol, such as DTLS.
This makes CoAP requests vulnerable to certain delay attacks which This makes CoAP requests vulnerable to certain delay attacks which
are particularly incriminating in the case of actuators are particularly perilous in the case of actuators
([I-D.mattsson-core-coap-actuators]). Some attacks are possible to ([I-D.mattsson-core-coap-actuators]). Some attacks can be mitigated
mitigate by establishing fresh session keys, e.g. performing a DTLS by establishing fresh session keys, e.g. performing a DTLS handshake
handshake for each actuation, but in general this is not a solution for each request, but in general this is not a solution suitable for
suitable for constrained environments, for example, due to increased constrained environments, for example, due to increased message
message overhead and latency. Additionally, if there are proxies, overhead and latency. Additionally, if there are proxies, fresh DTLS
fresh DTLS session keys between server and proxy does not say session keys between server and proxy does not say anything about
anything about when the client made the request. In a general hop- when the client made the request. In a general hop-by-hop setting,
by-hop setting, freshness may need to be verified in each hop. freshness may need to be verified in each hop.
A straightforward mitigation of potential delayed requests is that A straightforward mitigation of potential delayed requests is that
the CoAP server rejects a request the first time it appears and asks the CoAP server rejects a request the first time it appears and asks
the CoAP client to prove that it intended to make the request at this the CoAP client to prove that it intended to make the request at this
point in time. The Echo option, defined in this document, specifies point in time. The Echo option, defined in this document, specifies
such a mechanism which thereby enables a CoAP server to verify the such a mechanism which thereby enables a CoAP server to verify the
freshness of a request. This mechanism is not only important in the freshness of a request. This mechanism is not only important in the
case of actuators, or other use cases where the CoAP operations case of actuators, or other use cases where the CoAP operations
require freshness of requests, but also in general for synchronizing require freshness of requests, but also in general for synchronizing
state between CoAP client and server and to verify aliveness of the state between CoAP client and server, verify aliveness of the client,
client. or force a client to demonstrate reachability at its claimed network
address. The same functionality can be provided by echoing freshness
tokens in CoAP payloads, but this only works for methods and response
codes defined to have a payload. The Echo option provides a
convention to transfer freshness tokens that works for all methods
and response codes.
1.2. Fragmented Message Body Integrity 1.2. Fragmented Message Body Integrity
CoAP was designed to work over unreliable transports, such as UDP, CoAP was designed to work over unreliable transports, such as UDP,
and include a lightweight reliability feature to handle messages and include a lightweight reliability feature to handle messages
which are lost or arrive out of order. In order for a security which are lost or arrive out of order. In order for a security
protocol to support CoAP operations over unreliable transports, it protocol to support CoAP operations over unreliable transports, it
must allow out-of-order delivery of messages using e.g. a sliding must allow out-of-order delivery of messages using e.g. a sliding
replay window such as described in Section 4.1.2.6 of DTLS replay window such as described in Section 4.1.2.6 of DTLS
([RFC6347]). ([RFC6347]).
skipping to change at page 4, line 33 skipping to change at page 4, line 40
protocol such as DTLS or OSCORE, within the replay window protocol such as DTLS or OSCORE, within the replay window
([I-D.mattsson-core-coap-actuators]), which is a vulnerability of ([I-D.mattsson-core-coap-actuators]), which is a vulnerability of
CoAP when using RFC7959. CoAP when using RFC7959.
A straightforward mitigation of mixing up blocks from different A straightforward mitigation of mixing up blocks from different
messages is to use unique identifiers for different message bodies, messages is to use unique identifiers for different message bodies,
which would provide equivalent protection to the case where the which would provide equivalent protection to the case where the
complete body fits into a single payload. The ETag option [RFC7252], complete body fits into a single payload. The ETag option [RFC7252],
set by the CoAP server, identifies a response body fragmented using set by the CoAP server, identifies a response body fragmented using
the Block2 option. This document defines the Request-Tag option for the Block2 option. This document defines the Request-Tag option for
identifying the request body fragmented using the Block1 option, identifying request bodies, similar to ETag, but ephemeral and set by
similar to ETag, but ephemeral and set by the CoAP client. the CoAP client. The Request-Tag option is only used in requests
that carry the Block1 option, and in Block2 requests following these.
1.3. Request-Response Binding 1.3. Request-Response Binding
A fundamental requirement of secure REST operations is that the A fundamental requirement of secure REST operations is that the
client can bind a response to a particular request. If this is not client can bind a response to a particular request. If this is not
valid a client may erroneously associate the wrong response to a ensured, a client may erroneously associate the wrong response to a
request. The wrong response may be an old response for the same request. The wrong response may be an old response for the same
resource or for a completely different resource (see e.g. resource or for a completely different resource (see e.g.
Section 2.3 of [I-D.mattsson-core-coap-actuators]). For example a Section 2.3 of [I-D.mattsson-core-coap-actuators]). For example, a
request for the alarm status "GET /status" may be associated to a request for the alarm status "GET /status" may be associated to a
prior response "on", instead of the correct response "off". prior response "on", instead of the correct response "off".
In HTTPS, binding is assured by the ordered and reliable delivery as In HTTPS, this type of binding is always assured by the ordered and
well as mandating that the server sends responses in the same order reliable delivery as well as mandating that the server sends
that the requests were received. The same is not true for CoAP where responses in the same order that the requests were received. The
the server (or an attacker) can return responses in any order. same is not true for CoAP where the server (or an attacker) can
Concurrent requests are instead differentiated by their Token. Note return responses in any order and where there can be any number of
that the CoAP Message ID cannot be used for this purpose since those responses to a request (see e.g. [RFC7641]). In CoAP, concurrent
are typically different for REST request and corresponding response requests are differentiated by their Token. Note that the CoAP
in case of "separate response", see Section 2.2 of [RFC7252]. Message ID cannot be used for this purpose since those are typically
different for REST request and corresponding response in case of
"separate response", see Section 2.2 of [RFC7252].
Unfortunately, CoAP [RFC7252] does not treat Token as a CoAP [RFC7252] does not treat Token as a cryptographically important
cryptographically important value and does not give stricter value and does not give stricter guidelines than that the tokens
guidelines than that the tokens currently "in use" SHOULD (not SHALL) currently "in use" SHOULD (not SHALL) be unique. If used with a
be unique. If used with security protocol not providing bindings security protocol not providing bindings between requests and
between requests and responses (e.g. DTLS and TLS) token reuse may responses (e.g. DTLS and TLS) token reuse may result in situations
result in situations where a client matches a response to the wrong where a client matches a response to the wrong request. Note that
request. Note that mismatches can also happen for other reasons than mismatches can also happen for other reasons than a malicious
a malicious attacker, e.g. delayed delivery or a server sending attacker, e.g. delayed delivery or a server sending notifications to
notifications to an uninterested client. an uninterested client.
A straightforward mitigation is to mandate clients to never reuse A straightforward mitigation is to mandate clients to not reuse
tokens until the AEAD keys have been replaced. As there may be any tokens until the traffic keys have been replaced. The easiest way to
number of responses to a request (see e.g. [RFC7641]), the easiest accomplish this is to implement the token as a counter starting at
way to accomplish this is to implement the token as a counter and zero for each new or rekeyed secure connection. This document
never reuse any tokens at all. This document updates the Token updates the Token processing in [RFC7252] to always assure a
processing in [RFC7252] to always assure a cryptographically secure cryptographically secure binding of responses to requests for secure
binding of responses to requests. REST operations like "coaps".
1.4. Terminology 1.4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Unless otherwise specified, the terms "client" and "server" refers to Unless otherwise specified, the terms "client" and "server" refers to
skipping to change at page 6, line 18 skipping to change at page 6, line 30
block of the second request is exchanged even though the client still block of the second request is exchanged even though the client still
intends to exchange further blocks in the first operation. intends to exchange further blocks in the first operation.
(Concurrent blockwise request operations are impossible with the (Concurrent blockwise request operations are impossible with the
options of [RFC7959] because the second operation's block overwrites options of [RFC7959] because the second operation's block overwrites
any state of the first exchange.). any state of the first exchange.).
The Echo and Request-Tag options are defined in this document. The Echo and Request-Tag options are defined in this document.
2. The Echo Option 2. The Echo Option
The Echo option is a lightweight server-driven challenge-response A fresh request is one whose age has not yet exceeded the freshness
mechanism for CoAP, motivated by the need for a server to verify requirements set by the server. The freshness requirements are
freshness of a request as described in Section 1.1. With request application specific and may vary based on resource, method, and
freshness we mean that the server can determine that the client (or parameters outside of coap such as policies. The Echo option is a
in the case of hop-by-hop security the proxy) sent the request lightweight challenge-response mechanism for CoAP, motivated by a
recently. The time threshold for being fresh is application need for a server to verify freshness of a request as described in
specific. The Echo option value is a challenge from the server to Section 1.1. The Echo option value is a challenge from the server to
the client included in a CoAP response and echoed back to the server the client included in a CoAP response and echoed back to the server
in one or more CoAP requests. in one or more CoAP requests. The Echo option provides a convention
to transfer freshness tokens that works for all CoAP methods and
response codes.
2.1. Option Format 2.1. Option Format
The Echo Option is elective, safe-to-forward, not part of the cache- The Echo Option is elective, safe-to-forward, not part of the cache-
key, and not repeatable, see Figure 1, which extends Table 4 of key, and not repeatable, see Figure 1, which extends Table 4 of
[RFC7252]). [RFC7252]).
+-----+---+---+---+---+-------------+--------+------+---------+---+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
| No. | C | U | N | R | Name | Format | Len. | Default | E | U | | No. | C | U | N | R | Name | Format | Len. | Default | E | U |
+-----+---+---+---+---+-------------+--------+------+---------+---+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
skipping to change at page 6, line 50 skipping to change at page 7, line 21
C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable,
E = Encrypt and Integrity Protect (when using OSCORE) E = Encrypt and Integrity Protect (when using OSCORE)
Figure 1: Echo Option Summary Figure 1: Echo Option Summary
[ Note to RFC editor: If this document is released before core- [ Note to RFC editor: If this document is released before core-
object-security, then the following paragraph and the "E"/"U" columns object-security, then the following paragraph and the "E"/"U" columns
above need to move into core-object-security, as they are defined in above need to move into core-object-security, as they are defined in
that draft. ] that draft. ]
The Echo option MAY be an Inner or Outer option
[I-D.ietf-core-object-security], and the Inner and Outer values are
independent. The Inner option is encrypted and integrity protected
between the endpoints, whereas the Outer option is not protected by
OSCORE and visible between the endpoints to the extent it is not
protected by some other security protocol. E.g. in the case of DTLS
hop-by-hop between the endpoints, the Outer option is visible to
proxies along the path.
The Echo option value is generated by a server, and its content and The Echo option value is generated by a server, and its content and
structure are implementation specific. Different methods for structure are implementation specific. Different methods for
generating Echo option values are outlined in Appendix A. Clients generating Echo option values are outlined in Appendix A. Clients
and intermediaries MUST treat an Echo option value as opaque and make and intermediaries MUST treat an Echo option value as opaque and make
no assumptions about its content or structure. no assumptions about its content or structure.
When receiving an Echo option in a request, the server MUST be able When receiving an Echo option in a request, the server MUST be able
to verify that the Echo option value was generated by the server as to verify when the Echo option value was generated. This implies
well as the point in time when the Echo option value was generated. that the server MUST be able to verify that the Echo option value was
generated by the server or some other party that the server trusts.
Depending on the freshness requirements the server may verify exactly
when the Echo option value was generated (time-based freshness) or
verify that the Echo option was generated after a specific event
(event-based freshness). As the request is bound to the Echo option
value, the server can determine that the request is not older that
the Echo option value.
When the Echo option is used with OSCORE
[I-D.ietf-core-object-security] it MAY be an Inner or Outer option,
and the Inner and Outer values are independent. The Inner option is
encrypted and integrity protected between the endpoints, whereas the
Outer option is not protected by OSCORE and visible between the
endpoints to the extent it is not protected by some other security
protocol. E.g. in the case of DTLS hop-by-hop between the endpoints,
the Outer option is visible to proxies along the path.
2.2. Echo Processing 2.2. Echo Processing
The Echo option MAY be included in any request or response (see The Echo option MAY be included in any request or response (see
Section 2.3 for different applications), but the Echo option MUST NOT Section 2.3 for different applications), but the Echo option MUST NOT
be used with empty CoAP requests (i.e. Code=0.00). be used with empty CoAP requests (i.e., Code=0.00).
If a server receives a request which has freshness requirements, the
request does not contain a fresh Echo option value, and the server
cannot verify the freshness of the request in some other way, the
server MUST NOT process the request further and SHOULD send a 4.01
Unauthorized response with an Echo option. The server MAY include
the same Echo option value in several different responses and to
different clients.
The application decides under what conditions a CoAP request to a The application decides under what conditions a CoAP request to a
resource is required to be fresh. These conditions can for example resource is required to be fresh. These conditions can for example
include what resource is requested, the request method and other data include what resource is requested, the request method and other data
in the request, and conditions in the environment such as the state in the request, and conditions in the environment such as the state
of the server or the time of the day. of the server or the time of the day.
If a certain request is required to be fresh, the request does not
contain a fresh Echo option value, and the server cannot verify the
freshness of the request in some other way, the server MUST NOT
process the request further and SHOULD send a 4.01 Unauthorized
response with an Echo option. The server MAY include the same Echo
option value in several different responses and to different clients.
The server may use request freshness provided by the Echo option to The server may use request freshness provided by the Echo option to
verify the aliveness of a client or to synchronize state. The server verify the aliveness of a client or to synchronize state. The server
may also include the Echo option in a response to force a client to may also include the Echo option in a response to force a client to
demonstrate reachability at their apparent network address. demonstrate reachability at its claimed network address.
Upon receiving a 4.01 Unauthorized response with the Echo option, the Upon receiving a 4.01 Unauthorized response with the Echo option, the
client SHOULD resend the original request with the addition of an client SHOULD resend the original request with the addition of an
Echo option with the received Echo option value. The client MAY send Echo option with the received Echo option value. The client MAY send
a different request compared to the original request. Upon receiving a different request compared to the original request. Upon receiving
any other response with the Echo option, the client SHOULD echo the any other response with the Echo option, the client SHOULD echo the
Echo option value in the next request to the server. The client MAY Echo option value in the next request to the server. The client MAY
include the same Echo option value in several different requests to include the same Echo option value in several different requests to
the server. the server.
Upon receiving a request with the Echo option, the server determines Upon receiving a request with the Echo option, the server determines
if the request has freshness requirements. If the request does not if the request is required to be fresh. If not, the Echo option MAY
have freshness requirements, the Echo option MAY be ignored. If the be ignored. If the request is required to be fresh and the server
request has freshness requirements and the server cannot verify the cannot verify the freshness of the request in some other way, the
freshness of the request in some other way, the server MUST verify server MUST use the Echo option to verify that the request is fresh
that the Echo option value was generated by the server; otherwise the enough. If the server cannot verify that the request is fresh
request is not processed further. The server MUST then calculate the enough, the request is not processed further, and an error message
round-trip time RTT = (t1 - t0), where t1 is the request receive time MAY be sent. The error message SHOULD include a new Echo option.
and t0 is the time when the Echo option value was generated. The
server MUST only accept requests with a round-trip time below a
certain threshold T, i.e. RTT < T. If the server cannot verify that
the Echo option value was generated by the server or the round-trip
time is not below the threshold the request is not processed further,
and an error message MAY be sent. The error message SHOULD include a
new Echo option. The threshold T is application specific, its value
depends e.g. on the freshness requirements of the request. An
example message flow is illustrated in Figure 2.
Client Server One way for the server to verify freshness is that to bind the Echo
| | value to a specific point in time and verify that the request is not
+------>| Code: 0.03 (PUT) older than a certain threshold T. The server can verify this by
| PUT | Token: 0x41 checking that (t1 - t0) < T, where t1 is the request receive time and
| | Uri-Path: lock t0 is the time when the Echo option value was generated. An example
| | Payload: 0 (Unlock) message flow is illustrated in Figure 2.
| |
|<------+ t0 Code: 4.01 (Unauthorized)
| 4.01 | Token: 0x41
| | Echo: 0x437468756c687521
| |
+------>| t1 Code: 0.03 (PUT)
| PUT | Token: 0x42
| | Uri-Path: lock
| | Echo: 0x437468756c687521
| | Payload: 0 (Unlock)
| |
|<------+ Code: 2.04 (Changed)
| 2.04 | Token: 0x42
| |
Figure 2: Example Echo Option Message Flow Client Server
| |
+------>| Code: 0.03 (PUT)
| PUT | Token: 0x41
| | Uri-Path: lock
| | Payload: 0 (Unlock)
| |
|<------+ Code: 4.01 (Unauthorized)
| 4.01 | Token: 0x41
| | Echo: 0x437468756c687521 (t0)
| |
+------>| t1 Code: 0.03 (PUT)
| PUT | Token: 0x42
| | Uri-Path: lock
| | Echo: 0x437468756c687521 (t0)
| | Payload: 0 (Unlock)
| |
|<------+ Code: 2.04 (Changed)
| 2.04 | Token: 0x42
| |
Note that the server does not have to synchronize the time used for Figure 2: Example Echo Option Message Flow
the Echo timestamps with any other party. However, if the server
loses time continuity, e.g. due to reboot, it MUST reject all Echo
values that was created before time continuity was lost.
When used to serve freshness requirements (including client aliveness When used to serve freshness requirements (including client aliveness
and state synchronizing), CoAP messages containing the Echo option and state synchronizing), CoAP messages containing the Echo option
MUST be integrity protected between the intended endpoints, e.g. MUST be integrity protected between the intended endpoints, e.g.
using DTLS, TLS, or an OSCORE Inner option using DTLS, TLS, or an OSCORE Inner option
([I-D.ietf-core-object-security]). When used to demonstrate ([I-D.ietf-core-object-security]). When used to demonstrate
reachability at their apparent network address, the Echo option MAY reachability at a claimed network address, the Echo option SHOULD
be unprotected. contain the client's network address, but MAY be unprotected.
A CoAP-to-CoAP proxy MAY respond to requests with 4.01 with an Echo A CoAP-to-CoAP proxy MAY respond to requests with 4.01 with an Echo
option to ensure the client's reachability at its apparent address, option to ensure the client's reachability at its claimed address,
and MUST remove the Echo option it recognizes as one generated by and MUST remove the Echo option it recognizes as one generated by
itself on follow-up requests. However, it MUST relay the Echo option itself on follow-up requests. However, it MUST relay the Echo option
of responses unmodified, and MUST relay the Echo option of requests of responses unmodified, and MUST relay the Echo option of requests
it does not recognize as generated by itself unmodified. it does not recognize as generated by itself unmodified.
The CoAP server side of CoAP-to-HTTP proxies MAY request freshness, The CoAP server side of CoAP-to-HTTP proxies MAY request freshness,
especially if they have reason to assume that access may require it especially if they have reason to assume that access may require it
(e.g. because it is a PUT or POST); how this is determined is out of (e.g. because it is a PUT or POST); how this is determined is out of
scope for this document. The CoAP client side of HTTP-to-CoAP scope for this document. The CoAP client side of HTTP-to-CoAP
proxies SHOULD respond to Echo challenges themselves if they know proxies SHOULD respond to Echo challenges themselves if they know
skipping to change at page 10, line 40 skipping to change at page 11, line 14
address in the source address of a CoAP request). For this address in the source address of a CoAP request). For this
purpose, a server MAY ask a client to Echo its request to verify purpose, a server MAY ask a client to Echo its request to verify
its source address. This needs to be done only once per peer and its source address. This needs to be done only once per peer and
limits the range of potential victims from the general Internet limits the range of potential victims from the general Internet
to endpoints that have been previously in contact with the to endpoints that have been previously in contact with the
server. For this application, the Echo option can be used in server. For this application, the Echo option can be used in
messages that are not integrity protected, for example during messages that are not integrity protected, for example during
discovery. discovery.
* In the presence of a proxy, a server will not be able to * In the presence of a proxy, a server will not be able to
distiguish different origin client endpoints. Following from distinguish different origin client endpoints. Following from
the recommendation above, a proxy that sends large responses the recommendation above, a proxy that sends large responses
to unauthenticatied peers SHOULD mitigate amplification to unauthenticated peers SHOULD mitigate amplification
attacks. The proxy MAY use Echo to verify origin reachability attacks. The proxy MAY use Echo to verify origin reachability
as described in Section 2.2. The proxy MAY forward idempotent as described in Section 2.2. The proxy MAY forward idempotent
requests immediately to have a cached result available when requests immediately to have a cached result available when
the client's Echoed request arrives. the client's Echoed request arrives.
4. A server may want to use the request freshness provided by the 4. A server may want to use the request freshness provided by the
Echo to verify the aliveness of a client. Note that in a Echo to verify the aliveness of a client. Note that in a
deployment with hop-by-hop security and proxies, the server can deployment with hop-by-hop security and proxies, the server can
only verify aliveness of the closest proxy. only verify aliveness of the closest proxy.
skipping to change at page 13, line 30 skipping to change at page 14, line 11
When Block1 and Block2 are combined in an operation, the Request-Tag When Block1 and Block2 are combined in an operation, the Request-Tag
of the Block1 phase is set in the Block2 phase as well for otherwise of the Block1 phase is set in the Block2 phase as well for otherwise
the request would have a different set of options and would not be the request would have a different set of options and would not be
recognized any more. recognized any more.
Clients are encouraged to generate compact messages. This means Clients are encouraged to generate compact messages. This means
sending messages without Request-Tag options whenever possible, and sending messages without Request-Tag options whenever possible, and
using short values when the absent option can not be recycled. using short values when the absent option can not be recycled.
The Request-Tag options MAY be present in request messages that carry
a Block2 option even if those messages are not part of a blockwise
request operation (this is to allow the operation described in
Section 3.4.3). The Request-Tag option MUST NOT be present in
response messages, and MUST NOT be present if neither the Block1 nor
the Block2 option is present.
3.4. Applications 3.4. Applications
3.4.1. Body Integrity Based on Payload Integrity 3.4.1. Body Integrity Based on Payload Integrity
When a client fragments a request body into multiple message When a client fragments a request body into multiple message
payloads, even if the individual messages are integrity protected, it payloads, even if the individual messages are integrity protected, it
is still possible for a man-in-the-middle to maliciously replace a is still possible for a man-in-the-middle to maliciously replace a
later operation's blocks with an earlier operation's blocks (see later operation's blocks with an earlier operation's blocks (see
Section 2.5 of [I-D.mattsson-core-coap-actuators]). Therefore, the Section 2.5 of [I-D.mattsson-core-coap-actuators]). Therefore, the
integrity protection of each block does not extend to the operation's integrity protection of each block does not extend to the operation's
skipping to change at page 15, line 39 skipping to change at page 16, line 31
The Request-Tag option can be elective, because to servers unaware of The Request-Tag option can be elective, because to servers unaware of
the Request-Tag option, operations with differing request tags will the Request-Tag option, operations with differing request tags will
not be matchable. not be matchable.
The Request-Tag option can be safe to forward but part of the cache The Request-Tag option can be safe to forward but part of the cache
key, because to proxies unaware of the Request-Tag option will key, because to proxies unaware of the Request-Tag option will
consider operations with differing request tags unmatchable but can consider operations with differing request tags unmatchable but can
still forward them. still forward them.
The Request-Tag option is repeatable because this easily allows The Request-Tag option is repeatable because this easily allows
stateless proxies to "chain" their origin address. Were it a single stateless proxies to "chain" their origin address. They can perform
option, they would need to employ some length/value scheme to avoid the steps of Section 3.4.3 without the need to create an option value
confusing requests without a Request-Tag option with requests that that is the concatenation of the received option and their own value,
carry a zero-length request tag. and can simply add a new Request-Tag option unconditionally.
In earlier versions of this draft, the Request-Tag option used to be In draft versions of this document, the Request-Tag option used to be
critical and unsafe to forward. That design was based on an critical and unsafe to forward. That design was based on an
erroneous understanding of which blocks could be composed according erroneous understanding of which blocks could be composed according
to [RFC7959]. to [RFC7959].
3.6. Rationale for Introducing the Option 3.6. Rationale for Introducing the Option
An alternative that was considered to the Request-Tag option for An alternative that was considered to the Request-Tag option for
coping with the problem of fragmented message body integrity coping with the problem of fragmented message body integrity
(Section 3.4.1) was to update [RFC7959] to say that blocks could only (Section 3.4.1) was to update [RFC7959] to say that blocks could only
be assembled if their fragments' order corresponded to the sequence be assembled if their fragments' order corresponded to the sequence
skipping to change at page 16, line 38 skipping to change at page 17, line 25
To gain equivalent protection to Section 3.4.1, a server MUST use the To gain equivalent protection to Section 3.4.1, a server MUST use the
Block2 option in conjunction with the ETag option ([RFC7252], Block2 option in conjunction with the ETag option ([RFC7252],
Section 5.10.6), and MUST NOT use the same ETag value for different Section 5.10.6), and MUST NOT use the same ETag value for different
representations of a resource. representations of a resource.
5. Token Processing 5. Token Processing
As described in Section 1.3, the client must be able to verify that a As described in Section 1.3, the client must be able to verify that a
response corresponds to a particular request. This section updates response corresponds to a particular request. This section updates
the Token processing in Section 5.3.1 of [RFC7252] by adding the the CoAP Token processing requirements for clients. The Token
following text: processing for servers is not updated. Token processing in
Section 5.3.1 of [RFC7252] is updated by adding the following text:
When CoAP is used with a security protocol not providing bindings When CoAP is used with a security protocol not providing bindings
between requests and responses, the client MUST NOT reuse tokens between requests and responses, the tokens have cryptographic
until the traffic keys have been replaced. The easiest way to importance. The client MUST make sure that tokens are not used in a
accomplish this is to implement the Token as a counter, this approach way so that responses risk being associated with the wrong request.
SHOULD be followed. The easiest way to accomplish this is to implement the Token (or part
of the Token) as a sequence number starting at zero for each new or
rekeyed secure connection, this approach SHOULD be followed. To
avoid collisions the sequence number can be encoded with a fixed
length or with some length-value encoding.
6. Security Considerations 6. Security Considerations
The availability of a secure pseudorandom number generator and truly The availability of a secure pseudorandom number generator and truly
random seeds are essential for the security of the Echo option. If random seeds are essential for the security of the Echo option. If
no true random number generator is available, a truly random seed no true random number generator is available, a truly random seed
must be provided from an external source. must be provided from an external source.
An Echo value with 64 (pseudo-)random bits gives the same theoretical A single active Echo value with 64 (pseudo-)random bits gives the
security level against forgeries as a 64-bit MAC (as used in e.g. same theoretical security level against forgeries as a 64-bit MAC (as
AES_128_CCM_8). In practice, forgery of an Echo option value is much used in e.g. AES_128_CCM_8). In practice, forgery of an Echo option
harder as an attacker must also forge the MAC in the security value is much harder as an attacker must also forge the MAC in the
protocol. The Echo option value MUST contain 32 (pseudo-)random bits security protocol. The Echo option value MUST contain 32
that are not predictable for any other party than the server, and (pseudo-)random bits that are not predictable for any other party
SHOULD contain 64 (pseudo-)random bits. A server MAY use different than the server, and SHOULD contain 64 (pseudo-)random bits. A
security levels for different uses cases (client aliveness, request server MAY use different security levels for different uses cases
freshness, state synchronization, network address reachability, (client aliveness, request freshness, state synchronization, network
etc.). address reachability, etc.).
The security provided by the Echo and Request-Tag options depends on The security provided by the Echo and Request-Tag options depends on
the security protocol used. CoAP and HTTP proxies require (D)TLS to the security protocol used. CoAP and HTTP proxies require (D)TLS to
be terminated at the proxies. The proxies are therefore able to be terminated at the proxies. The proxies are therefore able to
manipulate, inject, delete, or reorder options or packets. The manipulate, inject, delete, or reorder options or packets. The
security claims in such architectures only hold under the assumption security claims in such architectures only hold under the assumption
that all intermediaries are fully trusted and have not been that all intermediaries are fully trusted and have not been
compromised. compromised.
Servers MUST use a monotonic clock to generate timestamps and compute Servers SHOULD use a monotonic clock to generate timestamps and
round-trip times. Use of non-monotonic clocks is not secure as the compute round-trip times. Use of non-monotonic clocks is not secure
server will accept expired Echo option values if the clock is moved as the server will accept expired Echo option values if the clock is
backward. The server will also reject fresh Echo option values if moved backward. The server will also reject fresh Echo option values
the clock is moved forward. if the clock is moved forward. Non-monotonic clocks MAY be used as
long as they have deviations that are acceptable given the freshness
requirements. If the deviations from a monotonic clock are known, it
may be possible to adjust the threshold accordingly.
Servers are not allowed to use wall clock time for timestamps, as Servers SHOULD NOT use wall clock time for timestamps, as wall clock
wall clock time is not monotonic. Furthermore, an attacker may be time have large deviations from a monotonic clock. Furthermore, an
able to affect the server's wall clock time in various ways such as attacker may be able to affect the server's wall clock time in
setting up a fake NTP server or broadcasting false time signals to various ways such as setting up a fake NTP server or broadcasting
radio-controlled clocks. false time signals to radio-controlled clocks.
Servers MAY use the time since reboot measured in some unit of time. Servers MAY use the time since reboot measured in some unit of time.
Servers MAY reset the timer at certain times and MAY generate a Servers MAY reset the timer at certain times and MAY generate a
random offset applied to all timestamps. When resetting the timer, random offset applied to all timestamps. When resetting the timer,
the server MUST reject all Echo values that was created before the the server MUST reject all Echo values that was created before the
reset. reset.
Servers that use the List of Cached Random Values and Timestamps Servers that use the List of Cached Random Values and Timestamps
method described in Appendix A may be vulnerable to resource method described in Appendix A may be vulnerable to resource
exhaustion attacks. One way to minimize state is to use the exhaustion attacks. One way to minimize state is to use the
skipping to change at page 19, line 8 skipping to change at page 19, line 48
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References 9.2. Informative References
[I-D.hartke-core-stateless] [I-D.hartke-core-stateless]
Hartke, K., "Extended Tokens and Stateless Clients in the Hartke, K., "Extended Tokens and Stateless Clients in the
Constrained Application Protocol (CoAP)", draft-hartke- Constrained Application Protocol (CoAP)", draft-hartke-
core-stateless-01 (work in progress), September 2018. core-stateless-02 (work in progress), October 2018.
[I-D.ietf-core-object-security] [I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments "Object Security for Constrained RESTful Environments
(OSCORE)", draft-ietf-core-object-security-15 (work in (OSCORE)", draft-ietf-core-object-security-16 (work in
progress), August 2018. progress), March 2019.
[I-D.ietf-core-oscore-groupcomm] [I-D.ietf-core-oscore-groupcomm]
Tiloca, M., Selander, G., Palombini, F., and J. Park, Tiloca, M., Selander, G., Palombini, F., and J. Park,
"Group OSCORE - Secure Group Communication for CoAP", "Group OSCORE - Secure Group Communication for CoAP",
draft-ietf-core-oscore-groupcomm-03 (work in progress), draft-ietf-core-oscore-groupcomm-04 (work in progress),
October 2018. March 2019.
[I-D.mattsson-core-coap-actuators] [I-D.mattsson-core-coap-actuators]
Mattsson, J., Fornehed, J., Selander, G., Palombini, F., Mattsson, J., Fornehed, J., Selander, G., Palombini, F.,
and C. Amsuess, "Controlling Actuators with CoAP", draft- and C. Amsuess, "Controlling Actuators with CoAP", draft-
mattsson-core-coap-actuators-06 (work in progress), mattsson-core-coap-actuators-06 (work in progress),
September 2018. September 2018.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>. January 2012, <https://www.rfc-editor.org/info/rfc6347>.
skipping to change at page 20, line 23 skipping to change at page 21, line 17
Different mechanisms have different tradeoffs between the size of the Different mechanisms have different tradeoffs between the size of the
Echo option value, the amount of server state, the amount of Echo option value, the amount of server state, the amount of
computation, and the security properties offered. A server MAY use computation, and the security properties offered. A server MAY use
different methods and security levels for different uses cases different methods and security levels for different uses cases
(client aliveness, request freshness, state synchronization, network (client aliveness, request freshness, state synchronization, network
address reachability, etc.). address reachability, etc.).
1. List of Cached Random Values and Timestamps. The Echo option 1. List of Cached Random Values and Timestamps. The Echo option
value is a (pseudo-)random byte string. The server caches a list value is a (pseudo-)random byte string. The server caches a list
containing the random byte strings and their transmission times. containing the random byte strings and their transmission times.
Assuming 64-bit random values and 32-bit timestamps, the size of the Assuming 72-bit random values and 32-bit timestamps, the size of the
Echo option value is 8 bytes and the amount of server state is 12n Echo option value is 9 bytes and the amount of server state is 13n
bytes, where n is the number of active Echo Option values. If the bytes, where n is the number of active Echo Option values. The
server loses time continuity, e.g. due to reboot, the entries in the security against forged echo values is given by s = bit length of r -
old list MUST be deleted. log2(n). The length of r and the maximum allowed n should be set so
that the security level is harmonized with other parts of the
deployment, e.g., s >= 64. If the server loses time continuity, e.g.
due to reboot, the entries in the old list MUST be deleted.
Echo option value: random value r Echo option value: random value r
Server State: random value r, timestamp t0 Server State: random value r, timestamp t0
2. Integrity Protected Timestamp. The Echo option value is an 2. Integrity Protected Timestamp. The Echo option value is an
integrity protected timestamp. The timestamp can have different integrity protected timestamp. The timestamp can have different
resolution and range. A 32-bit timestamp can e.g. give a resolution resolution and range. A 32-bit timestamp can e.g. give a resolution
of 1 second with a range of 136 years. The (pseudo-)random secret of 1 second with a range of 136 years. The (pseudo-)random secret
key is generated by the server and not shared with any other party. key is generated by the server and not shared with any other party.
The use of truncated HMAC-SHA-256 is RECOMMENDED. With a 32-bit The use of truncated HMAC-SHA-256 is RECOMMENDED. With a 32-bit
timestamp and a 64-bit MAC, the size of the Echo option value is 12 timestamp and a 64-bit MAC, the size of the Echo option value is 12
bytes and the Server state is small and constant. If the server bytes and the Server state is small and constant. The security
against forged echo values is given by the MAC length. If the server
loses time continuity, e.g. due to reboot, the old key MUST be loses time continuity, e.g. due to reboot, the old key MUST be
deleted and replaced by a new random secret key. Note that the deleted and replaced by a new random secret key. Note that the
privacy considerations in Section 7 may apply to the timestamp. A privacy considerations in Section 7 may apply to the timestamp. A
server MAY want to encrypt its timestamps, and, depending on the server MAY want to encrypt its timestamps, and, depending on the
choice of encryption algorithms, this may require a nonce to be choice of encryption algorithms, this may require a nonce to be
included in the Echo option value. included in the Echo option value.
Echo option value: timestamp t0, MAC(k, t0) Echo option value: timestamp t0, MAC(k, t0)
Server State: secret key k Server State: secret key k
Other mechanisms complying with the security and privacy Other mechanisms complying with the security and privacy
considerations may be used. The use of encrypted timestamps in the considerations may be used. The use of encrypted timestamps in the
Echo option typically requires an IV to be included in the Echo Echo option typically requires an IV to be included in the Echo
option value, which adds overhead and makes the specification of such option value, which adds overhead and makes the specification of such
a mechanims slightly more complicated than the two mechanisms a mechanism slightly more complicated than the two mechanisms
specified here. specified here.
Appendix B. Request-Tag Message Size Impact Appendix B. Request-Tag Message Size Impact
In absence of concurrent operations, the Request-Tag mechanism for In absence of concurrent operations, the Request-Tag mechanism for
body integrity (Section 3.4.1) incurs no overhead if no messages are body integrity (Section 3.4.1) incurs no overhead if no messages are
lost (more precisely: in OSCORE, if no operations are aborted due to lost (more precisely: in OSCORE, if no operations are aborted due to
repeated transmission failure; in DTLS, if no packages are lost), or repeated transmission failure; in DTLS, if no packages are lost), or
when blockwise request operations happen rarely (in OSCORE, if there when blockwise request operations happen rarely (in OSCORE, if there
is always only one request blockwise operation in the replay window). is always only one request blockwise operation in the replay window).
skipping to change at page 21, line 41 skipping to change at page 22, line 40
o In OSCORE, the sequence number can be artificially increased so o In OSCORE, the sequence number can be artificially increased so
that all lost messages are outside of the replay window by the that all lost messages are outside of the replay window by the
time the first request of the new operation gets processed, and time the first request of the new operation gets processed, and
all earlier operations can therefore be regarded as concluded. all earlier operations can therefore be regarded as concluded.
Appendix C. Change Log Appendix C. Change Log
[ The editor is asked to remove this section before publication. ] [ The editor is asked to remove this section before publication. ]
o Changes since draft-ietf-core-echo-request-tag-03:
* Mention token processing changes in title
* Abstract reworded
* Clarify updates to token processing
* Describe security levels from Echo length
* Allow non-monotonic clocks under certain conditions for
freshness
* Simplify freshness expressions
* Describe when a Request-Tag can be set
* Add note on application-level freshness mechanisms
* Minor editorial changes
o Changes since draft-ietf-core-echo-request-tag-02:
* Define "freshness"
* Note limitations of "aliveness"
* Clarify proxy and OSCORE handling in presence of "echo"
* Clarify when Echo values may be reused
* Update security considerations
* Various minor clarifications
* Minor editorial changes
o Major changes since draft-ietf-core-echo-request-tag-01: o Major changes since draft-ietf-core-echo-request-tag-01:
* Follow-up changes after the "relying on blockwise" change in * Follow-up changes after the "relying on blockwise" change in
-01: -01:
+ Simplify the description of Request-Tag and matchability + Simplify the description of Request-Tag and matchability
+ Do not update RFC7959 any more + Do not update RFC7959 any more
* Make Request-Tag repeatable. * Make Request-Tag repeatable.
skipping to change at page 22, line 42 skipping to change at page 24, line 30
* The interaction between the new option and (cross) proxies is * The interaction between the new option and (cross) proxies is
now covered. now covered.
* Two messages being "Request-Tag matchable" was introduced to * Two messages being "Request-Tag matchable" was introduced to
replace the older concept of having a request tag value with replace the older concept of having a request tag value with
its slightly awkward equivalence definition. its slightly awkward equivalence definition.
Acknowledgments Acknowledgments
The authors want to thank Jim Schaad for providing valuable input to The authors want to thank Jim Schaad and Carsten Bormann for
the draft. providing valuable input to the draft.
Authors' Addresses Authors' Addresses
Christian Amsuess Christian Amsuess
Email: christian@amsuess.com Email: christian@amsuess.com
John Mattsson John Mattsson
Ericsson AB Ericsson AB
Email: john.mattsson@ericsson.com Email: john.mattsson@ericsson.com
Goeran Selander Goeran Selander
Ericsson AB Ericsson AB
Email: goran.selander@ericsson.com Email: goran.selander@ericsson.com
 End of changes. 52 change blocks. 
206 lines changed or deleted 274 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/