draft-ietf-core-echo-request-tag-05.txt   draft-ietf-core-echo-request-tag-06.txt 
CoRE Working Group C. Amsuess CoRE Working Group C. Amsuess
Internet-Draft Internet-Draft
Updates: 7252 (if approved) J. Mattsson Updates: 7252 (if approved) J. Mattsson
Intended status: Standards Track G. Selander Intended status: Standards Track G. Selander
Expires: November 7, 2019 Ericsson AB Expires: March 21, 2020 Ericsson AB
May 06, 2019 September 18, 2019
CoAP: Echo, Request-Tag, and Token Processing CoAP: Echo, Request-Tag, and Token Processing
draft-ietf-core-echo-request-tag-05 draft-ietf-core-echo-request-tag-06
Abstract Abstract
This document specifies enhancements to the Constrained Application This document specifies enhancements to the Constrained Application
Protocol (CoAP) that mitigate security issues in particular use Protocol (CoAP) that mitigate security issues in particular use
cases. The Echo option enables a CoAP server to verify the freshness cases. The Echo option enables a CoAP server to verify the freshness
of a request or to force a client to demonstrate reachability at its of a request or to force a client to demonstrate reachability at its
claimed network address. The Request-Tag option allows the CoAP claimed network address. The Request-Tag option allows the CoAP
server to match Block-Wise message fragments belonging to the same server to match block-wise message fragments belonging to the same
request. The updated Token processing requirements for clients request. The update to the client Token processing requirements of
ensure secure binding of responses to requests when CoAP is used with RFC 7252 forbids non-secure reuse of Tokens to ensure binding of
security. responses to requests when CoAP is used with security.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 7, 2019. This Internet-Draft will expire on March 21, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3 1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3
1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 4 1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 4
1.3. Request-Response Binding . . . . . . . . . . . . . . . . 4 1.3. Request-Response Binding . . . . . . . . . . . . . . . . 5
1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 6 2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 6 2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 7
2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 7 2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 8
2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 10 2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 10
3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 11 3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 11
3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 11 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 12
3.2. Request-Tag Processing by Servers . . . . . . . . . . . . 12 3.2. Request-Tag Processing by Servers . . . . . . . . . . . . 12
3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 13 3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 13
3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 14 3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 14
3.4.1. Body Integrity Based on Payload Integrity . . . . . . 14 3.4.1. Body Integrity Based on Payload Integrity . . . . . . 14
3.4.2. Multiple Concurrent Blockwise Operations . . . . . . 15 3.4.2. Multiple Concurrent Block-wise Operations . . . . . . 15
3.4.3. Simplified Block-Wise Handling for Constrained 3.4.3. Simplified Block-Wise Handling for Constrained
Proxies . . . . . . . . . . . . . . . . . . . . . . . 16 Proxies . . . . . . . . . . . . . . . . . . . . . . . 16
3.5. Rationale for the Option Properties . . . . . . . . . . . 16 3.5. Rationale for the Option Properties . . . . . . . . . . . 16
3.6. Rationale for Introducing the Option . . . . . . . . . . 16 3.6. Rationale for Introducing the Option . . . . . . . . . . 16
4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 17 4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 17
5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 17 5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 17
6. Security Considerations . . . . . . . . . . . . . . . . . . . 17 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 18 6.1. Token reuse . . . . . . . . . . . . . . . . . . . . . . . 18
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 20
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
9.1. Normative References . . . . . . . . . . . . . . . . . . 19 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
9.2. Informative References . . . . . . . . . . . . . . . . . 19 9.1. Normative References . . . . . . . . . . . . . . . . . . 20
Appendix A. Methods for Generating Echo Option Values . . . . . 21 9.2. Informative References . . . . . . . . . . . . . . . . . 21
Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 22 Appendix A. Methods for Generating Echo Option Values . . . . . 22
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 22 Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 23
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 24 Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction 1. Introduction
The initial Constrained Application Protocol (CoAP) suite of The initial Constrained Application Protocol (CoAP) suite of
specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed
with the assumption that security could be provided on a separate with the assumption that security could be provided on a separate
layer, in particular by using DTLS ([RFC6347]). However, for some layer, in particular by using DTLS ([RFC6347]). However, for some
use cases, additional functionality or extra processing is needed to use cases, additional functionality or extra processing is needed to
support secure CoAP operations. This document specifies security support secure CoAP operations. This document specifies security
enhancements to the Constrained Application Protocol (CoAP). enhancements to the Constrained Application Protocol (CoAP).
This document specifies two CoAP options, the Echo option and the This document specifies two CoAP options, the Echo option and the
Request-Tag option: The Echo option enables a CoAP server to verify Request-Tag option: The Echo option enables a CoAP server to verify
the freshness of a request, synchronize state, or force a client to the freshness of a request, synchronize state, or force a client to
demonstrate reachability at its claimed network address. The demonstrate reachability at its claimed network address. The
Request-Tag option allows the CoAP server to match message fragments Request-Tag option allows the CoAP server to match message fragments
belonging to the same request, fragmented using the CoAP Block-Wise belonging to the same request, fragmented using the CoAP block-wise
Transfer mechanism, which mitigates attacks and enables concurrent Transfer mechanism, which mitigates attacks and enables concurrent
blockwise operations. These options in themselves do not replace the block-wise operations. These options in themselves do not replace
need for a security protocol; they specify the format and processing the need for a security protocol; they specify the format and
of data which, when integrity protected using e.g. DTLS ([RFC6347]), processing of data which, when integrity protected using e.g. DTLS
TLS ([RFC8446]), or OSCORE ([I-D.ietf-core-object-security]), provide ([RFC6347]), TLS ([RFC8446]), or OSCORE ([RFC8613]), provide the
the additional security features. additional security features.
The document also updates the Token processing requirements for The document also updates the Token processing requirements for
clients specified in [RFC7252]. The updated processing ensures clients specified in [RFC7252]. The updated processing forbids non-
secure binding of responses to requests when CoAP is used with secure reuse of Tokens to ensure binding of responses to requests
security, thus mitigating error cases and attacks where the client when CoAP is used with security, thus mitigating error cases and
may erroneously associate the wrong response to a request. attacks where the client may erroneously associate the wrong response
to a request.
1.1. Request Freshness 1.1. Request Freshness
A CoAP server receiving a request is in general not able to verify A CoAP server receiving a request is in general not able to verify
when the request was sent by the CoAP client. This remains true even when the request was sent by the CoAP client. This remains true even
if the request was protected with a security protocol, such as DTLS. if the request was protected with a security protocol, such as DTLS.
This makes CoAP requests vulnerable to certain delay attacks which This makes CoAP requests vulnerable to certain delay attacks which
are particularly perilous in the case of actuators are particularly perilous in the case of actuators
([I-D.mattsson-core-coap-actuators]). Some attacks can be mitigated ([I-D.mattsson-core-coap-actuators]). Some attacks can be mitigated
by establishing fresh session keys, e.g. performing a DTLS handshake by establishing fresh session keys, e.g. performing a DTLS handshake
skipping to change at page 4, line 4 skipping to change at page 4, line 10
freshness may need to be verified in each hop. freshness may need to be verified in each hop.
A straightforward mitigation of potential delayed requests is that A straightforward mitigation of potential delayed requests is that
the CoAP server rejects a request the first time it appears and asks the CoAP server rejects a request the first time it appears and asks
the CoAP client to prove that it intended to make the request at this the CoAP client to prove that it intended to make the request at this
point in time. The Echo option, defined in this document, specifies point in time. The Echo option, defined in this document, specifies
such a mechanism which thereby enables a CoAP server to verify the such a mechanism which thereby enables a CoAP server to verify the
freshness of a request. This mechanism is not only important in the freshness of a request. This mechanism is not only important in the
case of actuators, or other use cases where the CoAP operations case of actuators, or other use cases where the CoAP operations
require freshness of requests, but also in general for synchronizing require freshness of requests, but also in general for synchronizing
state between CoAP client and server, verify aliveness of the client, state between CoAP client and server, cryptographically verify the
or force a client to demonstrate reachability at its claimed network aliveness of the client, or force a client to demonstrate
address. The same functionality can be provided by echoing freshness reachability at its claimed network address. The same functionality
tokens in CoAP payloads, but this only works for methods and response can be provided by echoing freshness indicators in CoAP payloads, but
codes defined to have a payload. The Echo option provides a this only works for methods and response codes defined to have a
convention to transfer freshness tokens that works for all methods payload. The Echo option provides a convention to transfer freshness
and response codes. indicators that works for all methods and response codes.
1.2. Fragmented Message Body Integrity 1.2. Fragmented Message Body Integrity
CoAP was designed to work over unreliable transports, such as UDP, CoAP was designed to work over unreliable transports, such as UDP,
and include a lightweight reliability feature to handle messages and include a lightweight reliability feature to handle messages
which are lost or arrive out of order. In order for a security which are lost or arrive out of order. In order for a security
protocol to support CoAP operations over unreliable transports, it protocol to support CoAP operations over unreliable transports, it
must allow out-of-order delivery of messages using e.g. a sliding must allow out-of-order delivery of messages using e.g. a sliding
replay window such as described in Section 4.1.2.6 of DTLS replay window such as described in Section 4.1.2.6 of DTLS
([RFC6347]). ([RFC6347]).
The Block-Wise Transfer mechanism [RFC7959] extends CoAP by defining The block-wise transfer mechanism [RFC7959] extends CoAP by defining
the transfer of a large resource representation (CoAP message body) the transfer of a large resource representation (CoAP message body)
as a sequence of blocks (CoAP message payloads). The mechanism uses as a sequence of blocks (CoAP message payloads). The mechanism uses
a pair of CoAP options, Block1 and Block2, pertaining to the request a pair of CoAP options, Block1 and Block2, pertaining to the request
and response payload, respectively. The blockwise functionality does and response payload, respectively. The block-wise functionality
not support the detection of interchanged blocks between different does not support the detection of interchanged blocks between
message bodies to the same resource having the same block number. different message bodies to the same resource having the same block
This remains true even when CoAP is used together with a security number. This remains true even when CoAP is used together with a
protocol such as DTLS or OSCORE, within the replay window security protocol such as DTLS or OSCORE, within the replay window
([I-D.mattsson-core-coap-actuators]), which is a vulnerability of ([I-D.mattsson-core-coap-actuators]), which is a vulnerability of
CoAP when using RFC7959. CoAP when using RFC7959.
A straightforward mitigation of mixing up blocks from different A straightforward mitigation of mixing up blocks from different
messages is to use unique identifiers for different message bodies, messages is to use unique identifiers for different message bodies,
which would provide equivalent protection to the case where the which would provide equivalent protection to the case where the
complete body fits into a single payload. The ETag option [RFC7252], complete body fits into a single payload. The ETag option [RFC7252],
set by the CoAP server, identifies a response body fragmented using set by the CoAP server, identifies a response body fragmented using
the Block2 option. This document defines the Request-Tag option for the Block2 option. This document defines the Request-Tag option for
identifying request bodies, similar to ETag, but ephemeral and set by identifying request bodies, similar to ETag, but ephemeral and set by
skipping to change at page 5, line 19 skipping to change at page 5, line 28
responses in the same order that the requests were received. The responses in the same order that the requests were received. The
same is not true for CoAP where the server (or an attacker) can same is not true for CoAP where the server (or an attacker) can
return responses in any order and where there can be any number of return responses in any order and where there can be any number of
responses to a request (see e.g. [RFC7641]). In CoAP, concurrent responses to a request (see e.g. [RFC7641]). In CoAP, concurrent
requests are differentiated by their Token. Note that the CoAP requests are differentiated by their Token. Note that the CoAP
Message ID cannot be used for this purpose since those are typically Message ID cannot be used for this purpose since those are typically
different for REST request and corresponding response in case of different for REST request and corresponding response in case of
"separate response", see Section 2.2 of [RFC7252]. "separate response", see Section 2.2 of [RFC7252].
CoAP [RFC7252] does not treat Token as a cryptographically important CoAP [RFC7252] does not treat Token as a cryptographically important
value and does not give stricter guidelines than that the tokens value and does not give stricter guidelines than that the Tokens
currently "in use" SHOULD (not SHALL) be unique. If used with a currently "in use" SHOULD (not SHALL) be unique. If used with a
security protocol not providing bindings between requests and security protocol not providing bindings between requests and
responses (e.g. DTLS and TLS) token reuse may result in situations responses (e.g. DTLS and TLS) Token reuse may result in situations
where a client matches a response to the wrong request. Note that where a client matches a response to the wrong request. Note that
mismatches can also happen for other reasons than a malicious mismatches can also happen for other reasons than a malicious
attacker, e.g. delayed delivery or a server sending notifications to attacker, e.g. delayed delivery or a server sending notifications to
an uninterested client. an uninterested client.
A straightforward mitigation is to mandate clients to not reuse A straightforward mitigation is to mandate clients to not reuse
tokens until the traffic keys have been replaced. One easy way to Tokens until the traffic keys have been replaced. One easy way to
accomplish this is to implement the token as a counter starting at accomplish this is to implement the Token as a counter starting at
zero for each new or rekeyed secure connection. This document zero for each new or rekeyed secure connection. This document
updates the Token processing in [RFC7252] to always assure a updates the Token processing in [RFC7252] to always assure a
cryptographically secure binding of responses to requests for secure cryptographically secure binding of responses to requests for secure
REST operations like "coaps". REST operations like "coaps".
1.4. Terminology 1.4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
skipping to change at page 6, line 8 skipping to change at page 6, line 15
Unless otherwise specified, the terms "client" and "server" refers to Unless otherwise specified, the terms "client" and "server" refers to
"CoAP client" and "CoAP server", respectively, as defined in "CoAP client" and "CoAP server", respectively, as defined in
[RFC7252]. The term "origin server" is used as in [RFC7252]. The [RFC7252]. The term "origin server" is used as in [RFC7252]. The
term "origin client" is used in this document to denote the client term "origin client" is used in this document to denote the client
from which a request originates; to distinguish from clients in from which a request originates; to distinguish from clients in
proxies. proxies.
The terms "payload" and "body" of a message are used as in [RFC7959]. The terms "payload" and "body" of a message are used as in [RFC7959].
The complete interchange of a request and a response body is called a The complete interchange of a request and a response body is called a
(REST) "operation". An operation fragmented using [RFC7959] is (REST) "operation". An operation fragmented using [RFC7959] is
called a "blockwise operation". A blockwise operation which is called a "block-wise operation". A block-wise operation which is
fragmenting the request body is called a "blockwise request fragmenting the request body is called a "block-wise request
operation". A blockwise operation which is fragmenting the response operation". A block-wise operation which is fragmenting the response
body is called a "blockwise response operation". body is called a "block-wise response operation".
Two request messages are said to be "matchable" if they occur between Two request messages are said to be "matchable" if they occur between
the same endpoint pair, have the same code and the same set of the same endpoint pair, have the same code and the same set of
options except for elective NoCacheKey options and options involved options except for elective NoCacheKey options and options involved
in block-wise transfer (Block1, Block2 and Request-Tag). Two in block-wise transfer (Block1, Block2 and Request-Tag). Two
operations are said to be matchable if any of their messages are. operations are said to be matchable if any of their messages are.
Two matchable blockwise operations are said to be "concurrent" if a Two matchable block-wise operations are said to be "concurrent" if a
block of the second request is exchanged even though the client still block of the second request is exchanged even though the client still
intends to exchange further blocks in the first operation. intends to exchange further blocks in the first operation.
(Concurrent blockwise request operations are impossible with the (Concurrent block-wise request operations are impossible with the
options of [RFC7959] because the second operation's block overwrites options of [RFC7959] because the second operation's block overwrites
any state of the first exchange.). any state of the first exchange.).
The Echo and Request-Tag options are defined in this document. The Echo and Request-Tag options are defined in this document.
2. The Echo Option 2. The Echo Option
A fresh request is one whose age has not yet exceeded the freshness A fresh request is one whose age has not yet exceeded the freshness
requirements set by the server. The freshness requirements are requirements set by the server. The freshness requirements are
application specific and may vary based on resource, method, and application specific and may vary based on resource, method, and
parameters outside of coap such as policies. The Echo option is a parameters outside of CoAP such as policies. The Echo option is a
lightweight challenge-response mechanism for CoAP, motivated by a lightweight challenge-response mechanism for CoAP, motivated by a
need for a server to verify freshness of a request as described in need for a server to verify freshness of a request as described in
Section 1.1. The Echo option value is a challenge from the server to Section 1.1. The Echo option value is a challenge from the server to
the client included in a CoAP response and echoed back to the server the client included in a CoAP response and echoed back to the server
in one or more CoAP requests. The Echo option provides a convention in one or more CoAP requests. The Echo option provides a convention
to transfer freshness tokens that works for all CoAP methods and to transfer freshness indicators that works for all CoAP methods and
response codes. response codes.
2.1. Option Format 2.1. Option Format
The Echo Option is elective, safe-to-forward, not part of the cache- The Echo Option is elective, safe-to-forward, not part of the cache-
key, and not repeatable, see Figure 1, which extends Table 4 of key, and not repeatable, see Figure 1, which extends Table 4 of
[RFC7252]). [RFC7252]).
+-----+---+---+---+---+-------------+--------+------+---------+---+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
| No. | C | U | N | R | Name | Format | Len. | Default | E | U | | No. | C | U | N | R | Name | Format | Len. | Default | E | U |
+-----+---+---+---+---+-------------+--------+------+---------+---+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
| TBD | | | x | | Echo | opaque | 4-40 | (none) | x | x | | TBD | | | x | | Echo | opaque | 4-40 | (none) | x | x |
+-----+---+---+---+---+-------------+--------+------+---------+---+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable,
E = Encrypt and Integrity Protect (when using OSCORE) E = Encrypt and Integrity Protect (when using OSCORE)
Figure 1: Echo Option Summary Figure 1: Echo Option Summary
[ Note to RFC editor: If this document is released before core-
object-security, then the following paragraph and the "E"/"U" columns
above need to move into core-object-security, as they are defined in
that draft. ]
The Echo option value is generated by a server, and its content and The Echo option value is generated by a server, and its content and
structure are implementation specific. Different methods for structure are implementation specific. Different methods for
generating Echo option values are outlined in Appendix A. Clients generating Echo option values are outlined in Appendix A. Clients
and intermediaries MUST treat an Echo option value as opaque and make and intermediaries MUST treat an Echo option value as opaque and make
no assumptions about its content or structure. no assumptions about its content or structure.
When receiving an Echo option in a request, the server MUST be able When receiving an Echo option in a request, the server MUST be able
to verify when the Echo option value was generated. This implies to verify when the Echo option value was generated. This implies
that the server MUST be able to verify that the Echo option value was that the server MUST be able to verify that the Echo option value was
generated by the server or some other party that the server trusts. generated by the server or some other party that the server trusts.
Depending on the freshness requirements the server may verify exactly Depending on the freshness requirements the server may verify exactly
when the Echo option value was generated (time-based freshness) or when the Echo option value was generated (time-based freshness) or
verify that the Echo option was generated after a specific event verify that the Echo option was generated after a specific event
(event-based freshness). As the request is bound to the Echo option (event-based freshness). As the request is bound to the Echo option
value, the server can determine that the request is not older that value, the server can determine that the request is not older that
the Echo option value. the Echo option value.
When the Echo option is used with OSCORE When the Echo option is used with OSCORE [RFC8613] it MAY be an Inner
[I-D.ietf-core-object-security] it MAY be an Inner or Outer option, or Outer option, and the Inner and Outer values are independent.
and the Inner and Outer values are independent. The Inner option is OSCORE servers MUST only produce Inner Echo options unless they are
encrypted and integrity protected between the endpoints, whereas the merely testing for reachability of the client (the same as proxies
Outer option is not protected by OSCORE and visible between the may do). The Inner option is encrypted and integrity protected
endpoints to the extent it is not protected by some other security between the endpoints, whereas the Outer option is not protected by
protocol. E.g. in the case of DTLS hop-by-hop between the endpoints, OSCORE and visible between the endpoints to the extent it is not
the Outer option is visible to proxies along the path. protected by some other security protocol. E.g. in the case of DTLS
hop-by-hop between the endpoints, the Outer option is visible to
proxies along the path.
2.2. Echo Processing 2.2. Echo Processing
The Echo option MAY be included in any request or response (see The Echo option MAY be included in any request or response (see
Section 2.3 for different applications), but the Echo option MUST NOT Section 2.3 for different applications).
be used with empty CoAP requests (i.e., Code=0.00).
The application decides under what conditions a CoAP request to a The application decides under what conditions a CoAP request to a
resource is required to be fresh. These conditions can for example resource is required to be fresh. These conditions can for example
include what resource is requested, the request method and other data include what resource is requested, the request method and other data
in the request, and conditions in the environment such as the state in the request, and conditions in the environment such as the state
of the server or the time of the day. of the server or the time of the day.
If a certain request is required to be fresh, the request does not If a certain request is required to be fresh, the request does not
contain a fresh Echo option value, and the server cannot verify the contain a fresh Echo option value, and the server cannot verify the
freshness of the request in some other way, the server MUST NOT freshness of the request in some other way, the server MUST NOT
skipping to change at page 8, line 32 skipping to change at page 8, line 37
Upon receiving a 4.01 Unauthorized response with the Echo option, the Upon receiving a 4.01 Unauthorized response with the Echo option, the
client SHOULD resend the original request with the addition of an client SHOULD resend the original request with the addition of an
Echo option with the received Echo option value. The client MAY send Echo option with the received Echo option value. The client MAY send
a different request compared to the original request. Upon receiving a different request compared to the original request. Upon receiving
any other response with the Echo option, the client SHOULD echo the any other response with the Echo option, the client SHOULD echo the
Echo option value in the next request to the server. The client MAY Echo option value in the next request to the server. The client MAY
include the same Echo option value in several different requests to include the same Echo option value in several different requests to
the server. the server.
A client MUST only send Echo values to endpoints it received them
from (where as defined in [RFC7252] Section 1.2, the security
association is part of the endpoint). In OSCORE processing, that
means sending Echo values from Outer options (or from non-OSCORE
responses) back in Outer options, and those from Inner options in
Inner options in the same security context.
Upon receiving a request with the Echo option, the server determines Upon receiving a request with the Echo option, the server determines
if the request is required to be fresh. If not, the Echo option MAY if the request is required to be fresh. If not, the Echo option MAY
be ignored. If the request is required to be fresh and the server be ignored. If the request is required to be fresh and the server
cannot verify the freshness of the request in some other way, the cannot verify the freshness of the request in some other way, the
server MUST use the Echo option to verify that the request is fresh server MUST use the Echo option to verify that the request is fresh
enough. If the server cannot verify that the request is fresh enough. If the server cannot verify that the request is fresh
enough, the request is not processed further, and an error message enough, the request is not processed further, and an error message
MAY be sent. The error message SHOULD include a new Echo option. MAY be sent. The error message SHOULD include a new Echo option.
One way for the server to verify freshness is that to bind the Echo One way for the server to verify freshness is that to bind the Echo
skipping to change at page 9, line 31 skipping to change at page 9, line 38
| | | |
|<------+ Code: 2.04 (Changed) |<------+ Code: 2.04 (Changed)
| 2.04 | Token: 0x42 | 2.04 | Token: 0x42
| | | |
Figure 2: Example Echo Option Message Flow Figure 2: Example Echo Option Message Flow
When used to serve freshness requirements (including client aliveness When used to serve freshness requirements (including client aliveness
and state synchronizing), CoAP messages containing the Echo option and state synchronizing), CoAP messages containing the Echo option
MUST be integrity protected between the intended endpoints, e.g. MUST be integrity protected between the intended endpoints, e.g.
using DTLS, TLS, or an OSCORE Inner option using DTLS, TLS, or an OSCORE Inner option ([RFC8613]). When used to
([I-D.ietf-core-object-security]). When used to demonstrate demonstrate reachability at a claimed network address, the Echo
reachability at a claimed network address, the Echo option SHOULD option SHOULD contain the client's network address, but MAY be
contain the client's network address, but MAY be unprotected. unprotected.
A CoAP-to-CoAP proxy MAY respond to requests with 4.01 with an Echo A CoAP-to-CoAP proxy MAY set an Echo option on responses, both on
option to ensure the client's reachability at its claimed address, forwarded ones that had no Echo option or ones generated by the proxy
and MUST remove the Echo option it recognizes as one generated by (from cache or as an error). If it does so, it MUST remove the Echo
itself on follow-up requests. However, it MUST relay the Echo option option it recognizes as one generated by itself on follow-up
of responses unmodified, and MUST relay the Echo option of requests requests. However, it MUST relay the Echo option of responses
it does not recognize as generated by itself unmodified. unmodified, and MUST relay the Echo option of requests it does not
recognize as generated by itself unmodified.
The CoAP server side of CoAP-to-HTTP proxies MAY request freshness, The CoAP server side of CoAP-to-HTTP proxies MAY request freshness,
especially if they have reason to assume that access may require it especially if they have reason to assume that access may require it
(e.g. because it is a PUT or POST); how this is determined is out of (e.g. because it is a PUT or POST); how this is determined is out of
scope for this document. The CoAP client side of HTTP-to-CoAP scope for this document. The CoAP client side of HTTP-to-CoAP
proxies SHOULD respond to Echo challenges themselves if they know proxies SHOULD respond to Echo challenges themselves if they know
from the recent establishing of the connection that the HTTP request from the recent establishing of the connection that the HTTP request
is fresh. Otherwise, they SHOULD respond with 503 Service is fresh. Otherwise, they SHOULD respond with 503 Service
Unavailable, Retry-After: 0 and terminate any underlying Keep-Alive Unavailable, Retry-After: 0 and terminate any underlying Keep-Alive
connection. They MAY also use other mechanisms to establish connection. They MAY also use other mechanisms to establish
skipping to change at page 10, line 20 skipping to change at page 10, line 28
freshness guarantees for secure operation. freshness guarantees for secure operation.
* The same Echo value may be used for multiple actuation * The same Echo value may be used for multiple actuation
requests to the same server, as long as the total round-trip requests to the same server, as long as the total round-trip
time since the Echo option value was generated is below the time since the Echo option value was generated is below the
freshness threshold. freshness threshold.
* For actuator applications with low delay tolerance, to avoid * For actuator applications with low delay tolerance, to avoid
additional round-trips for multiple requests in rapid additional round-trips for multiple requests in rapid
sequence, the server may include the Echo option with a new sequence, the server may include the Echo option with a new
value in response to a request containing the Echo option. value even in a successful response to a request,
The client then uses the Echo option with the new value in the irrespectively of whether the request contained an Echo option
next actuation request, and the server compares the receive or not. The client then uses the Echo option with the new
time accordingly. value in the next actuation request, and the server compares
the receive time accordingly.
2. A server may use the Echo option to synchronize state or time 2. A server may use the Echo option to synchronize state or time
with a requesting client. A server MUST NOT synchronize state or with a requesting client. A server MUST NOT synchronize state or
time with clients which are not the authority of the property time with clients which are not the authority of the property
being synchronized. E.g. if access to a server resource is being synchronized. E.g. if access to a server resource is
dependent on time, then the client MUST NOT set the time of the dependent on time, then the client MUST NOT set the time of the
server. server.
* If a server reboots during operation it may need to * If a server reboots during operation it may need to
synchronize state or time before continuing the interaction. synchronize state or time before continuing the interaction.
For example, with OSCORE it is possible to reuse a partly For example, with OSCORE it is possible to reuse a partly
persistently stored security context by synchronizing the persistently stored security context by synchronizing the
Partial IV (sequence number) using the Echo option, see Partial IV (sequence number) using the Echo option, see
Section 7.5 of [I-D.ietf-core-object-security]. Section 7.5 of [RFC8613].
* A device joining a CoAP group communication [RFC7390] * A device joining a CoAP group communication [RFC7390]
protected with OSCORE [I-D.ietf-core-oscore-groupcomm] may be protected with OSCORE [I-D.ietf-core-oscore-groupcomm] may be
required to initially verify freshness and synchronize state required to initially verify freshness and synchronize state
or time with a client by using the Echo option in a unicast or time with a client by using the Echo option in a unicast
response to a multicast request. The client receiving the response to a multicast request. The client receiving the
response with the Echo option includes the Echo option with response with the Echo option includes the Echo option with
the same value in a request, either in a unicast request to the same value in a request, either in a unicast request to
the responding server, or in a subsequent group request. In the responding server, or in a subsequent group request. In
the latter case, the Echo option will be ignored expect by the latter case, the Echo option will be ignored except by the
responding server. responding server.
3. A server that sends large responses to unauthenticated peers 3. A server that sends large responses to unauthenticated peers
SHOULD mitigate amplification attacks such as described in SHOULD mitigate amplification attacks such as described in
Section 11.3 of [RFC7252] (where an attacker would put a victim's Section 11.3 of [RFC7252] (where an attacker would put a victim's
address in the source address of a CoAP request). For this address in the source address of a CoAP request). For this
purpose, a server MAY ask a client to Echo its request to verify purpose, a server MAY ask a client to Echo its request to verify
its source address. This needs to be done only once per peer and its source address. This needs to be done only once per peer and
limits the range of potential victims from the general Internet limits the range of potential victims from the general Internet
to endpoints that have been previously in contact with the to endpoints that have been previously in contact with the
skipping to change at page 11, line 30 skipping to change at page 11, line 40
the client's Echoed request arrives. the client's Echoed request arrives.
4. A server may want to use the request freshness provided by the 4. A server may want to use the request freshness provided by the
Echo to verify the aliveness of a client. Note that in a Echo to verify the aliveness of a client. Note that in a
deployment with hop-by-hop security and proxies, the server can deployment with hop-by-hop security and proxies, the server can
only verify aliveness of the closest proxy. only verify aliveness of the closest proxy.
3. The Request-Tag Option 3. The Request-Tag Option
The Request-Tag is intended for use as a short-lived identifier for The Request-Tag is intended for use as a short-lived identifier for
keeping apart distinct blockwise request operations on one resource keeping apart distinct block-wise request operations on one resource
from one client, addressing the issue described in Section 1.2. It from one client, addressing the issue described in Section 1.2. It
enables the receiving server to reliably assemble request payloads enables the receiving server to reliably assemble request payloads
(blocks) to their message bodies, and, if it chooses to support it, (blocks) to their message bodies, and, if it chooses to support it,
to reliably process simultaneous blockwise request operations on a to reliably process simultaneous block-wise request operations on a
single resource. The requests must be integrity protected in order single resource. The requests must be integrity protected if they
to protect against interchange of blocks between different message should protect against interchange of blocks between different
bodies. message bodies.
In essence, it is an implementation of the "proxy-safe elective In essence, it is an implementation of the "proxy-safe elective
option" used just to "vary the cache key" as suggested in [RFC7959] option" used just to "vary the cache key" as suggested in [RFC7959]
Section 2.4. Section 2.4.
3.1. Option Format 3.1. Option Format
The Request-Tag option is not critical, is safe to forward, The Request-Tag option is not critical, is safe to forward,
repeatable, and part of the cache key, see Figure 3, which extends repeatable, and part of the cache key, see Figure 3, which extends
Table 4 of [RFC7252]). Table 4 of [RFC7252]).
skipping to change at page 12, line 16 skipping to change at page 12, line 22
| No. | C | U | N | R | Name | Format | Len. | Default | E | U | | No. | C | U | N | R | Name | Format | Len. | Default | E | U |
+-----+---+---+---+---+-------------+--------+------+---------+---+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
| TBD | | | | x | Request-Tag | opaque | 0-8 | (none) | x | x | | TBD | | | | x | Request-Tag | opaque | 0-8 | (none) | x | x |
+-----+---+---+---+---+-------------+--------+------+---------+---+---+ +-----+---+---+---+---+-------------+--------+------+---------+---+---+
C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable,
E = Encrypt and Integrity Protect (when using OSCORE) E = Encrypt and Integrity Protect (when using OSCORE)
Figure 3: Request-Tag Option Summary Figure 3: Request-Tag Option Summary
[ Note to RFC editor: If this document is released before core-
object-security, then the following paragraph and the "E"/"U" columns
above need to move into core-object-security, as they are defined in
that draft. ]
Request-Tag, like the block options, is both a class E and a class U Request-Tag, like the block options, is both a class E and a class U
option in terms of OSCORE processing (see Section 4.1 of option in terms of OSCORE processing (see Section 4.1 of [RFC8613]):
[I-D.ietf-core-object-security]): The Request-Tag MAY be an inner or The Request-Tag MAY be an Inner or Outer option. It influences the
outer option. It influences the inner or outer block operation, Inner or Outer block operation, respectively. The Inner and Outer
respectively. The inner and outer values are therefore independent values are therefore independent of each other. The Inner option is
of each other. The inner option is encrypted and integrity protected encrypted and integrity protected between client and server, and
between client and server, and provides message body identification provides message body identification in case of end-to-end
in case of end-to-end fragmentation of requests. The outer option is fragmentation of requests. The Outer option is visible to proxies
visible to proxies and labels message bodies in case of hop-by-hop and labels message bodies in case of hop-by-hop fragmentation of
fragmentation of requests. requests.
The Request-Tag option is only used in the request messages of The Request-Tag option is only used in the request messages of block-
blockwise operations. wise operations.
The Request-Tag mechanism can be applied independently on the server The Request-Tag mechanism can be applied independently on the server
and client sides of CoAP-to-CoAP proxies as are the block options, and client sides of CoAP-to-CoAP proxies as are the block options,
though given it is safe to forward, a proxy is free to just forward though given it is safe to forward, a proxy is free to just forward
it when processing an operation. CoAP-to-HTTP proxies and HTTP-to- it when processing an operation. CoAP-to-HTTP proxies and HTTP-to-
CoAP proxies can use Request-Tag on their CoAP sides; it is not CoAP proxies can use Request-Tag on their CoAP sides; it is not
applicable to HTTP requests. applicable to HTTP requests.
3.2. Request-Tag Processing by Servers 3.2. Request-Tag Processing by Servers
The Request-Tag option does not require any particular processing on The Request-Tag option does not require any particular processing on
the server side outside of the processing already necessary for any the server side outside of the processing already necessary for any
unknown elective proxy-safe cache-key option: The option varies the unknown elective proxy-safe cache-key option: The option varies the
properties that distinguish blockwise operations (which includes all properties that distinguish block-wise operations (which includes all
options except elective NoCacheKey and except Block1/2), and thus the options except elective NoCacheKey and except Block1/2), and thus the
server can not treat messages with a different list of Request-Tag server can not treat messages with a different list of Request-Tag
options as belonging to the same operation. options as belonging to the same operation.
To keep utilizing the cache, a server (including proxies) MAY discard To keep utilizing the cache, a server (including proxies) MAY discard
the Request-Tag option from an assembled block-wise request when the Request-Tag option from an assembled block-wise request when
consulting its cache, as the option relates to the operation-on-the- consulting its cache, as the option relates to the operation-on-the-
wire and not its semantics. For example, a FETCH request with the wire and not its semantics. For example, a FETCH request with the
same body as an older one can be served from the cache if the older's same body as an older one can be served from the cache if the older's
Max-Age has not expired yet, even if the second operation uses a Max-Age has not expired yet, even if the second operation uses a
skipping to change at page 13, line 36 skipping to change at page 13, line 36
As it has always been, a server that can only serve a limited number As it has always been, a server that can only serve a limited number
of block-wise operations at the same time can delay the start of the of block-wise operations at the same time can delay the start of the
operation by replying with 5.03 (Service unavailable) and a Max-Age operation by replying with 5.03 (Service unavailable) and a Max-Age
indicating how long it expects the existing operation to go on, or it indicating how long it expects the existing operation to go on, or it
can forget about the state established with the older operation and can forget about the state established with the older operation and
respond with 4.08 (Request Entity Incomplete) to later blocks on the respond with 4.08 (Request Entity Incomplete) to later blocks on the
first operation. first operation.
3.3. Setting the Request-Tag 3.3. Setting the Request-Tag
For each separate blockwise request operation, the client can choose For each separate block-wise request operation, the client can choose
a Request-Tag value, or choose not to set a Request-Tag. Starting a a Request-Tag value, or choose not to set a Request-Tag. Starting a
request operation matchable to a previous operation and even using request operation matchable to a previous operation and even using
the same Request-Tag value is called request tag recycling. The the same Request-Tag value is called request tag recycling. The
absence of a Request-Tag option is viewed as a value distinct from absence of a Request-Tag option is viewed as a value distinct from
all values with a single Request-Tag option set; starting a request all values with a single Request-Tag option set; starting a request
operation matchable to a previous operation where neither has a operation matchable to a previous operation where neither has a
Request-Tag option therefore constitutes request tag recycling just Request-Tag option therefore constitutes request tag recycling just
as well (also called "recycling the absent option"). as well (also called "recycling the absent option").
Clients MUST NOT recycle a request tag unless the first operation has Clients MUST NOT recycle a request tag unless the first operation has
skipping to change at page 14, line 45 skipping to change at page 14, line 45
o The client MUST NOT recycle a request tag in a new operation o The client MUST NOT recycle a request tag in a new operation
unless the previous operation matchable to the new one has unless the previous operation matchable to the new one has
concluded. concluded.
If any future security mechanisms allow a block-wise transfer to If any future security mechanisms allow a block-wise transfer to
continue after an endpoint's details (like the IP address) have continue after an endpoint's details (like the IP address) have
changed, then the client MUST consider messages sent to _any_ changed, then the client MUST consider messages sent to _any_
endpoint address within the new operation's security context. endpoint address within the new operation's security context.
o The client MUST NOT regard a blockwise request operation as o The client MUST NOT regard a block-wise request operation as
concluded unless all of the messages the client previously sent in concluded unless all of the messages the client previously sent in
the operation have been confirmed by the message integrity the operation have been confirmed by the message integrity
protection mechanism, or are considered invalid by the server if protection mechanism, or are considered invalid by the server if
replayed. replayed.
Typically, in OSCORE, these confirmations can result either from Typically, in OSCORE, these confirmations can result either from
the client receiving an OSCORE response message matching the the client receiving an OSCORE response message matching the
request (an empty ACK is insufficient), or because the message's request (an empty ACK is insufficient), or because the message's
sequence number is old enough to be outside the server's receive sequence number is old enough to be outside the server's receive
window. window.
In DTLS, this can only be confirmed if the request message was not In DTLS, this can only be confirmed if the request message was not
retransmitted, and was responded to. retransmitted, and was responded to.
Authors of other documents (e.g. [I-D.ietf-core-object-security]) Authors of other documents (e.g. applications of [RFC8613]) are
are invited to mandate this behavior for clients that execute invited to mandate this behavior for clients that execute block-wise
blockwise interactions over secured transports. In this way, the interactions over secured transports. In this way, the server can
server can rely on a conforming client to set the Request-Tag option rely on a conforming client to set the Request-Tag option when
when required, and thereby conclude on the integrity of the assembled required, and thereby conclude on the integrity of the assembled
body. body.
Note that this mechanism is implicitly implemented when the security Note that this mechanism is implicitly implemented when the security
layer guarantees ordered delivery (e.g. CoAP over TLS [RFC8323]). layer guarantees ordered delivery (e.g. CoAP over TLS [RFC8323]).
This is because with each message, any earlier message can not be This is because with each message, any earlier message can not be
replayed any more, so the client never needs to set the Request-Tag replayed any more, so the client never needs to set the Request-Tag
option unless it wants to perform concurrent operations. option unless it wants to perform concurrent operations.
3.4.2. Multiple Concurrent Blockwise Operations 3.4.2. Multiple Concurrent Block-wise Operations
CoAP clients, especially CoAP proxies, may initiate a blockwise CoAP clients, especially CoAP proxies, may initiate a block-wise
request operation to a resource, to which a previous one is already request operation to a resource, to which a previous one is already
in progress, which the new request should not cancel. A CoAP proxy in progress, which the new request should not cancel. A CoAP proxy
would be in such a situation when it forwards operations with the would be in such a situation when it forwards operations with the
same cache-key options but possibly different payloads. same cache-key options but possibly different payloads.
For those cases, Request-Tag is the proxy-safe elective option For those cases, Request-Tag is the proxy-safe elective option
suggested in [RFC7959] Section 2.4 last paragraph. suggested in [RFC7959] Section 2.4 last paragraph.
When initializing a new blockwise operation, a client has to look at When initializing a new block-wise operation, a client has to look at
other active operations: other active operations:
o If any of them is matchable to the new one, and the client neither o If any of them is matchable to the new one, and the client neither
wants to cancel the old one nor postpone the new one, it can pick wants to cancel the old one nor postpone the new one, it can pick
a Request-Tag value that is not in use by the other matchable a Request-Tag value that is not in use by the other matchable
operations for the new operation. operations for the new operation.
o Otherwise, it can start the new operation without setting the o Otherwise, it can start the new operation without setting the
Request-Tag option on it. Request-Tag option on it.
skipping to change at page 16, line 17 skipping to change at page 16, line 17
The Block options were defined to be unsafe to forward because a The Block options were defined to be unsafe to forward because a
proxy that would forward blocks as plain messages would risk mixing proxy that would forward blocks as plain messages would risk mixing
up clients' requests. up clients' requests.
The Request-Tag option provides a very simple way for a proxy to keep The Request-Tag option provides a very simple way for a proxy to keep
them separate: if it appends a Request-Tag that is particular to the them separate: if it appends a Request-Tag that is particular to the
requesting endpoint to all request carrying any Block option, it does requesting endpoint to all request carrying any Block option, it does
not need to keep track of any further block state. not need to keep track of any further block state.
This is particularly useful to proxies that strive for stateless This is particularly useful to proxies that strive for stateless
operation as described in [I-D.hartke-core-stateless] Section 3.1. operation as described in [I-D.ietf-core-stateless] Section 3.1.
3.5. Rationale for the Option Properties 3.5. Rationale for the Option Properties
The Request-Tag option can be elective, because to servers unaware of The Request-Tag option can be elective, because to servers unaware of
the Request-Tag option, operations with differing request tags will the Request-Tag option, operations with differing request tags will
not be matchable. not be matchable.
The Request-Tag option can be safe to forward but part of the cache The Request-Tag option can be safe to forward but part of the cache
key, because to proxies unaware of the Request-Tag option will key, because to proxies unaware of the Request-Tag option will
consider operations with differing request tags unmatchable but can consider operations with differing request tags unmatchable but can
skipping to change at page 17, line 30 skipping to change at page 17, line 30
5. Token Processing 5. Token Processing
As described in Section 1.3, the client must be able to verify that a As described in Section 1.3, the client must be able to verify that a
response corresponds to a particular request. This section updates response corresponds to a particular request. This section updates
the CoAP Token processing requirements for clients. The Token the CoAP Token processing requirements for clients. The Token
processing for servers is not updated. Token processing in processing for servers is not updated. Token processing in
Section 5.3.1 of [RFC7252] is updated by adding the following text: Section 5.3.1 of [RFC7252] is updated by adding the following text:
When CoAP is used with a security protocol not providing bindings When CoAP is used with a security protocol not providing bindings
between requests and responses, the tokens have cryptographic between requests and responses, the Tokens have cryptographic
importance. The client MUST make sure that tokens are not used in a importance. The client MUST make sure that Tokens are not used in a
way so that responses risk being associated with the wrong request. way so that responses risk being associated with the wrong request.
One easy way to accomplish this is to implement the Token (or part of One easy way to accomplish this is to implement the Token (or part of
the Token) as a sequence number starting at zero for each new or the Token) as a sequence number starting at zero for each new or
rekeyed secure connection, this approach SHOULD be followed. rekeyed secure connection, this approach SHOULD be followed.
6. Security Considerations 6. Security Considerations
The availability of a secure pseudorandom number generator and truly The availability of a secure pseudorandom number generator and truly
random seeds are essential for the security of the Echo option. If random seeds are essential for the security of the Echo option. If
no true random number generator is available, a truly random seed no true random number generator is available, a truly random seed
must be provided from an external source. must be provided from an external source. As each pseudoranom number
must only be used once, an implementation need to get a new truly
random seed after reboot, or continously store state in nonvolatile
memory, see ([RFC8613], Appendix B.1.1) for issues and solution
approaches for writing to nonvolatile memory.
A single active Echo value with 64 (pseudo-)random bits gives the A single active Echo value with 64 (pseudo-)random bits gives the
same theoretical security level against forgeries as a 64-bit MAC (as same theoretical security level as a 64-bit MAC (as used in e.g.
used in e.g. AES_128_CCM_8). In practice, forgery of an Echo option AES_128_CCM_8). The Echo option value MUST contain 32
value is much harder as an attacker must also forge the MAC in the
security protocol. The Echo option value MUST contain 32
(pseudo-)random bits that are not predictable for any other party (pseudo-)random bits that are not predictable for any other party
than the server, and SHOULD contain 64 (pseudo-)random bits. A than the server, and SHOULD contain 64 (pseudo-)random bits. A
server MAY use different security levels for different uses cases server MAY use different security levels for different uses cases
(client aliveness, request freshness, state synchronization, network (client aliveness, request freshness, state synchronization, network
address reachability, etc.). address reachability, etc.).
The security provided by the Echo and Request-Tag options depends on The security provided by the Echo and Request-Tag options depends on
the security protocol used. CoAP and HTTP proxies require (D)TLS to the security protocol used. CoAP and HTTP proxies require (D)TLS to
be terminated at the proxies. The proxies are therefore able to be terminated at the proxies. The proxies are therefore able to
manipulate, inject, delete, or reorder options or packets. The manipulate, inject, delete, or reorder options or packets. The
skipping to change at page 18, line 41 skipping to change at page 18, line 42
Servers MAY reset the timer at certain times and MAY generate a Servers MAY reset the timer at certain times and MAY generate a
random offset applied to all timestamps. When resetting the timer, random offset applied to all timestamps. When resetting the timer,
the server MUST reject all Echo values that was created before the the server MUST reject all Echo values that was created before the
reset. reset.
Servers that use the List of Cached Random Values and Timestamps Servers that use the List of Cached Random Values and Timestamps
method described in Appendix A may be vulnerable to resource method described in Appendix A may be vulnerable to resource
exhaustion attacks. One way to minimize state is to use the exhaustion attacks. One way to minimize state is to use the
Integrity Protected Timestamp method described in Appendix A. Integrity Protected Timestamp method described in Appendix A.
6.1. Token reuse
Reusing Tokens in a way so that responses are guaranteed to not be
associated with the wrong request is not trivial as on-path attackers
may block, delay, and reorder messages, requests may be sent to
several servers, and servers may process requests in any order and
send many responses to the same request. The use of a sequence
number is therefore recommended when CoAP is used with a security
protocol that does not providing bindings between requests and
responses such as DTLS or TLS.
For a generic response to a confirmable request over DTLS, binding
can only be claimed without out-of-band knowledge if
o the original request was never retransmitted,
o the response was piggybacked in an Acknowledgement message (as a
confirmable or non-confirmable response may have been transmitted
multiple times), and
o if observation was used, the same holds for the registration, all
re-registrations, and the cancellation.
(In addition, for observations, any responses using that Token and a
DTLS sequence number earlier than the cancellation Acknowledgement
message must be discarded. This is typically not supported in DTLS
implementations.)
In some setups, Tokens can be reused without the above constraints,
as a different component in the setup provides the associations:
o In CoAP over TLS, retransmissions are not handled by the CoAP
layer and the replay window size is always exactly 1. When a
client is sending TLS protected requests without Observe to a
single server, the client can reuse a Token as soon as the
previous response with that Token has been received.
o Requests whose responses are cryptographically bound to the
requests (like in OSCORE) can reuse Tokens indefinitely. <!-
could be added but is probably not worth the lines of text
o Requests whose responses reflect all the data in the request that
is varied ofer reuses of the same token (for example, if a token
is always used on a single path with the single query parameter
"?t=X" for various values of X, then the response needs to contain
X in a unique position) can share a token, provided the
application does not rely on the freshness of the responses, or
sends different requests all the time. ->
In all other cases, a sequence number approach is recommended as per
Section 5.
Tokens that cannot be reused need to be blacklisted. This could be
solved by increasing the Token as soon as the currently used Token
cannot be reused, or by keeping a list of all blacklisted Tokens.
When the Token (or part of the Token) contains a sequence number, the When the Token (or part of the Token) contains a sequence number, the
encoding of the sequence number has to be chosen in a way to avoid encoding of the sequence number has to be chosen in a way to avoid
any collisions. This is especially true when the Token contains more any collisions. This is especially true when the Token contains more
information than just the sequence number (e.g. serialized state). information than just the sequence number, e.g. serialized state as
in [I-D.ietf-core-stateless].
7. Privacy Considerations 7. Privacy Considerations
Implementations SHOULD NOT put any privacy sensitive information in Implementations SHOULD NOT put any privacy sensitive information in
the Echo or Request-Tag option values. Unencrypted timestamps MAY the Echo or Request-Tag option values. Unencrypted timestamps MAY
reveal information about the server such as location or time since reveal information about the server such as location or time since
reboot. The use of wall clock time is not allowed (see Section 6) reboot. The use of wall clock time is not allowed (see Section 6)
and there also privacy reasons, e.g. it may reveal that the server and there also privacy reasons, e.g. it may reveal that the server
will accept expired certificates. Timestamps MAY be used if Echo is will accept expired certificates. Timestamps MAY be used if Echo is
encrypted between the client and the server, e.g. in the case of DTLS encrypted between the client and the server, e.g. in the case of DTLS
without proxies or when using OSCORE with an Inner Echo option. without proxies or when using OSCORE with an Inner Echo option.
Like HTTP cookies, the Echo option could potentially be abused as a
tracking mechanism to link to different requests to the same client.
This is especially true for pre-emptive Echo values. Servers MUST
NOT use the Echo option to correlate requests for other purposes than
freshness and reachability. Clients only send Echo to the same from
which they were received. Compared to HTTP, CoAP clients are often
authenticated and non-mobile, and servers can therefore often
correlate requests based on the security context, the client
credentials, or the network address. When the Echo option increases
a server's ability to correlate requests, clients MAY discard all
pre-emptive Echo values.
8. IANA Considerations 8. IANA Considerations
This document adds the following option numbers to the "CoAP Option This document adds the following option numbers to the "CoAP Option
Numbers" registry defined by [RFC7252]: Numbers" registry defined by [RFC7252]:
+--------+-------------+-------------------+ +--------+-------------+-------------------+
| Number | Name | Reference | | Number | Name | Reference |
+--------+-------------+-------------------+ +--------+-------------+-------------------+
| TBD1 | Echo | [[this document]] | | TBD1 | Echo | [[this document]] |
| | | | | | | |
skipping to change at page 20, line 5 skipping to change at page 21, line 26
the Constrained Application Protocol (CoAP)", RFC 7959, the Constrained Application Protocol (CoAP)", RFC 7959,
DOI 10.17487/RFC7959, August 2016, DOI 10.17487/RFC7959, August 2016,
<https://www.rfc-editor.org/info/rfc7959>. <https://www.rfc-editor.org/info/rfc7959>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References 9.2. Informative References
[I-D.hartke-core-stateless]
Hartke, K., "Extended Tokens and Stateless Clients in the
Constrained Application Protocol (CoAP)", draft-hartke-
core-stateless-02 (work in progress), October 2018.
[I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments
(OSCORE)", draft-ietf-core-object-security-16 (work in
progress), March 2019.
[I-D.ietf-core-oscore-groupcomm] [I-D.ietf-core-oscore-groupcomm]
Tiloca, M., Selander, G., Palombini, F., and J. Park, Tiloca, M., Selander, G., Palombini, F., and J. Park,
"Group OSCORE - Secure Group Communication for CoAP", "Group OSCORE - Secure Group Communication for CoAP",
draft-ietf-core-oscore-groupcomm-04 (work in progress), draft-ietf-core-oscore-groupcomm-05 (work in progress),
March 2019. July 2019.
[I-D.ietf-core-stateless]
Hartke, K., "Extended Tokens and Stateless Clients in the
Constrained Application Protocol (CoAP)", draft-ietf-core-
stateless-01 (work in progress), March 2019.
[I-D.mattsson-core-coap-actuators] [I-D.mattsson-core-coap-actuators]
Mattsson, J., Fornehed, J., Selander, G., Palombini, F., Mattsson, J., Fornehed, J., Selander, G., Palombini, F.,
and C. Amsuess, "Controlling Actuators with CoAP", draft- and C. Amsuess, "Controlling Actuators with CoAP", draft-
mattsson-core-coap-actuators-06 (work in progress), mattsson-core-coap-actuators-06 (work in progress),
September 2018. September 2018.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>. January 2012, <https://www.rfc-editor.org/info/rfc6347>.
skipping to change at page 21, line 5 skipping to change at page 22, line 20
[RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
Application Protocol) over TCP, TLS, and WebSockets", Application Protocol) over TCP, TLS, and WebSockets",
RFC 8323, DOI 10.17487/RFC8323, February 2018, RFC 8323, DOI 10.17487/RFC8323, February 2018,
<https://www.rfc-editor.org/info/rfc8323>. <https://www.rfc-editor.org/info/rfc8323>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments
(OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019,
<https://www.rfc-editor.org/info/rfc8613>.
Appendix A. Methods for Generating Echo Option Values Appendix A. Methods for Generating Echo Option Values
The content and structure of the Echo option value are implementation The content and structure of the Echo option value are implementation
specific and determined by the server. Two simple mechanisms are specific and determined by the server. Two simple mechanisms are
outlined in this section, the first is RECOMMENDED in general, and outlined in this section, the first is RECOMMENDED in general, and
the second is RECOMMENDED in case the Echo option is encrypted the second is RECOMMENDED in case the Echo option is encrypted
between the client and the server. between the client and the server.
Different mechanisms have different tradeoffs between the size of the Different mechanisms have different tradeoffs between the size of the
Echo option value, the amount of server state, the amount of Echo option value, the amount of server state, the amount of
skipping to change at page 21, line 26 skipping to change at page 22, line 46
different methods and security levels for different uses cases different methods and security levels for different uses cases
(client aliveness, request freshness, state synchronization, network (client aliveness, request freshness, state synchronization, network
address reachability, etc.). address reachability, etc.).
1. List of Cached Random Values and Timestamps. The Echo option 1. List of Cached Random Values and Timestamps. The Echo option
value is a (pseudo-)random byte string. The server caches a list value is a (pseudo-)random byte string. The server caches a list
containing the random byte strings and their transmission times. containing the random byte strings and their transmission times.
Assuming 72-bit random values and 32-bit timestamps, the size of the Assuming 72-bit random values and 32-bit timestamps, the size of the
Echo option value is 9 bytes and the amount of server state is 13n Echo option value is 9 bytes and the amount of server state is 13n
bytes, where n is the number of active Echo Option values. The bytes, where n is the number of active Echo Option values. The
security against forged echo values is given by s = bit length of r - security against an attacker guessing echo values is given by s = bit
log2(n). The length of r and the maximum allowed n should be set so length of r - log2(n). The length of r and the maximum allowed n
that the security level is harmonized with other parts of the should be set so that the security level is harmonized with other
deployment, e.g., s >= 64. If the server loses time continuity, e.g. parts of the deployment, e.g., s >= 64. If the server loses time
due to reboot, the entries in the old list MUST be deleted. continuity, e.g. due to reboot, the entries in the old list MUST be
deleted.
Echo option value: random value r Echo option value: random value r
Server State: random value r, timestamp t0 Server State: random value r, timestamp t0
2. Integrity Protected Timestamp. The Echo option value is an 2. Integrity Protected Timestamp. The Echo option value is an
integrity protected timestamp. The timestamp can have different integrity protected timestamp. The timestamp can have different
resolution and range. A 32-bit timestamp can e.g. give a resolution resolution and range. A 32-bit timestamp can e.g. give a resolution
of 1 second with a range of 136 years. The (pseudo-)random secret of 1 second with a range of 136 years. The (pseudo-)random secret
key is generated by the server and not shared with any other party. key is generated by the server and not shared with any other party.
The use of truncated HMAC-SHA-256 is RECOMMENDED. With a 32-bit The use of truncated HMAC-SHA-256 is RECOMMENDED. With a 32-bit
timestamp and a 64-bit MAC, the size of the Echo option value is 12 timestamp and a 64-bit MAC, the size of the Echo option value is 12
bytes and the Server state is small and constant. The security bytes and the Server state is small and constant. The security
against forged echo values is given by the MAC length. If the server against an attacker guessing echo values is given by the MAC length.
loses time continuity, e.g. due to reboot, the old key MUST be If the server loses time continuity, e.g. due to reboot, the old key
deleted and replaced by a new random secret key. Note that the MUST be deleted and replaced by a new random secret key. Note that
privacy considerations in Section 7 may apply to the timestamp. A the privacy considerations in Section 7 may apply to the timestamp.
server MAY want to encrypt its timestamps, and, depending on the A server MAY want to encrypt its timestamps, and, depending on the
choice of encryption algorithms, this may require a nonce to be choice of encryption algorithms, this may require a nonce to be
included in the Echo option value. included in the Echo option value.
Echo option value: timestamp t0, MAC(k, t0) Echo option value: timestamp t0, MAC(k, t0)
Server State: secret key k Server State: secret key k
Other mechanisms complying with the security and privacy Other mechanisms complying with the security and privacy
considerations may be used. The use of encrypted timestamps in the considerations may be used. The use of encrypted timestamps in the
Echo option typically requires an IV to be included in the Echo Echo option increases security, but typically requires an IV to be
option value, which adds overhead and makes the specification of such included in the Echo option value, which adds overhead and makes the
a mechanism slightly more complicated than the two mechanisms specification of such a mechanism slightly more complicated than the
specified here. two mechanisms specified here.
Appendix B. Request-Tag Message Size Impact Appendix B. Request-Tag Message Size Impact
In absence of concurrent operations, the Request-Tag mechanism for In absence of concurrent operations, the Request-Tag mechanism for
body integrity (Section 3.4.1) incurs no overhead if no messages are body integrity (Section 3.4.1) incurs no overhead if no messages are
lost (more precisely: in OSCORE, if no operations are aborted due to lost (more precisely: in OSCORE, if no operations are aborted due to
repeated transmission failure; in DTLS, if no packages are lost), or repeated transmission failure; in DTLS, if no packages are lost), or
when blockwise request operations happen rarely (in OSCORE, if there when block-wise request operations happen rarely (in OSCORE, if there
is always only one request blockwise operation in the replay window). is always only one request block-wise operation in the replay
window).
In those situations, no message has any Request-Tag option set, and In those situations, no message has any Request-Tag option set, and
that can be recycled indefinitely. that can be recycled indefinitely.
When the absence of a Request-Tag option can not be recycled any more When the absence of a Request-Tag option can not be recycled any more
within a security context, the messages with a present but empty within a security context, the messages with a present but empty
Request-Tag option can be used (1 Byte overhead), and when that is Request-Tag option can be used (1 Byte overhead), and when that is
used-up, 256 values from one byte long options (2 Bytes overhead) are used-up, 256 values from one byte long options (2 Bytes overhead) are
available. available.
skipping to change at page 22, line 45 skipping to change at page 24, line 20
o In OSCORE, the sequence number can be artificially increased so o In OSCORE, the sequence number can be artificially increased so
that all lost messages are outside of the replay window by the that all lost messages are outside of the replay window by the
time the first request of the new operation gets processed, and time the first request of the new operation gets processed, and
all earlier operations can therefore be regarded as concluded. all earlier operations can therefore be regarded as concluded.
Appendix C. Change Log Appendix C. Change Log
[ The editor is asked to remove this section before publication. ] [ The editor is asked to remove this section before publication. ]
o Changes since draft-ietf-core-echo-request-tag-05:
* Add privacy considerations on cookie-style use of Echo values
* Add security considerations for token reuse
* Add note in security considerations on use of nonvolatile
memory when dealing with pseudorandom numbers
* Appendix on echo generation: add a few words on up- and
downsides of the encrypted timestamp alternative
* Clarifications around Outer Echo:
+ Could be generated by the origin server to prove network
reachability (but for most applications it MUST be inner)
+ Could be generated by intermediaries
+ Is answered by the client to the endpoint from which it
received it (ie. Outer if received as Outer)
* Clarification that a server can send Echo preemtively
* Refer to stateless to explain what "more information than just
the sequence number" could be
* Remove explanations around 0.00 empty messags
* Rewordings:
+ the attack: from "forging" to "guessing"
+ "freshness tokens" to "freshness indicators" (to avoid
confusion with the Token)
* Editorial fixes:
+ Abstract and introduction mention what is updated in RFC7252
+ Reference updates
+ Capitalization, spelling, terms from other documents
o Changes since draft-ietf-core-echo-request-tag-04: o Changes since draft-ietf-core-echo-request-tag-04:
* Editorial fixes * Editorial fixes
+ Moved paragraph on collision-free encoding of data in the + Moved paragraph on collision-free encoding of data in the
token to Security Considerations and rephrased it Token to Security Considerations and rephrased it
+ "easiest" -> "one easy" + "easiest" -> "one easy"
o Changes since draft-ietf-core-echo-request-tag-03: o Changes since draft-ietf-core-echo-request-tag-03:
* Mention token processing changes in title * Mention Token processing changes in title
* Abstract reworded * Abstract reworded
* Clarify updates to token processing * Clarify updates to Token processing
* Describe security levels from Echo length * Describe security levels from Echo length
* Allow non-monotonic clocks under certain conditions for * Allow non-monotonic clocks under certain conditions for
freshness freshness
* Simplify freshness expressions * Simplify freshness expressions
* Describe when a Request-Tag can be set * Describe when a Request-Tag can be set
skipping to change at page 23, line 44 skipping to change at page 26, line 14
* Clarify when Echo values may be reused * Clarify when Echo values may be reused
* Update security considerations * Update security considerations
* Various minor clarifications * Various minor clarifications
* Minor editorial changes * Minor editorial changes
o Major changes since draft-ietf-core-echo-request-tag-01: o Major changes since draft-ietf-core-echo-request-tag-01:
* Follow-up changes after the "relying on blockwise" change in * Follow-up changes after the "relying on block-wise" change in
-01: -01:
+ Simplify the description of Request-Tag and matchability + Simplify the description of Request-Tag and matchability
+ Do not update RFC7959 any more + Do not update RFC7959 any more
* Make Request-Tag repeatable. * Make Request-Tag repeatable.
* Add rationale on not relying purely on sequence numbers. * Add rationale on not relying purely on sequence numbers.
skipping to change at page 24, line 18 skipping to change at page 26, line 36
* Reworded the Echo section. * Reworded the Echo section.
* Added rules for Token processing. * Added rules for Token processing.
* Added security considerations. * Added security considerations.
* Added actual IANA section. * Added actual IANA section.
* Made Request-Tag optional and safe-to-forward, relying on * Made Request-Tag optional and safe-to-forward, relying on
blockwise to treat it as part of the cache-key block-wise to treat it as part of the cache-key
* Dropped use case about OSCORE outer-blockwise (the case went * Dropped use case about OSCORE Outer-block-wise (the case went
away when its Partial IV was moved into the Object-Security away when its Partial IV was moved into the Object-Security
option) option)
o Major changes since draft-amsuess-core-repeat-request-tag-00: o Major changes since draft-amsuess-core-repeat-request-tag-00:
* The option used for establishing freshness was renamed from * The option used for establishing freshness was renamed from
"Repeat" to "Echo" to reduce confusion about repeatable "Repeat" to "Echo" to reduce confusion about repeatable
options. options.
* The response code that goes with Echo was changed from 4.03 to * The response code that goes with Echo was changed from 4.03 to
skipping to change at page 25, line 4 skipping to change at page 27, line 22
Acknowledgments Acknowledgments
The authors want to thank Jim Schaad and Carsten Bormann for The authors want to thank Jim Schaad and Carsten Bormann for
providing valuable input to the draft. providing valuable input to the draft.
Authors' Addresses Authors' Addresses
Christian Amsuess Christian Amsuess
Email: christian@amsuess.com Email: christian@amsuess.com
John Mattsson
John Preuss Mattsson
Ericsson AB Ericsson AB
Email: john.mattsson@ericsson.com Email: john.mattsson@ericsson.com
Goeran Selander Goeran Selander
Ericsson AB Ericsson AB
Email: goran.selander@ericsson.com Email: goran.selander@ericsson.com
 End of changes. 67 change blocks. 
167 lines changed or deleted 285 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/