draft-ietf-lwig-security-protocol-comparison-02.txt   draft-ietf-lwig-security-protocol-comparison-03.txt 
Network Working Group J. Mattsson LWIG Working Group J. Mattsson
Internet-Draft F. Palombini Internet-Draft F. Palombini
Intended status: Informational Ericsson AB Intended status: Informational Ericsson AB
Expires: July 6, 2019 January 2, 2019 Expires: September 12, 2019 March 11, 2019
Comparison of CoAP Security Protocols Comparison of CoAP Security Protocols
draft-ietf-lwig-security-protocol-comparison-02 draft-ietf-lwig-security-protocol-comparison-03
Abstract Abstract
This document analyzes and compares per-packet message size overheads This document analyzes and compares the sizes of key exchange flights
when using different security protocols to secure CoAP. The analyzed and the per-packet message size overheads when using different
security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, and security protocols to secure CoAP. The analyzed security protocols
OSCORE. DTLS and TLS are analyzed with and without 6LoWPAN-GHC are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, EDHOC, OSCORE, and Group
compression. DTLS is analyzed with and without Connection ID. OSCORE. The DTLS and TLS record layers are analyzed with and without
6LoWPAN-GHC compression. DTLS is analyzed with and without
Connection ID.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 6, 2019. This Internet-Draft will expire on September 12, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Overhead of Security Protocols . . . . . . . . . . . . . . . 2 2. Overhead of Key Exchange Protocols . . . . . . . . . . . . . 3
2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 3
2.1.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 3
2.1.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 4
2.1.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 5
2.2. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 5 2.2.1. Message Sizes RPK + ECDHE . . . . . . . . . . . . . . 5
2.2.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 6 2.2.2. Message Sizes PSK + ECDHE . . . . . . . . . . . . . . 10
2.2.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 6 2.2.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 11
2.2.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 7 2.2.4. Cached Information . . . . . . . . . . . . . . . . . 12
2.3. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2.5. Resumption . . . . . . . . . . . . . . . . . . . . . 13
2.3.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 7 2.2.6. Without Connection ID . . . . . . . . . . . . . . . . 14
2.3.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 8 2.2.7. DTLS Raw Public Keys . . . . . . . . . . . . . . . . 15
2.4. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.3. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 8 2.3.1. Message Sizes RPK + ECDHE . . . . . . . . . . . . . . 16
2.4.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 9 2.3.2. Message Sizes PSK + ECDHE . . . . . . . . . . . . . . 22
2.5. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.3.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 23
3. Overhead with Different Parameters . . . . . . . . . . . . . 11 2.4. EDHOC . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.4.1. Message Sizes RPK . . . . . . . . . . . . . . . . . . 24
5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 2.4.2. Message Sizes Certificates . . . . . . . . . . . . . 26
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 2.4.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 26
7. Informative References . . . . . . . . . . . . . . . . . . . 13 2.4.4. message_1 . . . . . . . . . . . . . . . . . . . . . . 26
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.4.5. message_2 . . . . . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 2.4.6. message_3 . . . . . . . . . . . . . . . . . . . . . . 27
2.4.7. Summary . . . . . . . . . . . . . . . . . . . . . . . 27
2.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 27
3. Overhead for Protection of Application Data . . . . . . . . . 28
3.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.2. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 30
3.2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 30
3.2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 30
3.2.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 31
3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 32
3.3. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 32
3.3.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 32
3.3.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 33
3.3.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 33
3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 34
3.4. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.4.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 34
3.4.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 35
3.5. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.5.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 35
3.5.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 36
3.6. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.7. Group OSCORE . . . . . . . . . . . . . . . . . . . . . . 38
3.8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 38
4. Security Considerations . . . . . . . . . . . . . . . . . . . 39
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39
6. Informative References . . . . . . . . . . . . . . . . . . . 39
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 41
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction 1. Introduction
This document analyzes and compares per-packet message size overheads This document analyzes and compares the sizes of key exchange flights
when using different security protocols to secure CoAP over UPD and the per-packet message size overheads when using different
[RFC7252] and TCP [RFC8323]. The analyzed security protocols are security protocols to secure CoAP over UPD [RFC7252] and TCP
DTLS 1.2 [RFC6347], DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC8323]. The analyzed security protocols are DTLS 1.2 [RFC6347],
[RFC5246], TLS 1.3 [I-D.ietf-tls-tls13], and OSCORE DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [RFC8446],
[I-D.ietf-core-object-security]. The DTLS and TLS record layers are EDHOC [I-D.selander-ace-cose-ecdhe], OSCORE
analyzed with and without compression. DTLS is anlyzed with and [I-D.ietf-core-object-security], and Group OSCORE
without Connection ID [I-D.ietf-tls-dtls-connection-id]. Readers are [I-D.ietf-core-oscore-groupcomm].
expected to be familiar with some of the terms described in RFC 7925
[RFC7925], such as ICV.
2. Overhead of Security Protocols The DTLS and TLS record layers are analyzed with and without 6LoWPAN-
GHC compression. DTLS is anlyzed with and without Connection ID
[I-D.ietf-tls-dtls-connection-id]. Readers are expected to be
familiar with some of the terms described in RFC 7925 [RFC7925], such
as ICV. Section 2 compares the overhead of key exchange, while
Section 3 covers the overhead for protection of application data.
2. Overhead of Key Exchange Protocols
This section analyzes and compares the sizes of key exchange flights
for different protocols.
To enable a fair comparison between protocols, the following
assumptions are made:
o All the overhead calculations in this section use AES-CCM with a
tag length of 8 bytes (e.g. AES_128_CCM_8 or AES-CCM-16-64-128).
o A minimum number of algorithms and cipher suites is offered. The
algorithm used/offered are Curve25519, ECDSA with P-256, AES-
CCM_8, SHA-256.
o The length of key identifiers are 1 byte.
o The length of connection identifiers are 1 byte.
o DTLS RPK makes use of point compression, which saves 32 bytes.
o DTLS handshake message fragmentation is not considered.
o Only the DTLS mandatory extensions are considered, except for
Connection ID.
Section 2.1 gives a short summary of the message overhead based on
different parameters and some assumptions. The following sections
detail the assumptions and the calculations.
2.1. Summary
The DTLS overhead is dependent on the parameter Connection ID. The
following overheads apply for all Connection IDs of the same length,
when Connection ID is used.
The EDHOC overhead is dependent on the key identifiers included. The
following overheads apply for Sender IDs of the same length.
All the overhead are dependent on the tag length. The following
overheads apply for tags of the same length.
Figure 1 compares the message sizes of EDHOC
[I-D.selander-ace-cose-ecdhe] with the DTLS 1.3 [I-D.ietf-tls-dtls13]
and TLS 1.3 [RFC8446] handshakes with connection ID.
=====================================================================
Flight #1 #2 #3 Total
---------------------------------------------------------------------
DTLS 1.3 RPK + ECDHE 150 373 213 736
DTLS 1.3 Cached X.509/RPK + ECDHE 182 347 213 742
DTLS 1.3 PSK + ECDHE 184 190 57 431
DTLS 1.3 PSK 134 150 57 341
---------------------------------------------------------------------
EDHOC RPK + ECDHE 39 114 80 233
EDHOC PSK + ECDHE 41 45 11 97
=====================================================================
Figure 1: Comparison of message sizes in bytes with Connection ID
Figure 2 compares of message sizes of DTLS 1.3 [I-D.ietf-tls-dtls13]
and TLS 1.3 [RFC8446] handshakes without connection ID.
=====================================================================
Flight #1 #2 #3 Total
---------------------------------------------------------------------
DTLS 1.3 RPK + ECDHE 144 364 212 722
DTLS 1.3 PSK + ECDHE 178 183 56 417
DTLS 1.3 PSK 128 143 56 327
---------------------------------------------------------------------
TLS 1.3 RPK + ECDHE 129 322 194 645
TLS 1.3 PSK + ECDHE 163 157 50 370
TLS 1.3 PSK 113 117 50 280
=====================================================================
Figure 2: Comparison of message sizes in bytes without Connection ID
The details of the message size calculations are given in the
following sections.
2.2. DTLS 1.3
This section gives an estimate of the message sizes of DTLS 1.3 with
different authentication methods. Note that the examples in this
section are not test vectors, the cryptographic parts are just
replaced with byte strings of the same length, while other fixed
length fields are replace with arbitrary strings or omitted, in which
case their length is indicated. Values that are not arbitrary are
given in hexadecimal.
2.2.1. Message Sizes RPK + ECDHE
In this section, a Connection ID of 1 byte is used.
2.2.1.1. flight_1
Record Header - DTLSPlaintext (13 bytes):
16 fe fd EE EE SS SS SS SS SS SS LL LL
Handshake Header - Client Hello (10 bytes):
01 LL LL LL SS SS 00 00 00 LL LL LL
Legacy Version (2 bytes):
fe fd
Client Random (32 bytes):
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Legacy Session ID (1 bytes):
00
Legacy Cookie (1 bytes):
00
Cipher Suites (TLS_AES_128_CCM_8_SHA256) (4 bytes):
00 02 13 05
Compression Methods (null) (2 bytes):
01 00
Extensions Length (2 bytes):
LL LL
Extension - Supported Groups (x25519) (8 bytes):
00 0a 00 04 00 02 00 1d
Extension - Signature Algorithms (ecdsa_secp256r1_sha256)
(8 bytes):
00 0d 00 04 00 02 08 07
Extension - Key Share (42 bytes):
00 33 00 26 00 24 00 1d 00 20
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Extension - Supported Versions (1.3) (7 bytes):
00 2b 00 03 02 03 04
Extension - Client Certificate Type (Raw Public Key) (6 bytes):
00 13 00 01 01 02
Extension - Server Certificate Type (Raw Public Key) (6 bytes):
00 14 00 01 01 02
Extension - Connection Identifier (43) (6 bytes):
XX XX 00 02 01 42
13 + 10 + 2 + 32 + 1 + 1 + 4 + 2 + 2 + 8 + 8 + 42 + 7 + 6 + 6 + 6 = 150
bytes
DTLS 1.3 RPK + ECDHE flight_1 gives 150 bytes of overhead.
2.2.1.2. flight_2
Record Header - DTLSPlaintext (13 bytes):
16 fe fd EE EE SS SS SS SS SS SS LL LL
Handshake Header - Server Hello (10 bytes):
02 LL LL LL SS SS 00 00 00 LL LL LL
Legacy Version (2 bytes):
fe fd
Server Random (32 bytes):
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Legacy Session ID (1 bytes):
00
Cipher Suite (TLS_AES_128_CCM_8_SHA256) (2 bytes):
13 05
Compression Method (null) (1 bytes):
00
Extensions Length (2 bytes):
LL LL
Extension - Key Share (40 bytes):
00 33 00 24 00 1d 00 20
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Extension - Supported Versions (1.3) (6 bytes):
00 2b 00 02 03 04
Extension - Connection Identifier (43) (6 bytes):
XX XX 00 02 01 43
Record Header - DTLSCiphertext, Full (6 bytes):
HH ES SS 43 LL LL
Handshake Header - Encrypted Extensions (10 bytes):
08 LL LL LL SS SS 00 00 00 LL LL LL
Extensions Length (2 bytes):
LL LL
Extension - Client Certificate Type (Raw Public Key) (6 bytes):
00 13 00 01 01 02
Extension - Server Certificate Type (Raw Public Key) (6 bytes):
00 14 00 01 01 02
Handshake Header - Certificate Request (10 bytes):
0d LL LL LL SS SS 00 00 00 LL LL LL
Request Context (1 bytes):
00
Extensions Length (2 bytes):
LL LL
Extension - Signature Algorithms (ecdsa_secp256r1_sha256)
(8 bytes):
00 0d 00 04 00 02 08 07
Handshake Header - Certificate (10 bytes):
0b LL LL LL SS SS 00 00 00 LL LL LL
Request Context (1 bytes):
00
Certificate List Length (3 bytes):
LL LL LL
Certificate Length (3 bytes):
LL LL LL
Certificate (59 bytes) // Point compression
....
Certificate Extensions (2 bytes):
00 00
Handshake Header - Certificate Verify (10 bytes):
0f LL LL LL SS SS 00 00 00 LL LL LL
Signature (68 bytes):
ZZ ZZ 00 40 ....
Handshake Header - Finished (10 bytes):
14 LL LL LL SS SS 00 00 00 LL LL LL
Verify Data (32 bytes):
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Record Type (1 byte):
16
Auth Tag (8 bytes):
e0 8b 0e 45 5a 35 0a e5
13 + 102 + 6 + 24 + 21 + 78 + 78 + 42 + 1 + 8 = 373 bytes
DTLS 1.3 RPK + ECDHE flight_2 gives 373 bytes of overhead.
2.2.1.3. flight_3
Record Header (6 bytes) // DTLSCiphertext, Full:
ZZ ES SS 42 LL LL
Handshake Header - Certificate (10 bytes):
0b LL LL LL SS SS XX XX XX LL LL LL
Request Context (1 bytes):
00
Certificate List Length (3 bytes):
LL LL LL
Certificate Length (3 bytes):
LL LL LL
Certificate (59 bytes) // Point compression
....
Certificate Extensions (2 bytes):
00 00
Handshake Header - Certificate Verify (10 bytes):
0f LL LL LL SS SS 00 00 00 LL LL LL
Signature (68 bytes):
04 03 LL LL //ecdsa_secp256r1_sha256
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 00 01 02 03 04 05 06 07 08 09 0a 0b
0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
Handshake Header - Finished (10 bytes):
14 LL LL LL SS SS 00 00 00 LL LL LL
Verify Data (32 bytes) // SHA-256:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Record Type (1 byte):
16
Auth Tag (8 bytes) // AES-CCM_8:
00 01 02 03 04 05 06 07
6 + 78 + 78 + 42 + 1 + 8 = 213 bytes
DTLS 1.3 RPK + ECDHE flight_2 gives 213 bytes of overhead.
2.2.2. Message Sizes PSK + ECDHE
2.2.2.1. flight_1
The differences in overhead compared to Section 2.2.1.1 are:
The following is added:
+ Extension - PSK Key Exchange Modes (6 bytes):
00 2d 00 02 01 01
+ Extension - Pre Shared Key (48 bytes):
00 29 00 2F
00 0a 00 01 ID 00 00 00 00
00 21 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
The following is removed:
- Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes)
- Extension - Client Certificate Type (Raw Public Key) (6 bytes)
- Extension - Server Certificate Type (Raw Public Key) (6 bytes)
In total:
150 + 6 + 48 - 8 - 6 - 6 = 184 bytes
DTLS 1.3 PSK + ECDHE flight_1 gives 184 bytes of overhead.
2.2.2.2. flight_2
The differences in overhead compared to Section 2.2.1.2 are:
The following is added:
+ Extension - Pre Shared Key (6 bytes)
00 29 00 02 00 00
The following is removed:
- Handshake Message Certificate (78 bytes)
- Handshake Message CertificateVerify (78 bytes)
- Handshake Message CertificateRequest (21 bytes)
- Extension - Client Certificate Type (Raw Public Key) (6 bytes)
- Extension - Server Certificate Type (Raw Public Key) (6 bytes)
In total:
373 - 78 - 78 - 21 - 6 - 6 + 6 = 190 bytes
DTLS 1.3 PSK + ECDHE flight_2 gives 190 bytes of overhead.
2.2.2.3. flight_3
The differences in overhead compared to Section 2.2.1.3 are:
The following is removed:
- Handshake Message Certificate (78 bytes)
- Handshake Message Certificate Verify (78 bytes)
In total:
213 - 78 - 78 = 57 bytes
DTLS 1.3 PSK + ECDHE flight_3 gives 57 bytes of overhead.
2.2.3. Message Sizes PSK
2.2.3.1. flight_1
The differences in overhead compared to Section 2.2.2.1 are:
The following is removed:
- Extension - Supported Groups (x25519) (8 bytes)
- Extension - Key Share (42 bytes)
In total:
184 - 8 - 42 = 134 bytes
DTLS 1.3 PSK flight_1 gives 134 bytes of overhead.
2.2.3.2. flight_2
The differences in overhead compared to Section 2.2.2.2 are:
The following is removed:
- Extension - Key Share (40 bytes)
In total:
190 - 40 = 150 bytes
DTLS 1.3 PSK flight_2 gives 150 bytes of overhead.
2.2.3.3. flight_3
There are no differences in overhead compared to Section 2.2.2.3.
DTLS 1.3 PSK flight_3 gives 57 bytes of overhead.
2.2.4. Cached Information
In this section, we consider the effect of [RFC7924] on the message
size overhead.
Cached information together with server X.509 can be used to move
bytes from flight #2 to flight #1 (cached RPK increases the number of
bytes compared to cached X.509).
The differences compared to Section 2.2.1 are the following.
For the flight #1, the following is added:
+ Extension - Client Cashed Information (39 bytes):
00 19 LL LL LL LL
01 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
And the following is removed:
- Extension - Server Certificate Type (Raw Public Key) (6 bytes)
Giving a total of:
150 + 33 = 183 bytes
For the flight #2, the following is added:
+ Extension - Server Cashed Information (7 bytes):
00 19 LL LL LL LL 01
And the following is removed:
- Extension - Server Certificate Type (Raw Public Key) (6 bytes)
- Server Certificate (59 bytes -> 32 bytes)
Giving a total of:
373 - 26 = 347 bytes
A summary of the calculation is given in Figure 3.
======================================================================
Flight #1 #2 #3 Total
----------------------------------------------------------------------
DTLS 1.3 Cached X.509/RPK + ECDHE 183 347 213 743
DTLS 1.3 RPK + ECDHE 150 373 213 736
=======================================================================
Figure 3: Comparison of message sizes in bytes for DTLS 1.3 RPK +
ECDH with and without cached X.509
2.2.5. Resumption
To enable resumption, a 4th flight (New Session Ticket) is added to
the PSK handshake.
Record Header - DTLSCiphertext, Full (6 bytes):
HH ES SS 43 LL LL
Handshake Header - New Session Ticket (10 bytes):
04 LL LL LL SS SS 00 00 00 LL LL LL
Ticket Lifetime (4 bytes):
00 01 02 03
Ticket Age Add (4 bytes):
00 01 02 03
Ticket Nonce (2 bytes):
01 00
Ticket (6 bytes):
00 04 ID ID ID ID
Extensions (2 bytes):
00 00
Auth Tag (8 bytes) // AES-CCM_8:
00 01 02 03 04 05 06 07
6 + 10 + 4 + 4 + 2 + 6 + 2 + 8 = 42 bytes
The initial handshake when resumption is enabled is just a PSK
handshake with 134 + 150 + 57 + 42 = 383 bytes.
2.2.6. Without Connection ID
Without a Connection ID the DTLS 1.3 flight sizes changes as follows.
DTLS 1.3 Flight #1: -6 bytes
DTLS 1.3 Flight #2: -7 bytes
DTLS 1.3 Flight #3: -1 byte
=======================================================================
Flight #1 #2 #3 Total
-----------------------------------------------------------------------
DTLS 1.3 RPK + ECDHE (no cid) 144 364 212 722
DTLS 1.3 PSK + ECDHE (no cid) 178 183 56 417
DTLS 1.3 PSK (no cid) 128 143 56 327
=======================================================================
Figure 4: Comparison of message sizes in bytes for DTLS 1.3 without
Connection ID
2.2.7. DTLS Raw Public Keys
TODO
2.2.7.1. SubjectPublicKeyInfo without point compression
0x30 // Sequence
0x59 // Size 89
0x30 // Sequence
0x13 // Size 19
0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01
// OID 1.2.840.10045.2.1 (ecPublicKey)
0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07
// OID 1.2.840.10045.3.1.7 (secp256r1)
0x03 // Bit string
0x42 // Size 66
0x00 // Unused bits 0
0x04 // Uncompressed
...... 64 bytes X and Y
Total of 91 bytes
2.2.7.2. SubjectPublicKeyInfo with point compression
0x30 // Sequence
0x59 // Size 89
0x30 // Sequence
0x13 // Size 19
0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01
// OID 1.2.840.10045.2.1 (ecPublicKey)
0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07
// OID 1.2.840.10045.3.1.7 (secp256r1)
0x03 // Bit string
0x42 // Size 66
0x00 // Unused bits 0
0x03 // Compressed
...... 32 bytes X
Total of 59 bytes
2.3. TLS 1.3
In this section, the message sizes are calculated for TLS 1.3. The
major changes compared to DTLS 1.3 are that the record header is
smaller, the handshake headers is smaller, and that Connection ID is
not supported. Recently, additional work has taken shape with the
goal to further reduce overhead for TLS 1.3 (see
[I-D.schaad-ace-tls-cbor-handshake] ).
TLS Assumptions:
o Minimum number of algorithms and cipher suites offered
o Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256
o Length of key identifiers: 1 bytes
o TLS RPK with point compression (saves 32 bytes)
o Only mandatory TLS extensions
For the PSK calculations, [Ulfheim-TLS13] was a useful resource,
while for RPK calculations we followed the work of [IoT-Cert].
2.3.1. Message Sizes RPK + ECDHE
2.3.1.1. flight_1
Record Header - TLSPlaintext (5 bytes):
16 03 03 LL LL
Handshake Header - Client Hello (4 bytes):
01 LL LL LL
Legacy Version (2 bytes):
03 03
Client Random (32 bytes):
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Legacy Session ID (1 bytes):
00
Cipher Suites (TLS_AES_128_CCM_8_SHA256) (4 bytes):
00 02 13 05
Compression Methods (null) (2 bytes):
01 00
Extensions Length (2 bytes):
LL LL
Extension - Supported Groups (x25519) (8 bytes):
00 0a 00 04 00 02 00 1d
Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes):
00 0d 00 04 00 02 08 07
Extension - Key Share (42 bytes):
00 33 00 26 00 24 00 1d 00 20
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Extension - Supported Versions (1.3) (7 bytes):
00 2b 00 03 02 03 04
Extension - Client Certificate Type (Raw Public Key) (6 bytes):
00 13 00 01 01 02
Extension - Server Certificate Type (Raw Public Key) (6 bytes):
00 14 00 01 01 02
5 + 4 + 2 + 32 + 1 + 4 + 2 + 2 + 8 + 8 + 42 + 7 + 6 + 6 = 129 bytes
TLS 1.3 RPK + ECDHE flight_1 gives 129 bytes of overhead.
2.3.1.2. flight_2
Record Header - TLSPlaintext (5 bytes):
16 03 03 LL LL
Handshake Header - Server Hello (4 bytes):
02 LL LL LL
Legacy Version (2 bytes):
fe fd
Server Random (32 bytes):
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Legacy Session ID (1 bytes):
00
Cipher Suite (TLS_AES_128_CCM_8_SHA256) (2 bytes):
13 05
Compression Method (null) (1 bytes):
00
Extensions Length (2 bytes):
LL LL
Extension - Key Share (40 bytes):
00 33 00 24 00 1d 00 20
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Extension - Supported Versions (1.3) (6 bytes):
00 2b 00 02 03 04
Record Header - TLSCiphertext (5 bytes):
17 03 03 LL LL
Handshake Header - Encrypted Extensions (4 bytes):
08 LL LL LL
Extensions Length (2 bytes):
LL LL
Extension - Client Certificate Type (Raw Public Key) (6 bytes):
00 13 00 01 01 02
Extension - Server Certificate Type (Raw Public Key) (6 bytes):
00 14 00 01 01 02
Handshake Header - Certificate Request (4 bytes):
0d LL LL LL
Request Context (1 bytes):
00
Extensions Length (2 bytes):
LL LL
Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes):
00 0d 00 04 00 02 08 07
Handshake Header - Certificate (4 bytes):
0b LL LL LL
Request Context (1 bytes):
00
Certificate List Length (3 bytes):
LL LL LL
Certificate Length (3 bytes):
LL LL LL
Certificate (59 bytes) // Point compression
....
Certificate Extensions (2 bytes):
00 00
Handshake Header - Certificate Verify (4 bytes):
0f LL LL LL
Signature (68 bytes):
ZZ ZZ 00 40 ....
Handshake Header - Finished (4 bytes):
14 LL LL LL
Verify Data (32 bytes):
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Record Type (1 byte):
16
Auth Tag (8 bytes):
e0 8b 0e 45 5a 35 0a e5
5 + 90 + 5 + 18 + 15 + 72 + 72 + 36 + 1 + 8 = 322 bytes
TLS 1.3 RPK + ECDHE flight_2 gives 322 bytes of overhead.
2.3.1.3. flight_3
Record Header - TLSCiphertext (5 bytes):
17 03 03 LL LL
Handshake Header - Certificate (4 bytes):
0b LL LL LL
Request Context (1 bytes):
00
Certificate List Length (3 bytes):
LL LL LL
Certificate Length (3 bytes):
LL LL LL
Certificate (59 bytes) // Point compression
....
Certificate Extensions (2 bytes):
00 00
Handshake Header - Certificate Verify (4 bytes):
0f LL LL LL
Signature (68 bytes):
04 03 LL LL //ecdsa_secp256r1_sha256
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 00 01 02 03 04 05 06 07 08 09 0a 0b
0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
Handshake Header - Finished (4 bytes):
14 LL LL LL
Verify Data (32 bytes) // SHA-256:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f
Record Type (1 byte)
16
Auth Tag (8 bytes) // AES-CCM_8:
00 01 02 03 04 05 06 07
5 + 72 + 72 + 36 + 1 + 8 = 194 bytes
TLS 1.3 RPK + ECDHE flight_3 gives 194 bytes of overhead.
2.3.2. Message Sizes PSK + ECDHE
2.3.2.1. flight_1
The differences in overhead compared to Section 2.3.1.3 are:
The following is added:
+ Extension - PSK Key Exchange Modes (6 bytes):
00 2d 00 02 01 01
+ Extension - Pre Shared Key (48 bytes):
00 29 00 2F
00 0a 00 01 ID 00 00 00 00
00 21 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
The following is removed:
- Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes)
- Extension - Client Certificate Type (Raw Public Key) (6 bytes)
- Extension - Server Certificate Type (Raw Public Key) (6 bytes)
In total:
129 + 6 + 48 - 8 - 6 - 6 = 163 bytes
TLS 1.3 PSK + ECDHE flight_1 gives 166 bytes of overhead.
2.3.2.2. flight_2
The differences in overhead compared to Section 2.3.1.2 are:
The following is added:
+ Extension - Pre Shared Key (6 bytes)
00 29 00 02 00 00
The following is removed:
- Handshake Message Certificate (72 bytes)
- Handshake Message CertificateVerify (72 bytes)
- Handshake Message CertificateRequest (15 bytes)
- Extension - Client Certificate Type (Raw Public Key) (6 bytes)
- Extension - Server Certificate Type (Raw Public Key) (6 bytes)
In total:
322 - 72 - 72 - 15 - 6 - 6 + 6 = 157 bytes
TLS 1.3 PSK + ECDHE flight_2 gives 157 bytes of overhead.
2.3.2.3. flight_3
The differences in overhead compared to Section 2.3.1.3 are:
The following is removed:
- Handshake Message Certificate (72 bytes)
- Handshake Message Certificate Verify (72 bytes)
In total:
194 - 72 - 72 = 50 bytes
TLS 1.3 PSK + ECDHE flight_3 gives 50 bytes of overhead.
2.3.3. Message Sizes PSK
2.3.3.1. flight_1
The differences in overhead compared to Section 2.3.2.1 are:
The following is removed:
- Extension - Supported Groups (x25519) (8 bytes)
- Extension - Key Share (42 bytes)
In total:
163 - 8 - 42 = 113 bytes
TLS 1.3 PSK flight_1 gives 116 bytes of overhead.
2.3.3.2. flight_2
The differences in overhead compared to Section 2.3.2.2 are:
The following is removed:
- Extension - Key Share (40 bytes)
In total:
157 - 40 = 117 bytes
TLS 1.3 PSK flight_2 gives 117 bytes of overhead.
2.3.3.3. flight_3
There are no differences in overhead compared to Section 2.3.2.3.
TLS 1.3 PSK flight_3 gives 57 bytes of overhead.
2.4. EDHOC
This section gives an estimate of the message sizes of EDHOC with
different authentication methods. Note that the examples in this
section are not test vectors, the cryptographic parts are just
replaced with byte strings of the same length. All examples are
given in CBOR diagnostic notation and hexadecimal.
2.4.1. Message Sizes RPK
2.4.1.1. message_1
message_1 = (
1,
0,
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d
1e1f',
h'c3'
)
message_1 (38 bytes):
01 00 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C3
2.4.1.2. message_2
plaintext = <<
h'a1',
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d
1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b
3c3d3e3f'
>>
The header map { 4 : h'a1' } is encoded as the two bytes h'a1'. The
length of plaintext is 68 bytes so assuming a 64-bit MAC value the
length of ciphertext is 76 bytes.
message_2 = (
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d
1e1f',
h'c4',
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d
1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b
3c3d3e3f404142434445464748494a4b'
)
message_2 (114 bytes):
58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11
12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C4 58 51 00 01
02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15
16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29
2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D
3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B
2.4.1.3. message_3
The plaintext and ciphertext in message_3 are assumed to be of equal
sizes as in message_2.
message_3 = (
h'c4',
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d
1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b
3c3d3e3f404142434445464748494a4b'
)
message_3 (80 bytes):
41 C4 58 51 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23
24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37
38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B
2.4.2. Message Sizes Certificates
When the certificates are distributed out-of-band and identified with
the x5t header parameter and a SHA256/64 hash value, the header map
will be 13 bytes (assuming labels in the range -24...23).
{ TDB1 : [ TDB6, h'0001020304050607' ] }
When the certificates are identified with the x5chain header
parameter, the message sizes depends on the size of the (truncated)
certificate chains. The header map will be 3 bytes + the size of the
certificate chain (assuming a label in the range -24...23).
{ TDB3 : h'0001020304050607...' }
2.4.3. Message Sizes PSK
2.4.4. message_1
message_1 = (
4,
0,
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d
1e1f',
h'c3',
h'a2'
)
message_1 (40 bytes):
04 00 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C3 41 A2
2.4.5. message_2
Assuming a 0 byte plaintext and a 64-bit MAC value the ciphertext is
8 bytes
message_2 = (
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d
1e1f',
h'c4',
h'0001020304050607'
)
message_2 (45 bytes):
58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11
12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C4 48 61 62 63
64 65 66 67 68
2.4.6. message_3
The plaintext and ciphertext in message_3 are assumed to be of equal
sizes as in message_2.
message_3 = (
h'c4',
h'0001020304050607'
)
message_3 (11 bytes):
41 C4 48 00 01 02 03 04 05 06 07
2.4.7. Summary
The previous examples of typical message sizes are summarized in
Figure 5.
=====================================================================
PSK RPK x5t x5chain
---------------------------------------------------------------------
message_1 40 38 38 38
message_2 45 114 126 116 + Certificate chain
message_3 11 80 91 81 + Certificate chain
---------------------------------------------------------------------
Total 96 232 255 235 + Certificate chains
=====================================================================
Figure 5: Typical message sizes in bytes
2.5. Conclusion
To do a fair comparison, one has to choose a specific deployment and
look at the topology, the whole protocol stack, frame sizes (e.g. 51
or 128 bytes), how and where in the protocol stack fragmentation is
done, and the expected packet loss. Note that the number of byte in
each frame that is available for the key exchange protocol may depend
on the underlying protocol layers as well as the number of hops in
multi-hop networks. The packet loss depends may depend on how many
other devices that are transmitting at the same time, and may
increase during network formation. The total overhead will be larger
due to mechanisms for fragmentation, retransmission, and packet
ordering. The overhead of fragmentation is roughly proportional to
the number of fragments, while the expected overhead due to
retransmission in noisy environments is a superlinear function of the
flight sizes.
3. Overhead for Protection of Application Data
To enable comparison, all the overhead calculations in this section To enable comparison, all the overhead calculations in this section
use AES-CCM with a tag length of 8 bytes (e.g. AES_128_CCM_8 or AES- use AES-CCM with a tag length of 8 bytes (e.g. AES_128_CCM_8 or AES-
CCM-16-64), a plaintext of 6 bytes, and the sequence number '05'. CCM-16-64), a plaintext of 6 bytes, and the sequence number '05'.
This follows the example in [RFC7400], Figure 16. This follows the example in [RFC7400], Figure 16.
Note that the compressed overhead calculations for DLTS 1.2, DTLS Note that the compressed overhead calculations for DLTS 1.2, DTLS
1.3, TLS 1.2 and TLS 1.3 are dependent on the parameters epoch, 1.3, TLS 1.2 and TLS 1.3 are dependent on the parameters epoch,
sequence number, and length, and all the overhead calculations are sequence number, and length, and all the overhead calculations are
dependent on the parameter Connection ID when used. Note that the dependent on the parameter Connection ID when used. Note that the
OSCORE overhead calculations are dependent on the CoAP option OSCORE overhead calculations are dependent on the CoAP option
numbers, as well as the length of the OSCORE parameters Sender ID and numbers, as well as the length of the OSCORE parameters Sender ID and
Sequence Number. The following are only examples. Sequence Number. The following calculations are only examples.
2.1. DTLS 1.2 Section 3.1 gives a short summary of the message overhead based on
different parameters and some assumptions. The following sections
detail the assumptions and the calculations.
2.1.1. DTLS 1.2 3.1. Summary
The DTLS overhead is dependent on the parameter Connection ID. The
following overheads apply for all Connection IDs with the same
length.
The compression overhead (GHC) is dependent on the parameters epoch,
sequence number, Connection ID, and length (where applicable). The
following overheads should be representative for sequence numbers and
Connection IDs with the same length.
The OSCORE overhead is dependent on the included CoAP Option numbers
as well as the length of the OSCORE parameters Sender ID and sequence
number. The following overheads apply for all sequence numbers and
Sender IDs with the same length.
Sequence Number '05' '1005' '100005'
-------------------------------------------------------------
DTLS 1.2 29 29 29
DTLS 1.3 11 12 12
-------------------------------------------------------------
DTLS 1.2 (GHC) 16 16 16
DTLS 1.3 (GHC) 12 13 13
-------------------------------------------------------------
TLS 1.2 21 21 21
TLS 1.3 14 14 14
-------------------------------------------------------------
TLS 1.2 (GHC) 17 18 19
TLS 1.3 (GHC) 15 16 17
-------------------------------------------------------------
OSCORE request 13 14 15
OSCORE response 11 11 11
Figure 6: Overhead in bytes as a function of sequence number
(Connection/Sender ID = '')
Connection/Sender ID '' '42' '4002'
-------------------------------------------------------------
DTLS 1.2 29 30 31
DTLS 1.3 11 12 13
-------------------------------------------------------------
DTLS 1.2 (GHC) 16 17 18
DTLS 1.3 (GHC) 12 13 14
-------------------------------------------------------------
OSCORE request 13 14 15
OSCORE response 11 11 11
Figure 7: Overhead in bytes as a function of Connection/Sender ID
(Sequence Number = '05')
Protocol Overhead Overhead (GHC)
-------------------------------------------------------------
DTLS 1.2 21 8
DTLS 1.3 3 4
-------------------------------------------------------------
TLS 1.2 13 9
TLS 1.3 6 7
-------------------------------------------------------------
OSCORE request 5
OSCORE response 3
Figure 8: Overhead (excluding ICV) in bytes
(Connection/Sender ID = '', Sequence Number = '05')
3.2. DTLS 1.2
3.2.1. DTLS 1.2
This section analyzes the overhead of DTLS 1.2 [RFC6347]. The nonce This section analyzes the overhead of DTLS 1.2 [RFC6347]. The nonce
follow the strict profiling given in [RFC7925]. This example is follow the strict profiling given in [RFC7925]. This example is
taken directly from [RFC7400], Figure 16. taken directly from [RFC7400], Figure 16.
DTLS 1.2 record layer (35 bytes, 29 bytes overhead): DTLS 1.2 record layer (35 bytes, 29 bytes overhead):
17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00 17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00
00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9 cb 35 b9
skipping to change at page 3, line 45 skipping to change at page 30, line 37
00 16 00 16
Nonce: Nonce:
00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 05
Ciphertext: Ciphertext:
ae a0 15 56 67 92 ae a0 15 56 67 92
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
DTLS 1.2 gives 29 bytes overhead. DTLS 1.2 gives 29 bytes overhead.
2.1.2. DTLS 1.2 with 6LoWPAN-GHC 3.2.2. DTLS 1.2 with 6LoWPAN-GHC
This section analyzes the overhead of DTLS 1.2 [RFC6347] when This section analyzes the overhead of DTLS 1.2 [RFC6347] when
compressed with 6LoWPAN-GHC [RFC7400]. The compression was done with compressed with 6LoWPAN-GHC [RFC7400]. The compression was done with
[OlegHahm-ghc]. [OlegHahm-ghc].
Note that the sequence number '01' used in [RFC7400], Figure 15 gives Note that the sequence number '01' used in [RFC7400], Figure 15 gives
an exceptionally small overhead that is not representative. an exceptionally small overhead that is not representative.
Note that this header compression is not available when DTLS is used Note that this header compression is not available when DTLS is used
over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
skipping to change at page 4, line 22 skipping to change at page 31, line 19
Compressed DTLS 1.2 record layer header and nonce: Compressed DTLS 1.2 record layer header and nonce:
b0 c3 03 05 00 16 f2 0e b0 c3 03 05 00 16 f2 0e
Ciphertext: Ciphertext:
ae a0 15 56 67 92 ae a0 15 56 67 92
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
(epoch, sequence number, length) gives 16 bytes overhead. (epoch, sequence number, length) gives 16 bytes overhead.
2.1.3. DTLS 1.2 with Connection ID 3.2.3. DTLS 1.2 with Connection ID
This section analyzes the overhead of DTLS 1.2 [RFC6347] with This section analyzes the overhead of DTLS 1.2 [RFC6347] with
Connection ID [I-D.ietf-tls-dtls-connection-id]. The overhead Connection ID [I-D.ietf-tls-dtls-connection-id]. The overhead
calculations in this section uses Connection ID = '42'. DTLS recored calculations in this section uses Connection ID = '42'. DTLS recored
layer with a Connection ID = '' (the empty string) is equal to DTLS layer with a Connection ID = '' (the empty string) is equal to DTLS
without Connection ID. without Connection ID.
DTLS 1.2 record layer (36 bytes, 30 bytes overhead): DTLS 1.2 record layer (36 bytes, 30 bytes overhead):
17 fe fd 00 01 00 00 00 00 00 05 42 00 16 00 01 17 fe fd 00 01 00 00 00 00 00 05 42 00 16 00 01
00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24
skipping to change at page 5, line 4 skipping to change at page 31, line 50
Connection ID: Connection ID:
42 42
Length: Length:
00 16 00 16
Nonce: Nonce:
00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 05
Ciphertext: Ciphertext:
ae a0 15 56 67 92 ae a0 15 56 67 92
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
DTLS 1.2 with Connection ID gives 30 bytes overhead. DTLS 1.2 with Connection ID gives 30 bytes overhead.
2.1.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC 3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC
This section analyzes the overhead of DTLS 1.2 [RFC6347] with This section analyzes the overhead of DTLS 1.2 [RFC6347] with
Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with
6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Note that the sequence number '01' used in [RFC7400], Figure 15 gives Note that the sequence number '01' used in [RFC7400], Figure 15 gives
an exceptionally small overhead that is not representative. an exceptionally small overhead that is not representative.
Note that this header compression is not available when DTLS is used Note that this header compression is not available when DTLS is used
over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
skipping to change at page 5, line 33 skipping to change at page 32, line 32
b0 c3 04 05 42 00 16 f2 0e b0 c3 04 05 42 00 16 f2 0e
Ciphertext: Ciphertext:
ae a0 15 56 67 92 ae a0 15 56 67 92
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
(epoch, sequence number, Connection ID, length) gives 17 bytes (epoch, sequence number, Connection ID, length) gives 17 bytes
overhead. overhead.
2.2. DTLS 1.3 3.3. DTLS 1.3
2.2.1. DTLS 1.3 3.3.1. DTLS 1.3
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]. This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13].
The changes compared to DTLS 1.2 are: omission of version number, The changes compared to DTLS 1.2 are: omission of version number,
merging of epoch into the first byte containing signalling bits, merging of epoch into the first byte containing signalling bits,
optional omission of length, reduction of sequence number into a 1 or optional omission of length, reduction of sequence number into a 1 or
2-bytes field. 2-bytes field.
In this example, the length field is omitted, and the 1-byte field is Only the minimal header format for DTLS 1.3 is analyzed (see Figure 4
used for the sequence number. The minimal DTLSCiphertext structure of [I-D.ietf-tls-dtls13]). The minimal header formal omit the length
is used (see Figure 4 of [I-D.ietf-tls-dtls13]). field and only a 1-byte field is used to carry the 8 low order bits
of the sequence number
DTLS 1.3 record layer (17 bytes, 11 bytes overhead): DTLS 1.3 record layer (17 bytes, 11 bytes overhead):
21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9
First byte (including epoch): First byte (including epoch):
21 21
Sequence number: Sequence number:
05 05
Ciphertext (including encrypted content type): Ciphertext (including encrypted content type):
ae a0 15 56 67 92 ec ae a0 15 56 67 92 ec
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
DTLS 1.3 gives 11 bytes overhead. DTLS 1.3 gives 11 bytes overhead.
2.2.2. DTLS 1.3 with 6LoWPAN-GHC 3.3.2. DTLS 1.3 with 6LoWPAN-GHC
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Note that this header compression is not available when DTLS is used Note that this header compression is not available when DTLS is used
over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed DTLS 1.3 record layer (18 bytes, 12 bytes overhead): Compressed DTLS 1.3 record layer (18 bytes, 12 bytes overhead):
11 21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 11 21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb
35 b9 35 b9
skipping to change at page 6, line 41 skipping to change at page 33, line 40
Compressed DTLS 1.3 record layer header and nonce: Compressed DTLS 1.3 record layer header and nonce:
11 21 05 11 21 05
Ciphertext (including encrypted content type): Ciphertext (including encrypted content type):
ae a0 15 56 67 92 ec ae a0 15 56 67 92 ec
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
(epoch, sequence number, no length) gives 12 bytes overhead. (epoch, sequence number, no length) gives 12 bytes overhead.
2.2.3. DTLS 1.3 with Connection ID 3.3.3. DTLS 1.3 with Connection ID
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
with Connection ID [I-D.ietf-tls-dtls-connection-id]. with Connection ID [I-D.ietf-tls-dtls-connection-id].
In this example, the length field is omitted, and the 1-byte field is In this example, the length field is omitted, and the 1-byte field is
used for the sequence number. The minimal DTLSCiphertext structure used for the sequence number. The minimal DTLSCiphertext structure
is used (see Figure 4 of [I-D.ietf-tls-dtls13]), with the addition of is used (see Figure 4 of [I-D.ietf-tls-dtls13]), with the addition of
the Connection ID field. the Connection ID field.
DTLS 1.3 record layer (18 bytes, 12 bytes overhead): DTLS 1.3 record layer (18 bytes, 12 bytes overhead):
skipping to change at page 7, line 21 skipping to change at page 34, line 21
42 42
Sequence number: Sequence number:
05 05
Ciphertext (including encrypted content type): Ciphertext (including encrypted content type):
ae a0 15 56 67 92 ec ae a0 15 56 67 92 ec
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
DTLS 1.3 with Connection ID gives 12 bytes overhead. DTLS 1.3 with Connection ID gives 12 bytes overhead.
2.2.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC 3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed
with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Note that this header compression is not available when DTLS is used Note that this header compression is not available when DTLS is used
over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed DTLS 1.3 record layer (19 bytes, 13 bytes overhead): Compressed DTLS 1.3 record layer (19 bytes, 13 bytes overhead):
12 31 05 42 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 12 31 05 42 ae a0 15 56 67 92 ec 4d ff 8a 24 e4
skipping to change at page 7, line 45 skipping to change at page 34, line 45
12 31 05 42 12 31 05 42
Ciphertext (including encrypted content type): Ciphertext (including encrypted content type):
ae a0 15 56 67 92 ec ae a0 15 56 67 92 ec
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
(epoch, sequence number, Connection ID, no length) gives 13 bytes (epoch, sequence number, Connection ID, no length) gives 13 bytes
overhead. overhead.
2.3. TLS 1.2 3.4. TLS 1.2
2.3.1. TLS 1.2 3.4.1. TLS 1.2
This section analyzes the overhead of TLS 1.2 [RFC5246]. The changes This section analyzes the overhead of TLS 1.2 [RFC5246]. The changes
compared to DTLS 1.2 is that the TLS 1.2 record layer does not have compared to DTLS 1.2 is that the TLS 1.2 record layer does not have
epoch and sequence number, and that the version is different. epoch and sequence number, and that the version is different.
TLS 1.2 Record Layer (27 bytes, 21 bytes overhead): TLS 1.2 Record Layer (27 bytes, 21 bytes overhead):
17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15 17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15
56 67 92 4d ff 8a 24 e4 cb 35 b9 56 67 92 4d ff 8a 24 e4 cb 35 b9
Content type: Content type:
skipping to change at page 8, line 24 skipping to change at page 35, line 24
00 16 00 16
Nonce: Nonce:
00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 05
Ciphertext: Ciphertext:
ae a0 15 56 67 92 ae a0 15 56 67 92
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
TLS 1.2 gives 21 bytes overhead. TLS 1.2 gives 21 bytes overhead.
2.3.2. TLS 1.2 with 6LoWPAN-GHC 3.4.2. TLS 1.2 with 6LoWPAN-GHC
This section analyzes the overhead of TLS 1.2 [RFC5246] when This section analyzes the overhead of TLS 1.2 [RFC5246] when
compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Note that this header compression is not available when TLS is used Note that this header compression is not available when TLS is used
over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed TLS 1.2 record layer (23 bytes, 17 bytes overhead): Compressed TLS 1.2 record layer (23 bytes, 17 bytes overhead):
05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d 05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d
ff 8a 24 e4 cb 35 b9 ff 8a 24 e4 cb 35 b9
skipping to change at page 8, line 46 skipping to change at page 35, line 46
Compressed TLS 1.2 record layer header and nonce: Compressed TLS 1.2 record layer header and nonce:
05 17 03 03 00 16 85 0f 05 05 17 03 03 00 16 85 0f 05
Ciphertext: Ciphertext:
ae a0 15 56 67 92 ae a0 15 56 67 92
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters
(epoch, sequence number, length) gives 17 bytes overhead. (epoch, sequence number, length) gives 17 bytes overhead.
2.4. TLS 1.3 3.5. TLS 1.3
2.4.1. TLS 1.3 3.5.1. TLS 1.3
This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13]. This section analyzes the overhead of TLS 1.3 [RFC8446]. The change
The change compared to TLS 1.2 is that the TLS 1.3 record layer uses compared to TLS 1.2 is that the TLS 1.3 record layer uses a different
a different version. version.
TLS 1.3 Record Layer (20 bytes, 14 bytes overhead): TLS 1.3 Record Layer (20 bytes, 14 bytes overhead):
17 03 03 00 16 ae a0 15 56 67 92 ec 4d ff 8a 24 17 03 03 00 16 ae a0 15 56 67 92 ec 4d ff 8a 24
e4 cb 35 b9 e4 cb 35 b9
Content type: Content type:
17 17
Legacy version: Legacy version:
03 03 03 03
Length: Length:
00 0f 00 0f
Ciphertext (including encrypted content type): Ciphertext (including encrypted content type):
ae a0 15 56 67 92 ec ae a0 15 56 67 92 ec
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
TLS 1.3 gives 14 bytes overhead. TLS 1.3 gives 14 bytes overhead.
2.4.2. TLS 1.3 with 6LoWPAN-GHC 3.5.2. TLS 1.3 with 6LoWPAN-GHC
This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13] This section analyzes the overhead of TLS 1.3 [RFC8446] when
when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Note that this header compression is not available when TLS is used Note that this header compression is not available when TLS is used
over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed TLS 1.3 record layer (21 bytes, 15 bytes overhead): Compressed TLS 1.3 record layer (21 bytes, 15 bytes overhead):
14 17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a 14 17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a
24 e4 cb 35 b9 24 e4 cb 35 b9
Compressed TLS 1.3 record layer header and nonce: Compressed TLS 1.3 record layer header and nonce:
14 17 03 03 00 0f 14 17 03 03 00 0f
Ciphertext (including encrypted content type): Ciphertext (including encrypted content type):
ae a0 15 56 67 92 ec ae a0 15 56 67 92 ec
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters
(epoch, sequence number, length) gives 15 bytes overhead. (epoch, sequence number, length) gives 15 bytes overhead.
2.5. OSCORE 3.6. OSCORE
This section analyzes the overhead of OSCORE This section analyzes the overhead of OSCORE
[I-D.ietf-core-object-security]. [I-D.ietf-core-object-security].
The below calculation Option Delta = '9', Sender ID = '' (empty The below calculation Option Delta = '9', Sender ID = '' (empty
string), and Sequence Number = '05', and is only an example. Note string), and Sequence Number = '05', and is only an example. Note
that Sender ID = '' (empty string) can only be used by one client per that Sender ID = '' (empty string) can only be used by one client per
server. server.
OSCORE request (19 bytes, 13 bytes overhead): OSCORE request (19 bytes, 13 bytes overhead):
skipping to change at page 11, line 26 skipping to change at page 38, line 26
ec ae a0 15 56 67 92 ec ae a0 15 56 67 92
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
OSCORE with the above parameters gives 13-14 bytes overhead for OSCORE with the above parameters gives 13-14 bytes overhead for
requests and 11 bytes overhead for responses. requests and 11 bytes overhead for responses.
Unlike DTLS and TLS, OSCORE has much smaller overhead for responses Unlike DTLS and TLS, OSCORE has much smaller overhead for responses
than requests. than requests.
3. Overhead with Different Parameters 3.7. Group OSCORE
The DTLS overhead is dependent on the parameter Connection ID. The
following overheads apply for all Connection IDs with the same
length.
The compression overhead (GHC) is dependent on the parameters epoch,
sequence number, Connection ID, and length (where applicable). The
following overheads should be representative for sequence numbers and
Connection IDs with the same length.
The OSCORE overhead is dependent on the included CoAP Option numbers
as well as the length of the OSCORE parameters Sender ID and sequence
number. The following overheads apply for all sequence numbers and
Sender IDs with the same length.
Sequence Number '05' '1005' '100005'
-------------------------------------------------------------
DTLS 1.2 29 29 29
DTLS 1.3 11 12 12
-------------------------------------------------------------
DTLS 1.2 (GHC) 16 16 16
DTLS 1.3 (GHC) 12 13 13
-------------------------------------------------------------
TLS 1.2 21 21 21
TLS 1.3 14 14 14
-------------------------------------------------------------
TLS 1.2 (GHC) 17 18 19
TLS 1.3 (GHC) 15 16 17
-------------------------------------------------------------
OSCORE request 13 14 15
OSCORE response 11 11 11
Figure 1: Overhead in bytes as a function of sequence number
(Connection/Sender ID = '')
Connection/Sender ID '' '42' '4002'
-------------------------------------------------------------
DTLS 1.2 29 30 31
DTLS 1.3 11 12 13
-------------------------------------------------------------
DTLS 1.2 (GHC) 16 17 18
DTLS 1.3 (GHC) 12 13 14
-------------------------------------------------------------
OSCORE request 13 14 15
OSCORE response 11 11 11
Figure 2: Overhead in bytes as a function of Connection/Sender ID
(Sequence Number = '05')
Protocol Overhead Overhead (GHC) This section analyzes the overhead of Group OSCORE
------------------------------------------------------------- [I-D.ietf-core-oscore-groupcomm].
DTLS 1.2 21 8
DTLS 1.3 3 4
-------------------------------------------------------------
TLS 1.2 13 9
TLS 1.3 6 7
-------------------------------------------------------------
OSCORE request 5
OSCORE response 3
Figure 3: Overhead (excluding ICV) in bytes TODO
(Connection/Sender ID = '', Sequence Number = '05')
4. Summary 3.8. Conclusion
DTLS 1.2 has quite a large overhead as it uses an explicit sequence DTLS 1.2 has quite a large overhead as it uses an explicit sequence
number and an explicit nonce. TLS 1.2 has significantly less (but number and an explicit nonce. TLS 1.2 has significantly less (but
not small) overhead. TLS 1.3 has quite a small overhead. OSCORE and not small) overhead. TLS 1.3 has quite a small overhead. OSCORE and
DTLS 1.3 (using the minimal structure) format have very small DTLS 1.3 (using the minimal structure) format have very small
overhead. overhead.
The Generic Header Compression (6LoWPAN-GHC) can in addition to DTLS The Generic Header Compression (6LoWPAN-GHC) can in addition to DTLS
1.2 handle TLS 1.2, and DTLS 1.2 with Connection ID. The Generic 1.2 handle TLS 1.2, and DTLS 1.2 with Connection ID. The Generic
Header Compression (6LoWPAN-GHC) works very well for Connection ID Header Compression (6LoWPAN-GHC) works very well for Connection ID
and the overhead seems to increase exactly with the length of the and the overhead seems to increase exactly with the length of the
Connection ID (which is optimal). The compression of TLS 1.2 is not Connection ID (which is optimal). The compression of TLS 1.2 is not
as good as the compression of DTLS 1.2 (as the static dictionary only as good as the compression of DTLS 1.2 (as the static dictionary only
contains the DTLS 1.2 version number). Similar compression levels as contains the DTLS 1.2 version number). Similar compression levels as
for DTLS could be achieved also for TLS 1.2, but this would require for DTLS could be achieved also for TLS 1.2, but this would require
different static dictionaries. For TLS 1.3 and DTLS 1.3, GHC different static dictionaries. For TLS 1.3 and DTLS 1.3, GHC
increases the overhead. The 6LoWPAN-GHC header compression is not increases the overhead. The 6LoWPAN-GHC header compression is not
available when (D)TLS is used over transports that do not use 6LoWPAN available when (D)TLS is used over transports that do not use 6LoWPAN
together with 6LoWPAN-GHC. together with 6LoWPAN-GHC.
Only the minimal header format for DTLS 1.3 was considered, which New security protocols like OSCORE, TLS 1.3, and DTLS 1.3 have much
reduces the header of 3 bytes compared to the full header, by lower overhead than DTLS 1.2 and TLS 1.2. The overhead is even
omitting the 2-byte-long length value and sending 1 byte of sequence smaller than DTLS 1.2 and TLS 1.2 over 6LoWPAN with compression, and
number instead of 2. This may create problems reconstructing the therefore the small overhead is achieved even on deployments without
full sequence number, if ~2000 datagrams in sequence are lost. 6LoWPAN or 6LoWPAN without compression. OSCORE is lightweight
because it makes use of CoAP, CBOR, and COSE, which were designed to
have as low overhead as possible.
OSCORE has much lower overhead than DTLS 1.2 and TLS 1.2. The Note that the compared protocols have slightly different use cases.
overhead of OSCORE is smaller than DTLS 1.2 and TLS 1.2 over 6LoWPAN TLS and DTLS are designed for the transport layer and are terminated
with compression, and this small overhead is achieved even on in CoAP proxies. OSCORE is designed for the application layer and
deployments without 6LoWPAN or 6LoWPAN without DTLS compression. protects information end-to-end between the CoAP client and the CoAP
OSCORE is lightweight because it makes use of CoAP, CBOR, and COSE, server. Group OSCORE is designed for group communication and
which were designed to have as low overhead as possible. protects information between a CoAP client and any number of CoAP
servers.
5. Security Considerations 4. Security Considerations
This document is purely informational. This document is purely informational.
6. IANA Considerations 5. IANA Considerations
This document has no actions for IANA. This document has no actions for IANA.
7. Informative References 6. Informative References
[I-D.ietf-core-object-security] [I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments "Object Security for Constrained RESTful Environments
(OSCORE)", draft-ietf-core-object-security-15 (work in (OSCORE)", draft-ietf-core-object-security-15 (work in
progress), August 2018. progress), August 2018.
[I-D.ietf-core-oscore-groupcomm]
Tiloca, M., Selander, G., Palombini, F., and J. Park,
"Group OSCORE - Secure Group Communication for CoAP",
draft-ietf-core-oscore-groupcomm-03 (work in progress),
October 2018.
[I-D.ietf-tls-dtls-connection-id] [I-D.ietf-tls-dtls-connection-id]
Rescorla, E., Tschofenig, H., Fossati, T., and T. Gondrom, Rescorla, E., Tschofenig, H., Fossati, T., and T. Gondrom,
"Connection Identifiers for DTLS 1.2", draft-ietf-tls- "Connection Identifiers for DTLS 1.2", draft-ietf-tls-
dtls-connection-id-02 (work in progress), October 2018. dtls-connection-id-02 (work in progress), October 2018.
[I-D.ietf-tls-dtls13] [I-D.ietf-tls-dtls13]
Rescorla, E., Tschofenig, H., and N. Modadugu, "The Rescorla, E., Tschofenig, H., and N. Modadugu, "The
Datagram Transport Layer Security (DTLS) Protocol Version Datagram Transport Layer Security (DTLS) Protocol Version
1.3", draft-ietf-tls-dtls13-30 (work in progress), 1.3", draft-ietf-tls-dtls13-30 (work in progress),
November 2018. November 2018.
[I-D.ietf-tls-tls13] [I-D.schaad-ace-tls-cbor-handshake]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Schaad, J., "TLS Handshake in CBOR", draft-schaad-ace-tls-
Version 1.3", draft-ietf-tls-tls13-28 (work in progress), cbor-handshake-00 (work in progress), March 2019.
March 2018.
[I-D.selander-ace-cose-ecdhe]
Selander, G., Mattsson, J., and F. Palombini, "Ephemeral
Diffie-Hellman Over COSE (EDHOC)", draft-selander-ace-
cose-ecdhe-12 (work in progress), February 2019.
[IoT-Cert]
Forsby, F., "Digital Certificates for the Internet of
Things", June 2017, <https://kth.diva-
portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf>.
[OlegHahm-ghc] [OlegHahm-ghc]
Hahm, O., "Generic Header Compression", July 2016, Hahm, O., "Generic Header Compression", July 2016,
<https://github.com/OlegHahm/ghc>. <https://github.com/OlegHahm/ghc>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, (TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008, DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>. <https://www.rfc-editor.org/info/rfc5246>.
skipping to change at page 15, line 5 skipping to change at page 40, line 42
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC7400] Bormann, C., "6LoWPAN-GHC: Generic Header Compression for [RFC7400] Bormann, C., "6LoWPAN-GHC: Generic Header Compression for
IPv6 over Low-Power Wireless Personal Area Networks IPv6 over Low-Power Wireless Personal Area Networks
(6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November (6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November
2014, <https://www.rfc-editor.org/info/rfc7400>. 2014, <https://www.rfc-editor.org/info/rfc7400>.
[RFC7924] Santesson, S. and H. Tschofenig, "Transport Layer Security
(TLS) Cached Information Extension", RFC 7924,
DOI 10.17487/RFC7924, July 2016,
<https://www.rfc-editor.org/info/rfc7924>.
[RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer [RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer
Security (TLS) / Datagram Transport Layer Security (DTLS) Security (TLS) / Datagram Transport Layer Security (DTLS)
Profiles for the Internet of Things", RFC 7925, Profiles for the Internet of Things", RFC 7925,
DOI 10.17487/RFC7925, July 2016, DOI 10.17487/RFC7925, July 2016,
<https://www.rfc-editor.org/info/rfc7925>. <https://www.rfc-editor.org/info/rfc7925>.
[RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
Application Protocol) over TCP, TLS, and WebSockets", Application Protocol) over TCP, TLS, and WebSockets",
RFC 8323, DOI 10.17487/RFC8323, February 2018, RFC 8323, DOI 10.17487/RFC8323, February 2018,
<https://www.rfc-editor.org/info/rfc8323>. <https://www.rfc-editor.org/info/rfc8323>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[Ulfheim-TLS13]
Driscoll, M., "Every Byte Explained The Illustrated TLS
1.3 Connection", March 2018, <https://tls13.ulfheim.net>.
Acknowledgments Acknowledgments
The authors want to thank Ari Keraenen, Carsten Bormann, Goeran The authors want to thank Ari Keraenen, Carsten Bormann, Goeran
Selander, and Hannes Tschofenig for comments and suggestions on Selander, and Hannes Tschofenig for comments and suggestions on
previous versions of the draft. previous versions of the draft.
All 6LoWPAN-GHC compression was done with [OlegHahm-ghc]. All 6LoWPAN-GHC compression was done with [OlegHahm-ghc].
Authors' Addresses Authors' Addresses
 End of changes. 44 change blocks. 
152 lines changed or deleted 1297 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/