draft-ietf-lwig-security-protocol-comparison-03.txt   draft-ietf-lwig-security-protocol-comparison-04.txt 
LWIG Working Group J. Mattsson LWIG Working Group J. Mattsson
Internet-Draft F. Palombini Internet-Draft F. Palombini
Intended status: Informational Ericsson AB Intended status: Informational Ericsson AB
Expires: September 12, 2019 March 11, 2019 Expires: September 10, 2020 M. Vucinic
INRIA
March 09, 2020
Comparison of CoAP Security Protocols Comparison of CoAP Security Protocols
draft-ietf-lwig-security-protocol-comparison-03 draft-ietf-lwig-security-protocol-comparison-04
Abstract Abstract
This document analyzes and compares the sizes of key exchange flights This document analyzes and compares the sizes of key exchange flights
and the per-packet message size overheads when using different and the per-packet message size overheads when using different
security protocols to secure CoAP. The analyzed security protocols security protocols to secure CoAP. The analyzed security protocols
are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, EDHOC, OSCORE, and Group are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, EDHOC, OSCORE, and Group
OSCORE. The DTLS and TLS record layers are analyzed with and without OSCORE. The DTLS and TLS record layers are analyzed with and without
6LoWPAN-GHC compression. DTLS is analyzed with and without 6LoWPAN-GHC compression. DTLS is analyzed with and without
Connection ID. Connection ID.
skipping to change at page 1, line 36 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 12, 2019. This Internet-Draft will expire on September 10, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 26 skipping to change at page 2, line 28
2.2.4. Cached Information . . . . . . . . . . . . . . . . . 12 2.2.4. Cached Information . . . . . . . . . . . . . . . . . 12
2.2.5. Resumption . . . . . . . . . . . . . . . . . . . . . 13 2.2.5. Resumption . . . . . . . . . . . . . . . . . . . . . 13
2.2.6. Without Connection ID . . . . . . . . . . . . . . . . 14 2.2.6. Without Connection ID . . . . . . . . . . . . . . . . 14
2.2.7. DTLS Raw Public Keys . . . . . . . . . . . . . . . . 15 2.2.7. DTLS Raw Public Keys . . . . . . . . . . . . . . . . 15
2.3. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.3. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.3.1. Message Sizes RPK + ECDHE . . . . . . . . . . . . . . 16 2.3.1. Message Sizes RPK + ECDHE . . . . . . . . . . . . . . 16
2.3.2. Message Sizes PSK + ECDHE . . . . . . . . . . . . . . 22 2.3.2. Message Sizes PSK + ECDHE . . . . . . . . . . . . . . 22
2.3.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 23 2.3.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 23
2.4. EDHOC . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.4. EDHOC . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.4.1. Message Sizes RPK . . . . . . . . . . . . . . . . . . 24 2.4.1. Message Sizes RPK . . . . . . . . . . . . . . . . . . 24
2.4.2. Message Sizes Certificates . . . . . . . . . . . . . 26 2.4.2. Message Sizes PSK . . . . . . . . . . . . . . . . . . 25
2.4.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 26 2.4.3. message_1 . . . . . . . . . . . . . . . . . . . . . . 25
2.4.4. message_1 . . . . . . . . . . . . . . . . . . . . . . 26 2.4.4. message_2 . . . . . . . . . . . . . . . . . . . . . . 25
2.4.5. message_2 . . . . . . . . . . . . . . . . . . . . . . 26 2.4.5. message_3 . . . . . . . . . . . . . . . . . . . . . . 26
2.4.6. message_3 . . . . . . . . . . . . . . . . . . . . . . 27 2.4.6. Summary . . . . . . . . . . . . . . . . . . . . . . . 26
2.4.7. Summary . . . . . . . . . . . . . . . . . . . . . . . 27 2.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 26
2.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 27 3. Overhead for Protection of Application Data . . . . . . . . . 27
3. Overhead for Protection of Application Data . . . . . . . . . 28 3.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 28 3.2. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 29
3.2. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 30 3.2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 29
3.2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 30 3.2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 29
3.2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 30 3.2.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 30
3.2.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 31 3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 31
3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 32 3.3. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 31
3.3. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 32 3.3.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 31
3.3.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 32 3.3.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 32
3.3.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 33 3.3.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 32
3.3.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 33 3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 33
3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 34 3.4. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.4. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 34 3.4.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 33
3.4.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 34 3.4.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 34
3.4.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 35 3.5. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.5. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 35 3.5.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 34
3.5.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 35 3.5.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 35
3.5.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 36
3.6. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 36 3.6. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.7. Group OSCORE . . . . . . . . . . . . . . . . . . . . . . 38 3.7. Group OSCORE . . . . . . . . . . . . . . . . . . . . . . 37
3.8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 38 3.8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 37
4. Security Considerations . . . . . . . . . . . . . . . . . . . 39 4. Security Considerations . . . . . . . . . . . . . . . . . . . 38
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
6. Informative References . . . . . . . . . . . . . . . . . . . 39 6. Informative References . . . . . . . . . . . . . . . . . . . 38
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 41 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 40
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40
1. Introduction 1. Introduction
This document analyzes and compares the sizes of key exchange flights This document analyzes and compares the sizes of key exchange flights
and the per-packet message size overheads when using different and the per-packet message size overheads when using different
security protocols to secure CoAP over UPD [RFC7252] and TCP security protocols to secure CoAP over UPD [RFC7252] and TCP
[RFC8323]. The analyzed security protocols are DTLS 1.2 [RFC6347], [RFC8323]. The analyzed security protocols are DTLS 1.2 [RFC6347],
DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [RFC8446], DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [RFC8446],
EDHOC [I-D.selander-ace-cose-ecdhe], OSCORE EDHOC [I-D.selander-lake-edhoc], OSCORE [RFC8613], and Group OSCORE
[I-D.ietf-core-object-security], and Group OSCORE
[I-D.ietf-core-oscore-groupcomm]. [I-D.ietf-core-oscore-groupcomm].
The DTLS and TLS record layers are analyzed with and without 6LoWPAN- The DTLS and TLS record layers are analyzed with and without 6LoWPAN-
GHC compression. DTLS is anlyzed with and without Connection ID GHC compression. DTLS is anlyzed with and without Connection ID
[I-D.ietf-tls-dtls-connection-id]. Readers are expected to be [I-D.ietf-tls-dtls-connection-id]. Readers are expected to be
familiar with some of the terms described in RFC 7925 [RFC7925], such familiar with some of the terms described in RFC 7925 [RFC7925], such
as ICV. Section 2 compares the overhead of key exchange, while as ICV. Section 2 compares the overhead of key exchange, while
Section 3 covers the overhead for protection of application data. Section 3 covers the overhead for protection of application data.
2. Overhead of Key Exchange Protocols 2. Overhead of Key Exchange Protocols
skipping to change at page 4, line 25 skipping to change at page 4, line 25
following overheads apply for all Connection IDs of the same length, following overheads apply for all Connection IDs of the same length,
when Connection ID is used. when Connection ID is used.
The EDHOC overhead is dependent on the key identifiers included. The The EDHOC overhead is dependent on the key identifiers included. The
following overheads apply for Sender IDs of the same length. following overheads apply for Sender IDs of the same length.
All the overhead are dependent on the tag length. The following All the overhead are dependent on the tag length. The following
overheads apply for tags of the same length. overheads apply for tags of the same length.
Figure 1 compares the message sizes of EDHOC Figure 1 compares the message sizes of EDHOC
[I-D.selander-ace-cose-ecdhe] with the DTLS 1.3 [I-D.ietf-tls-dtls13] [I-D.selander-lake-edhoc] with the DTLS 1.3 [I-D.ietf-tls-dtls13] and
and TLS 1.3 [RFC8446] handshakes with connection ID. TLS 1.3 [RFC8446] handshakes with connection ID.
===================================================================== =====================================================================
Flight #1 #2 #3 Total Flight #1 #2 #3 Total
--------------------------------------------------------------------- ---------------------------------------------------------------------
DTLS 1.3 RPK + ECDHE 150 373 213 736 DTLS 1.3 RPK + ECDHE 150 373 213 736
DTLS 1.3 Cached X.509/RPK + ECDHE 182 347 213 742 DTLS 1.3 Cached X.509/RPK + ECDHE 182 347 213 742
DTLS 1.3 PSK + ECDHE 184 190 57 431 DTLS 1.3 PSK + ECDHE 184 190 57 431
DTLS 1.3 PSK 134 150 57 341 DTLS 1.3 PSK 134 150 57 341
--------------------------------------------------------------------- ---------------------------------------------------------------------
EDHOC RPK + ECDHE 39 114 80 233 EDHOC RPK + ECDHE 37 46 20 103
EDHOC PSK + ECDHE 41 45 11 97 EDHOC PSK + ECDHE 38 44 10 92
===================================================================== =====================================================================
Figure 1: Comparison of message sizes in bytes with Connection ID Figure 1: Comparison of message sizes in bytes with Connection ID
Figure 2 compares of message sizes of DTLS 1.3 [I-D.ietf-tls-dtls13] Figure 2 compares of message sizes of DTLS 1.3 [I-D.ietf-tls-dtls13]
and TLS 1.3 [RFC8446] handshakes without connection ID. and TLS 1.3 [RFC8446] handshakes without connection ID.
===================================================================== =====================================================================
Flight #1 #2 #3 Total Flight #1 #2 #3 Total
--------------------------------------------------------------------- ---------------------------------------------------------------------
skipping to change at page 16, line 12 skipping to change at page 16, line 12
Total of 59 bytes Total of 59 bytes
2.3. TLS 1.3 2.3. TLS 1.3
In this section, the message sizes are calculated for TLS 1.3. The In this section, the message sizes are calculated for TLS 1.3. The
major changes compared to DTLS 1.3 are that the record header is major changes compared to DTLS 1.3 are that the record header is
smaller, the handshake headers is smaller, and that Connection ID is smaller, the handshake headers is smaller, and that Connection ID is
not supported. Recently, additional work has taken shape with the not supported. Recently, additional work has taken shape with the
goal to further reduce overhead for TLS 1.3 (see goal to further reduce overhead for TLS 1.3 (see
[I-D.schaad-ace-tls-cbor-handshake] ). [I-D.rescorla-tls-ctls]).
TLS Assumptions: TLS Assumptions:
o Minimum number of algorithms and cipher suites offered o Minimum number of algorithms and cipher suites offered
o Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256 o Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256
o Length of key identifiers: 1 bytes o Length of key identifiers: 1 bytes
o TLS RPK with point compression (saves 32 bytes) o TLS RPK with point compression (saves 32 bytes)
skipping to change at page 24, line 29 skipping to change at page 24, line 29
2.3.3.3. flight_3 2.3.3.3. flight_3
There are no differences in overhead compared to Section 2.3.2.3. There are no differences in overhead compared to Section 2.3.2.3.
TLS 1.3 PSK flight_3 gives 57 bytes of overhead. TLS 1.3 PSK flight_3 gives 57 bytes of overhead.
2.4. EDHOC 2.4. EDHOC
This section gives an estimate of the message sizes of EDHOC with This section gives an estimate of the message sizes of EDHOC with
different authentication methods. Note that the examples in this different authentication methods. All examples are given in CBOR
section are not test vectors, the cryptographic parts are just diagnostic notation and hexadecimal.
replaced with byte strings of the same length. All examples are
given in CBOR diagnostic notation and hexadecimal.
2.4.1. Message Sizes RPK 2.4.1. Message Sizes RPK
2.4.1.1. message_1 2.4.1.1. message_1
message_1 = ( message_1 = (
1, 13,
0, 0,
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d h'8D3EF56D1B750A4351D68AC250A0E883790EFC80A538A444EE9E2B57E244
1e1f', 1A7C',
h'c3' -2
) )
message_1 (38 bytes): message_1 (37 bytes):
01 00 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0d 00 58 20 8d 3e f5 6d 1b 75 0a 43 51 d6 8a c2 50 a0 e8 83
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C3 79 0e fc 80 a5 38 a4 44 ee 9e 2b 57 e2 44 1a 7c 21
2.4.1.2. message_2 2.4.1.2. message_2
plaintext = <<
h'a1',
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d
1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b
3c3d3e3f'
>>
The header map { 4 : h'a1' } is encoded as the two bytes h'a1'. The
length of plaintext is 68 bytes so assuming a 64-bit MAC value the
length of ciphertext is 76 bytes.
message_2 = ( message_2 = (
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d h'52FBA0BDC8D953DD86CE1AB2FD7C05A4658C7C30AFDBFC3301047069451B
1e1f', AF35',
h'c4', 8,
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d h'DCF6FE9C524C22454DEB'
1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b
3c3d3e3f404142434445464748494a4b'
) )
message_2 (114 bytes): message_2 (46 bytes):
58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 58 20 52 fb a0 bd c8 d9 53 dd 86 ce 1a b2 fd 7c 05 a4 65 8c
12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C4 58 51 00 01 7c 30 af db fc 33 01 04 70 69 45 1b af 35 08 4a dc f6 fe 9c
02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 52 4c 22 45 4d eb
16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29
2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D
3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B
2.4.1.3. message_3 2.4.1.3. message_3
The plaintext and ciphertext in message_3 are assumed to be of equal
sizes as in message_2.
message_3 = ( message_3 = (
h'c4', 8,
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d h'53C3991999A5FFB86921E99B607C067770E0'
1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b
3c3d3e3f404142434445464748494a4b'
) )
message_3 (80 bytes): message_3 (20 bytes):
41 C4 58 51 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 08 52 53 c3 99 19 99 a5 ff b8 69 21 e9 9b 60 7c 06 77 70 e0
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23
24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37
38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B
2.4.2. Message Sizes Certificates
When the certificates are distributed out-of-band and identified with
the x5t header parameter and a SHA256/64 hash value, the header map
will be 13 bytes (assuming labels in the range -24...23).
{ TDB1 : [ TDB6, h'0001020304050607' ] }
When the certificates are identified with the x5chain header
parameter, the message sizes depends on the size of the (truncated)
certificate chains. The header map will be 3 bytes + the size of the
certificate chain (assuming a label in the range -24...23).
{ TDB3 : h'0001020304050607...' }
2.4.3. Message Sizes PSK 2.4.2. Message Sizes PSK
2.4.4. message_1 2.4.3. message_1
message_1 = ( message_1 = (
4, 17,
0, 0,
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d h'3662C4A71D624E8A4D9DFF879ABC6E2A0E745F82F497F7AFBEBFF3B01A8F
1e1f', AB57',
h'c3', 14,
h'a2' -17
) )
message_1 (40 bytes): message_1 (38 bytes):
04 00 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 11 00 58 20 36 62 c4 a7 1d 62 4e 8a 4d 9d ff 87 9a bc 6e 2a
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C3 41 A2 0e 74 5f 82 f4 97 f7 af be bf f3 b0 1a 8f ab 57 0e 30
2.4.5. message_2
Assuming a 0 byte plaintext and a 64-bit MAC value the ciphertext is
8 bytes
2.4.4. message_2
message_2 = ( message_2 = (
h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d h'A3967F6CF99B6DDC7E7C219D0D119A383F754001DF33515971EC6C842553
1e1f', B776',
h'c4', -24,
h'0001020304050607' h'4F355451E069226F'
) )
message_2 (45 bytes): message_2 (44 bytes):
58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 58 20 a3 96 7f 6c f9 9b 6d dc 7e 7c 21 9d 0d 11 9a 38 3f 75
12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C4 48 61 62 63 40 01 df 33 51 59 71 ec 6c 84 25 53 b7 76 37 48 4f 35 54 51
64 65 66 67 68 e0 69 22 6f
2.4.6. message_3
The plaintext and ciphertext in message_3 are assumed to be of equal 2.4.5. message_3
sizes as in message_2.
message_3 = ( message_3 = (
h'c4', -24,
h'0001020304050607' h'763BD2F3C10F0D45'
) )
message_3 (11 bytes): message_3 (10 bytes):
41 C4 48 00 01 02 03 04 05 06 07 37 48 76 3b d2 f3 c1 0f 0d 45
2.4.7. Summary 2.4.6. Summary
The previous examples of typical message sizes are summarized in The previous examples of typical message sizes are summarized in
Figure 5. Figure 5.
===================================================================== =====================================================================
PSK RPK x5t x5chain PSK RPK x5t x5chain
--------------------------------------------------------------------- ---------------------------------------------------------------------
message_1 40 38 38 38 message_1 38 37 37 37
message_2 45 114 126 116 + Certificate chain message_2 44 46 117 110 + Certificate chain
message_3 11 80 91 81 + Certificate chain message_3 10 20 91 84 + Certificate chain
--------------------------------------------------------------------- ---------------------------------------------------------------------
Total 96 232 255 235 + Certificate chains Total 92 103 245 231 + Certificate chains
===================================================================== =====================================================================
Figure 5: Typical message sizes in bytes Figure 5: Typical message sizes in bytes
2.5. Conclusion 2.5. Conclusion
To do a fair comparison, one has to choose a specific deployment and To do a fair comparison, one has to choose a specific deployment and
look at the topology, the whole protocol stack, frame sizes (e.g. 51 look at the topology, the whole protocol stack, frame sizes (e.g. 51
or 128 bytes), how and where in the protocol stack fragmentation is or 128 bytes), how and where in the protocol stack fragmentation is
done, and the expected packet loss. Note that the number of byte in done, and the expected packet loss. Note that the number of byte in
skipping to change at page 29, line 36 skipping to change at page 28, line 36
------------------------------------------------------------- -------------------------------------------------------------
DTLS 1.2 29 30 31 DTLS 1.2 29 30 31
DTLS 1.3 11 12 13 DTLS 1.3 11 12 13
------------------------------------------------------------- -------------------------------------------------------------
DTLS 1.2 (GHC) 16 17 18 DTLS 1.2 (GHC) 16 17 18
DTLS 1.3 (GHC) 12 13 14 DTLS 1.3 (GHC) 12 13 14
------------------------------------------------------------- -------------------------------------------------------------
OSCORE request 13 14 15 OSCORE request 13 14 15
OSCORE response 11 11 11 OSCORE response 11 11 11
Figure 7: Overhead in bytes as a function of Connection/Sender ID Figure 7: Overhead in bytes as a function of Connection/Sender
(Sequence Number = '05') ID (Sequence Number = '05')
Protocol Overhead Overhead (GHC) Protocol Overhead Overhead (GHC)
------------------------------------------------------------- -------------------------------------------------------------
DTLS 1.2 21 8 DTLS 1.2 21 8
DTLS 1.3 3 4 DTLS 1.3 3 4
------------------------------------------------------------- -------------------------------------------------------------
TLS 1.2 13 9 TLS 1.2 13 9
TLS 1.3 6 7 TLS 1.3 6 7
------------------------------------------------------------- -------------------------------------------------------------
OSCORE request 5 OSCORE request 5
skipping to change at page 36, line 46 skipping to change at page 35, line 46
Ciphertext (including encrypted content type): Ciphertext (including encrypted content type):
ae a0 15 56 67 92 ec ae a0 15 56 67 92 ec
ICV: ICV:
4d ff 8a 24 e4 cb 35 b9 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters
(epoch, sequence number, length) gives 15 bytes overhead. (epoch, sequence number, length) gives 15 bytes overhead.
3.6. OSCORE 3.6. OSCORE
This section analyzes the overhead of OSCORE This section analyzes the overhead of OSCORE [RFC8613].
[I-D.ietf-core-object-security].
The below calculation Option Delta = '9', Sender ID = '' (empty The below calculation Option Delta = '9', Sender ID = '' (empty
string), and Sequence Number = '05', and is only an example. Note string), and Sequence Number = '05', and is only an example. Note
that Sender ID = '' (empty string) can only be used by one client per that Sender ID = '' (empty string) can only be used by one client per
server. server.
OSCORE request (19 bytes, 13 bytes overhead): OSCORE request (19 bytes, 13 bytes overhead):
92 09 05 92 09 05
ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9
skipping to change at page 39, line 31 skipping to change at page 38, line 31
4. Security Considerations 4. Security Considerations
This document is purely informational. This document is purely informational.
5. IANA Considerations 5. IANA Considerations
This document has no actions for IANA. This document has no actions for IANA.
6. Informative References 6. Informative References
[I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments
(OSCORE)", draft-ietf-core-object-security-15 (work in
progress), August 2018.
[I-D.ietf-core-oscore-groupcomm] [I-D.ietf-core-oscore-groupcomm]
Tiloca, M., Selander, G., Palombini, F., and J. Park, Tiloca, M., Selander, G., Palombini, F., and J. Park,
"Group OSCORE - Secure Group Communication for CoAP", "Group OSCORE - Secure Group Communication for CoAP",
draft-ietf-core-oscore-groupcomm-03 (work in progress), draft-ietf-core-oscore-groupcomm-06 (work in progress),
October 2018. November 2019.
[I-D.ietf-tls-dtls-connection-id] [I-D.ietf-tls-dtls-connection-id]
Rescorla, E., Tschofenig, H., Fossati, T., and T. Gondrom, Rescorla, E., Tschofenig, H., and T. Fossati, "Connection
"Connection Identifiers for DTLS 1.2", draft-ietf-tls- Identifiers for DTLS 1.2", draft-ietf-tls-dtls-connection-
dtls-connection-id-02 (work in progress), October 2018. id-07 (work in progress), October 2019.
[I-D.ietf-tls-dtls13] [I-D.ietf-tls-dtls13]
Rescorla, E., Tschofenig, H., and N. Modadugu, "The Rescorla, E., Tschofenig, H., and N. Modadugu, "The
Datagram Transport Layer Security (DTLS) Protocol Version Datagram Transport Layer Security (DTLS) Protocol Version
1.3", draft-ietf-tls-dtls13-30 (work in progress), 1.3", draft-ietf-tls-dtls13-34 (work in progress),
November 2018. November 2019.
[I-D.schaad-ace-tls-cbor-handshake] [I-D.rescorla-tls-ctls]
Schaad, J., "TLS Handshake in CBOR", draft-schaad-ace-tls- Rescorla, E., Barnes, R., and H. Tschofenig, "Compact TLS
cbor-handshake-00 (work in progress), March 2019. 1.3", draft-rescorla-tls-ctls-03 (work in progress),
November 2019.
[I-D.selander-ace-cose-ecdhe] [I-D.selander-lake-edhoc]
Selander, G., Mattsson, J., and F. Palombini, "Ephemeral Selander, G., Mattsson, J., and F. Palombini, "Ephemeral
Diffie-Hellman Over COSE (EDHOC)", draft-selander-ace- Diffie-Hellman Over COSE (EDHOC)", draft-selander-lake-
cose-ecdhe-12 (work in progress), February 2019. edhoc-00 (work in progress), November 2019.
[IoT-Cert] [IoT-Cert]
Forsby, F., "Digital Certificates for the Internet of Forsby, F., "Digital Certificates for the Internet of
Things", June 2017, <https://kth.diva- Things", June 2017, <https://kth.diva-
portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf>. portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf>.
[OlegHahm-ghc] [OlegHahm-ghc]
Hahm, O., "Generic Header Compression", July 2016, Hahm, O., "Generic Header Compression", July 2016,
<https://github.com/OlegHahm/ghc>. <https://github.com/OlegHahm/ghc>.
skipping to change at page 41, line 15 skipping to change at page 40, line 15
[RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
Application Protocol) over TCP, TLS, and WebSockets", Application Protocol) over TCP, TLS, and WebSockets",
RFC 8323, DOI 10.17487/RFC8323, February 2018, RFC 8323, DOI 10.17487/RFC8323, February 2018,
<https://www.rfc-editor.org/info/rfc8323>. <https://www.rfc-editor.org/info/rfc8323>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments
(OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019,
<https://www.rfc-editor.org/info/rfc8613>.
[Ulfheim-TLS13] [Ulfheim-TLS13]
Driscoll, M., "Every Byte Explained The Illustrated TLS Driscoll, M., "Every Byte Explained The Illustrated TLS
1.3 Connection", March 2018, <https://tls13.ulfheim.net>. 1.3 Connection", March 2018, <https://tls13.ulfheim.net>.
Acknowledgments Acknowledgments
The authors want to thank Ari Keraenen, Carsten Bormann, Goeran The authors want to thank Ari Keraenen, Carsten Bormann, Goeran
Selander, and Hannes Tschofenig for comments and suggestions on Selander, and Hannes Tschofenig for comments and suggestions on
previous versions of the draft. previous versions of the draft.
All 6LoWPAN-GHC compression was done with [OlegHahm-ghc]. All 6LoWPAN-GHC compression was done with [OlegHahm-ghc].
Authors' Addresses Authors' Addresses
John Mattsson John Preuss Mattsson
Ericsson AB Ericsson AB
Email: john.mattsson@ericsson.com Email: john.mattsson@ericsson.com
Francesca Palombini Francesca Palombini
Ericsson AB Ericsson AB
Email: francesca.palombini@ericsson.com Email: francesca.palombini@ericsson.com
Malisa Vucinic
INRIA
Email: malisa.vucinic@inria.fr
 End of changes. 45 change blocks. 
166 lines changed or deleted 118 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/