CoRE Working Group | A. Rahman, Ed. |
Internet-Draft | InterDigital Communications, LLC |
Intended status: Informational | E.O. Dijk, Ed. |
Expires: November 28, 2013 | Philips Research |
May 27, 2013 |
Group Communication for CoAP
draft-ietf-core-groupcomm-08
CoAP is a RESTful transfer protocol for constrained devices and constrained networks. It is anticipated that constrained devices will often naturally operate in groups (e.g., in a building automation scenario all lights in a given room may need to be switched on/off as a group). This document provides guidance for how the CoAP protocol should be used in a group communication context. An approach for using CoAP on top of IP multicast is detailed. Also, various use cases and corresponding protocol flows are provided to illustrate important concepts. Finally, guidance is provided for deployment in various network topologies.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 28, 2013.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The above key words are used to establish a set of guidelines for CoAP group communication. An implementation of CoAP group communication MAY implement these guidelines; an implementation claiming compliance to this document MUST implement the set.
This document assumes readers are familiar with the terms and concepts that are used in [I-D.ietf-core-coap]. In addition, this document defines the following terminology:
Constrained Application Protocol (CoAP) is a Representational State Transfer (REST) based approach for resource constrained devices operating in an IP network [I-D.ietf-core-coap]. CoAP has many similarities to HTTP [RFC2616] but also has some key differences. Constrained devices can be large in number, but are often highly correlated to each other (e.g., by type or location). For example, all the light switches in a building may belong to one group and all the thermostats may belong to another group. Groups may be pre-configured before deployment or dynamically formed during operation. If information needs to be sent to or received from a group of devices, group communication mechanisms can improve efficiency and latency of communication and reduce bandwidth requirements for a given application. HTTP does not support any equivalent functionality to CoAP group communication.
Group communication involves sending a CoAP Request as an IP Multicast message and handling the potential multitude of (unicast) CoAP Responses. The normative protocol aspects of running CoAP on top of IP Multicast and processing the responses are given in [I-D.ietf-core-coap]. The main contribution of this document lies in providing additional guidance for key group communication features. Among the topics covered are group definition, group resource manipulation, and group configuration. Also, proxy operation and minimizing congestion scenarios for group communication is discussed. Finally, specific use case behavior and deployment guidelines are outlined for CoAP group communication.
IP Multicast protocols have been evolving for decades, resulting in proposed standards such as Protocol Independent Multicast - Sparse Mode (PIM-SM) [RFC4601]. Yet, due to various technical and business reasons, IP Multicast is not widely deployed on the general Internet. However, IP Multicast is very popular in specific deployments such as in enterprise networks (e.g., for video conferencing), smart home networks (e.g., Universal Plug and Play (UPnP)) and carrier IPTV deployments. The packet economy and minimal host complexity of IP multicast make it attractive for group communication in constrained environments.
To achieve IP multicast beyond a subnet, an IP multicast routing or forwarding protocol needs to be active on IP routers. An example of a routing protocol specifically for LLNs is the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) (Section 12 of [RFC6550]) and an example of a forwarding protocol for LLNs is Multicast Protocol for Low power and Lossy Networks (MPL) [I-D.ietf-roll-trickle-mcast]. Finally, PIM-SM [RFC4601] is often used for multicast routing in un-constrained networks.
IP multicast can also be run in a Link-Local (LL) scope. This means that there is no routing involved and an IP multicast message is only received over the link on which it was sent.
For a complete IP multicast solution, in addition to a routing/forwarding protocol, a so-called "listener" protocol is needed for the devices to subscribe to groups (see Section 5.2).
A group is defined as a set of CoAP endpoints, where each endpoint is configured to receive a multicast CoAP request that is sent to the group's associated IP multicast address. An endpoint MAY be a member of multiple groups. Group membership of an endpoint MAY dynamically change over time.
For group communication, the Group URI will be the CoAP request URI. A Group URI has the scheme 'coap' and includes in the authority part either a group IP multicast address plus optional port number; or a hostname (e.g., Group Fully Qualified Domain Name (FQDN)) plus optional port number that can be resolved to the group IP multicast address. Group URIs follow the CoAP URI syntax [I-D.ietf-core-coap]. It is recommended, for sending nodes, to use the IP multicast address literal as the default for the Group URI.
URI authority Targeted group all.bldg6.example.com "all nodes in building 6" all.west.bldg6.example.com "all nodes in west wing, building 6" all.floor1.west.bldg6.examp... "all nodes in floor 1, west wing, building 6" all.bu036.floor1.west.bldg6... "all nodes in office bu036, floor1, west wing, building 6"
If a Group FQDN is used, it can be uniquely mapped to a site-local or global IP multicast address via DNS resolution (if supported). Some examples of hierarchical Group FQDN naming (and scoping) for a building control application are shown below ([I-D.vanderstok-core-dna]):
Similarly, if supported, reverse mapping (from IP multicast address to Group FQDN) is possible using the reverse DNS resolution technique ([I-D.vanderstok-core-dna]).
A CoAP group member listens for CoAP messages on the group's IP multicast address, on a specified UDP port. The default UDP port is the CoAP default port of 5683 but a non-default UDP port MAY be specified for the group; in which case implementers MUST ensure that all group members are configured to use this same port.
Multicast based group communication will not work if there diversity in the authority port (i.e., a diversity of dynamic port addresses across the group) or if the resources are located at different paths on different endpoints. Therefore, some measures must be present to ensure uniformity in port number and resource names/locations within a group. All CoAP multicast requests MUST be sent using the port number as follows:
All CoAP multicast requests SHOULD operate on URI paths ("links") as follows:
Group communication SHALL only be used for idempotent methods (i.e., CoAP GET, PUT, and DELETE). The CoAP messages that are sent via multicast SHALL be Non-Confirmable.
A unicast response per server MAY be sent back to answer the group request (e.g., response "2.05 Content" to a group GET request) taking into account the congestion control rules defined in Section 3.8. The unicast responses received may be a mixture of success (e.g., 2.05 Content) and failure (e.g., 4.04 Not Found) codes depending on the individual server processing result.
Group communication SHALL NOT be used for non-idempotent methods (i.e., CoAP POST). This is because not all group members are guaranteed to receive the multicast request, and the sender cannot readily find out which group members did not receive it.
CoAP defines a resource discovery capability [RFC6690], but does not specify how to discover groups (e.g., find a group to join or send a multicast message to) or how to discover members of a group (e.g., to address selected group members by unicast). A simple ad-hoc method to discover members of a CoAP group would be to send a multicast "CoAP ping" [I-D.ietf-core-coap]. The collected responses to the ping would then give an indication of the group members.
The group membership of a CoAP endpoint may be configured in one of the following ways. First, the group membership may be pre-configured before node deployment. Second, a node may be programmed to discover (query) its group membership during operation using a specific service discovery means. Third, it may be configured during operation by another node (e.g., a commissioning device).
In the first case, the pre-configured group information may be either directly a IP multicast address, or a hostname (FQDN) which is during operation resolved to a IP multicast address by the endpoint using DNS (if supported).
For the second case, a CoAP endpoint may look up its group membership using techniques such as DNS-SD and Resource Directory [I-D.shelby-core-resource-directory]. The latter is detailed more in Section 4.6.
In the third case, typical in scenarios such as building control, a commissioning tool determines to which group a sensor or actuator node belongs, and writes this information to the node, which can subsequently join the correct IP multicast group on its network interface. The information written may again be a IP multicast address or a hostname.
To achieve better interoperability between endpoints from different manufacturers, an OPTIONAL RESTful interface for configuring CoAP endpoints with relevant group information is described here. This interface provides a solution for the third case mentioned above. To access this interface a client MUST use unicast methods (GET/PUT/POST/DELETE) only as it is a method of configuring group information in individual endpoints. Using multicast operations in this situation may lead to unexpected (possibly circular) behavior in the network.
CoAP endpoints implementing this optional mechanism MUST support the group configuration Internet Media Type "application/coap-group+json" (Section 7.2). A resource offering this representation can be annotated for direct discovery [RFC6690] using the resource type (rt) "core.gp" where "gp" is shorthand for "group" (Section 7.1). An authorized controller uses this media type to query/manage group membership of a CoAP endpoint as defined below.
Req: GET /gp Res: 2.05 Content (Content-Format: application/coap-group+json) [ { "n": "Room-A-Lights.floor1.west.bldg6.example.com", "ip": "ff15::4200:f7fe:ed37:14ca" } ]
The group configuration resource has a JSON-based content format (as indicated by the media type). A (unicast) GET on a resource accepting this format returns a JSON array of group objects, each group object formatted as shown below:
Note that each group object in the JSON array represents a single IP multicast group for the endpoint. If there are multiple elements in the array then the endpoint is a member of multiple IP multicast groups.
Req: POST /gp (Content-Format: application/coap-group+json) { "n": "floor1.west.bldg6.example.com", "ip": "ff15::4200:f7fe:ed37:14cb" } Res: 2.04 Changed
A (unicast) POST with a group configuration media type as payload instructs the CoAP endpoint to join the defined group(s). The endpoint adds the specified IP multicast address(es) to its network interface configuration. The endpoint also updates the resource by adding the specified group object(s) to the existing ones:
After any change on a Group configuration resource, the endpoint MUST effect registration/de-registration from the corresponding IP multicast group(s) as soon as possible. Finally, any (unicast) operation to change a CoAP endpoint group membership configuration (i.e., PUT/POST/DELETE) MUST use DTLS-secured CoAP [I-D.ietf-core-coap]. Thus only authorized controllers will be allowed by an endpoint to configure its group membership.
CoAP [I-D.ietf-core-coap] and CoRE Link Format [RFC6690] define normative behaviors for:
This section first summarizes these normative behaviors and then presents additional guidelines for response suppression. Also a number of multicast example applications are given to illustrate the overall approach.
To apply any rules for request and/or response suppression, the IP stack interface of a CoAP server must be able to indicate for an incoming request that the destination address of the request was multicast.
For multicast request acceptance, the behaviors are:
For multicast response suppression, the behaviors are:
The above response suppression behaviors are complemented by the following guidelines. CoAP servers should implement configurable response suppression, enabling at least the following per resource:
A number of group communication example applications are given below to illustrate how to make use of response suppression:
Multicast CoAP requests may result in a multitude of replies from different nodes, potentially causing congestion. Therefore both the sending of multicast requests and sending unicast CoAP responses to multicast requests should be conservatively controlled.
CoAP [I-D.ietf-core-coap] reduces multicast-specific congestion risks through the following measures:
Additional guidelines to reduce congestion risks are:
CoAP [I-D.ietf-core-coap] allows a client to request a forward-proxy to process its CoAP request. For this purpose the client either specifies the request URI as a string in the Proxy-URI option, or it specifies the Proxy-Scheme option with the URI constructed from the usual Uri-* options. This approach works well for unicast requests. However, there are certain issues and limitations of processing the (unicast) responses to a group communication request made in this manner through a proxy. Specifically, if a proxy would apply aggregation of responses in such a case: [I-D.ietf-core-coap], the proxy would simply forward all the individual (unicast) responses to a group communication request to the client (i.e., no aggregation). There are also issues with this approach:
But if a proxy would follow the specification for a CoAP Proxy
Due to above issues, a guideline is defined here that a CoAP Proxy SHOULD NOT support processing a multicast CoAP request but rather return a 501 (Not Implemented) response in such case. The exception case here (i.e., to process it) is allowed under following conditions:
Group communication using IP multicast offers improved network efficiency and latency amongst other benefits. However, group communication may not always be possible to implement in a given network. The primary reason for this will be if IP multicast is not (fully) supported in the network. For example, assume an LLN where the MPL protocol is not supported, but the RPL protocol is used used for routing multicast packets. Also assume the RPL routers operate in "Non-storing mode" [RFC6550]. Then there will be no IP multicast routing in this network beyond link-local scope. This means that any CoAP group communication above link-local scope will not be supported in this network.
The use of CoAP group communication is shown in the context of the following two use cases and corresponding protocol flows:
To illustrate the use cases we define two network configurations. Both are based on the topology as shown in Figure 1. The two configurations using this topology are:
Both configurations are further specified by the following:
Network Backbone ################################################ | # ********************** Room-A # | # ** Subnet-1 ** # | # * ** # | # * +----------+ * # | # * | Light |-------+ * # | # * | Switch | | * # | # * +----------+ +---------+ * # | # * | Rtr-1 |-----------------------------+ # * +---------+ * # | # * +----------+ | * # | # * | Light-1 |--------+ * # | # * +----------+ * # | # * * # | # ** ** # | # ********************** # | # # | # ********************** # | # ** Subnet-2 ** # | # * ** # | # * +----------+ * # | # * | Light-2 |-------+ * # | # * | | | * # | # * +----------+ +---------+ * # | # * | Rtr-2 |-----------------------------+ # * +---------+ * # | # * +----------+ | * # | # * | Light-3 |--------+ * # | # * +----------+ * # +------------+ | # * * # | Controller |--+ # ** ** # | Client | | # ********************** # +------------+ | ################################################ | | +------------+ | | CoAP | | | Resource |-----------------+ | Directory | | +------------+ | +------------+ | | DNS Server | | | (Optional) |-----------------+ +------------+
Figure 1: Network Topology of a Large Room (Room-A)
The protocol flow for discovery of the CoAP RD for the given network (of Figure 1) is shown in Figure 2:
The CoAP RD may also be discovered by other means such as by assuming a default location (e.g., on a 6LBR), using DHCP, anycast address, etc. However, these approaches do not invoke CoAP group communication so are not further discussed here.
For other discovery use cases such as discovering local CoAP servers, services or resources group communication can be used in a similar fashion as in the above use case. Both Link-Local (LL) and site-local discovery are possible this way.
Light CoAP Light-1 Light-2 Light-3 Switch Rtr-1 Rtr-2 RD | | | | | | | | | | | | | | ********************************** | | | * Light-2 is installed * | | | * and powers on for first time * | | | ********************************** | | | | | | | | | | | | | | | | | | | COAP NON Mcast(GET | | | | /.well-known/core?rt=core.rd) | | | |--------->-------------------------------->| | | | | | | |--------->| | | | | | | | | | | | | | | | | COAP NON (2.05 Content | | | | </rd>;rt="core.rd";ins="Primary") |<---------| | |<------------------------------------------| | | | | | | | |
Figure 2: Resource Directory Discovery via Multicast Message
The protocol flow for a building automation lighting control scenario for the network (Figure 1) in 6LoWPAN configuration is shown in sequence in Figure 3 for the case that the CoAP servers in each Light are configured to not generate a CoAP response to lighting control CoAP multicast requests. (See Section 3.7 for more details on response suppression by a server.)
In addition, Figure 4 shows a protocol flow example for the case that servers do respond to a lighting control multicast request with (unicast) CoAP NON responses. There are two success responses and one 5.00 error response. In this particular use case the Light Switch does not check, based on the responses, that all Lights in the group actually received the multicast request, because it is not configured with an exhaustive list of IP addresses of all Lights belonging to the group. However, based on received error responses it could take additional action such as logging a fault or alerting the user via its LCD display.
Reliability of CoAP multicast is not guaranteed. Therefore, one or more lights in the group may not have received the CoAP control request due to packet loss. In this use case there is no detection nor correction of such situations: the application layer expects that the multicast forwarding/routing will be of sufficient quality to provide on average a very high probability of packet delivery to all CoAP endpoints in a multicast group. An example protocol to accomplish this is the MPL forwarding protocol for LLNs [I-D.ietf-roll-trickle-mcast].
We assume the following steps have already occurred before the illustrated flows:
Note for the Commissioning phase: the switch's software supports sending unicast, multicast or proxied unicast/multicast CoAP requests, including processing of the multiple responses that may be generated by a multicast CoAP request.
Light Network Light-1 Light-2 Light-3 Switch Rtr-1 Rtr-2 Backbone | | | | | | | | | | | | | | | | *********************** | | | | * User flips on * | | | | * light switch to * | | | | * turn on all the * | | | | * lights in Room A * | | | | *********************** | | | | | | | | | | | | | | | | | | | COAP NON Mcast(PUT, | | | | | Payload=lights ON) | | |<-------------------------------+--------->| | | ON | | | |-------------------->| | | | | | |<---------| | |<---------|<-------------------------------| | | ON ON | | | | ^ ^ ^ | | | | *********************** | | | | * Lights in Room-A * | | | | * turn on (nearly * | | | | * simultaneously) * | | | | *********************** | | | | | | | | | | |
Figure 3: Light Switch Sends Multicast Control Message
Light Network Light-1 Light-2 Light-3 Switch Rtr-1 Rtr-2 Backbone | | | | | | | | COAP NON (2.04 Changed) | | | | |------------------------------->| | | | | | | | | | | | | | | | | | | COAP NON (2.04 Changed) | | | | |------------------------------------------>| | | | | | | |--------->| | | | | |<--------------------| | | | |<---------| | | | | | | | | | | | COAP NON (5.00 Internal Server Error) | | | |------------------------------->| | | | | | | |--------->| | | | | |<--------------------| | | | |<---------| | | | | | | | | |
Figure 4: Lights (Optionally) Respond to Multicast CoAP Request
Another, but similar, lighting control use case is shown in Figure 5. In this case a controller connected to the Network Backbone sends a CoAP multicast request to turn on all lights in Room-A. Every Light sends back a CoAP response to the Controller after being turned on.
Network Light-1 Light-2 Light-3 Rtr-1 Rtr-2 Backbone Controller | | | | | | | | | | | | COAP NON Mcast(PUT, | | | | | Payload=lights ON) | | | | | |<-------| | | | |<----------<---------| | |<--------------------------------| | | | ON | | | | | | | |<----------<---------------------| | | | ON ON | | | | ^ ^ ^ | | | | *********************** | | | | * Lights in Room-A * | | | | * turn on (nearly * | | | | * simultaneously) * | | | | *********************** | | | | | | | | | | | | | | | | | | | COAP NON (2.04 Changed) | | | | |-------------------------------->| | | | | | | |-------------------->| | | | COAP NON (2.04 Changed) | |------->| | |-------------------------------->| | | | | | | |--------->| | | | | COAP NON (2.04 Changed) |------->| | | |--------------------->| | | | | | | |--------->| | | | | | | |------->| | | | | | | |
Figure 5: Controller On Backbone Sends Multicast Control Message
The use case of previous section can also apply in networks where nodes support the MLD protocol [RFC3810]. The Lights then take on the role of MLDv2 listener and the routers (Rtr-1, Rtr-2) are MLDv2 Routers. In the Ethernet based network configuration, MLD may be available on all involved network interfaces. Use of MLD in the 6LoWPAN based configuration is also possible, but requires MLD support in all nodes in the 6LoWPAN which is usually not implemented in many deployments.
The resulting protocol flow is shown in Figure 6. This flow is executed after the commissioning phase, as soon as Lights are configured with a group address to listen to. The (unicast) MLD Reports may require periodic refresh activity as specified by the MLD protocol. In the figure, LL denotes Link Local communication.
After the shown sequence of MLD Report messages has been executed, both Rtr-1 and Rtr-2 are automatically configured to forward multicast traffic destined to Room-A-Lights onto their connected subnet. Hence, no manual Network Configuration of routers, as previously indicated in Section 4.4, is needed anymore.
Light Network Light-1 Light-2 Light-3 Switch Rtr-1 Rtr-2 Backbone | | | | | | | | | | | | | | | | | | | | | | MLD Report: Join | | | | | | Group (Room-A-Lights) | | | | |---LL------------------------------------->| | | | | | | |MLD Report: Join | | | | | |Group (Room-A-Lights)| | | | | |---LL---->----LL---->| | | | | | | | | | MLD Report: Join | | | | | | Group (Room-A-Lights) | | | | |---LL------------------------------------->| | | | | | | | | | | | MLD Report: Join | | | | | | Group (Room-A-Lights) | | | | |---LL-------------------------->| | | | | | | | | | | | | |MLD Report: Join | | | | | |Group (Room-A-Lights)| | | | | |<--LL-----+---LL---->| | | | | | | | | | | | | | |
Figure 6: Joining Lighting Groups Using MLD
This section outlines how devices in the lighting use case (both Switches and Lights) can be commissioned, making use of Resource Directory [I-D.shelby-core-resource-directory] and its group configuration feature.
Once the Resource Directory (RD) is discovered, the Switches and Lights need to be discovered and their groups need to be defined. For the commissioning of these devices, a commissioning tool can be used that defines the entries in the RD. The commissioning tool has the authority to change the contents of the RD and the nodes. DTLS based security is used by the commissioning tool to modify operational data in RD, Switches and Lights.
In our particular use case, a group of three lights is defined with one multicast address and hostname "Room-A-Lights.floor1.west.bldg6.example.com". The commissioning device has a list of the three lights and the associated multicast address. For each light in the list the tool learns the IP address of the light and instructs the RD with 3 POST commands to store the end-points associated with the three lights as prescribed by RD. Finally the commissioning device defines the group in the RD to contain these three end-points. Also the commissioning tool writes the MC address in the Lights with, for example, the POST /gp command discussed in Section 3.6.
The light switch can discover the group in RD and learn the MC address of the group. The light switch will use this address to send MC commands to the members of the group. When the message arrives the Lights should recognize the MC address and accept the message.
This section provides guidelines how an IP Multicast based solution for CoAP group communication can be deployed in various network configurations.
CoAP group communication can be deployed in various network topologies. First, the target network may be a regular IP network, or a LLN such as a 6LoWPAN network, or consist of mixed constrained/unconstrained network segments. Second, it may be a single subnet only or multi-subnet; e.g., multiple 6LoWPAN networks joined by a single backbone LAN. Third, a wireless network segment may have all nodes reachable in a single IP hop, or it may require multiple IP hops for some pairs of nodes to reach each other.
Each topology may pose different requirements on the configuration of routers and protocol(s), in order to enable efficient CoAP group communication.
If a multicast routing/forwarding protocol is used in a network, server nodes that intend to receive CoAP multicast requests generally require a method to advertise the specific IP multicast address(es) they want to receive (i.e., a method to join specific IP multicast groups). This section identifies the ways in which this can be accomplished.
CoAP nodes that are IP hosts (i.e., not IP routers) are generally unaware of the specific multicast routing/forwarding protocol being used. When such a host needs to join a specific (CoAP) multicast group, it requires a way to signal to multicast routers which multicast traffic it wants to receive. For efficient multicast routing (i.e., avoid always flooding IP multicast packets), routers must know which hosts need to receive packets addressed to specific IP multicast destinations.
The Multicast Listener Discovery (MLD) protocol [RFC3810] (Appendix A) is the standard IPv6 method to achieve this. [RFC6636] discusses tuning of MLD for mobile and wireless networks. These guidelines may be useful when implementing MLD in LLNs.
Alternatively, to avoid the use of MLD in LLN deployments, either all nodes can be configured as multicast routers in an LLN, or a multicast forwarding/flooding protocol can be used that forwards any IP multicast packet to all forwarders (routers) in the subnet (LLN).
The RPL routing protocol [RFC6550] defines in Section 12 the advertisement of IP multicast destinations using DAO messages. This mechanism can be used by CoAP nodes (which are also RPL routers) to advertise IP multicast group membership to other RPL routers. Then, the RPL protocol can route multicast CoAP requests over multiple hops to the correct CoAP servers.
This mechanism can be used as a means to convey IP multicast group membership information to an edge router (e.g., 6LBR), in case the edge router is also the root of the RPL DODAG. This could be useful in LLN segments where MLD is not available and the edge router needs to know what IP multicast traffic to pass through from the backbone network into the LLN subnet.
The MPL forwarding protocol [I-D.ietf-roll-trickle-mcast] can be used in a predefined network domain for propagation of IP multicast packets to all MPL routers, over multiple hops. MPL is designed to work in LLN deployments. Due to its property of propagating all (non-link-local) IP multicast packets to all MPL routers, there is in principle no need for CoAP server nodes to advertise IP multicast group membership assuming that any IP multicast source is also part of the MPL domain.
To support multi-LoWPAN scenarios for CoAP group communication, it is RECOMMENDED that a 6LoWPAN Border Router (6LBR) will act in an MLD Router role on the backbone link. If this is not possible then the 6LBR SHOULD be configured to act as an MLD Multicast Address Listener and/or MLD Snooper (Appendix A) on the backbone link.
To avoid that backbone IP multicast traffic needlessly congests 6LoWPAN network segments, it is RECOMMENDED that a filtering means is implemented to block IP multicast traffic from 6LoWPAN segments where none of the 6LoWPAN nodes listen to this traffic. Possible means are:
This section describes the relevant security configuration for CoAP group communication using IP multicast. The threats to CoAP group communication are also identified and various approaches to mitigate these threats are summarized.
As defined in [I-D.ietf-core-coap], CoAP group communication based on IP multicast must use the following security modes:
Essentially the above configuration means that there is no security at the CoAP layer for group communication. This is due to the fact that the current DTLS based approach for CoAP is exclusively unicast oriented and does not support group security features such as group key exchange and group authentication. As a direct consequence of this, CoAP group communication is vulnerable to all attacks mentioned in [I-D.ietf-core-coap] for IP multicast.
[I-D.ietf-core-coap] identifies various threat mitigation techniques for CoAP IP multicast. In addition to those guidelines, it is recommended that for sensitive data or safety-critical control, a combination of appropriate link-layer security and administrative control of IP multicast boundaries should be used. Some examples are given below.
In a home automation scenario (using WiFi), the WiFi encryption should be enabled to prevent rogue nodes from joining. Also, if MAC address filtering at the WiFi Access Point is supported that should also be enabled. The IP router should have the fire wall enabled to isolate the home network from the rest of the Internet. In addition, the domain of the IP multicast should be set to be either link-local scope or site-local scope. Finally, if possible, devices should be configured to accept only Source Specific Multicast (SSM) packets (see [RFC4607]) from within the trusted home network. For example, all lights in a particular room should only accept IP multicast traffic originating from the master light switch in that room. In this case, the Spoofed Source Address considerations of Section 7.4 of [RFC4607] should be heeded.
In a building automation scenario, a particular room may have a single 6LoWPAN topology with a single Edge Router (6LBR). Nodes on the subnet can use link-layer encryption to prevent rogue nodes from joining. The 6LBR can be configured so that it blocks any incoming IP multicast traffic. Another example topology could be a multi-subnet 6LoWPAN in a large conference room. In this case, the backbone can implement port authentication (IEEE 802.1X) to ensure only authorized devices can join the Ethernet backbone. The access router to this secured segment can also be configured to block incoming IP multicast traffic.
In the future, to further mitigate the threats, the developing approach for DTLS-based IP multicast security for CoAP networks (see [I-D.keoh-tls-multicast-security]) or similar approaches should be considered once they mature.
This memo registers a new resource type (rt) from the CoRE Parameters Registry called 'core.gp'.
(Note to IANA/RFC Editor: This registration follows the process described in section 7.4 of [RFC6690]).
Attribute Value: core.gp
Description: Optional Group Configuration resource. This resource is used to query/manage the group membership of a CoAP server.
Reference: See Section 3.6.
This memo registers a new Internet Media Type for CoAP group configuration resource called 'application/coap-group+json'.
(Note to IANA/RFC Editor: This registration follows the guidance from [RFC6839], and [I-D.ietf-core-coap] section 12.3 (last paragraph)).
Type name: application
Subtype name: coap-group+json
Required parameters: None
Optional parameters: None
Encoding considerations: 8bit if UTF-8; binary if UTF-16 or UTF-32.
JSON may be represented using UTF-8, UTF-16, or UTF-32. When JSON is written in UTF-8, JSON is 8bit compatible. When JSON is written in UTF-16 or UTF-32, the binary content-transfer-encoding must be used.
If the client is aware that the server group configuration resource is 8bit encoded (which is most efficient for a constrained device), that encoding should be respected by the client (i.e., it should not try to replace it by a binary encoded group configuration resource).
Security considerations:
Denial of Service attacks could be performed by constantly setting the group configuration resource of a CoAP endpoint. This will cause the endpoint to register (or de-register) from the related IP multicast group. To prevent this it is mandatory that DTLS-secured CoAP communication be used for setting the group configuration resource. Thus only authorized clients will be allowed by a server to configure its group membership.
Interoperability considerations: None
Published specification: (This I-D when it becomes an RFC)
Applications that use this media type:
CoAP client and server implementations that wish to set/read the group configuration resource via 'application/coap-group+json' payload as described in Section 3.6.
Additional Information:
Magic number(s): None
File extension(s): *.json
Macintosh file type code(s): TEXT
Intended usage: COMMON
Restrictions on usage: None
Author: CoRE WG
Change controller: IETF
Thanks to Peter Bigot, Carsten Bormann, Anders Brandt, Angelo Castellani, Bjoern Hoehrmann, Matthias Kovatsch, Guang Lu, Salvatore Loreto, Kerry Lynn, Dale Seed, Zach Shelby, Peter van der Stok, and Juan Carlos Zuniga for their helpful comments and discussions that have helped shape this document.
[I-D.ietf-core-block] | Bormann, C. and Z. Shelby, "Blockwise transfers in CoAP", Internet-Draft draft-ietf-core-block-11, March 2013. |
[I-D.vanderstok-core-dna] | Stok, P., Lynn, K. and A. Brandt, "CoRE Discovery, Naming, and Addressing", Internet-Draft draft-vanderstok-core-dna-02, July 2012. |
[I-D.ietf-roll-trickle-mcast] | Hui, J. and R. Kelsey, "Multicast Protocol for Low power and Lossy Networks (MPL)", Internet-Draft draft-ietf-roll-trickle-mcast-04, February 2013. |
[I-D.keoh-tls-multicast-security] | Keoh, S., Kumar, S. and E. Dijk, "DTLS-based Multicast Security for Low-Power and Lossy Networks (LLNs)", Internet-Draft draft-keoh-tls-multicast-security-00, October 2012. |
[I-D.shelby-core-resource-directory] | Shelby, Z., Krco, S. and C. Bormann, "CoRE Resource Directory", Internet-Draft draft-shelby-core-resource-directory-05, February 2013. |
In order to extend the scope of IP multicast beyond link-local scope, an IP multicast routing or forwarding protocol has to be active in routers on an LLN. To achieve efficient multicast routing (i.e., avoid always flooding IP multicast packets), routers have to learn which hosts need to receive packets addressed to specific IP multicast destinations.
The Multicast Listener Discovery (MLD) protocol [RFC3810] (or its IPv4 pendant IGMP) is today the method of choice used by an (IP multicast enabled) router to discover the presence of multicast listeners on directly attached links, and to discover which multicast addresses are of interest to those listening nodes. MLD was specifically designed to cope with fairly dynamic situations in which multicast listeners may join and leave at any time.
IGMP/MLD Snooping is a technique implemented in some corporate LAN routing/switching devices. An MLD snooping switch listens to MLD State Change Report messages from MLD listeners on attached links. Based on this, the switch learns on what LAN segments there is interest for what IP multicast traffic. If the switch receives at some point an IP multicast packet, it uses the stored information to decide onto which LAN segment(s) to send the packet. This improves network efficiency compared to the regular behavior of forwarding every incoming multicast packet onto all LAN segments. An MLD snooping switch may also send out MLD Query messages (which is normally done by a device in MLD Router role) if no MLD Router is present.
[RFC6636] discusses optimal tuning of the parameters of MLD for routers for mobile and wireless networks. These guidelines may be useful when implementing MLD in LLNs.
Changes from ietf-07 to ietf-08:
Changes from ietf-06 to ietf-07:
Changes from ietf-05 to ietf-06:
Changes from ietf-04 to ietf-05:
Changes from ietf-03 to ietf-04:
Changes from ietf-02 to ietf-03:
Changes from ietf-01 to ietf-02:
Changes from ietf-00 to ietf-01:
Changes from rahman-07 to ietf-00: