Internet DRAFT - draft-mattsson-lwig-security-protocol-comparison
draft-mattsson-lwig-security-protocol-comparison
Network Working Group J. Mattsson
Internet-Draft F. Palombini
Intended status: Informational Ericsson AB
Expires: September 20, 2018 March 19, 2018
Comparison of CoAP Security Protocols
draft-mattsson-lwig-security-protocol-comparison-01
Abstract
This document analyzes and compares per-packet message size overheads
when using different security protocols to secure CoAP. The analyzed
security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, and
OSCORE. DTLS and TLS are analyzed with and without 6LoWPAN-GHC
compression. DTLS is analyzed with and without Connection ID.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 20, 2018.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Mattsson & Palombini Expires September 20, 2018 [Page 1]
Internet-Draft CoAP Security Overhead March 2018
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Overhead of Security Protocols . . . . . . . . . . . . . . . 3
2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 3
2.1.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 4
2.1.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 4
2.1.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 5
2.2. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 6
2.2.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 6
2.2.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 7
2.2.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 7
2.2.5. DTLS 1.3 with short header . . . . . . . . . . . . . 8
2.2.6. DTLS 1.3 with short header and 6LoWPAN-GHC . . . . . 8
2.3. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 9
2.3.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 9
2.4. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.4.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 10
2.4.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 10
2.5. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 11
3. Overhead with Different Parameters . . . . . . . . . . . . . 12
4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5. Security Considerations . . . . . . . . . . . . . . . . . . . 15
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
7. Informative References . . . . . . . . . . . . . . . . . . . 15
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
This document analyzes and compares per-packet message size overheads
when using different security protocols to secure CoAP over UPD
[RFC7252] and TCP [RFC8323]. The analyzed security protocols are
DTLS 1.2 [RFC6347], DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2
[RFC5246], TLS 1.3 [I-D.ietf-tls-tls13], and OSCORE
[I-D.ietf-core-object-security]. The DTLS and TLS record layers are
analyzed with and without compression. DTLS is anlyzed with and
without Connection ID [I-D.ietf-tls-dtls-connection-id] and DTLS 1.3
is analyzed with and without the use of the short header. Readers
are expected to be familiar with some of the terms described in RFC
7925 [RFC7925], such as ICV.
Mattsson & Palombini Expires September 20, 2018 [Page 2]
Internet-Draft CoAP Security Overhead March 2018
2. Overhead of Security Protocols
To enable comparison, all the overhead calculations in this section
use AES-CCM with a tag length of 8 bytes (i.e. AES_128_CCM_8, AES-
CCM-16-64, or AES-CCM-64-64), a plaintext of 6 bytes, and the
sequence number '05'. This follows the example in [RFC7400],
Figure 16.
Note that the compressed overhead calculations for DLTS 1.2, DTLS
1.3, TLS 1.2 and TLS 1.3 are dependent on the parameters epoch,
sequence number, and length, and all the overhead calculations are
dependent on the parameter Connection ID when used. Note that the
OSCORE overhead calculations are dependent on the CoAP option
numbers, as well as the length of the OSCORE parameters Sender ID and
Sequence Number. The following are only examples.
2.1. DTLS 1.2
2.1.1. DTLS 1.2
This section analyzes the overhead of DTLS 1.2 [RFC6347]. The nonce
follow the strict profiling given in [RFC7925]. This example is
taken directly from [RFC7400], Figure 16.
DTLS 1.2 Record Layer (35 bytes, 29 bytes overhead):
17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00
00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9
Content type:
17
Version:
fe fd
Epoch:
00 01
Sequence number:
00 00 00 00 00 05
Length:
00 16
Nonce:
00 01 00 00 00 00 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
DTLS 1.2 gives 29 bytes overhead.
Mattsson & Palombini Expires September 20, 2018 [Page 3]
Internet-Draft CoAP Security Overhead March 2018
2.1.2. DTLS 1.2 with 6LoWPAN-GHC
This section analyzes the overhead of DTLS 1.2 [RFC6347] when
compressed with [RFC7400]. The compression was done with
[OlegHahm-ghc].
Note that the sequence number '01' used in [RFC7400], Figure 15 gives
an exceptionally small overhead that is not representative.
Note that this header compression is not available when DTLS is
exchanged over transports that do not use 6LoWPAN together with
6LoWPAN-GHC.
Compressed DTLS 1.2 Record Layer (22 bytes, 16 bytes overhead):
b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff
8a 24 e4 cb 35 b9
Compressed DTLS 1.2 Record Layer Header and Nonce:
b0 c3 03 05 00 16 f2 0e
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
(epoch, sequence number, length) gives 16 bytes overhead.
2.1.3. DTLS 1.2 with Connection ID
This section analyzes the overhead of DTLS 1.2 [RFC6347] with
Connection ID [I-D.ietf-tls-dtls-connection-id]. The overhead
calculations in this section uses Connection ID = '42'. DTLS with a
Connection ID = '' (the empty string) is equal to DTLS without
Connection ID.
Mattsson & Palombini Expires September 20, 2018 [Page 4]
Internet-Draft CoAP Security Overhead March 2018
DTLS 1.2 Record Layer (36 bytes, 30 bytes overhead):
17 fe fd 00 01 00 00 00 00 00 05 42 00 16 00 01
00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24
e4 cb 35 b9
Content type:
17
Version:
fe fd
Epoch:
00 01
Sequence number:
00 00 00 00 00 05
Connection ID:
42
Length:
00 16
Nonce:
00 01 00 00 00 00 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
DTLS 1.2 with Connection ID gives 30 bytes overhead.
2.1.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC
This section analyzes the overhead of DTLS 1.2 [RFC6347] with
Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with
[RFC7400] [OlegHahm-ghc].
Note that the sequence number '01' used in [RFC7400], Figure 15 gives
an exceptionally small overhead that is not representative.
Note that this header compression is not available when DTLS is
exchanged over transports that do not use 6LoWPAN together with
6LoWPAN-GHC.
Mattsson & Palombini Expires September 20, 2018 [Page 5]
Internet-Draft CoAP Security Overhead March 2018
Compressed DTLS 1.2 Record Layer (23 bytes, 17 bytes overhead):
b0 c3 04 05 42 00 16 f2 0e ae a0 15 56 67 92 4d
ff 8a 24 e4 cb 35 b9
Compressed DTLS 1.2 Record Layer Header and Nonce:
b0 c3 04 05 42 00 16 f2 0e
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
(epoch, sequence number, Connection ID, length) gives 17 bytes
overhead.
2.2. DTLS 1.3
2.2.1. DTLS 1.3
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13].
The changes compared to DTLS 1.2 are: omission of version number,
merging of epoch and sequence number fields (of total 8 bytes) into
one 4-bytes-field.
DTLS 1.3 Record Layer (22 bytes, 16 bytes overhead):
17 40 00 00 05 00 0f ae a0 15 56 67 92 ec 4d ff
8a 24 e4 cb 35 b9
Content type:
17
Epoch and Sequence:
40 00 00 05
Length:
00 0f
Ciphertext (including encrypted ContentType):
ae a0 15 56 67 92 ec
ICV:
4d ff 8a 24 e4 cb 35 b9
DTLS 1.3 gives 16 bytes overhead.
2.2.2. DTLS 1.3 with 6LoWPAN-GHC
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
when compressed with [RFC7400] [OlegHahm-ghc].
Mattsson & Palombini Expires September 20, 2018 [Page 6]
Internet-Draft CoAP Security Overhead March 2018
Note that this header compression is not available when DTLS is
exchanged over transports that do not use 6LoWPAN together with
6LoWPAN-GHC.
Compressed DTLS 1.3 Record Layer (23 bytes, 17 bytes overhead):
02 17 40 80 12 05 00 0f ae a0 15 56 67 92 ec 4d
ff 8a 24 e4 cb 35 b9
Compressed DTLS 1.3 Record Layer Header and Nonce:
02 17 40 80 12 05 00 0f
Ciphertext (including encrypted ContentType):
ae a0 15 56 67 92 ec
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
(epoch, sequence number, length) gives 17 bytes overhead.
2.2.3. DTLS 1.3 with Connection ID
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
with Connection ID [I-D.ietf-tls-dtls-connection-id].
DTLS 1.3 Record Layer (23 bytes, 17 bytes overhead):
17 40 00 00 05 42 00 0f ae a0 15 56 67 92 ec 4d
ff 8a 24 e4 cb 35 b9
Content type:
17
Epoch and Sequence:
40 00 00 05
Connection ID:
42
Length:
00 0f
Ciphertext (including encrypted ContentType):
ae a0 15 56 67 92 ec
ICV:
4d ff 8a 24 e4 cb 35 b9
DTLS 1.3 gives 17 bytes overhead.
2.2.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed
with [RFC7400] [OlegHahm-ghc].
Mattsson & Palombini Expires September 20, 2018 [Page 7]
Internet-Draft CoAP Security Overhead March 2018
Note that this header compression is not available when DTLS is
exchanged over transports that do not use 6LoWPAN together with
6LoWPAN-GHC.
Compressed DTLS 1.3 Record Layer (24 bytes, 18 bytes overhead):
02 17 40 80 13 05 42 00 0f ae a0 15 56 67 92 ec
4d ff 8a 24 e4 cb 35 b9
Compressed DTLS 1.3 Record Layer Header and Nonce:
02 17 40 80 13 05 42 00 0f
Ciphertext (including encrypted ContentType):
ae a0 15 56 67 92 ec
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
(epoch, sequence number, Connection ID, length) gives 18 bytes
overhead.
2.2.5. DTLS 1.3 with short header
This section analyzes the overhead of DTLS 1.3 with short header
format [I-D.ietf-tls-dtls13]. The short header format for DTLS 1.3
reduces the header of 5 bytes, by omitting the length value and
sending 1 lower bit of epoch value instead of 2, and 12 lower bits of
sequence number instead of 30.
DTLS 1.3 Record Layer (17 bytes, 11 bytes overhead):
30 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35
b9
DTLS 1.3 short header:
30 05
Ciphertext (including encrypted ContentType):
ae a0 15 56 67 92 ec
ICV:
4d ff 8a 24 e4 cb 35 b9
DTLS 1.3 with short header gives 11 bytes overhead.
2.2.6. DTLS 1.3 with short header and 6LoWPAN-GHC
This section analyzes the overhead of DTLS 1.3 with short header
[I-D.ietf-tls-dtls13] when compressed with [RFC7400] [OlegHahm-ghc].
Mattsson & Palombini Expires September 20, 2018 [Page 8]
Internet-Draft CoAP Security Overhead March 2018
Compressed DTLS 1.3 Record Layer (18 bytes, 12 bytes overhead)
11 30 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb
35 b9
Compressed DTLS 1.3 short header (including sequence number)
11 30 05
Ciphertext (including encrypted ContentType):
ae a0 15 56 67 92 ec
ICV:
4d ff 8a 24 e4 cb 35 b9
Compressed DTLS 1.3 with short header gives 12 bytes overhead.
2.3. TLS 1.2
2.3.1. TLS 1.2
This section analyzes the overhead of TLS 1.2 [RFC5246]. The changes
compared to DTLS 1.2 is that the TLS 1.2 record layer does not have
epoch and sequence number, and that the version is different.
TLS 1.2 Record Layer (27 bytes, 21 bytes overhead):
17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15
56 67 92 4d ff 8a 24 e4 cb 35 b9
Content type:
17
Version:
03 03
Length:
00 16
Nonce:
00 00 00 00 00 00 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
TLS 1.2 gives 21 bytes overhead.
2.3.2. TLS 1.2 with 6LoWPAN-GHC
This section analyzes the overhead of TLS 1.2 [RFC5246] when
compressed with [RFC7400] [OlegHahm-ghc].
Note that this header compression is not available when TLS is
exchanged over transports that do not use 6LoWPAN together with
6LoWPAN-GHC.
Mattsson & Palombini Expires September 20, 2018 [Page 9]
Internet-Draft CoAP Security Overhead March 2018
Compressed TLS 1.2 Record Layer (23 bytes, 17 bytes overhead):
05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d
ff 8a 24 e4 cb 35 b9
Compressed TLS 1.2 Record Layer Header and Nonce:
05 17 03 03 00 16 85 0f 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters
(epoch, sequence number, length) gives 17 bytes overhead.
2.4. TLS 1.3
2.4.1. TLS 1.3
This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13].
The change compared to TLS 1.2 is that the TLS 1.3 record layer uses
a different version.
TLS 1.3 Record Layer (20 bytes, 14 bytes overhead):
17 03 03 00 16 ae a0 15 56 67 92 ec 4d ff 8a 24
e4 cb 35 b9
Content type:
17
Legacy Version:
03 03
Length:
00 0f
Ciphertext (including encrypted ContentType):
ae a0 15 56 67 92 ec
ICV:
4d ff 8a 24 e4 cb 35 b9
TLS 1.3 gives 14 bytes overhead.
2.4.2. TLS 1.3 with 6LoWPAN-GHC
This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13]
when compressed with [RFC7400] [OlegHahm-ghc].
Note that this header compression is not available when TLS is
exchanged over transports that do not use 6LoWPAN together with
6LoWPAN-GHC.
Mattsson & Palombini Expires September 20, 2018 [Page 10]
Internet-Draft CoAP Security Overhead March 2018
Compressed TLS 1.3 Record Layer (21 bytes, 15 bytes overhead)
14 17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a
24 e4 cb 35 b9
Compressed TLS 1.3 Record Layer Header and Nonce:
14 17 03 03 00 0f
Ciphertext (including encrypted ContentType):
ae a0 15 56 67 92 ec
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters
(epoch, sequence number, length) gives 15 bytes overhead.
2.5. OSCORE
This section analyzes the overhead of OSCORE
[I-D.ietf-core-object-security].
Note that Sender ID = '' (empty string) can only be used by one
client per server.
The examples below assume that the original messages does not have
payload (note that this does not affect the overhead).
The below calculation Option Delta = '9', Sender ID = '' (empty
string), and Sequence Number = '05', and is only an example.
OSCORE Request (19 bytes, 13 bytes overhead):
92 09 05
ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9
CoAP Option Delta and Length
92
Option Value (flag byte and sequence number):
09 05
Payload Marker
ff
Ciphertext (including encrypted code):
ec ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
The below calculation Option Delta = '9', Sender ID = '42', and
Sequence Number = '05', and is only an example.
Mattsson & Palombini Expires September 20, 2018 [Page 11]
Internet-Draft CoAP Security Overhead March 2018
OSCORE Request (20 bytes, 14 bytes overhead):
93 09 05 42
ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9
CoAP Option Delta and Length
93
Option Value (flag byte, sequence number, and Sender ID):
09 05 42
Payload Marker
ff
Ciphertext (including encrypted code):
ec ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
The below calculation uses Option Delta = '9'.
OSCORE Response (17 bytes, 11 bytes overhead):
90
ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9
CoAP Delta and Option Length:
90
Option Value
-
Payload Marker
ff
Ciphertext (including encrypted code):
ec ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
OSCORE with the above parameters gives 13-14 bytes overhead for
requests and 11 bytes overhead for responses.
Unlike DTLS and TLS, OSCORE has much smaller overhead for responses
than requests.
3. Overhead with Different Parameters
The DTLS overhead is dependent on the parameter Connection ID. The
following overheads apply for all Connection IDs with the same
length.
The compression overhead (GHC) is dependent on the parameters epoch,
sequence number, Connection ID, and length (where applicable). The
following overheads should be representative for sequence numbers and
Connection IDs with the same length.
Mattsson & Palombini Expires September 20, 2018 [Page 12]
Internet-Draft CoAP Security Overhead March 2018
The OSCORE overhead is dependent on the included CoAP Option numbers
as well as the length of the OSCORE parameters Sender ID and sequence
number. The following overheads apply for all sequence numbers and
Sender IDs with the same length.
Sequence Number '05' '1005' '100005'
-------------------------------------------------------------
DTLS 1.2 29 29 29
DTLS 1.3 16 16 16
DTLS 1.3 (short header) 11 11 11
-------------------------------------------------------------
DTLS 1.2 (GHC) 16 16 16
DTLS 1.3 (GHC) 17 17 17
DTLS 1.3 (short header) (GCH) 12 12 12
-------------------------------------------------------------
TLS 1.2 21 21 21
TLS 1.3 14 14 14
-------------------------------------------------------------
TLS 1.2 (GHC) 17 18 19
TLS 1.3 (GHC) 15 16 17
-------------------------------------------------------------
OSCORE Request 13 14 15
OSCORE Response 11 11 11
Figure 1: Overhead in bytes as a function of sequence number
(Connection/Sender ID = '')
Connection/Sender ID '' '42' '4002'
-------------------------------------------------------------
DTLS 1.2 29 30 31
DTLS 1.3 16 17 18
DTLS 1.3 (short header) 11 12 13
-------------------------------------------------------------
DTLS 1.2 (GHC) 16 17 18
DTLS 1.3 (GHC) 17 18 19
DTLS 1.3 (short header) (GCH) 12 13 14
-------------------------------------------------------------
OSCORE Request 13 14 15
OSCORE Response 11 11 11
Figure 2: Overhead in bytes as a function of Connection/Sender ID
(Sequence Number = '05')
Mattsson & Palombini Expires September 20, 2018 [Page 13]
Internet-Draft CoAP Security Overhead March 2018
Protocol Overhead Overhead (GHC)
-------------------------------------------------------------
DTLS 1.2 21 8
DTLS 1.3 8 9
DTLS 1.3 (short header) 3 4
-------------------------------------------------------------
TLS 1.2 13 9
TLS 1.3 6 7
-------------------------------------------------------------
OSCORE Request 5
OSCORE Response 3
Figure 3: Overhead (excluding ICV) in bytes (Connection/Sender
ID = '', Sequence Number = '05')
4. Summary
DTLS 1.2 has quite a large overhead as it uses an explicit sequence
number and an explicit nonce. TLS 1.2 has significantly less (but
not small) overhead. TLS 1.3 and DTLS 1.3 have quite small overhead.
OSCORE and DTLS 1.3 with short header format has very small overhead.
The Generic Header Compression (6LoWPAN-GHC) can in addition to DTLS
1.2 handle TLS 1.2, and DTLS 1.2 with Connection ID. The Generic
Header Compression (6LoWPAN-GHC) works very well for Connection ID
and the overhead seems to increase exactly with the length of the
Connection ID (which is optimal). The compression of TLS 1.2 is not
as good as the compression of DTLS 1.2 (as the static dictionary only
contains the DTLS 1.2 version number). Similar compression levels as
for DTLS could be achieved also for TLS 1.2, but this would require
different static dictionaries. For TLS 1.3 and DTLS 1.3, GHC
increases the overhead. The 6LoWPAN-GHC header compression is not
available when (D)TLS is exchanged over transports that do not use
6LoWPAN together with 6LoWPAN-GHC.
The short header format for DTLS 1.3 reduces the header of 5 bytes,
by omitting the length value and sending 1 lower bit of epoch value
instead of 2, and 12 lower bits of sequence number instead of 30.
This may create problems reconstructing the full sequence number, if
~2000 datagrams in sequence are lost.
OSCORE has much lower overhead than DTLS 1.2 and TLS 1.2. The
overhead of OSCORE is smaller than DTLS 1.2 and TLS 1.2 over 6LoWPAN
with compression, and this small overhead is achieved even on
deployments without 6LoWPAN or 6LoWPAN without DTLS compression.
OSCORE is lightweight because it makes use of some excellent features
in CoAP, CBOR, and COSE.
Mattsson & Palombini Expires September 20, 2018 [Page 14]
Internet-Draft CoAP Security Overhead March 2018
5. Security Considerations
This document is purely informational.
6. IANA Considerations
This document has no actions for IANA.
7. Informative References
[I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments
(OSCORE)", draft-ietf-core-object-security-11 (work in
progress), March 2018.
[I-D.ietf-tls-dtls-connection-id]
Rescorla, E., Tschofenig, H., Fossati, T., and T. Gondrom,
"The Datagram Transport Layer Security (DTLS) Connection
Identifier", draft-ietf-tls-dtls-connection-id-00 (work in
progress), December 2017.
[I-D.ietf-tls-dtls13]
Rescorla, E., Tschofenig, H., and N. Modadugu, "The
Datagram Transport Layer Security (DTLS) Protocol Version
1.3", draft-ietf-tls-dtls13-26 (work in progress), March
2018.
[I-D.ietf-tls-tls13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", draft-ietf-tls-tls13-27 (work in progress),
March 2018.
[OlegHahm-ghc]
Hahm, O., "Generic Header Compression", July 2016,
<https://github.com/OlegHahm/ghc>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>.
Mattsson & Palombini Expires September 20, 2018 [Page 15]
Internet-Draft CoAP Security Overhead March 2018
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>.
[RFC7400] Bormann, C., "6LoWPAN-GHC: Generic Header Compression for
IPv6 over Low-Power Wireless Personal Area Networks
(6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November
2014, <https://www.rfc-editor.org/info/rfc7400>.
[RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer
Security (TLS) / Datagram Transport Layer Security (DTLS)
Profiles for the Internet of Things", RFC 7925,
DOI 10.17487/RFC7925, July 2016,
<https://www.rfc-editor.org/info/rfc7925>.
[RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
Application Protocol) over TCP, TLS, and WebSockets",
RFC 8323, DOI 10.17487/RFC8323, February 2018,
<https://www.rfc-editor.org/info/rfc8323>.
Acknowledgments
The authors want to thank Ari Keraenen, Carsten Bormann, Goeran
Selander, and Hannes Tschofenig for comments and suggestions on
previous versions of the draft.
All 6LoWPAN-GHC compression was done with [OlegHahm-ghc].
Authors' Addresses
John Mattsson
Ericsson AB
Email: john.mattsson@ericsson.com
Francesca Palombini
Ericsson AB
Email: francesca.palombini@ericsson.com
Mattsson & Palombini Expires September 20, 2018 [Page 16]