]> UPC

C/Esteve Terradas, 7 Castelldefels 08860 Spain carles.gomez@upc.edu

UPC

C/Jordi Girona, 1-3 Barcelona 08034 Spain anna.calveras@upc.edu

INT CoRE Working Group The Bundle Protocol (BP) was designed to enable end-to-end communication in challenged networks. The Constrained Application Protocol (CoAP), which was designed for constrained-node networks, may be a suitable application-layer protocol for the scenarios where BP is used. This document specifies how CoAP is carried over BP.

The Delay-Tolerant Networking (DTN) architecture has been designed to enable communication in challenged networks, which are characterized by long delays, intermittent connectivity, and high error rates, among other constraints . DTN was mainly intended for deep space communication (e.g., to enable an Interplanetary Internet). However, it is also applicable to enable communication on Earth in environments exhibiting relatively similar features, such as sensor networks or temporarily disconnected areas. The Bundle Protocol (BP) is the fundamental component of DTN. BP is a message-oriented protocol that operates as a store-carry-forward overlay atop the transport-layer protocols of a number of constituent networks . The protocol data unit of BP is called a bundle. Application-layer functionality runs atop BP. The Constrained Application Protocol (CoAP) is an application-layer protocol that was specifically designed for constrained-node networks , which are typical in Internet of Things (IoT) scenarios. Such environments are often characterized by significantly constrained node and network features, including low computational capacity, limited energy availability (which often leads to the use of duty-cycled links), low bandwidth, high latency, and high loss rates. Accordingly, CoAP offers several features, which are also suitable for DTN, including lightweight operation, asynchronous message exchanges, and a significant degree of flexibility, based on RESTful principles. The present document specifies how CoAP is carried over BP.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 , , when, and only when, they appear in all capitals, as shown here.

The reader is expected to be familiar with the terms and concepts defined by the DTN main specifications (e.g., , , and ), and the CoAP main specifications (e.g., , , , , and ).

Single message: a CoAP message, as defined in RFC 7252. In CoAP over BP, a Single message is carried as the block-type-specific data field of the Bundle Payload Block of the encapsulating bundle. Aggregate message: a concatenation of Single messages that carry the Payload-length option (see Section 4.3). In CoAP over BP, an Aggregate message is carried as the block-type-specific data field of the Bundle Payload Block of the encapsulating bundle.

Figure 1 illustrates the protocol stack model for CoAP over BP. (Note: this figure is the same as Figure 1 of RFC 9171, except for the indication of CoAP's location in the protocol stack model.) In this model, CoAP entities exchange application-layer messages carried by BP over an end-to-end path composed of a number of constituent networks.

>>>>>>>>>v-+ +->>>>>>>>>>v-+ +-^---------+ | BP v | | ^ BP v | | ^ BP v | | ^ BP | +---------v-+ +-^---------v-+ +-^---------v-+ +-^---------+ | T1 v | + ^ T1/T2 v | + ^ T2/T3 v | | ^ T3 | +---------v-+ +-^---------v-+ +-^---------v + +-^---------+ | N1 v | | ^ N1/N2 v | | ^ N2/N3 v | | ^ N3 | +---------v-+ +-^---------v + +-^---------v-+ +-^---------+ | >>>>>>>>^ >>>>>>>>>>^ >>>>>>>>^ | +-----------+ +-------------+ +-------------+ +-----------+ | | | | |<---- A network ---->| |<---- A network ---->| | | | | ]]>

The CoAP base specification was produced assuming UDP as the underlying transport-layer protocol [RFC 7252]. Like UDP, BP is a message-oriented protocol. Furthermore, BP does not provide bundle retransmission. Therefore, when CoAP is used over BP, the same messaging model defined for CoAP in RFC 7252 is used, and the CoAP signaling messages defined in RFC 8323 (which are intended for use over reliable transports) MUST NOT be used. Figure 2 shows the two-sublayer structure of CoAP, when used over BP.

CoAP follows a client/server model, whereby a client may request an action on a resource on a server. Upon receipt of a request, the server sends a response, including a response code, which may also include a resource representation. (Note that, if a request includes the "No-Response" option , the server may suppress the response.) Requests and responses are encapsulated in messages. CoAP defines four message types: Confirmable (CON), Non-confirmable (NON), Acknowledgment (ACK), and Reset (RST). CON messages elicit ACKs, whereas NON messages do not. For CON messages, CoAP uses stop-and-wait retransmission with exponential back-off. A RST message is sent by a CoAP endpoint that has received a message but is unable to process it. When CoAP is used over BP, a source bundle node MAY set the "request reporting of bundle delivery" flag in the bundle's status report request field of a bundle that encapsulates a CoAP CON message. Upon receipt of a bundle that carries a CoAP CON message with the "request reporting of bundle delivery" flag set, the receiver MAY opt to only send the corresponding bundle delivery status report and omit sending a bundle encapsulating a CoAP ACK message, if and only if the CoAP ACK message does not carry a payload. In that case, if the CoAP CON message sender receives the status report sent in response to its bundle-encapsulated CON message, it MUST assume that the status report serves as CoAP ACK for the CON message. (Note: the assumption is that the status report size is shorter than the size of a bundle encapsulating a CoAP ACK message that does not carry a payload. To be further confirmed.)

In CoAP over BP, the format of a Single message (Figure 4) is the same as the CoAP message format defined in RFC 7252 (Figure 3), except for the Message ID size, which is increased to 24 bits for CoAP over BP. The reason for this change is avoiding a severe limitation on the number of messages a sender can send per time unit, considering the latency values in the environments where CoAP over BP may be used, and that, as stated in RFC 7252, "the same Message ID MUST NOT be reused (in communicating with the same endpoint) within the EXCHANGE_LIFETIME". See Appendix B for further details.

CoAP messages destined to the same endpoint MAY be aggregated and carried as the payload of the underlying protocol data unit. An Aggregate message is a concatenation of Single messages that carry the Payload-length option. The Payload-length option defined in this subsection (see Figure 5, which extends "Table 4: Options" of [RFC7252]) indicates the size of the payload of a CoAP message. The option value is an integer number of bytes. The Payload-length option is critical, Unsafe-to-forward, and not repeatable.

When encapsulated in a bundle, a CoAP message is represented as a definite-length CBOR byte string (see Section 5 of this document and Section 4.3.2 of RFC 9171). Thus, the length of the CoAP message is unambiguously represented. For this reason, the Payload-length option MUST NOT be included in a Single message.

The Payload-length option is a "Class U" (i.e., "unprotected") option for Object Security for Constrained RESTful Environments (OSCORE) [RFC 8613]. If a CoAP message is intended to carry the Payload-length option, while benefitting from OSCORE protection, first an OSCORE message is built using the CoAP message (without the Payload-length option) as an input, as described in RFC 8613. After that, the Payload-length option is inserted in the OSCORE message, where the payload size indicated by the Payload-length option corresponds to the OSCORE message payload size. Note that, in some cases, the Payload-length option that indicates the OSCORE message payload size may need to be subsequently updated. An example is when the EDHOC + OSCORE request is used, where the original OSCORE message payload is replaced by the concatenation of the EDHOC message_3 and the original OSCORE ciphertext in the CoAP payload (see Section 3.2.1 of RFC 9668). OSCORE messages carrying the Payload-length option and being destined to the same endpoint MAY be aggregated and carried as the payload of the underlying protocol data unit.

In order to transmit a CoAP message (either a Single message or an Aggregate message) over BP, the CoAP message MUST be carried as the block-type-specific data field of the Bundle Payload Block (block type 1) of an encapsulating bundle. The lifetime field of the bundle encapsulating a CON Single message MUST be set to EXCHANGE_LIFETIME (see Section 6). The lifetime field of the bundle encapsulating a NON Single message MUST be set to NON_LIFETIME (see Section 6). For Aggregate messages: - If an Aggregate message only comprises CON messages, the lifetime field of the encapsulating bundle is set to EXCHANGE_LIFETIME + MAX_AGGR_DELAY. (Note: MAX_AGGR_DELAY indicates the maximum time since the first Single message belonging to an Aggregate message is generated until the Aggregate message is passed to the BP layer.) - If an Aggregate message comprises only NON messages, the lifetime field of the encapsulating bundle is set to NON_LIFETIME + MAX_AGGR_DELAY. - If an Aggregate message comprises at least one CON message and one NON message, the lifetime field of the encapsulating bundle is set to the max(imum of EXCHANGE_LIFETIME, and NON_LIFETIME)+ MAX_AGGR_DELAY. In some cases, upon receipt of a CoAP message, the receiving endpoint needs to transmit a CoAP message in response to the sender. The Destination EID and Source Node ID fields of the primary bundle block of the bundle encapsulating such a CoAP message sent as a response SHALL be set as follows: Destination EID: The Destination EID SHALL be identical to the Source Node ID of the bundle encapsulating the received CoAP message that produces the response. Source Node ID: The Source Node ID SHOULD be the EID of the endpoint that produces the bundle encapsulating the CoAP message sent in response. Note that, as described in RFC 9171, the Source Node ID MAY be the null endpoint ID in the event that the bundle's source chooses to remain anonymous.

This section discusses the main CoAP parameters and times that are relevant in the environments where BP may be used. (Note that the complete set of parameters, assumptions, default values, and related times in CoAP can be found in Section 4.8 of RFC 7252.) Most of these CoAP parameters and times are relevant for CON messages. Note that, in some scenarios, the protocols operating below BP may support reliability and congestion control. In that case, using NON messages might suffice to achieve a reasonable degree of reliability. The congestion control considerations for NON message transmission would still apply, though (see Sections 4.7 and 4.8 of RFC 7252). As a congestion control measure, the maximum number of outstanding interactions between a client and a given server is limited to NSTART, which is set to a default value of 1. A greater value for NSTART can be used only when mechanisms that ensure congestion control safety are used [RFC 7252]. The main parameters related with CON messages are indicated next. ACK_TIMEOUT and ACK_RANDOM_FACTOR. These two parameters determine the duration of the initial retransmission timeout, which is set to a randomly chosen value between ACK_TIMEOUT and ACK_TIMEOUT * ACK_RANDOM_FACTOR. The default values for ACK_TIMEOUT and ACK_RANDOM_FACTOR are 2 s and 1.5, respectively. Therefore, the default initial retransmission timeout in CoAP is between 2 and 3 s. For CoAP over BP, ACK_TIMEOUT should be set to a value of at least the expected RTT, which may be of an order of magnitude several times greater than the default one (see Appendix A). ACK_RANDOM_FACTOR needs to be at least equal to or greater than 1.0. The default value of 1.5 is intended to avoid synchronization effects among different senders when RTTs are in the order of seconds. However, the greater latency in delay-tolerant environments may reduce the risk of synchronization effects therein. In such case, a lower ACK_RANDOM_FACTOR may help reduce total message delivery latency when retries are performed. MAX_RETRANSMIT. This parameter defines the maximum number of retries for a given CON message. The default value for this parameter is 4. Since there is an exponential back-off between retransmissions, and considering the delay values in environments where BP is used, it may be suitable to set this parameter to a value lower than the default one (see Appendix A). The following assumptions on the characteristics of the network and the nodes need to be considered: MAX_LATENCY is the maximum time a datagram is expected to take from the start of its transmission to the completion of its reception. In RFC 7252, this value is arbitrarily set to 100 s, which is close to the historic Maximum Segment Lifetime (MSL) of 120 s defined in the TCP specification [RFC9293]. However, such value assumes communication in non-challenged environments. Therefore, in environments where BP is used, MAX_LATENCY may need to be increased by at least 2-3 orders of magnitude. PROCESSING_DELAY is the time since a node receives a CON message until it transmits an ACK in response. In RFC 7252, this value is assumed to be of at most the default ACK_TIMEOUT value of 2 s. For the sake of limiting latency, it is assumed that the same value can be used also in environments where BP is used. A relevant CON message derived time is EXCHANGE_LIFETIME. This time indicates the maximum possible time since a CON message is sent for the first time, until ACK reception (which may potentially occur after several retries). EXCHANGE_LIFETIME includes the following components: the total time since the first transmission attempt of a CON message until the last one (called MAX_TRANSMIT_SPAN in RFC 7252), a MAX_LATENCY for the CON, PROCESSING_DELAY, and a MAX_LATENCY for the ACK. The default value for EXCHANGE_LIFETIME is 247 s. However, in challenged environments (e.g., deep space), and considering the increased values for protocol parameters and network characteristics described above, EXCHANGE_LIFETIME will be at least 2 (and perhaps a greater number of) orders of magnitude greater than the default one (see Appendix A). The main time related with NON messages is NON_LIFETIME. This is the time since a NON message is transmitted until its Message ID can be safely reused. This time is actually equal to MAX_LATENCY, therefore its default value is 100 s. However, as described earlier, in challenged environments (e.g, deep space) it may need to be increased by 2-3 orders of magnitude. In CoAP group communication, a client sends multicast CoAP request messages to a destination group. Each server in the target destination group sends a unicast response message back to the client, although a server can suppress its response for several reasons (see Section 3.1.2 of ). defines the minimum time between reuse of Token values for different group requests, MIN_TOKEN_REUSE_TIME, to be greater than: MIN_TOKEN_REUSE_TIME = (NON_LIFETIME + MAX_LATENCY + MAX_SERVER_RESPONSE_DELAY) where MAX_SERVER_RESPONSE_DELAY is the expected maximum response delay over all servers that the client can send a CoAP group request to. states that, "using the default CoAP parameters, the Token reuse time MUST be greater than 250 seconds plus MAX_SERVER_RESPONSE_DELAY". also adds that, while a possible approach is to generate a new unique Token for every new group request, if a client has to reuse Token values for some reason, MAX_SERVER_RESPONSE_DELAY = 250 seconds is a suitable value, therefore leading to a time between Token reuses greater than MIN_TOKEN_REUSE_TIME = 500 seconds (see Appendix A). Note that CoAP implementations may also need to be adapted if they have been designed to use 8-bit timers to handle CON or NON message lifetimes (e.g., to retire Message IDs) in seconds.

The CoAP Observe Option allows a server to send notifications carrying a representation of the current state of a resource to interested clients called observers [RFC7641]. The latter need to initially register at a specific server that they are interested in being notified whenever the resource state changes. There is also work in progress intended to allow a CoAP client to limit notifications to those where the state representation of a resource fulfills certain constraints (e.g., a minimum/maximum value) [draft-ietf-core-conditional-attributes]. Observe generally provides significant performance benefits, since, after the registration, the client does not have to send a request to receive a notification. This feature is particularly beneficial in environments where end-to-end latency is high, and energy and bandwidth resources may be constrained. As per the Observe specification, when the time between the two last notifications received by a CoAP client is greater than 128 seconds, it can be concluded that the last one received is also the latest sent by the server. The duration of 128 seconds was chosen as a number greater than the default MAX_LATENCY value of the base CoAP specification. When CoAP is used over BP, determining whether a notification was sent by the server later than another notification MUST be performed based on the creation timestamps of the corresponding bundles encapsulating the two notifications. The duration of 128 seconds may be insufficient in many scenarios. In such cases, the duration needs to be chosen as a value greater than the MAX_LATENCY of the scenario (see Appendix A).

CoAP supports functionality that allows carrying large payloads by means of block-wise transfers [RFC7959], [RFC9177]. BP also supports fragmentation and reassembly functionality. RFC 7959 states, in the context of fragmentation and reassembly functionality being available at several protocol stack layers, that "the fragmentation/reassembly process burdens the lower layers with conversation state that is better managed in the application layer". However, an implicit assumption in RFC 7959 is that details on the data unit sizes that can be carried over the different links of an end-to-end path are known in advance by the sender. When CoAP is used over BP, CoAP block-wise transfers MAY be used if the source knows in advance the duration and type of expected contacts (e.g., scheduled or predicted) between the BP nodes that will forward the bundles from the source bundle node to the destination bundle node. This does not preclude the use of BP fragmentation and reassembly when deemed necessary. There exist two CoAP specifications that allow to perform block-wise transfers: [RFC7959] and [RFC9177]. As per RFC 7959, a CoAP endpoint can only ask for (or send) the next block after the previous block has been transferred. Furthermore, RFC 7959 recommends the use of CON messages. Therefore, communication follows a stop-and-wait pattern, which is not suitable for environments with long delays. RFC 9177 is particularly suitable for DTN environments, as it enables block-wise transfers using NON messages. Thus, blocks can be transmitted serially without having to wait for a response or next request from the remote CoAP peer. Recovery of multiple missing blocks (which can be reported at once in a single CoAP message) is also supported.

The following new parameters are defined by RFC 9177, for use with NON messages and the Q-Block1 and Q-Block2 options: MAX_PAYLOADS, NON_TIMEOUT, NON_TIMEOUT_RANDOM, NON_RECEIVE_TIMEOUT, NON_MAX_RETRANSMIT, NON_PROBING_WAIT, and NON_PARTIAL_TIMEOUT. MAX_PAYLOADS indicates the number of consecutive blocks an endpoint can transmit without eliciting a message from the other endpoint. The default value defined in RFC 9177 for this parameter is 10, which is in line with the initial window size currently defined for TCP [RFC6928]. The motivation for such value is that "Ten segments are likely to fit into queue space available at any broadband access link, even when there are a reasonable number of concurrent connections" [RFC6928]. However, the previous statement assumes typical Internet characteristics and TCP segment sizes. For CoAP over BP environments, the characteristics of BP paths and CoAP message sizes involved need to be considered when setting MAX_PAYLOADS. NON_TIMEOUT is the minimum time between sending two consecutive sets of MAX_PAYLOADS blocks that correspond to the same body. The actual time between sending two consecutive sets of MAX_PAYLOADS blocks is called NON_TIMEOUT_RANDOM, which is calculated as NON_TIMEOUT * ACK_RANDOM_FACTOR. In RFC 9177, NON_TIMEOUT is defined as having the same value as ACK_TIMEOUT. ACK_RANDOM_FACTOR is set to 1.5, following RFC 7252. As a result, by default, NON_TIMEOUT_RANDOM is equal to a randomly chosen value between 2 and 3 s. The NON_TIMEOUT_RANDOM inactivity interval described above is introduced to avoid causing congestion due to the transmission of MAX_PAYLOADS itself. As discussed previously, in challenged networks, ACK_TIMEOUT should be set to a value greater than default. When CoAP is used in deep space, NON_TIMEOUT, and thus NON_TIMEOUT_RANDOM, need to be adjusted considering the characteristics of the end-to-end path, independent of ACK_TIMEOUT. NON_RECEIVE_TIMEOUT is the initial time that a receiver will wait for a missing block within MAX_PAYLOADS before requesting retransmission for the first time. Every time the missing payload is re-requested, the time to wait value doubles. NON_RECEIVE_TIMEOUT has a default value of 2*NON_TIMEOUT. As described earlier, in challenged networks, NON_TIMEOUT needs to be adjusted considering the characteristics of the end-to-end path. NON_MAX_RETRANSMIT is the maximum number of times a request for the retransmission of missing payloads can occur without a response from the remote peer. By default, NON_MAX_RETRANSMIT has the same value as MAX_RETRANSMIT (Section 4.8 of [RFC7252]). Accordingly, when CoAP is used in deep space, the same considerations regarding MAX_RETRANSMIT in Section 5 apply to NON_MAX_RETRANSMIT as well. That is, when CoAP is used in space, while the default value for this parameter is 4, it may be suitable to set this parameter to a value lower than the default one.

RFC 7252 defines a "proxy" as "An intermediary that mainly is concerned with forwarding requests and relaying back responses, possibly performing caching, namespace translation, or protocol translation in the process". The same specification also states that "A proxy is a CoAP endpoint that can be tasked by CoAP clients to perform requests on their behalf." Among others, this can be useful "to service the response from a cache in order to reduce response time and network bandwidth or energy consumption". The latter are advantages that may be desirable as well in the environments where BP is used.

Depending on the protocol(s) supported at each side of the proxy, a proxy can be a "CoAP-to-CoAP proxy", which "maps from a CoAP request to a CoAP request", or a "cross-proxy", which "translates between different protocols, such as a CoAP-to-HTTP proxy or an HTTP-to-CoAP proxy" [RFC 7252]. Figure 6 and Figure 7 illustrate the upper-layer protocol stacks for a CoAP-to-CoAP proxy and an HTTP-to-CoAP cross-proxy, when CoAP or HTTP [draft-blanchet-dtn-http-over-bp] run over BP, respectively.

>>>>>>>>>>>>>>>>>>>>>>>^ >>>>>>>>>>>>>>>>>>>>>>>>^ CoAP CoAP-to-CoAP CoAP client proxy origin server ]]>

>>>>>>>>>>>>>>>>>>>>>>>^ >>>>>>>>>>>>>>>>>>>>>>>>^ HTTP HTTP-to-CoAP CoAP client cross-proxy origin server ]]>

RFC 7252 states that "When using a proxy, the URI of the resource to request is included in the request, while the destination IP address is set to the address of the proxy". However, that statement assumes the original design of CoAP, where IP is used at the network layer. In CoAP over BP, the destination EID of the encapsulating bundle is set to the EID of the bundle node that implements the CoAP proxy. Also, RFC 7252 states, when describing forward-proxy operation: "For a CoAP-to-CoAP proxy, the origin server's IP address and port are determined by the authority component of the request URI". In CoAP over BP, the authority component of the request URI provides the origin server's EID.

When a proxy that supports the Payload-length option receives an Aggregate message, it disaggregates the Single messages the Aggregate message is composed of. Then, the proxy operates normally (i.e., as described in [RFC 7252]) upon each Single message. A proxy MAY aggregate messages that are destined to the same endpoint, even if they are originally triggered by different endpoints. However, there is also risk that a proxy aiming to aggregate messages eventually cannot do so within a reasonable amount of time, thus contributing delay. The motivation for the aim to aggregate CoAP messages is illustrated by means of two examples provided next. Let us first assume the network shown in Figure 8, where the clients are on Earth, the proxy is in a Mars orbiter, and the origin servers are on Mars. Links on the left and on the right of the proxy do not necessarily exist simultaneously over time due to orbital dynamics. The proxy may want to aggregate CoAP messages from the origin servers while there is no connectivity on the left or it may want to aggregate CoAP messages from the clients while there is no connectivity on the right. The proxy may also want to aggregate messages to reduce protocol overhead at the BP layer and lower layers.

|Origin server X| +--------+ | +-------+ | +---------------+ +----> | | <----+ +--------+ | | +---------------+ |Client 2| <--------> | proxy | <---------> |Origin server Y| +--------+ | | +---------------+ +----> | | <----+ +--------+ | +-------+ | +---------------+ |Client 3| <---+ +----> |Origin server Z| +--------+ +---------------+ Earth Mars orbiter Mars ]]>

In a first example, in Figure 8, if Client 2 sends a request targetting a resource at Origin server X and it also sends another request targetting another resource at Origin server Y, the subsequent responses to Client 2 may be aggregated by the proxy. Note that connectivity from the proxy to the clients may be unavailable during some time interval, which can be exploited by the proxy to aggregate the responses from the clients. In a second example, if Client 2 and Client 3 send requests targetting resources at Origin server Z, and the proxy cannot service those responses from a cache, the proxy may aggregate the requests that will be sent to Origin server Z. This may occur while there is no connectivity between the proxy and the origin servers. When a proxy aggregates CoAP messages, the proxy adds the Payload-length option to each Single message an Aggregate message is composed of. In consequence, the proxy MUST recompute the deltas of the outer CoAP options from each Single message accordingly. When a proxy needs to send a Single message that arrived at the proxy as part of an Aggregate message, the proxy MUST remove its Payload-length option prior to its transmission. In consequence, the proxy MUST recompute the deltas of the outer CoAP options accordingly.

The URI scheme for CoAP over BP is "coap" as per the recommendation of Section 6 of [draft-ietf-core-transport-indication]. The "coap" scheme is defined in Section 6 of [RFC7252]. When the endpoint ID of the target resource is based on the "dtn" scheme, the authority component of the URI is formed as the reg-name of the endpoint ID, followed by .dtn.arpa. When the endpoint ID of the target resource is based on the "ipn" scheme, the authority component of the URI is formed as the service-nbr, followed by the nbr-delim (".") and the node-nbr of the endpoint ID, followed by .ipn.arpa. User information and port are always absent with the URI scheme used in CoAP over BP. For example, under the rules of Section 6 of [RFC7252], the URI of a request for the discovery resource of a CoAP over BP entity with endpoint ID dtn://JupiterSensor would be: coap://JupiterSensor.dtn.arpa/.well-known/core Similarly, the URI of a request for the discovery resource of a CoAP over BP entity with endpoint ID ipn:81.TBD2 would be: coap://TBD2.81.ipn.arpa/.well-known/core Note: this specification requests a Well-known Service Number for CoAP over BPv7 in the 'ipn' Scheme URI Well-known Service Numbers for BPv7 registry [RFC 9758] (see section 12.2). Such number is TBD2.

The base CoAP specification defines a binding to Datagram Transport Layer Security (DTLS) [RFC7252][RFC9147]. There are four possible DTLS security modes: NoSec, PreSharedKey, RawPublicKey, and Certificate. The NoSec and RawPublicKey modes are mandatory to implement. Subsequently, Object Security for Constrained RESTful Environments (OSCORE) was specified [RFC8613]. OSCORE is a security protocol for CoAP that allows to protect an application-layer data payload end-to-end, even in the presence of untrusted proxies in the path between two endpoints. The Group OSCORE protocol [draft-ietf-core-oscore-groupcomm] is used to secure CoAP group communication [draft-ietf-core-groupcomm-bis]. In OSCORE, the communicating endpoints require a shared security context. An interesting aspect of OSCORE for the environments where BP is used is that, if the materials used to establish such context are pre-shared, there is no initial handshake prior to actual communication, thus avoiding a significant latency penalty. In contrast, DTLS does require an initial handshake. For this reason, the use of DTLS to secure CoAP over BP is generally NOT RECOMMENDED, possible exceptions being environments where the latency penalty is considered acceptable.

On the other hand, Bundle Protocol Security (BPSec) [RFC 9172] provides security services for BP bundles, allowing to protect (with integrity and/or confidentiality) one or more blocks of a bundle. BPSec may be used to provide end-to-end protection between the bundle source and the bundle destination. When CoAP is carried over BP, the CoAP message will be carried as the block-type-specific data field of the Bundle Payload Block (block type 1) of an encapsulating bundle. If OSCORE is used to protect CoAP, only the CoAP message payload, one CoAP message header field, and some of the CoAP options are protected. Currently, all CoAP message fields that are protected by OSCORE are provided with confidentiality and integrity protection. BPSec allows to protect all fields of the carried CoAP message. However, in the context of CoAP over BP, the scope of BPSec protection is delimited by a bundle node implementing a CoAP endpoint at the application layer, including a CoAP proxy. Therefore, when one or more CoAP proxies are present between a CoAP client and a CoAP origin server, BPSec cannot ensure the protection of application-layer data between those two CoAP endpoints. In that case, OSCORE SHOULD be used to protect application-layer data between the two CoAP endpoints. Nevertheless, use of BPSec is still useful to protect all fields of the carried CoAP message in each corresponding BP end-to-end path (i.e., from the origin CoAP source until the first CoAP proxy, between consecutive CoAP proxies, or from the last CoAP proxy until the final, end-to-end CoAP destination). Such fields include the Payload-length option, when present, which is "Class U" for OSCORE (see Section 4.3.1 and Section 14). Note that, in some scenarios, a CoAP client might not be aware that it is communicating with a reverse-proxy (instead of the origin CoAP server). In scenarios without CoAP proxies, both OSCORE or BPSec MAY be used to provide end-to-end application-layer data protection. As discussed above, BPSec allows to protect all fields of the carried CoAP message. In order to offer protection against replay attacks, OSCORE uses by default an anti-replay sliding window, with a window size of 32 [RFC 8613]. If a greater window size is deemed necessary (e.g., due to high latency in an intended scenario), that window size needs to be known by both sender and receiver at the moment of security context establishment. Note that the BP freshness feature, whereby a bundle includes a creation timestamp and a lifetime field, provides additional protection against replay attacks. If the bundle is replayed outside of its lifetime, the bundle will be discarded and the replay attack will fail (see Section 8.2.4 of RFC 9172). Note that RFC 9171 offers provisions for nodes without accurate clocks (see Sections 4.2.7 and 4.3.1 of RFC 9171). The Echo option in CoAP [RFC 9175] allows a server to verify the freshness of a request. Two types of freshness verifications can be enabled by using the Echo option: time-based freshness and event-based freshness. When a request is required to be fresh, and its freshness cannot be verified, the server rejects the request and includes the Echo option in the response to the client. The latter usually resends the original request, echoing the Echo option value in the request, and also echoes the Echo option value in at least the next request after a received Echo option value from the server. However, the round trip incurred to check the freshness of the first request may incur significant delay penalty in BP environments. On the other hand, in a scenario with proxies, the freshness features provided by BP are limited to the scope of the path between the bundle source and the bundle destination. Thus, the Echo option would be needed to verify the end-to-end freshness of a CoAP request in such a scenario.

When CoAP is carried over BP, a CoAP response SHOULD be protected with at least the same level of security as its corresponding CoAP request.

IANA is asked to create two new reserved domain names in the .arpa name space as described in [RFC6761]: the suffixes .dtn.arpa and .ipn.arpa. The expectation for application software is that no DNS resolution is attempted; instead, the prefix is processed into an endpoint ID, and any operation on that endpoint ID is pointed to the BP node(s) registered in that endpoint ID.

The Domain Reservation Considerations from Section 5 of [RFC6761] for both domain names (.dtn.arpa and .ipn.arpa) are: * Users: users are not expected to recognize those names as special. * Application Software: application software is expected to pass those names on to their CoAP over BP implementation. CoAP over BP implementations are expected to recognize those names as BP endpoint IDs and MUST NOT pass them on to DNS-based resolvers (unless the name resolution API happens to explicitly support resolution into endpoint ID, see below). * Name resolution APIs and libraries: name resolution APIs and libraries MAY indicate that .dtn.arpa and .ipn.arpa names resolve to the endpoint ID encoded inside them (but no details for this are specified in known resolution APIs or libraries). Otherwise, they SHOULD report them as NXDOMAIN. * Caching DNS Servers: caching DNS servers MAY recognize the special domains and report them as NXDOMAIN. Otherwise, they will cache the .arpa DNS servers' responses. * Authoritative DNS Servers: authoritative DNS servers MAY recognize the special domains and report them as NXDOMAIN. * DNS Server Operators: No impact on DNS server operators is expected. * DNS Registries/Registrars: Any changes to .dtn.arpa or .ipn.arpa require updates to this document and the corresponding process through IANA.

IANA is requested to assign a Well-known Service Number for CoAP in the 'ipn' Scheme URI Well-known Service Numbers for BPv7 registry [RFC9758].

IANA is kindly requested to add the Payload-length option to the CoAP Option Numbers registry:

(Note to the RFC Editor: please remove this entire section before publication [RFC 7942].) This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".

- Organization responsible for the implementation: Universitat Politecnica de Catalunya (UPC). - Implementation name: Space CoAP. - Links: https://github.com/ENTEL-WNG/CoAPoverBP-no-proxy-version https://github.com/ENTEL-WNG/CoAPoverBP-proxy-version https://github.com/ENTEL-WNG/CoAPoverBP-proxy-version-BP - Overview: three CoAP over BP scenarios are supported, based on modifications made on top of the aiocoap library (CoAP implementation) and the uD3TN library (BP implementation): o CoAPoverBP-no-proxy-version: direct integration of CoAP over BP, where both the CoAP client and server run directly on bundle nodes. CoAP messages are buffered, optionally aggregated and then encapsulated in BP bundles. Persistent storage and scheduled contact plans manage delayed delivery. No CoAP proxying is used. Message creation, aggregation and parsing happen entirely within the bundle nodes. o CoAPoverBP-proxy-version: CoAP-to-BP proxy nodes that bridge conventional CoAP-over-UDP clients and servers with a BP network. CoAP participants communicate via UDP with local proxy applications running on bundle nodes. These proxies are responsible for encapsulating CoAP messages into BP bundles for transmission across the DTN and vice versa. Each proxy preserves the CoAP Message ID and Token hop-based while adding a custom Payload-length option to enable message aggregation and correct reassembly. Aggregate messages are stored, carried and forwarded through a uD3TN-based DTN topology with scheduled contact plans and persistent storage. o CoAPoverBP-proxy-version-BP: CoAP-over-BP proxy architecture where both CoAP client and server operate directly on bundle nodes and a dedicated proxy mediates CoAP over BP. The proxy performs forwarding of CoAP messages with hop-by-hop based Message ID and Token matching. CoAP messages are buffered and optionally aggregated, with each message tagged using a custom Payload-length option to allow for message disaggregation on the receiving side. All forwarding, storage and delay simulation is managed using uD3TN with persistent storage and scheduled contacts between nodes. - Implementation level of maturity: research - Coverage: o Two proxy and one non-proxy scenario o CoAP Client and Server with multiple Bundle Nodes o Contact plan scheduling for delay simulation o Persistent storage on bundle node with bundle decision maker o PUT, POST, GET, DELETE methods o NON and CON message handling o Hop-based token and MID matching. Round Trip is Piggybacked for simplicity o Extended Message ID to 24 bits and timers according to draft-gomez-core-coap-bp-03 o Message aggregation and payload_length option field o Space CoAP Lua dissector o CoAP over BP URI Scheme - Licensing: This project incorporates code from several open source libraries and includes original code and modifications. The project code is licensed under the GNU Affero General Public License Version 3 (AGPLv3). See the LICENSE file in the root of this repository for the full text. The project includes modified files from the aiocoap library (https://github.com/chrysn/aiocoap), originally developed by Christian Amsuess and contributors. Modifications were made to implement draft-gomez-core-coap-bp-03. All changes are clearly marked in the source files with inline comments "experimental for draft-gomez-core-coap-bp-03". aiocoap Library: This project includes code from the aiocoap library, which is licensed under the BSD 3-Clause License. The full text of this license can be found in the LICENSE folder in the aiocoap library. uD3TN Library: This project includes code from the uD3TN library, which is licensed under the AGPLv3 License. The full text of this license can be found in the LICENSE file in the uD3TN library. - Contact information: o Michael Karpov: michael.karpov@estudiantat.upc.edu - Main developer o Anna Calveras: anna.calveras@upc.edu - Project supervisor

Other implementations of CoAP over BP have been reported over time . However, please note that such implementations preceded the creation of the initial version of the present document, therefore they were not intended as implementations of this document.

The Payload-length option is "Class U" for OSCORE, therefore this option, which conveys the payload size of a CoAP message, cannot be protected by means of OSCORE. A possible risk is that, even if an OSCORE message payload is protected, an attacker might try to infer some features of the communication between the involved endpoints based on the payload size of each message. Note that exposing the individual sizes of the Single messages an Aggregate message is composed of provides additional information compared to knowing the Aggregate message size (assuming that the latter can be obtained by the attacker). One possible solution might be based on not using the Payload-length option, at the expense of the inability of benefitting from message aggregation. A less radical approach, which allows to benefit from message aggregation, is based on using the Padding option [draft-ietf-core-cacheable-oscore]. In that case, a Single message may be padded before being protected with OSCORE. Note that the Padding option is Class E for OSCORE. On the other hand, lower-layer security (e.g., BPSec) may also help mitigate the risk.

The authors would like to thank (in alphabetical order) Christian Amsuess, Edward J. Birrane, Marc Blanchet, Carsten Bormann, Scott Burleigh, Joshua Deaton, Jaime Jimenez, Achim Kraus, Bilhanan Silverajan, Brian Sipos, Rick Taylor, Marco Tiloca, Laurent Toutain, Rodney Van Meter, and Magnus Westerlund for useful design considerations, reviews and comments. The authors would also like to thank Michael Karpov as the main developer of the "Space CoAP" research implementation of CoAP over BP. Carles Gomez and Anna Calveras have been funded in part by MCIU/AEI/10.13039/501100011033/FEDER/UE through project PID2023-146378NB-I00, and by Secretaria d'Universitats i Recerca del Departament d'Empresa i Coneixement de la Generalitat de Catalunya with the grant number 2021 SGR 00330.

S.M. Davidovich, J. Whittington M. Adalier, A. Riffel, M. Galvan, B. Johnson, S. Burleigh M. Auzias, M. Yves, F. Raimbault

Figure 7 shows the Round-Trip Time (RTT) between two endpoints on (or close to) different celestial bodies of the Solar System, for the maximum distances between such endpoints , and in an idealized scenario where communication latency only comprises a propagation delay component. (Note that message storing until the next connectivity opportunity may significantly increase total communication latency.) The RTT also provides a lower bound on (and an approximation of) the ACK_TIMEOUT values required to avoid spurious retransmission timer expiration. Figure 9 provides approximate EXCHANGE_LIFETIME values that would stem from the use of ACK_TIMEOUT values such as those shown in Figure 5, for MAX_RETRANSMIT=1. (Note that the values provided in Figure 5 are also approximately equal to EXCHANGE_LIFETIME, for MAX_RETRANSMIT=0, under the conditions considered.) For the sake of comparison, Figure 10 also provides the hypothetical, approximate EXCHANGE_LIFETIME values that would correspond to MAX_RETRANSMIT= 1, but with a retransmission scheme using a constant RTO value for message retries. Finally, Figure 11 provides the one-way delay for communication between endpoints on (or close to) different celestial bodies of the Solar System, for the maximum distances between such endpoints, and assuming an idealized scenario where communication latency only comprises a propagation delay component. The values in this figure correspond approximately to MAX_LATENCY in the described scenarios.

With default settings [RFC 7252], and a 16-bit message ID size, CoAP supports the transmission of up to 265 messages/s between a sender and its destination endpoint. If CoAP is used in scenarios involving much greater latencies (e.g., deep space), the greater EXCHANGE_LIFETIME would significantly limit the CoAP message rate. Figure 9 provides the maximum possible message rates for message ID sizes of 16 and 24 bits, and a range of EXCHANGE_LIFETIME values.