Skip to main content

Shepherd writeup

### Summary

Document Shepherd: Marco Tiloca <>
Area Director: Barry Leiba <>

The document considers the following security issues when using the CoAP
protocol, even if together with a security protocol. These are especially
severe in use cases involving actuators.

1. A server receiving a request is in general not able to verify when the
client generated the request, which can be delayed or not fresh. This can
further result in amplification attacks.

2. When using block-wise transfer, the integrity protection of a block does not
extend to the whole request body. Interchanged blocks between different message
bodies to the same resource may go undetected, so endangering multiple
concurrent block-wise transfers.

3. A client may erroneously associate the wrong response to a request.

The document addresses the issues (1)(2) by defining the usage of two new CoAP
options, namely Echo and Request-Tag; as well as the issue (3) by updating RFC
7252 to forbid non-secure reuse of Tokens in CoAP.

The document updates RFC 7252 also with respect to amplification mitigation,
for which it recommends the use of the new Echo option.

The document is intended for Standards Track.

Version -12 addressed Last Call comments from GenART, TSVART and OpsDir, about
providing clarifications and small fixes.

### Review and Consensus

The document has been discussed on multiple IETF meetings, and has gone through
multiple expert reviews. Consensus has been reached on the content of this
document and its need.

### Intellectual Property

Each author has stated that they do not have direct, personal knowledge of any
IPR related to this document. I am not aware of any IPR discussion about this
document on the CoRE WG.

### Other Points

The document registers two new option numbers in the "CoAP Option Numbers"
registry defined by RFC 7252, and provides detailed reasoning for the suggested

### Checklist

- [x] Does the shepherd stand behind the document and think the document is
ready for publication? - [x] Is the correct RFC type indicated in the title
page header? - [x] Is the abstract both brief and sufficient, and does it stand
alone as a brief summary? - [x] Is the intent of the document accurately and
adequately explained in the introduction? - [x] Have all required formal
reviews (MIB Doctor, Media Type, URI, etc.) been requested and/or completed? -
[x] Has the shepherd performed automated checks -- idnits (see and the Internet-Drafts Checklist), checks of
BNF rules, XML code and schemas, MIB definitions, and so on -- and determined
that the document passes the tests?
   'Note: There are 10 lines having 2 characters in excess each (see tables in
   Figure 1 and Figure 4). Their length will become within the limit when the
   RFC editor replaces the TBDxxx numbers with the ones assigned by IANA.'
- [x] Has each author stated that their direct, personal knowledge of any IPR
related to this document has already been disclosed, in conformance with BCPs
78 and 79? - [x] Have all references within this document been identified as
either normative or informative, and does the shepherd agree with how they have
been classified? - [x] Are all normative references made to documents that are
ready for advancement and are otherwise in a clear state? - [x] If publication
of this document changes the status of any existing RFCs, are those RFCs listed
on the title page header, and are the changes listed in the abstract and
discussed (explained, not just mentioned) in the introduction? - [x] If this is
a "bis" document, have all of the errata been considered?
   'Does not apply'

**IANA** Considerations:

- [x] Are the IANA Considerations clear and complete? Remember that IANA have
to understand unambiguously what's being requested, so they can perform the
required actions. - [x] Are all protocol extensions that the document makes
associated with the appropriate reservations in IANA registries? - [x] Are all
IANA registries referred to by their exact names (check them in to be sure)? - [x] Have you checked that any
registrations made by this document correctly follow the policies and
procedures for the appropriate registries? - [x] For registrations that require
expert review (policies of Expert Review or Specification Required), have you
or the working group had any early review done, to make sure the requests are
ready for last call? - [x] For any new registries that this document creates,
has the working group actively chosen the allocation procedures and policies
and discussed the alternatives?
   'Does not apply'
- [x]  Have reasonable registry names been chosen (that will not be confused
with those of other registries), and have the initial contents and valid value
ranges been clearly specified?
   'Does not apply'