Network Working Group J. Mattsson
Internet-Draft Ericsson AB
Intended status: Informational March 13, 2017
Expires: September 14, 2017
Message Size Overhead of CoAP Security Protocols
draft-mattsson-core-security-overhead-00
Abstract
This document analyzes and compares per-packet message size overheads
when using different security protocols to secure CoAP. The analyzed
security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, and
OSCOAP. DTLS and TLS are analyzed with and without compression.
DTLS are analyzed with two different alternatives for header
compression.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 14, 2017.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Mattsson Expires September 14, 2017 [Page 1]
Internet-Draft CoAP Security Overhead March 2017
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Overhead of Security Protocols . . . . . . . . . . . . . . . 2
2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . . . 3
2.3. DTLS 1.2 with raza-6lo-compressed-dtls . . . . . . . . . 4
2.4. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 4
2.5. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . . . 5
2.6. DTLS 1.3 with raza-6lo-compressed-dtls . . . . . . . . . 6
2.7. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.8. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . . . 7
2.9. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.10. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . . . 8
2.11. OSCOAP . . . . . . . . . . . . . . . . . . . . . . . . . 8
3. Overhead with Different Sequence Numbers . . . . . . . . . . 9
4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
7. Informative References . . . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
This document analyzes and compares per-packet message size overheads
when using different security protocols to secure CoAP over UPD
[RFC7252] and TCP [I-D.ietf-core-coap-tcp-tls]. The analyzed
security protocols are DTLS 1.2 [RFC6347], DTLS 1.3
[I-D.rescorla-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3
[I-D.ietf-tls-tls13], and OSCOAP [I-D.ietf-core-object-security].
The DTLS and TLS record layers are analyzed with and without
compression. DTLS are analyzed with two different alternatives
([RFC7400] and [raza-6lo-compressed-dtls]) for header compression.
2. Overhead of Security Protocols
To enable comparison, all the overhead calculations in this section
use AES-CCM with a tag length of 8 bytes, a plaintext of 6 bytes, and
the sequence number '05'. This follows the example in [RFC7400],
Figure 16.
Mattsson Expires September 14, 2017 [Page 2]
Internet-Draft CoAP Security Overhead March 2017
2.1. DTLS 1.2
This example is taken directly from [RFC7400], Figure 16. The nonce
follow the strict profiling given in [RFC7925].
DTLS 1.2 Record Layer (35 bytes, 29 bytes overhead):
17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00
00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9
Content type:
17
Version:
fe fd
Epoch:
00 01
Sequence number:
00 00 00 00 00 05
Length:
00 16
Nonce:
00 01 00 00 00 00 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
DTLS 1.2 gives 29 bytes overhead.
2.2. DTLS 1.2 with 6LoWPAN-GHC
Note that the compressed overhead is dependent on the parameters
epoch, sequence number, and length. The following is only an
example.
Note that the sequence number '01' used in [RFC7400], Figure 15 gives
an exceptionally small overhead that is not representative at all.
Note that this header compression is not available when DTLS is
exchanged over transports that do not use 6LoWPAN together with
6LoWPAN-GHC.
Mattsson Expires September 14, 2017 [Page 3]
Internet-Draft CoAP Security Overhead March 2017
Compressed DTLS 1.2 Record Layer (22 bytes, 16 bytes overhead):
b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff
8a 24 e4 cb 35 b9
Compressed DTLS 1.2 Record Layer Header and Nonce:
b0 c3 03 05 00 16 f2 0e
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
(epoch, sequence number, length) gives 16 bytes overhead.
2.3. DTLS 1.2 with raza-6lo-compressed-dtls
Note that the compressed overhead is dependent on the parameters
epoch and sequence number. The following is only an example.
Note that this header compression is not available when DTLS is
exchanged over transports that do not use 6LoWPAN together with raza-
6lo-compressed-dtls.
Compressed DTLS 1.2 Record Layer (19 bytes, 13 bytes overhead):
90 17 01 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9
NHC
90
Compressed DTLS 1.2 Record Layer Header and Nonce:
17 01 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with raza-6lo-compressed-dtls, DTLS 1.2 with the
above parameters (epoch, sequence number) gives 13 bytes overhead.
2.4. DTLS 1.3
The only change compared to DTLS 1.2 is that the DTLS 1.3 record
layer does not have an explicit nonce.
Mattsson Expires September 14, 2017 [Page 4]
Internet-Draft CoAP Security Overhead March 2017
DTLS 1.3 Record Layer (27 bytes, 21 bytes overhead):
17 fe fd 00 01 00 00 00 00 00 05 00 0e ae a0 15
56 67 92 4d ff 8a 24 e4 cb 35 b9
Content type:
17
Version:
fe fd
Epoch:
00 01
Sequence number:
00 00 00 00 00 05
Length:
00 0e
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
DTLS 1.3 gives 21 bytes overhead.
2.5. DTLS 1.3 with 6LoWPAN-GHC
Note that the overhead is dependent on the parameters epoch, sequence
number, and length. The following is only an example.
Note that this header compression is not available when DTLS is
exchanged over transports that do not use 6LoWPAN together with
6LoWPAN-GHC.
Compressed DTLS 1.3 Record Layer (20 bytes, 14 bytes overhead):
b0 c3 11 05 00 0e ae a0 15 56 67 92 4d ff 8a 24
e4 cb 35 b9
Compressed DTLS 1.3 Record Layer Header and Nonce:
b0 c3 11 05 00 0e
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
(epoch, sequence number, length) gives 14 bytes overhead.
Mattsson Expires September 14, 2017 [Page 5]
Internet-Draft CoAP Security Overhead March 2017
2.6. DTLS 1.3 with raza-6lo-compressed-dtls
Note that the compressed overhead is dependent on the parameters
epoch and sequence number. The following is only an example.
Note that this header compression is not available when DTLS is
exchanged over transports that do not use 6LoWPAN together with raza-
6lo-compressed-dtls.
Note that this header compression is not available when DTLS is
exchanged over transports that do not use 6LoWPAN together with raza-
6lo-compressed-dtls.
Compressed DTLS 1.3 Record Layer (19 bytes, 13 bytes overhead):
90 17 01 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9
NHC
90
Compressed DTLS 1.3 Record Layer Header and Nonce:
17 01 00 05
c3 03 05 00 16 f2 0e
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with raza-6lo-compressed-dtls, DTLS 1.3 with the
above parameters (epoch, sequence number) gives 13 bytes overhead.
2.7. TLS 1.2
The changes compared to DTLS 1.2 is that the TLS 1.2 record layer
does not have epoch and sequence number, and that the version is
different.
Mattsson Expires September 14, 2017 [Page 6]
Internet-Draft CoAP Security Overhead March 2017
TLS 1.2 Record Layer (27 bytes, 21 byte overhead):
17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15
56 67 92 4d ff 8a 24 e4 cb 35 b9
Content type:
17
Version:
03 03
Length:
00 16
Nonce:
00 00 00 00 00 00 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
TLS 1.2 gives 21 bytes overhead.
2.8. TLS 1.2 with 6LoWPAN-GHC
Note that the overhead is dependent on the parameters epoch, sequence
number, and length. The following is only an example.
Note that this header compression is not available when TLS is
exchanged over transports that do not use 6LoWPAN together with
6LoWPAN-GHC.
Compressed TLS 1.2 Record Layer (23 bytes, 17 bytes overhead):
05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d
ff 8a 24 e4 cb 35 b9
Compressed TLS 1.2 Record Layer Header and Nonce:
05 17 03 03 00 16 85 0f 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters
(epoch, sequence number, length) gives 17 bytes overhead.
2.9. TLS 1.3
The change compared to TLS 1.2 is that the TLS 1.3 record layer uses
a different version.
Mattsson Expires September 14, 2017 [Page 7]
Internet-Draft CoAP Security Overhead March 2017
TLS 1.3 Record Layer (27 bytes, 21 byte overhead):
17 03 01 00 16 00 00 00 00 00 00 00 05 ae a0 15
56 67 92 4d ff 8a 24 e4 cb 35 b9
Content type:
17
Version:
03 01
Length:
00 16
Nonce:
00 00 00 00 00 00 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
TLS 1.3 gives 21 bytes overhead.
2.10. TLS 1.3 with 6LoWPAN-GHC
Note that the overhead is dependent on the parameters epoch, sequence
number, and length. The following is only an example.
Note that this header compression is not available when TLS is
exchanged over transports that do not use 6LoWPAN together with
6LoWPAN-GHC.
Compressed TLS 1.3 Record Layer (23 bytes, 17 bytes overhead):
02 17 03 c3 01 16 85 0f 05 ae a0 15 56 67 92 4d
ff 8a 24 e4 cb 35 b9
Compressed TLS 1.3 Record Layer Header and Nonce:
02 17 03 c3 01 16 85 0f 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters
(epoch, sequence number, length) gives 17 bytes overhead.
2.11. OSCOAP
Note that the overhead is dependent on the included CoAP Option
numbers, if the CoAP method allows payload, as well as the length of
the OSCOAP parameters Sender ID and sequence number. The below
Mattsson Expires September 14, 2017 [Page 8]
Internet-Draft CoAP Security Overhead March 2017
calculation uses Method = POST, Option Delta = '9', and Sender ID =
'25', and is only an example.
OSCOAP Request (19 bytes, 13 bytes overhead):
90 19 05 41 25 ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9
CoAP Delta and Option Length:
90
Compressed COSE Header:
19 05 41 25
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
OSCOAP Response (15 bytes, 9 bytes overhead):
90 ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9
CoAP Delta and Option Length:
90
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9
OSCOAP with the above parameters gives 13 bytes overhead for requests
and 9 bytes overhead for responses.
Unlike DTLS and TLS, OSCOAP has much smaller overhead for responses
than requests.
3. Overhead with Different Sequence Numbers
The compression overhead (GHC) is dependent on the parameters epoch,
sequence number, and length. The following overheads should be
representative for sequence numbers with the same length.
The compression overhead (raza-6lo-compressed-dtls) is dependent on
the length of the parameters epoch and sequence number. The
following overheads apply for all sequence numbers with the same
length.
The OSCOAP overhead is dependent on the included CoAP Option numbers,
if the CoAP method allows payload, as well as the length of the
OSCOAP parameters Sender ID and sequence number.
Mattsson Expires September 14, 2017 [Page 9]
Internet-Draft CoAP Security Overhead March 2017
Sequence Number '05' '1005' '100005'
----------------------------------------------------------
DTLS 1.2 29 29 29
DTLS 1.3 21 21 21
TLS 1.2 21 21 21
TLS 1.3 21 21 21
----------------------------------------------------------
DTLS 1.2 (GHC) 16 16 17
DTLS 1.2 (Raza) 13 13 14
DTLS 1.3 (GHC) 14 14 15
DTLS 1.3 (Raza) 13 13 14
TLS 1.2 (GHC) 17 18 19
TLS 1.3 (GHC) 17 18 19
----------------------------------------------------------
OSCOAP Request 13 14 15
OSCOAP Response 9 9 9
Figure 1: Overhead as a function of sequence number
4. Summary
DTLS 1.2 has quite a large overhead as it uses an explicit sequence
number and an explicit nonce. DTLS 1.3, TLS 1.2, and TLS 1.3 have
significantly less overhead.
Both DTLS compression methods provides very good compression. raza-
6lo-compressed-dtls achieves slightly better compression but requires
state. GHC is stateless but provides slightly worse compression. As
DTLS 1.3 uses the same version number as DTLS 1.2, both GHC and raza-
6lo-compressed-dtls works well also for DTLS 1.3.
The Generic Header Compression (6LoWPAN-GHC) is not very generic (the
static dictionary is more or less a DTLS record layer) and the
compression of TLS is significantly worse than the compression of
DTLS. Similar compression levels as for DTLS could be achieved also
for TLS, but this would require different static dictionaries for
each version of TLS (as TLS 1.2 and TLS 1.3 uses different version
numbers).
The header compression is not available when (D)TLS is exchanged over
transports that do not use 6LoWPAN together with 6LoWPAN-GHC or raza-
6lo-compressed-dtls.
OSCOAP has much lower overhead than DTLS and TLS. The overhead of
OSCOAP is smaller than DTLS over 6LoWPAN with compression, and this
small overhead is achieved even on deployments without 6LoWPAN or
6LoWPAN without DTLS compression. OSCOAP is lightweight because it
makes use of some excellent features in CoAP, CBOR, and COSE.
Mattsson Expires September 14, 2017 [Page 10]
Internet-Draft CoAP Security Overhead March 2017
5. Security Considerations
This document is purely informational.
6. Acknowledgments
The authors want to thank Ari Keraenen for reviewing previous
versions of the draft.
7. Informative References
[I-D.ietf-core-coap-tcp-tls]
Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
Silverajan, B., and B. Raymor, "CoAP (Constrained
Application Protocol) over TCP, TLS, and WebSockets",
draft-ietf-core-coap-tcp-tls-07 (work in progress), March
2017.
[I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security of CoAP (OSCOAP)", draft-ietf-core-
object-security-01 (work in progress), December 2016.
[I-D.ietf-tls-tls13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", draft-ietf-tls-tls13-19 (work in progress),
March 2017.
[I-D.rescorla-tls-dtls13]
Rescorla, E. and H. Tschofenig, "The Datagram Transport
Layer Security (DTLS) Protocol Version 1.3", draft-
rescorla-tls-dtls13-00 (work in progress), October 2016.
[raza-6lo-compressed-dtls]
Raza, S., Shafagh, H., and O. Dupont, "Compression of
Record and Handshake Headers for Constrained
Environments", March 2017,
<http://shahidraza.info/draft-raza-6lo-compressed.txt>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<http://www.rfc-editor.org/info/rfc5246>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <http://www.rfc-editor.org/info/rfc6347>.
Mattsson Expires September 14, 2017 [Page 11]
Internet-Draft CoAP Security Overhead March 2017
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014,
<http://www.rfc-editor.org/info/rfc7252>.
[RFC7400] Bormann, C., "6LoWPAN-GHC: Generic Header Compression for
IPv6 over Low-Power Wireless Personal Area Networks
(6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November
2014, <http://www.rfc-editor.org/info/rfc7400>.
[RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer
Security (TLS) / Datagram Transport Layer Security (DTLS)
Profiles for the Internet of Things", RFC 7925,
DOI 10.17487/RFC7925, July 2016,
<http://www.rfc-editor.org/info/rfc7925>.
Author's Address
John Mattsson
Ericsson AB
Faeroegatan 6
Kista SE-164 80 Stockholm
Sweden
Email: john.mattsson@ericsson.com
Mattsson Expires September 14, 2017 [Page 12]