Network Working Group                                     L. Schmertmann
Internet-Draft                                                 K. Hartke
Intended status: Informational                           C. Bormann, Ed.
Expires: February 16, 2015                       Universitaet Bremen TZI
                                                         August 15, 2014


                   CoDTLS: DTLS handshakes over CoAP
                    draft-schmertmann-dice-codtls-01

Abstract

   The Datagram Transport Layer Security protocol, DTLS, is usually
   transported over UDP.  In Constrained Node Networks, there may be
   considerable limitations on the packet delivery rates and on
   practically usable packet sizes.  Applications often can control the
   size and retransmission requirements of their data packets, but the
   DTLS handshake is out of scope for such application optimizations.

   This specification defines how to perform a DTLS handshake on top of
   the CoAP protocol.  The resulting DTLS connection may then be used
   for instance for transporting CoAP, or as a source of keying
   material.  The latter case is particularly interesting if the CoAP
   exchanges transporting the DTLS handshake messages traverse CoAP
   proxies.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 16, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.




Schmertmann, et al.     Expires February 16, 2015               [Page 1]


Internet-Draft                   CoDTLS                      August 2014


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Stateless Compression . . . . . . . . . . . . . . . . . . . .   3
   3.  Operation . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Discussion  . . . . . . . . . . . . . . . . . . . . . . . . .   7
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
     5.1.  Media Types ("MIME Type") . . . . . . . . . . . . . . . .   7
     5.2.  CoAP Content-Formats  . . . . . . . . . . . . . . . . . .   9
     5.3.  Link relation . . . . . . . . . . . . . . . . . . . . . .   9
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  10
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   Constrained nodes in constrained node networks [RFC7228] often need
   robust security.  The Constrained Application Protocol (CoAP),
   [RFC7252], has chosen DTLS as the protocol to be used for
   communication security between CoAP nodes.  DTLS was defined without
   special considerations for the capabilities of constrained nodes.
   The packets are relatively verbose, and the error control mechanisms
   and parameters work best in a typical Ethernet-like environment.

   [I-D.hartke-core-codtls] proposes to mitigate these problems by
   running the DTLS handshake over CoAP.  The present document discusses
   such a protocol in more detail, based on an initial implementation
   that was tested on MC13224-based constrained nodes (ARM7TDMI, 96 KiB
   RAM shared for both code and data filled from serial flash).








Schmertmann, et al.     Expires February 16, 2015               [Page 2]


Internet-Draft                   CoDTLS                      August 2014


1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Stateless Compression

   DTLS handshake messages are carried in CoAP bodies exchanged in CoAP
   requests and responses, possibly sliced up by the block protocol
   [I-D.ietf-core-block].  Each body is of a media type (Content-Format)
   that can contain multiple concatenated handshake messages.  Along the
   lines of a compression scheme also defined in
   [I-D.hartke-core-codtls], the DTLS header is compressed as follows:

     struct {
        ContentType type;
        ProtocolVersion version;
        uint16 epoch;                                    // New field
        uint48 sequence_number;                          // New field
        uint16 length;
        opaque fragment[DTLSPlaintext.length];
     } DTLSPlaintext;

     enum {
         change_cipher_spec(20), alert(21), handshake(22),
         application_data(23), (255)
     } ContentType;

     ->

      0                   1
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |0| T | V |  E  |1 1 0|  S  | L |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   For T = 0, the initial header is followed by an 8-bit field for the
   "type".  T = 1 compactly encodes the "type" value "alert" (21), T = 2
   stands for "handshake" (22), T = 3 for "application_data" (23).  (Not
   that "change_cipher_spec" is transported in a different way.)

   For V = 1, this is followed by a two-byte field for the "version".
   For V = 0, version is 254.255 (TLS 1.0), for V = 2 version is 254.253
   (TLS 1.2), and V = 3 is reserved.

   E encodes the epoch directly (0..4), 5 or 6 specifies that an 8 or
   16-bit field followed.  The value 7 is only allowed for handshake



Schmertmann, et al.     Expires February 16, 2015               [Page 3]


Internet-Draft                   CoDTLS                      August 2014


   packets following another handshake packet in a CoAP body, it means
   the epoch is copied from the previous handshake packet in the same
   body.

   S encodes the sequence number.  For values 1 to 6, the sequence
   number is attached in 1 to 6 bytes, respectively.  Value 0 means the
   sequence number is not sent at all.  Value 7 again refers to the
   preceding handshake packet in the same body, adding one to the
   sequence number used there.

   L encodes the length.  For values 1 and 2, the length is attached in
   1 or 2 bytes.  For value 3, the length is the remaining length of the
   payload.  Value 0 is reserved.

   Within a handshake payload, multiple handshake messages are
   concatenated, each preceded by a short header:

      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+
     |     T     | L |
     +-+-+-+-+-+-+-+-+

   T defines the handshake type (with two values special-cased: 32 for
   change_cipher_spec and 33 for alert).  L is the number of bytes that
   follow and give the length; 0 stands for length 0, 1 and 2 for 1 or 2
   bytes following giving the length, and 3 standing for the rest of the
   handshake payload.  Note that this format does not address the
   fragmentation mechanism provided by DTLS, as the assumption is this
   will not be required in DTLS handshakes performed by constrained
   nodes.

3.  Operation

   To offer DTLS over CoAP, a CoAP server provides a resource that
   accepts the media types defined in this section, identified by the
   content-formats in Section 5.2.  The specific URI of the resource is
   up to the server.  (In the examples, we are assuming it is at the
   root of the server, i.e., no Uri-Path options are sent.)  The client
   learns the URI using the usual discovery processes, e.g., the CoRE
   resource directory [I-D.ietf-core-resource-directory].

   The client sends the client hello as an application/dtls-hello
   payload in a POST request to the DTLS URI of the server.  The server
   MUST NOT accept Block1 options on requests carrying application/dtls-
   hello hello payloads unless it can already verify a cookie from the
   first block.  (This means that both a cookieless ClientHello request,
   and the part of a cookied ClientHello that contains the cookie, need




Schmertmann, et al.     Expires February 16, 2015               [Page 4]


Internet-Draft                   CoDTLS                      August 2014


   to fit into a single UDP packet of an appropriate size.  The server
   needs to dimension its cookies accordingly.)

   Once the client hello is accepted, the server builds state, as
   indicated in Location options in the 2.01 created response.  The
   client switches to PATCHing that state using application/dtls-
   handshake messages.  Instead of creating a separate resource for
   this, the client simply continues sending to the same DTLS resource.
   (Alternatively, the server could send back a URI for a new resource
   from the first successful POST exchange.  This is not implemented in
   the current code, but will be required for operation through
   proxies.)

   Figure 1 shows an example message exchange.  The PATCH method is
   currently implemented as a POST, awaiting a PATCH method registration
   for CoAP.



































Schmertmann, et al.     Expires February 16, 2015               [Page 5]


Internet-Draft                   CoDTLS                      August 2014


     Client                                Server
     ------                                ------

     POST /
     ClientHello                  ----->

                                           4.01 Unauthorized
                                  <-----   HelloVerifyRequest


     POST /
     ClientHello                  ----->

                                           2.01 Created /dCST0E
                                           ServerHello
                                           Certificate*
                                           ServerKeyExchange*
                                           CertificateRequest*
                                  <-----   ServerHelloDone

     PATCH /dCST0E
     Certificate*
     ClientKeyExchange
     CertificateVerify*
     [ChangeCipherSpec]
     Finished                     ----->

                                           2.04 Changed
                                           [ChangeCipherSpec]
                                  <-----   Finished

               Figure 1: Message Flights for Full Handshake

   Table 1 shows the implementation size of the current demonstrator
   implementation.  Assuming that a CoAP library is already available,
   around 7.2 KiB are required for the entire CoDTLS implementation.
   (Note that the specific CoAP library in use required about 2134 bytes
   additional code to implement all the CoAP features required,
   including Block1, and some management code.)  The implementation can
   operate with 2.0 KiB stack size.











Schmertmann, et al.     Expires February 16, 2015               [Page 6]


Internet-Draft                   CoDTLS                      August 2014


           +------------+--------------------------------------+
           | Size (KiB) | Function                             |
           +------------+--------------------------------------+
           | 2.41       | ECC functions                        |
           | 0.95       | AES modes (CCM + CMAC)               |
           | 0.80       | Storage management                   |
           | 0.79       | Session management                   |
           | 0.15       | PRF                                  |
           | 1.78       | CoAP Resource implementing handshake |
           | 0.32       | Parse & Send                         |
           +------------+--------------------------------------+

            Table 1: Code sizes in demonstrator implementation

4.  Discussion

   An alternative approach to the DTLS tunneling described here is to
   directly use the TLS handshake [RFC5246], as all prerequisites are
   already available in the reliability mechanisms provided by CoAP.
   However, this would require the addition of a DoS countermeasure,
   which in turn might be a useful component beyond the usage in this
   specification.  Also, if it is desired to directly use the DTLS
   record layer after a CoAP-mediated handshake, the details of the
   transition from TLS to DTLS need to be specified.

5.  IANA Considerations

   This specification defines two new Internet media types [RFC6838]:

   o  application/dtls-hello

   o  application/dtls-handshake

   This specification also defines the entries in the Content-Format
   registry for these new media types.

5.1.  Media Types ("MIME Type")

   The Internet media type [RFC6838] for a DTLS hello is application/
   dtls-hello.

   Type name: application

   Subtype name: dtls-hello

   Required parameters: n/a

   Optional parameters: n/a



Schmertmann, et al.     Expires February 16, 2015               [Page 7]


Internet-Draft                   CoDTLS                      August 2014


   Encoding considerations:  binary

   Security considerations:  See Section 6 of this document

   Interoperability considerations: n/a

   Published specification: This document

   Applications that use this media type:  Setup of DTLS sessions over
      CoAP

   Additional information:
     Magic number(s): n/a
     File extension(s): n/a
     Macintosh file type code(s): n/a

   Person & email address to contact for further information:
     Carsten Bormann
     cabo@tzi.org

   Intended usage: COMMON

   Restrictions on usage: none

   Author:
     Carsten Bormann <cabo@tzi.org>

   Change controller:
     The IESG <iesg@ietf.org>

   The Internet media type [RFC6838] for a DTLS handshake message is
   application/dtls-handshake.

   Type name: application

   Subtype name: dtls-hello

   Required parameters: n/a

   Optional parameters: n/a

   Encoding considerations:  binary

   Security considerations:  See Section 6 of this document

   Interoperability considerations: n/a

   Published specification: This document



Schmertmann, et al.     Expires February 16, 2015               [Page 8]


Internet-Draft                   CoDTLS                      August 2014


   Applications that use this media type:  Setup of DTLS sessions over
      CoAP

   Additional information:
     Magic number(s): n/a
     File extension(s): n/a
     Macintosh file type code(s): n/a

   Person & email address to contact for further information:
     Carsten Bormann
     cabo@tzi.org

   Intended usage: COMMON

   Restrictions on usage: none

   Author:
     Carsten Bormann <cabo@tzi.org>

   Change controller:
     The IESG <iesg@ietf.org>

5.2.  CoAP Content-Formats

   Media Type: application/dtls-hello

   Encoding: -

   Id: TBD1

   Reference: [RFC-THIS-SPEC]

   Media Type: application/dtls-handshake

   Encoding: -

   Id: TBD2

   Reference: [RFC-THIS-SPEC]

5.3.  Link relation

   TBD: There needs to be a way to find DTLS resources on a server,
   e.g., in a resource directory.  This is usually done by defining an
   appropriate link relation.






Schmertmann, et al.     Expires February 16, 2015               [Page 9]


Internet-Draft                   CoDTLS                      August 2014


6.  Security Considerations

   The security considerations of [RFC6347] and [RFC7252] apply.

   In its main part, this specification provides a way to carry around
   DTLS packets.  Under the Internet Threat Model, those packets already
   traverse unsecured networks, so any attack that could be used to
   subvert DTLS packets sent over CoAP could already be used to subvert
   the DTLS packets when sent over traditional transports.  Obviously
   implementers still need to implement the DTLS state machine fully.
   In addition, if the CoAP exchanges run over unsecured channels, those
   channels will need to be made robust to the usual attacks.

   If the option is chosen to derive the Finished MACs from the CoAP
   representation, much more substantial security analysis is required,
   and this section will need to discuss its security considerations.

7.  Acknowledgements

   Olaf Bergmann is a co-author of the base specification this
   implementation has been derived from.

8.  References

8.1.  Normative References

   [I-D.ietf-core-block]
              Bormann, C. and Z. Shelby, "Blockwise transfers in CoAP",
              draft-ietf-core-block-15 (work in progress), July 2014.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252, June 2014.

8.2.  Informative References

   [I-D.hartke-core-codtls]
              Hartke, K. and O. Bergmann, "Datagram Transport Layer
              Security in Constrained Environments", draft-hartke-core-
              codtls-02 (work in progress), July 2012.



Schmertmann, et al.     Expires February 16, 2015              [Page 10]


Internet-Draft                   CoDTLS                      August 2014


   [I-D.ietf-core-resource-directory]
              Shelby, Z., Bormann, C., and S. Krco, "CoRE Resource
              Directory", draft-ietf-core-resource-directory-01 (work in
              progress), December 2013.

   [RFC6838]  Freed, N., Klensin, J., and T. Hansen, "Media Type
              Specifications and Registration Procedures", BCP 13, RFC
              6838, January 2013.

   [RFC7228]  Bormann, C., Ersue, M., and A. Keranen, "Terminology for
              Constrained-Node Networks", RFC 7228, May 2014.

Authors' Addresses

   Lars Schmertmann
   Universitaet Bremen TZI
   Postfach 330440
   Bremen  D-28359
   Germany

   Email: lars@tzi.de


   Klaus Hartke
   Universitaet Bremen TZI
   Postfach 330440
   Bremen  D-28359
   Germany

   Phone: +49-421-218-63905
   Email: hartke@tzi.org


   Carsten Bormann (editor)
   Universitaet Bremen TZI
   Postfach 330440
   Bremen  D-28359
   Germany

   Phone: +49-421-218-63921
   Email: cabo@tzi.org










Schmertmann, et al.     Expires February 16, 2015              [Page 11]