rfc9175.original   rfc9175.txt 
CoRE Working Group C. Amsuess Internet Engineering Task Force (IETF) C. Amsüss
Internet-Draft Request for Comments: 9175
Updates: 7252 (if approved) J. Mattsson Updates: 7252 J. Preuß Mattsson
Intended status: Standards Track G. Selander Category: Standards Track G. Selander
Expires: 7 April 2022 Ericsson AB ISSN: 2070-1721 Ericsson AB
4 October 2021 February 2022
CoAP: Echo, Request-Tag, and Token Processing Constrained Application Protocol (CoAP): Echo, Request-Tag, and Token
draft-ietf-core-echo-request-tag-14 Processing
Abstract Abstract
This document specifies enhancements to the Constrained Application This document specifies enhancements to the Constrained Application
Protocol (CoAP) that mitigate security issues in particular use Protocol (CoAP) that mitigate security issues in particular use
cases. The Echo option enables a CoAP server to verify the freshness cases. The Echo option enables a CoAP server to verify the freshness
of a request or to force a client to demonstrate reachability at its of a request or to force a client to demonstrate reachability at its
claimed network address. The Request-Tag option allows the CoAP claimed network address. The Request-Tag option allows the CoAP
server to match block-wise message fragments belonging to the same server to match block-wise message fragments belonging to the same
request. This document updates RFC 7252 with respect to the client request. This document updates RFC 7252 with respect to the
Token processing requirements, forbidding non-secure reuse of Tokens following: processing requirements for client Tokens, forbidding non-
to ensure binding of response to request when CoAP is used with a secure reuse of Tokens to ensure response-to-request binding when
security protocol, and with respect to amplification mitigation, CoAP is used with a security protocol, and amplification mitigation
where the use of Echo is now recommended. (where the use of the Echo option is now recommended).
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the CORE Working Group
mailing list (core@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/core/.
Source for this draft and an issue tracker can be found at
https://github.com/core-wg/echo-request-tag.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 7 April 2022. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9175.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Simplified BSD License text to this document. Code Components extracted from this document must
as described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Simplified BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology
2. Request Freshness and the Echo Option . . . . . . . . . . . . 5 2. Request Freshness and the Echo Option
2.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 5 2.1. Request Freshness
2.2. The Echo Option . . . . . . . . . . . . . . . . . . . . . 5 2.2. The Echo Option
2.2.1. Echo Option Format . . . . . . . . . . . . . . . . . 6 2.2.1. Echo Option Format
2.3. Echo Processing . . . . . . . . . . . . . . . . . . . . . 7 2.3. Echo Processing
2.4. Applications of the Echo Option . . . . . . . . . . . . . 10 2.4. Applications of the Echo Option
2.5. Characterization of Echo Applications . . . . . . . . . . 13 2.5. Characterization of Echo Applications
2.5.1. Time versus Event Based Freshness . . . . . . . . . . 13 2.5.1. Time-Based versus Event-Based Freshness
2.5.2. Authority over Used Information . . . . . . . . . . . 13 2.5.2. Authority over Used Information
2.5.3. Protection by a Security Protocol . . . . . . . . . . 14 2.5.3. Protection by a Security Protocol
2.6. Updated Amplification Mitigation Requirements for 2.6. Updated Amplification Mitigation Requirements for Servers
Servers . . . . . . . . . . . . . . . . . . . . . . . . . 15 3. Protecting Message Bodies Using Request Tags
3. Protecting Message Bodies using Request Tags . . . . . . . . 15 3.1. Fragmented Message Body Integrity
3.1. Fragmented Message Body Integrity . . . . . . . . . . . . 15 3.2. The Request-Tag Option
3.2. The Request-Tag Option . . . . . . . . . . . . . . . . . 16 3.2.1. Request-Tag Option Format
3.2.1. Request-Tag Option Format . . . . . . . . . . . . . . 16 3.3. Request-Tag Processing by Servers
3.3. Request-Tag Processing by Servers . . . . . . . . . . . . 17 3.4. Setting the Request-Tag
3.4. Setting the Request-Tag . . . . . . . . . . . . . . . . . 18 3.5. Applications of the Request-Tag Option
3.5. Applications of the Request-Tag Option . . . . . . . . . 19 3.5.1. Body Integrity Based on Payload Integrity
3.5.1. Body Integrity Based on Payload Integrity . . . . . . 19 3.5.2. Multiple Concurrent Block-Wise Operations
3.5.2. Multiple Concurrent Block-wise Operations . . . . . . 20 3.5.3. Simplified Block-Wise Handling for Constrained Proxies
3.5.3. Simplified Block-Wise Handling for Constrained 3.6. Rationale for the Option Properties
Proxies . . . . . . . . . . . . . . . . . . . . . . . 21 3.7. Rationale for Introducing the Option
3.8. Block2 and ETag Processing
3.6. Rationale for the Option Properties . . . . . . . . . . . 21 4. Token Processing for Secure Request-Response Binding
3.7. Rationale for Introducing the Option . . . . . . . . . . 21 4.1. Request-Response Binding
3.8. Block2 / ETag Processing . . . . . . . . . . . . . . . . 22 4.2. Updated Token Processing Requirements for Clients
4. Token Processing for Secure Request-Response Binding . . . . 22 5. Security Considerations
4.1. Request-Response Binding . . . . . . . . . . . . . . . . 22 5.1. Token Reuse
4.2. Updated Token Processing Requirements for Clients . . . . 23 6. Privacy Considerations
5. Security Considerations . . . . . . . . . . . . . . . . . . . 23 7. IANA Considerations
5.1. Token reuse . . . . . . . . . . . . . . . . . . . . . . . 25 8. References
6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 26 8.1. Normative References
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 8.2. Informative References
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 Appendix A. Methods for Generating Echo Option Values
8.1. Normative References . . . . . . . . . . . . . . . . . . 28 Appendix B. Request-Tag Message Size Impact
8.2. Informative References . . . . . . . . . . . . . . . . . 28 Acknowledgements
Appendix A. Methods for Generating Echo Option Values . . . . . 30 Authors' Addresses
Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 32
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 32
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 41
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction 1. Introduction
The initial Constrained Application Protocol (CoAP) suite of The initial suite of specifications for the Constrained Application
specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed Protocol (CoAP) ([RFC7252], [RFC7641], and [RFC7959]) was designed
with the assumption that security could be provided on a separate with the assumption that security could be provided on a separate
layer, in particular by using DTLS ([RFC6347]). However, for some layer, in particular, by using DTLS [RFC6347]. However, for some use
use cases, additional functionality or extra processing is needed to cases, additional functionality or extra processing is needed to
support secure CoAP operations. This document specifies security support secure CoAP operations. This document specifies security
enhancements to the Constrained Application Protocol (CoAP). enhancements to CoAP.
[ Note to RFC editor: If C321 gets published before C280, then the
[RFC6347] references can be upgraded to draft-ietf-tls-dtls13-43
without the need for further changes; the reference is to 6347 here
because that was the stable DTLS reference when the document was last
touched by the authors. ]
This document specifies two CoAP options, the Echo option and the This document specifies two CoAP options, the Echo option and the
Request-Tag option: The Echo option enables a CoAP server to verify Request-Tag option. The Echo option enables a CoAP server to verify
the freshness of a request, which can be used to synchronize state, the freshness of a request, which can be used to synchronize state,
or to force a client to demonstrate reachability at its claimed or to force a client to demonstrate reachability at its claimed
network address. The Request-Tag option allows the CoAP server to network address. The Request-Tag option allows the CoAP server to
match message fragments belonging to the same request, fragmented match message fragments belonging to the same request, fragmented
using the CoAP block-wise transfer mechanism, which mitigates attacks using the CoAP block-wise transfer mechanism, which mitigates attacks
and enables concurrent block-wise operations. These options in and enables concurrent block-wise operations. These options in
themselves do not replace the need for a security protocol; they themselves do not replace the need for a security protocol; they
specify the format and processing of data which, when integrity specify the format and processing of data that, when integrity
protected using e.g. DTLS ([RFC6347]), TLS ([RFC8446]), or OSCORE protected using, e.g., DTLS [RFC6347], TLS [RFC8446], or Object
([RFC8613]), provide the additional security features. Security for Constrained RESTful Environments (OSCORE) [RFC8613],
provide the additional security features.
This document updates [RFC7252] with a recommendation that servers This document updates [RFC7252] with a recommendation that servers
use the Echo option to mitigate amplification attacks. use the Echo option to mitigate amplification attacks.
The document also updates the Token processing requirements for The document also updates the Token processing requirements for
clients specified in [RFC7252]. The updated processing forbids non- clients specified in [RFC7252]. The updated processing forbids non-
secure reuse of Tokens to ensure binding of responses to requests secure reuse of Tokens to ensure binding of responses to requests
when CoAP is used with security, thus mitigating error cases and when CoAP is used with security, thus mitigating error cases and
attacks where the client may erroneously associate the wrong response attacks where the client may erroneously associate the wrong response
to a request. to a request.
Each of the following sections provides a more detailed introduction Each of the following sections provides a more-detailed introduction
to the topic at hand in its first subsection. to the topic at hand in its first subsection.
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Like [RFC7252], this document is relying on the Representational Like [RFC7252], this document relies on the Representational State
State Transfer [REST] architecture of the Web. Transfer [REST] architecture of the Web.
Unless otherwise specified, the terms "client" and "server" refer to Unless otherwise specified, the terms "client" and "server" refer to
"CoAP client" and "CoAP server", respectively, as defined in "CoAP client" and "CoAP server", respectively, as defined in
[RFC7252]. The term "origin server" is used as in [RFC7252]. The [RFC7252].
term "origin client" is used in this document to denote the client
from which a request originates; to distinguish from clients in
proxies.
A message's "freshness" is a measure of when a message was sent on a A message's "freshness" is a measure of when a message was sent on a
time scale of the recipient. A server that receives a request can timescale of the recipient. A server that receives a request can
either verify that the request is fresh or determine that it cannot either verify that the request is fresh or determine that it cannot
be verified that the request is fresh. What is considered a fresh be verified that the request is fresh. What is considered a fresh
message is application dependent; exemplary uses are "no more than message is application dependent; exemplary uses are "no more than 42
one hour ago" or "after this server's last reboot". seconds ago" or "after this server's last reboot".
The terms "payload" and "body" of a message are used as in [RFC7959]. The terms "payload" and "body" of a message are used as in [RFC7959].
The complete interchange of a request and a response body is called a The complete interchange of a request and a response body is called a
(REST) "operation". An operation fragmented using [RFC7959] is (REST) "operation". An operation fragmented using [RFC7959] is
called a "block-wise operation". A block-wise operation which is called a "block-wise operation". A block-wise operation that is
fragmenting the request body is called a "block-wise request fragmenting the request body is called a "block-wise request
operation". A block-wise operation which is fragmenting the response operation". A block-wise operation that is fragmenting the response
body is called a "block-wise response operation". body is called a "block-wise response operation".
Two request messages are said to be "matchable" if they occur between Two request messages are said to be "matchable" if they occur between
the same endpoint pair, have the same code, and have the same set of the same endpoint pair, have the same code, and have the same set of
options, with the exception that elective NoCacheKey options and options, with the exception that elective NoCacheKey options and
options involved in block-wise transfer (Block1, Block2 and Request- options involved in block-wise transfer (Block1, Block2, and Request-
Tag) need not be the same. Two operations are said to be matchable Tag) need not be the same. Two blockwise request operations are said
if any of their messages are. to be matchable if their request messages are matchable.
Two matchable block-wise operations are said to be "concurrent" if a Two matchable block-wise request operations are said to be
block of the second request is exchanged even though the client still "concurrent" if a block of the second request is exchanged even
intends to exchange further blocks in the first operation. though the client still intends to exchange further blocks in the
(Concurrent block-wise request operations from a single endpoint are first operation. (Concurrent block-wise request operations from a
impossible with the options of [RFC7959] (see the last paragraphs of single endpoint are impossible with the options of [RFC7959] -- see
Sections 2.4 and 2.5) because the second operation's block overwrites the last paragraphs of Sections 2.4 and 2.5 -- because the second
any state of the first exchange.). operation's block overwrites any state of the first exchange.)
The Echo and Request-Tag options are defined in this document. The Echo and Request-Tag options are defined in this document.
2. Request Freshness and the Echo Option 2. Request Freshness and the Echo Option
2.1. Request Freshness 2.1. Request Freshness
A CoAP server receiving a request is in general not able to verify A CoAP server receiving a request is, in general, not able to verify
when the request was sent by the CoAP client. This remains true even when the request was sent by the CoAP client. This remains true even
if the request was protected with a security protocol, such as DTLS. if the request was protected with a security protocol, such as DTLS.
This makes CoAP requests vulnerable to certain delay attacks which This makes CoAP requests vulnerable to certain delay attacks that are
are particularly perilous in the case of actuators particularly perilous in the case of actuators [COAP-ATTACKS]. Some
([I-D.mattsson-core-coap-attacks]). Some attacks can be mitigated by attacks can be mitigated by establishing fresh session keys, e.g.,
establishing fresh session keys, e.g. performing a DTLS handshake for performing a DTLS handshake for each request, but, in general, this
each request, but in general this is not a solution suitable for is not a solution suitable for constrained environments, for example,
constrained environments, for example, due to increased message due to increased message overhead and latency. Additionally, if
overhead and latency. Additionally, if there are proxies, fresh DTLS there are proxies, fresh DTLS session keys between the server and the
session keys between server and proxy does not say anything about proxy do not say anything about when the client made the request. In
when the client made the request. In a general hop-by-hop setting, a general hop-by-hop setting, freshness may need to be verified in
freshness may need to be verified in each hop. each hop.
A straightforward mitigation of potential delayed requests is that A straightforward mitigation of potential delayed requests is that
the CoAP server rejects a request the first time it appears and asks the CoAP server rejects a request the first time it appears and asks
the CoAP client to prove that it intended to make the request at this the CoAP client to prove that it intended to make the request at this
point in time. point in time.
2.2. The Echo Option 2.2. The Echo Option
This document defines the Echo option, a lightweight challenge- This document defines the Echo option, a lightweight challenge-
response mechanism for CoAP that enables a CoAP server to verify the response mechanism for CoAP that enables a CoAP server to verify the
freshness of a request. A fresh request is one whose age has not yet freshness of a request. A fresh request is one whose age has not yet
exceeded the freshness requirements set by the server. The freshness exceeded the freshness requirements set by the server. The freshness
requirements are application specific and may vary based on resource, requirements are application specific and may vary based on resource,
method, and parameters outside of CoAP such as policies. The Echo method, and parameters outside of CoAP, such as policies. The Echo
option value is a challenge from the server to the client included in option value is a challenge from the server to the client included in
a CoAP response and echoed back to the server in one or more CoAP a CoAP response and echoed back to the server in one or more CoAP
requests. requests.
This mechanism is not only important in the case of actuators, or This mechanism is not only important in the case of actuators, or
other use cases where the CoAP operations require freshness of other use cases where the CoAP operations require freshness of
requests, but also in general for synchronizing state between CoAP requests, but also in general for synchronizing state between a CoAP
client and server, cryptographically verifying the aliveness of the client and server, cryptographically verifying the aliveness of the
client, or forcing a client to demonstrate reachability at its client or forcing a client to demonstrate reachability at its claimed
claimed network address. The same functionality can be provided by network address. The same functionality can be provided by echoing
echoing freshness indicators in CoAP payloads, but this only works freshness indicators in CoAP payloads, but this only works for
for methods and response codes defined to have a payload. The Echo methods and response codes defined to have a payload. The Echo
option provides a convention to transfer freshness indicators that option provides a convention to transfer freshness indicators that
works for all methods and response codes. works for all methods and response codes.
2.2.1. Echo Option Format 2.2.1. Echo Option Format
The Echo Option is elective, safe-to-forward, not part of the cache- The Echo option is elective, safe to forward, not part of the cache-
key, and not repeatable, see Figure 1, which extends Table 4 of key, and not repeatable (see Table 1, which extends Table 4 of
[RFC7252]). [RFC7252]).
+--------+---+---+---+---+-------------+--------+------+---------+ +=====+===+===+===+===+======+========+========+=========+
| No. | C | U | N | R | Name | Format | Len. | Default | | No. | C | U | N | R | Name | Format | Length | Default |
+--------+---+---+---+---+-------------+--------+------+---------+ +=====+===+===+===+===+======+========+========+=========+
| TBD252 | | | x | | Echo | opaque | 1-40 | (none) | | 252 | | | x | | Echo | opaque | 1-40 | (none) |
+--------+---+---+---+---+-------------+--------+------+---------+ +-----+---+---+---+---+------+--------+--------+---------+
C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable Table 1: Echo Option Summary
Figure 1: Echo Option Summary C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable
The Echo option value is generated by a server, and its content and The Echo option value is generated by a server, and its content and
structure are implementation specific. Different methods for structure are implementation specific. Different methods for
generating Echo option values are outlined in Appendix A. Clients generating Echo option values are outlined in Appendix A. Clients
and intermediaries MUST treat an Echo option value as opaque and make and intermediaries MUST treat an Echo option value as opaque and make
no assumptions about its content or structure. no assumptions about its content or structure.
When receiving an Echo option in a request, the server MUST be able When receiving an Echo option in a request, the server MUST be able
to verify that the Echo option value (a) was generated by the server to verify that the Echo option value (a) was generated by the server
or some other party that the server trusts, and (b) fulfills the or some other party that the server trusts and (b) fulfills the
freshness requirements of the application. Depending on the freshness requirements of the application. Depending on the
freshness requirements the server may verify exactly when the Echo freshness requirements, the server may verify exactly when the Echo
option value was generated (time-based freshness) or verify that the option value was generated (time-based freshness) or verify that the
Echo option was generated after a specific event (event-based Echo option was generated after a specific event (event-based
freshness). As the request is bound to the Echo option value, the freshness). As the request is bound to the Echo option value, the
server can determine that the request is not older that the Echo server can determine that the request is not older than the Echo
option value. option value.
When the Echo option is used with OSCORE [RFC8613] it MAY be an Inner When the Echo option is used with OSCORE [RFC8613], it MAY be an
or Outer option, and the Inner and Outer values are independent. Inner or Outer option, and the Inner and Outer values are
OSCORE servers MUST only produce Inner Echo options unless they are independent. OSCORE servers MUST only produce Inner Echo options
merely testing for reachability of the client (the same as proxies unless they are merely testing for reachability of the client (the
may do). The Inner option is encrypted and integrity protected same as proxies may do). The Inner option is encrypted and integrity
between the endpoints, whereas the Outer option is not protected by protected between the endpoints, whereas the Outer option is not
OSCORE. As always with OSCORE, outer options are visible to (and may protected by OSCORE. As always with OSCORE, Outer options are
be acted on by) all proxies, and are visible on all links where no visible to (and may be acted on by) all proxies and are visible on
additional encryption (like TLS between client and proxy) is used. all links where no additional encryption (like TLS between client and
proxy) is used.
2.3. Echo Processing 2.3. Echo Processing
The Echo option MAY be included in any request or response (see The Echo option MAY be included in any request or response (see
Section 2.4 for different applications). Section 2.4 for different applications).
The application decides under what conditions a CoAP request to a The application decides under what conditions a CoAP request to a
resource is required to be fresh. These conditions can for example resource is required to be fresh. These conditions can, for example,
include what resource is requested, the request method and other data include what resource is requested, the request method and other data
in the request, and conditions in the environment such as the state in the request, and conditions in the environment, such as the state
of the server or the time of the day. of the server or the time of the day.
If a certain request is required to be fresh, the request does not If a certain request is required to be fresh, the request does not
contain a fresh Echo option value, and the server cannot verify the contain a fresh Echo option value, and the server cannot verify the
freshness of the request in some other way, the server MUST NOT freshness of the request in some other way, the server MUST NOT
process the request further and SHOULD send a 4.01 Unauthorized process the request further and SHOULD send a 4.01 (Unauthorized)
response with an Echo option. The server MAY include the same Echo response with an Echo option. The server MAY include the same Echo
option value in several different response messages and to different option value in several different response messages and to different
clients. Examples of this could be time-based freshness when several clients. Examples of this could be time-based freshness (when
responses are sent closely after each other or event-based freshness several responses are sent closely after each other) or event-based
with no event taking place between the responses. freshness (with no event taking place between the responses).
The server may use request freshness provided by the Echo option to The server may use request freshness provided by the Echo option to
verify the aliveness of a client or to synchronize state. The server verify the aliveness of a client or to synchronize state. The server
may also include the Echo option in a response to force a client to may also include the Echo option in a response to force a client to
demonstrate reachability at its claimed network address. Note that demonstrate reachability at its claimed network address. Note that
the Echo option does not bind a request to any particular previous the Echo option does not bind a request to any particular previous
response, but provides an indication that the client had access to response but provides an indication that the client had access to the
the previous response at the time when it created the request. previous response at the time when it created the request.
Upon receiving a 4.01 Unauthorized response with the Echo option, the Upon receiving a 4.01 (Unauthorized) response with the Echo option,
client SHOULD resend the original request with the addition of an the client SHOULD resend the original request with the addition of an
Echo option with the received Echo option value. The client MAY send Echo option with the received Echo option value. The client MAY send
a different request compared to the original request. Upon receiving a different request compared to the original request. Upon receiving
any other response with the Echo option, the client SHOULD echo the any other response with the Echo option, the client SHOULD echo the
Echo option value in the next request to the server. The client MAY Echo option value in the next request to the server. The client MAY
include the same Echo option value in several different requests to include the same Echo option value in several different requests to
the server, or discard it at any time (especially to avoid tracking, the server or discard it at any time (especially to avoid tracking;
see Section 6). see Section 6).
A client MUST only send Echo values to endpoints it received them A client MUST only send Echo option values to endpoints it received
from (where as defined in [RFC7252] Section 1.2, the security them from (where, as defined in Section 1.2 of [RFC7252], the
association is part of the endpoint). In OSCORE processing, that security association is part of the endpoint). In OSCORE processing,
means sending Echo values from Outer options (or from non-OSCORE that means sending Echo option values from Outer options (or from
responses) back in Outer options, and those from Inner options in non-OSCORE responses) back in Outer options and sending those from
Inner options in the same security context. Inner options in Inner options in the same security context.
Upon receiving a request with the Echo option, the server determines Upon receiving a request with the Echo option, the server determines
if the request is required to be fresh. If not, the Echo option MAY if the request is required to be fresh. If not, the Echo option MAY
be ignored. If the request is required to be fresh and the server be ignored. If the request is required to be fresh and the server
cannot verify the freshness of the request in some other way, the cannot verify the freshness of the request in some other way, the
server MUST use the Echo option to verify that the request is fresh. server MUST use the Echo option to verify that the request is fresh.
If the server cannot verify that the request is fresh, the request is If the server cannot verify that the request is fresh, the request is
not processed further, and an error message MAY be sent. The error not processed further, and an error message MAY be sent. The error
message SHOULD include a new Echo option. message SHOULD include a new Echo option.
One way for the server to verify freshness is to bind the Echo value One way for the server to verify freshness is to bind the Echo option
to a specific point in time and verify that the request is not older value to a specific point in time and verify that the request is not
than a certain threshold T. The server can verify this by checking older than a certain threshold T. The server can verify this by
that (t1 - t0) < T, where t1 is the request receive time and t0 is checking that (t1 - t0) < T, where t1 is the request receive time and
the time when the Echo option value was generated. An example t0 is the time when the Echo option value was generated. An example
message flow over DTLS is shown Figure 2. message flow over DTLS is shown Figure 1.
Client Server Client Server
| | | |
+------>| Code: 0.03 (PUT) +------>| Code: 0.03 (PUT)
| PUT | Token: 0x41 | PUT | Token: 0x41
| | Uri-Path: lock | | Uri-Path: lock
| | Payload: 0 (Unlock) | | Payload: 0 (Unlock)
| | | |
|<------+ Code: 4.01 (Unauthorized) |<------+ Code: 4.01 (Unauthorized)
| 4.01 | Token: 0x41 | 4.01 | Token: 0x41
skipping to change at page 9, line 5 skipping to change at line 359
| | Uri-Path: lock | | Uri-Path: lock
| | Echo: 0x00000009437468756c687521 (t0 = 9, +MAC) | | Echo: 0x00000009437468756c687521 (t0 = 9, +MAC)
| | Payload: 0 (Unlock) | | Payload: 0 (Unlock)
| | | |
| | Verify MAC, compare t1 - t0 = 1 < T => permitted. | | Verify MAC, compare t1 - t0 = 1 < T => permitted.
| | | |
|<------+ Code: 2.04 (Changed) |<------+ Code: 2.04 (Changed)
| 2.04 | Token: 0x42 | 2.04 | Token: 0x42
| | | |
Figure 2: Example Message Flow for Time-Based Freshness using the Figure 1: Example Message Flow for Time-Based Freshness Using the
'Integrity Protected Timestamp' construction of Appendix A 'Integrity-Protected Timestamp' Construction of Appendix A
Another way for the server to verify freshness is to maintain a cache Another way for the server to verify freshness is to maintain a cache
of values associated to events. The size of the cache is defined by of values associated to events. The size of the cache is defined by
the application. In the following we assume the cache size is 1, in the application. In the following, we assume the cache size is 1, in
which case freshness is defined as no new event has taken place. At which case, freshness is defined as "no new event has taken place".
each event a new value is written into the cache. The cache values At each event, a new value is written into the cache. The cache
MUST be different except with negligible probability. The server values MUST be different or chosen in a way so the probability for
verifies freshness by checking that e0 equals e1, where e0 is the collisions is negligible. The server verifies freshness by checking
cached value when the Echo option value was generated, and e1 is the that e0 equals e1, where e0 is the cached value when the Echo option
cached value at the reception of the request. An example message value was generated, and e1 is the cached value at the reception of
flow over DTLS is shown in Figure 3. the request. An example message flow over DTLS is shown in Figure 2.
Client Server Client Server
| | | |
+------>| Code: 0.03 (PUT) +------>| Code: 0.03 (PUT)
| PUT | Token: 0x41 | PUT | Token: 0x41
| | Uri-Path: lock | | Uri-Path: lock
| | Payload: 0 (Unlock) | | Payload: 0 (Unlock)
| | | |
|<------+ Code: 4.01 (Unauthorized) |<------+ Code: 4.01 (Unauthorized)
| 4.01 | Token: 0x41 | 4.01 | Token: 0x41
skipping to change at page 9, line 45 skipping to change at line 399
| PUT | Token: 0x42 | PUT | Token: 0x42
| | Uri-Path: lock | | Uri-Path: lock
| | Echo: 0x05 | | Echo: 0x05
| | Payload: 0 (Unlock) | | Payload: 0 (Unlock)
| | | |
| | Compare e1 = e0 => permitted. | | Compare e1 = e0 => permitted.
| | | |
|<------+ Code: 2.04 (Changed) |<------+ Code: 2.04 (Changed)
| 2.04 | Token: 0x42 | 2.04 | Token: 0x42
| | Echo: 0x06 (e2 = 6, to allow later locking | | Echo: 0x06 (e2 = 6, to allow later locking
| | without more round-trips) | | without more round trips)
| | | |
Figure 3: Example Message Flow for Event-Based Freshness using Figure 2: Example Message Flow for Event-Based Freshness Using
the 'Persistent Counter' construction of Appendix A the 'Persistent Counter' Construction of Appendix A
When used to serve freshness requirements (including client aliveness When used to serve freshness requirements (including client aliveness
and state synchronizing), the Echo option value MUST be integrity and state synchronizing), the Echo option value MUST be integrity
protected between the intended endpoints, e.g. using DTLS, TLS, or an protected between the intended endpoints, e.g., using DTLS, TLS, or
OSCORE Inner option ([RFC8613]). When used to demonstrate an OSCORE Inner option [RFC8613]. When used to demonstrate
reachability at a claimed network address, the Echo option SHOULD be reachability at a claimed network address, the Echo option SHOULD be
a MAC of the claimed address, but MAY be unprotected. Combining a Message Authentication Code (MAC) of the claimed address but MAY be
different Echo applications can necessitate different choices, see unprotected. Combining different Echo applications can necessitate
Appendix A item 2 for an example. different choices; see Appendix A, item 2 for an example.
An Echo option MAY be sent with a successful response, i.e., even An Echo option MAY be sent with a successful response, i.e., even
though the request satisfied any freshness requirements on the though the request satisfied any freshness requirements on the
operation. This is called a "preemptive" Echo value, and useful when operation. This is called a "preemptive" Echo option value and is
the server anticipates that the client will need to demonstrate useful when the server anticipates that the client will need to
freshness relative to the current response the near future. demonstrate freshness relative to the current response in the near
future.
A CoAP-to-CoAP proxy MAY set an Echo option on responses, both on A CoAP-to-CoAP proxy MAY set an Echo option on responses, both on
forwarded ones that had no Echo option or ones generated by the proxy forwarded ones that had no Echo option or ones generated by the proxy
(from cache or as an error). If it does so, it MUST remove the Echo (from cache or as an error). If it does so, it MUST remove the Echo
option it recognizes as one generated by itself on follow-up option it recognizes as one generated by itself on follow-up
requests. When it receives an Echo option in a response, it MAY requests. When it receives an Echo option in a response, it MAY
forward it to the client (and, not recognizing it as an own in future forward it to the client (and, not recognizing it as its own in
requests, relay it in the other direction as well) or process it on future requests, relay it in the other direction as well) or process
its own. If it does so, it MUST ensure that the client's request was it on its own. If it does so, it MUST ensure that the client's
generated (or is re-generated) after the Echo value used to send to request was generated (or is regenerated) after the Echo option value
the server was first seen. (In most cases, this means that the proxy used to send to the server was first seen. (In most cases, this
needs to ask the client to repeat the request with a new Echo value.) means that the proxy needs to ask the client to repeat the request
with a new Echo option value.)
The CoAP server side of CoAP-to-HTTP proxies MAY request freshness, The CoAP server side of CoAP-to-HTTP proxies MAY request freshness,
especially if they have reason to assume that access may require it especially if they have reason to assume that access may require it
(e.g. because it is a PUT or POST); how this is determined is out of (e.g., because it is a PUT or POST); how this is determined is out of
scope for this document. The CoAP client side of HTTP-to-CoAP scope for this document. The CoAP client side of HTTP-to-CoAP
proxies MUST respond to Echo challenges itself if the proxy knows proxies MUST respond to Echo challenges itself if the proxy knows
from the recent establishing of the connection that the HTTP request from the recent establishing of the connection that the HTTP request
is fresh. Otherwise, it MUST NOT repeat an unsafe request and SHOULD is fresh. Otherwise, it MUST NOT repeat an unsafe request and SHOULD
respond with 503 Service Unavailable, Retry-After: 0 and terminate respond with a 503 (Service Unavailable) with a Retry-After value of
any underlying Keep-Alive connection. If the HTTP request arrived in 0 seconds and terminate any underlying Keep-Alive connection. If the
Early Data, the proxy SHOULD use a 425 Too Early response instead HTTP request arrived in early data, the proxy SHOULD use a 425 (Too
(see [RFC8470]). They MAY also use other mechanisms to establish Early) response instead (see [RFC8470]). The proxy MAY also use
freshness of the HTTP request that are not specified here. other mechanisms to establish freshness of the HTTP request that are
not specified here.
2.4. Applications of the Echo Option 2.4. Applications of the Echo Option
Unless otherwise noted, all these applications require a security Unless otherwise noted, all these applications require a security
protocol to be used, and the Echo option to be protected by it. protocol to be used and the Echo option to be protected by it.
1. Actuation requests often require freshness guarantees to avoid 1. Actuation requests often require freshness guarantees to avoid
accidental or malicious delayed actuator actions. In general, accidental or malicious delayed actuator actions. In general,
all non-safe methods (e.g. POST, PUT, DELETE) may require all unsafe methods (e.g., POST, PUT, and DELETE) may require
freshness guarantees for secure operation. freshness guarantees for secure operation.
* The same Echo value may be used for multiple actuation * The same Echo option value may be used for multiple actuation
requests to the same server, as long as the total time since requests to the same server, as long as the total time since
the Echo option value was generated is below the freshness the Echo option value was generated is below the freshness
threshold. threshold.
* For actuator applications with low delay tolerance, to avoid * For actuator applications with low delay tolerance, to avoid
additional round-trips for multiple requests in rapid additional round trips for multiple requests in rapid
sequence, the server may send preemptive Echo values in sequence, the server may send preemptive Echo option values in
successful requests, irrespectively of whether the request successful requests, irrespectively of whether or not the
contained an Echo option or not. The client then uses the request contained an Echo option. The client then uses the
Echo option with the new value in the next actuation request, Echo option with the new value in the next actuation request,
and the server compares the receive time accordingly. and the server compares the receive time accordingly.
2. A server may use the Echo option to synchronize properties (such 2. A server may use the Echo option to synchronize properties (such
as state or time) with a requesting client. A server MUST NOT as state or time) with a requesting client. A server MUST NOT
synchronize a property with a client which is not the authority synchronize a property with a client that is not the authority of
of the property being synchronized. E.g. if access to a server the property being synchronized. For example, if access to a
resource is dependent on time, then server MUST NOT synchronize server resource is dependent on time, then the server MUST NOT
time with a client requesting access unless the client is time synchronize time with a client requesting access unless the
authority for the server. client is a time authority for the server.
Note that the state to be synchronized is not carried inside the Note that the state to be synchronized is not carried inside the
Echo option. Any explicit state information needs to be carried Echo option. Any explicit state information needs to be carried
along in the messages the Echo value is sent in; the Echo along in the messages the Echo option value is sent in; the Echo
mechanism only provides a partial order on the messages' mechanism only provides a partial order on the messages'
processing. processing.
* If a server reboots during operation it may need to * If a server reboots during operation, it may need to
synchronize state or time before continuing the interaction. synchronize state or time before continuing the interaction.
For example, with OSCORE it is possible to reuse a partly For example, with OSCORE, it is possible to reuse a partly
persistently stored security context by synchronizing the persistently stored security context by synchronizing the
Partial IV (sequence number) using the Echo option as Partial IV (sequence number) using the Echo option, as
specified in Section 7.5 of [RFC8613]. specified in Section 7.5 of [RFC8613].
* A device joining a CoAP group communication * A device joining a CoAP group communication [GROUP-COAP]
[I-D.ietf-core-groupcomm-bis] protected with OSCORE protected with OSCORE [GROUP-OSCORE] may be required to
[I-D.ietf-core-oscore-groupcomm] may be required to initially initially synchronize its replay window state with a client by
synchronize its replay window state with a client by using the using the Echo option in a unicast response to a multicast
Echo option in a unicast response to a multicast request. The request. The client receiving the response with the Echo
client receiving the response with the Echo option includes option includes the Echo option value in a subsequent unicast
the Echo value in a subsequent unicast request to the request to the responding server.
responding server.
3. An attacker can perform a denial-of-service attack by putting a 3. An attacker can perform a denial-of-service attack by putting a
victim's address in the source address of a CoAP request and victim's address in the source address of a CoAP request and
sending the request to a resource with a large amplification sending the request to a resource with a large amplification
factor. The amplification factor is the ratio between the size factor. The amplification factor is the ratio between the size
of the request and the total size of the response(s) to that of the request and the total size of the response(s) to that
request. A server that provides a large amplification factor to request. A server that provides a large amplification factor to
an unauthenticated peer SHOULD mitigate amplification attacks as an unauthenticated peer SHOULD mitigate amplification attacks, as
described in Section 11.3 of [RFC7252]. One way to mitigate such described in Section 11.3 of [RFC7252]. One way to mitigate such
attacks is that the server responds to the alleged source address attacks is for the server to respond to the alleged source
of the request with an Echo option in short response message address of the request with an Echo option in a short response
(e.g. 4.01 Unauthorized), thereby requesting the client to verify message (e.g., 4.01 (Unauthorized)), thereby requesting the
its source address. This needs to be done only once per endpoint client to verify its source address. This needs to be done only
and limits the range of potential victims from the general once per endpoint and limits the range of potential victims from
Internet to endpoints that have been previously in contact with the general Internet to endpoints that have been previously in
the server. For this application, the Echo option can be used in contact with the server. For this application, the Echo option
messages that are not integrity protected, for example during can be used in messages that are not integrity protected, for
discovery. (This is formally recommended in Section 2.6). example, during discovery. (This is formally recommended in
Section 2.6.)
* In the presence of a proxy, a server will not be able to * In the presence of a proxy, a server will not be able to
distinguish different origin client endpoints. Following from distinguish different origin client endpoints, i.e., the
the recommendation above, a proxy that provides a large client from which a request originates. Following from the
recommendation above, a proxy that provides a large
amplification factor to unauthenticated peers SHOULD mitigate amplification factor to unauthenticated peers SHOULD mitigate
amplification attacks. The proxy SHOULD use Echo to verify amplification attacks. The proxy SHOULD use the Echo option
origin reachability as described in Section 2.3. The proxy to verify origin reachability, as described in Section 2.3.
MAY forward safe requests immediately to have a cached result The proxy MAY forward safe requests immediately to have a
available when the client's repeated request arrives. cached result available when the client's repeated request
arrives.
* Amplification mitigation is a trade-off between giving * Amplification mitigation is a trade-off between giving
leverage to an attacker and causing overhead. An leverage to an attacker and causing overhead. An
amplification factor of 3 (i.e., don't send more than three amplification factor of 3 (i.e., don't send more than three
times the number of bytes received until the peer's address is times the number of bytes received until the peer's address is
confirmed) is considered acceptable for unconstrained confirmed) is considered acceptable for unconstrained
applications in [RFC9000] Section 8. applications in [RFC9000], Section 8.
When that limit is applied and no further context is When that limit is applied and no further context is
available, a safe default is sending initial responses no available, a safe default is sending initial responses no
larger than 136 Bytes in CoAP serialization. (The number is larger than 136 bytes in CoAP serialization. (The number is
assuming a 14 + 40 + 8 Bytes Ethernet, IP and UDP header with assuming Ethernet, IP, and UDP headers of 14, 40, and 8 bytes,
4 Bytes added for the CoAP header. Triple that minus the non- respectively, with 4 bytes added for the CoAP header. Triple
CoAP headers gives the 136 Bytes). Given the token also takes that minus the non-CoAP headers gives the 136 bytes.) Given
up space in the request, responding with 132 Bytes after the the token also takes up space in the request, responding with
token is safe as well. 132 bytes after the token is safe as well.
* When an Echo response is sent to mitigate amplification, it * When an Echo response is sent to mitigate amplification, it
MUST be sent as a piggybacked or Non-confirmable response, MUST be sent as a piggybacked or Non-confirmable response,
never as a separate one (which would cause amplification due never as a separate one (which would cause amplification due
to retransmission). to retransmission).
4. A server may want to use the request freshness provided by the 4. A server may want to use the request freshness provided by the
Echo to verify the aliveness of a client. Note that in a Echo option to verify the aliveness of a client. Note that, in a
deployment with hop-by-hop security and proxies, the server can deployment with hop-by-hop security and proxies, the server can
only verify aliveness of the closest proxy. only verify aliveness of the closest proxy.
2.5. Characterization of Echo Applications 2.5. Characterization of Echo Applications
Use cases for the Echo option can be characterized by several Use cases for the Echo option can be characterized by several
criteria that help determine the required properties of the Echo criteria that help determine the required properties of the Echo
value. These criteria apply both to those listed in Section 2.4 and option value. These criteria apply both to those listed in
any novel applications. They provide rationale for the statements in Section 2.4 and any novel applications. They provide rationale for
the former, and guidance for the latter. the statements in the former and guidance for the latter.
2.5.1. Time versus Event Based Freshness 2.5.1. Time-Based versus Event-Based Freshness
The property a client demonstrates by sending an Echo value is that The property a client demonstrates by sending an Echo option value is
the request was sent after a certain point in time, or after some that the request was sent after a certain point in time or after some
event happened on the server. event happened on the server.
When events are counted, they form something that can be used as a When events are counted, they form something that can be used as a
monotonic but very non-uniform time line. With highly regular events monotonic but very non-uniform time line. With highly regular events
and low-resolution time, the distinction between time and event based and low-resolution time, the distinction between time-based and
freshness can be blurred: "No longer than a month ago" is similar to event-based freshness can be blurred: "no longer than a month ago" is
"since the last full moon". similar to "since the last full moon".
In an extreme form of event based freshness, the server can place an In an extreme form of event-based freshness, the server can place an
event whenever an Echo value is used. This makes the Echo value event whenever an Echo option value is used. This makes the Echo
effectively single-use. option value effectively single use.
Event and time based freshness can be combined in a single Echo Event-based and time-based freshness can be combined in a single Echo
value, e.g. by encrypting a timestamp with a key that changes with option value, e.g., by encrypting a timestamp with a key that changes
every event to obtain "usable once but only for 5 minutes"-style with every event to obtain semantics in the style of "usable once but
semantics. only for 5 minutes".
2.5.2. Authority over Used Information 2.5.2. Authority over Used Information
Information conveyed to the server in the request Echo value has Information conveyed to the server in the request Echo option value
different authority depending on the application. Understanding who has different authority depending on the application. Understanding
or what is the authoritative source of that information helps the who or what is the authoritative source of that information helps the
server implementer decide the necessary protection of the Echo value. server implementor decide the necessary protection of the Echo option
value.
If all that is conveyed to the server is information which the client If all that is conveyed to the server is information that the client
is authorized to provide arbitrarily, (which is another way of saying is authorized to provide arbitrarily (which is another way of saying
that the server has to trust the client on whatever Echo is being that the server has to trust the client on whatever the Echo option
used for), then the server can issue Echo values that do not need to is being used for), then the server can issue Echo option values that
be protected on their own. They still need to be covered by the do not need to be protected on their own. They still need to be
security protocol that covers the rest of the message, but the Echo covered by the security protocol that covers the rest of the message,
value can be just short enough to be unique between this server and but the Echo option value can be just short enough to be unique
client. between this server and client.
For example, the client's OSCORE sender sequence number (as used in For example, the client's OSCORE Sender Sequence Number (as used in
[RFC8613] Appendix B.1.2) is such information. [RFC8613], Appendix B.1.2) is such information.
In most other cases, there is information conveyed for which the In most other cases, there is information conveyed for which the
server is the authority ("The request must not be older than five server is the authority ("the request must not be older than five
minutes" is counted on the server's clock, not the client's) or which minutes" is counted on the server's clock, not the client's) or which
even involve the network (as when performing amplification even involve the network (as when performing amplification
mitigation). In these cases, the Echo value itself needs to be mitigation). In these cases, the Echo option value itself needs to
protected against forgery by the client, e.g. by using a sufficiently be protected against forgery by the client, e.g., by using a
large random value or a MAC as described in Appendix A items 1 and 2. sufficiently large, random value or a MAC, as described in
Appendix A, items 1 and 2.
For some applications, the server may be able to trust the client to For some applications, the server may be able to trust the client to
also act as the authority (e.g. when using time based freshness also act as the authority (e.g., when using time-based freshness
purely to mitigate request delay attacks); these need careful case- purely to mitigate request delay attacks); these need careful case-
by-case evaluation. by-case evaluation.
To issue Echo values without own protection, the server needs to To issue Echo option values without integrity protection of its own,
trust the client to never produce requests with attacker controlled the server needs to trust the client to never produce requests with
Echo values. The provisions of Section 2.3 (saying that an Echo attacker-controlled Echo option values. The provisions of
value may only be sent as received from the same server) allow that. Section 2.3 (saying that an Echo option value may only be sent as
The requirement stated there for the client to treat the Echo value received from the same server) allow that. The requirement stated
as opaque holds for these application like for all others. there for the client to treat the Echo option value as opaque holds
for these applications like for all others.
When the client is the sole authority over the synchronized property, When the client is the sole authority over the synchronized property,
the server can still use time or events to issue new Echo values. the server can still use time or events to issue new Echo option
Then, the request's Echo value not so much proves the indicated values. Then, the request's Echo option value not so much proves the
freshness to the server, but reflects the client's intention to indicated freshness to the server but reflects the client's intention
indicate reception of responses containing that value when sending to indicate reception of responses containing that value when sending
the later ones. the later ones.
Note that a single Echo value can be used for multiple purposes (e.g. Note that a single Echo option value can be used for multiple
to get both the sequence number information and perform amplification purposes (e.g., to both get the sequence number information and
mitigation). In this case the stricter protection requirements perform amplification mitigation). In this case, the stricter
apply. protection requirements apply.
2.5.3. Protection by a Security Protocol 2.5.3. Protection by a Security Protocol
For meaningful results, the Echo option needs to be used in For meaningful results, the Echo option needs to be used in
combination with a security protocol in almost all applications. combination with a security protocol in almost all applications.
When the information extracted by the server is only about a part of When the information extracted by the server is only about a part of
the system outside of any security protocol, then the Echo option can the system outside of any security protocol, then the Echo option can
also be used without a security protocol (in case of OSCORE, as an also be used without a security protocol (in case of OSCORE, as an
outer option). Outer option).
The only known application satisfying this requirement is network The only known application satisfying this requirement is network
address reachability, where unprotected Echo values are used both by address reachability, where unprotected Echo option values are used
servers (e.g. during setup of a security context) and proxies (which both by servers (e.g., during setup of a security context) and
do not necessarily have a security association with their clients) proxies (which do not necessarily have a security association with
for amplification mitigation. their clients) for amplification mitigation.
2.6. Updated Amplification Mitigation Requirements for Servers 2.6. Updated Amplification Mitigation Requirements for Servers
This section updates the amplification mitigation requirements for This section updates the amplification mitigation requirements for
servers in [RFC7252] to recommend use of the Echo option to mitigate servers in [RFC7252] to recommend the use of the Echo option to
amplification attacks. The requirements for clients are not updated. mitigate amplification attacks. The requirements for clients are not
Section 11.3 of [RFC7252] is updated by adding the following text: updated. Section 11.3 of [RFC7252] is updated by adding the
following text:
A CoAP server SHOULD mitigate potential amplification attacks by | A CoAP server SHOULD mitigate potential amplification attacks by
responding to unauthenticated clients with 4.01 Unauthorized | responding to unauthenticated clients with 4.01 (Unauthorized)
including an Echo option, as described in Section 2.4 item 3 of | including an Echo option, as described in item 3 in Section 2.4 of
[[this document]]. | RFC 9175.
3. Protecting Message Bodies using Request Tags 3. Protecting Message Bodies Using Request Tags
3.1. Fragmented Message Body Integrity 3.1. Fragmented Message Body Integrity
CoAP was designed to work over unreliable transports, such as UDP, CoAP was designed to work over unreliable transports, such as UDP,
and includes a lightweight reliability feature to handle messages and includes a lightweight reliability feature to handle messages
which are lost or arrive out of order. In order for a security that are lost or arrive out of order. In order for a security
protocol to support CoAP operations over unreliable transports, it protocol to support CoAP operations over unreliable transports, it
must allow out-of-order delivery of messages. must allow out-of-order delivery of messages.
The block-wise transfer mechanism [RFC7959] extends CoAP by defining The block-wise transfer mechanism [RFC7959] extends CoAP by defining
the transfer of a large resource representation (CoAP message body) the transfer of a large resource representation (CoAP message body)
as a sequence of blocks (CoAP message payloads). The mechanism uses as a sequence of blocks (CoAP message payloads). The mechanism uses
a pair of CoAP options, Block1 and Block2, pertaining to the request a pair of CoAP options, Block1 and Block2, pertaining to the request
and response payload, respectively. The block-wise functionality and response payload, respectively. The block-wise functionality
does not support the detection of interchanged blocks between does not support the detection of interchanged blocks between
different message bodies to the same resource having the same block different message bodies to the same resource having the same block
number. This remains true even when CoAP is used together with a number. This remains true even when CoAP is used together with a
security protocol such as DTLS or OSCORE, within the replay window security protocol (such as DTLS or OSCORE) within the replay window
([I-D.mattsson-core-coap-attacks]), which is a vulnerability of CoAP [COAP-ATTACKS], which is a vulnerability of the block-wise
when using RFC7959. functionality of CoAP [RFC7959].
A straightforward mitigation of mixing up blocks from different A straightforward mitigation of mixing up blocks from different
messages is to use unique identifiers for different message bodies, messages is to use unique identifiers for different message bodies,
which would provide equivalent protection to the case where the which would provide equivalent protection to the case where the
complete body fits into a single payload. The ETag option [RFC7252], complete body fits into a single payload. The ETag option [RFC7252],
set by the CoAP server, identifies a response body fragmented using set by the CoAP server, identifies a response body fragmented using
the Block2 option. the Block2 option.
3.2. The Request-Tag Option 3.2. The Request-Tag Option
This document defines the Request-Tag option for identifying request This document defines the Request-Tag option for identifying request
bodies, similar to ETag, but ephemeral and set by the CoAP client. bodies, similar to ETag, but ephemeral and set by the CoAP client.
The Request-Tag is intended for use as a short-lived identifier for The Request-Tag is intended for use as a short-lived identifier for
keeping apart distinct block-wise request operations on one resource keeping apart distinct block-wise request operations on one resource
from one client, addressing the issue described in Section 3.1. It from one client, addressing the issue described in Section 3.1. It
enables the receiving server to reliably assemble request payloads enables the receiving server to reliably assemble request payloads
(blocks) to their message bodies, and, if it chooses to support it, (blocks) to their message bodies and, if it chooses to support it, to
to reliably process simultaneous block-wise request operations on a reliably process simultaneous block-wise request operations on a
single resource. The requests must be integrity protected if they single resource. The requests must be integrity protected if they
should protect against interchange of blocks between different should protect against interchange of blocks between different
message bodies. The Request-Tag option is only used in requests that message bodies. The Request-Tag option is mainly used in requests
carry the Block1 option, and in Block2 requests following these. that carry the Block1 option and in Block2 requests following these.
In essence, it is an implementation of the "proxy-safe elective In essence, it is an implementation of the "proxy-safe elective
option" used just to "vary the cache key" as suggested in [RFC7959] option" used just to "vary the cache key", as suggested in [RFC7959],
Section 2.4. Section 2.4.
3.2.1. Request-Tag Option Format 3.2.1. Request-Tag Option Format
The Request-Tag option is not critical, is safe to forward, The Request-Tag option is elective, safe to forward, repeatable, and
repeatable, and part of the cache key, see Figure 4, which extends part of the cache key (see Table 2, which extends Table 4 of
Table 4 of [RFC7252]). [RFC7252]).
+--------+---+---+---+---+-------------+--------+------+---------+ +=====+===+===+===+===+=============+========+========+=========+
| No. | C | U | N | R | Name | Format | Len. | Default | | No. | C | U | N | R | Name | Format | Length | Default |
+--------+---+---+---+---+-------------+--------+------+---------+ +=====+===+===+===+===+=============+========+========+=========+
| TBD292 | | | | x | Request-Tag | opaque | 0-8 | (none) | | 292 | | | | x | Request-Tag | opaque | 0-8 | (none) |
+--------+---+---+---+---+-------------+--------+------+---------+ +-----+---+---+---+---+-------------+--------+--------+---------+
C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable Table 2: Request-Tag Option Summary
Figure 4: Request-Tag Option Summary C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable
Request-Tag, like the block options, is both a class E and a class U Request-Tag, like the Block options, is both a class E and a class U
option in terms of OSCORE processing (see Section 4.1 of [RFC8613]): option in terms of OSCORE processing (see Section 4.1 of [RFC8613]).
The Request-Tag MAY be an Inner or Outer option. It influences the The Request-Tag MAY be an Inner or Outer option. It influences the
Inner or Outer block operation, respectively. The Inner and Outer Inner or Outer block operations, respectively. The Inner and Outer
values are therefore independent of each other. The Inner option is values are therefore independent of each other. The Inner option is
encrypted and integrity protected between client and server, and encrypted and integrity protected between the client and server, and
provides message body identification in case of end-to-end it provides message body identification in case of end-to-end
fragmentation of requests. The Outer option is visible to proxies fragmentation of requests. The Outer option is visible to proxies
and labels message bodies in case of hop-by-hop fragmentation of and labels message bodies in case of hop-by-hop fragmentation of
requests. requests.
The Request-Tag option is only used in the request messages of block- The Request-Tag option is only used in the request messages of block-
wise operations. wise operations.
The Request-Tag mechanism can be applied independently on the server The Request-Tag mechanism can be applied independently on the server
and client sides of CoAP-to-CoAP proxies as are the block options, and client sides of CoAP-to-CoAP proxies, as are the Block options.
though given it is safe to forward, a proxy is free to just forward However, given it is safe to forward, a proxy is free to just forward
it when processing an operation. CoAP-to-HTTP proxies and HTTP-to- it when processing an operation. CoAP-to-HTTP proxies and HTTP-to-
CoAP proxies can use Request-Tag on their CoAP sides; it is not CoAP proxies can use Request-Tag on their CoAP sides; it is not
applicable to HTTP requests. applicable to HTTP requests.
3.3. Request-Tag Processing by Servers 3.3. Request-Tag Processing by Servers
The Request-Tag option does not require any particular processing on The Request-Tag option does not require any particular processing on
the server side outside of the processing already necessary for any the server side outside of the processing already necessary for any
unknown elective proxy-safe cache-key option: The option varies the unknown elective proxy-safe cache-key option. The option varies the
properties that distinguish block-wise operations (which includes all properties that distinguish block-wise operations (which includes all
options except elective NoCacheKey and except Block1/2), and thus the options except Block1, Block2, and all operations that are elective
server cannot treat messages with a different list of Request-Tag NoCacheKey). Thus, the server cannot treat messages with a different
options as belonging to the same operation. list of Request-Tag options as belonging to the same operation.
To keep utilizing the cache, a server (including proxies) MAY discard To keep utilizing the cache, a server (including proxies) MAY discard
the Request-Tag option from an assembled block-wise request when the Request-Tag option from an assembled block-wise request when
consulting its cache, as the option relates to the operation-on-the- consulting its cache, as the option relates to the operation on the
wire and not its semantics. For example, a FETCH request with the wire and not its semantics. For example, a FETCH request with the
same body as an older one can be served from the cache if the older's same body as an older one can be served from the cache if the older's
Max-Age has not expired yet, even if the second operation uses a Max-Age has not expired yet, even if the second operation uses a
Request-Tag and the first did not. (This is similar to the situation Request-Tag and the first did not. (This is similar to the situation
about ETag in that it is formally part of the cache key, but about ETag in that it is formally part of the cache key, but
implementations that are aware of its meaning can cache more implementations that are aware of its meaning can cache more
efficiently, see [RFC7252] Section 5.4.2). efficiently (see [RFC7252], Section 5.4.2).
A server receiving a Request-Tag MUST treat it as opaque and make no A server receiving a Request-Tag MUST treat it as opaque and make no
assumptions about its content or structure. assumptions about its content or structure.
Two messages carrying the same Request-Tag is a necessary but not Two messages carrying the same Request-Tag is a necessary but not
sufficient condition for being part of the same operation. For one, sufficient condition for being part of the same operation. For one,
a server may still treat them as independent messages when it sends a server may still treat them as independent messages when it sends
2.01/2.04 responses for every block. Also, a client that lost 2.01 (Created) and 2.04 (Changed) responses for every block. Also, a
interest in an old operation but wants to start over can overwrite client that lost interest in an old operation but wants to start over
the server's old state with a new initial (num=0) Block1 request and can overwrite the server's old state with a new initial (num=0)
the same Request-Tag under some circumstances. Likewise, that Block1 request and the same Request-Tag under some circumstances.
results in the new message not being part of the old operation. Likewise, that results in the new message not being part of the old
operation.
As it has always been, a server that can only serve a limited number As it has always been, a server that can only serve a limited number
of block-wise operations at the same time can delay the start of the of block-wise operations at the same time can delay the start of the
operation by replying with 5.03 (Service unavailable) and a Max-Age operation by replying with 5.03 (Service Unavailable) and a Max-Age
indicating how long it expects the existing operation to go on, or it indicating how long it expects the existing operation to go on, or it
can forget about the state established with the older operation and can forget about the state established with the older operation and
respond with 4.08 (Request Entity Incomplete) to later blocks on the respond with 4.08 (Request Entity Incomplete) to later blocks on the
first operation. first operation.
3.4. Setting the Request-Tag 3.4. Setting the Request-Tag
For each separate block-wise request operation, the client can choose For each separate block-wise request operation, the client can choose
a Request-Tag value, or choose not to set a Request-Tag. It needs to a Request-Tag value or choose not to set a Request-Tag. It needs to
be set to the same value (or unset) in all messages belonging to the be set to the same value (or unset) in all messages belonging to the
same operation, as otherwise they are treated as separate operations same operation; otherwise, they are treated as separate operations by
by the server. the server.
Starting a request operation matchable to a previous operation and Starting a request operation matchable to a previous operation and
even using the same Request-Tag value is called request tag even using the same Request-Tag value is called "request tag
recycling. The absence of a Request-Tag option is viewed as a value recycling". The absence of a Request-Tag option is viewed as a value
distinct from all values with a single Request-Tag option set; distinct from all values with a single Request-Tag option set;
starting a request operation matchable to a previous operation where starting a request operation matchable to a previous operation where
neither has a Request-Tag option therefore constitutes request tag neither has a Request-Tag option therefore constitutes request tag
recycling just as well (also called "recycling the absent option"). recycling just as well (also called "recycling the absent option").
Clients that use Request-Tag for a particular purpose (like in Clients that use Request-Tag for a particular purpose (like in
Section 3.5) MUST NOT recycle a request tag unless the first Section 3.5) MUST NOT recycle a request tag unless the first
operation has concluded. What constitutes a concluded operation operation has concluded. What constitutes a concluded operation
depends on the purpose, and is defined accordingly; see examples in depends on the purpose and is defined accordingly; see examples in
Section 3.5. Section 3.5.
When Block1 and Block2 are combined in an operation, the Request-Tag When Block1 and Block2 are combined in an operation, the Request-Tag
of the Block1 phase is set in the Block2 phase as well for otherwise of the Block1 phase is set in the Block2 phase as well; otherwise,
the request would have a different set of options and would not be the request would have a different set of options and would not be
recognized any more. recognized any more.
Clients are encouraged to generate compact messages. This means Clients are encouraged to generate compact messages. This means
sending messages without Request-Tag options whenever possible, and sending messages without Request-Tag options whenever possible and
using short values when the absent option cannot be recycled. using short values when the absent option cannot be recycled.
Note that Request-Tag options can be present in request messages that Note that Request-Tag options can be present in request messages that
carry no Block option (for example, because a Request-Tag unaware carry no Block options (for example, because a proxy unaware of
proxy reassembled them), and MUST be ignored in those. Request-Tag reassembled them).
The Request-Tag option MUST NOT be present in response messages. The Request-Tag option MUST NOT be present in response messages.
3.5. Applications of the Request-Tag Option 3.5. Applications of the Request-Tag Option
3.5.1. Body Integrity Based on Payload Integrity 3.5.1. Body Integrity Based on Payload Integrity
When a client fragments a request body into multiple message When a client fragments a request body into multiple message
payloads, even if the individual messages are integrity protected, it payloads, even if the individual messages are integrity protected, it
is still possible for an attacker to maliciously replace a later is still possible for an attacker to maliciously replace a later
operation's blocks with an earlier operation's blocks (see operation's blocks with an earlier operation's blocks (see
Section 2.5 of [I-D.mattsson-core-coap-attacks]). Therefore, the Section 2.5 of [COAP-ATTACKS]). Therefore, the integrity protection
integrity protection of each block does not extend to the operation's of each block does not extend to the operation's request body.
request body.
In order to gain that protection, use the Request-Tag mechanism as In order to gain that protection, use the Request-Tag mechanism as
follows: follows:
* The individual exchanges MUST be integrity protected end-to-end * The individual exchanges MUST be integrity protected end to end
between client and server. between the client and server.
* The client MUST NOT recycle a request tag in a new operation * The client MUST NOT recycle a request tag in a new operation
unless the previous operation matchable to the new one has unless the previous operation matchable to the new one has
concluded. concluded.
If any future security mechanisms allow a block-wise transfer to If any future security mechanisms allow a block-wise transfer to
continue after an endpoint's details (like the IP address) have continue after an endpoint's details (like the IP address) have
changed, then the client MUST consider messages matchable if they changed, then the client MUST consider messages matchable if they
were sent to _any_ endpoint address using the new operation's were sent to any endpoint address using the new operation's
security context. security context.
* The client MUST NOT regard a block-wise request operation as * The client MUST NOT regard a block-wise request operation as
concluded unless all of the messages the client has sent in the concluded unless all of the messages the client has sent in the
operation would be regarded as invalid by the server if they were operation would be regarded as invalid by the server if they were
replayed. replayed.
When security services are provided by OSCORE, these confirmations When security services are provided by OSCORE, these confirmations
typically result either from the client receiving an OSCORE typically result either from the client receiving an OSCORE
response message matching the request (an empty ACK is response message matching the request (an empty Acknowledgement
insufficient), or because the message's sequence number is old (ACK) is insufficient) or because the message's sequence number is
enough to be outside the server's receive window. old enough to be outside the server's receive window.
When security services are provided by DTLS, this can only be When security services are provided by DTLS, this can only be
confirmed if there was no CoAP retransmission of the request, the confirmed if there was no CoAP retransmission of the request, the
request was responded to, and the server uses replay protection. request was responded to, and the server uses replay protection.
Authors of other documents (e.g. applications of [RFC8613]) are Authors of other documents (e.g., applications of [RFC8613]) are
invited to mandate this subsection's behavior for clients that invited to mandate this subsection's behavior for clients that
execute block-wise interactions over secured transports. In this execute block-wise interactions over secured transports. In this
way, the server can rely on a conforming client to set the Request- way, the server can rely on a conforming client to set the Request-
Tag option when required, and thereby have confidence in the Tag option when required and thereby have confidence in the integrity
integrity of the assembled body. of the assembled body.
Note that this mechanism is implicitly implemented when the security Note that this mechanism is implicitly implemented when the security
layer guarantees ordered delivery (e.g. CoAP over TLS [RFC8323]). layer guarantees ordered delivery (e.g., CoAP over TLS [RFC8323]).
This is because with each message, any earlier message cannot be This is because, with each message, any earlier message cannot be
replayed any more, so the client never needs to set the Request-Tag replayed any more, so the client never needs to set the Request-Tag
option unless it wants to perform concurrent operations. option unless it wants to perform concurrent operations.
Body integrity only makes sense in applications that have stateful Body integrity only makes sense in applications that have stateful
block-wise transfers. On applications where all the state is in the block-wise transfers. On applications where all the state is in the
application (e.g. because rather than POSTing a large representation application (e.g., because rather than POSTing a large representation
to a collection in a stateful block-wise transfer, a collection item to a collection in a stateful block-wise transfer, a collection item
is created first, then written to once and available when written is created first, then written to once and available when written
completely), clients need not concern themselves with body integrity completely), clients need not concern themselves with body integrity
and thus the Request-Tag. and thus the Request-Tag.
Body integrity is largely independent from replay protection: When no Body integrity is largely independent from replay protection. When
replay protection is available (it is optional in DTLS), a full no replay protection is available (it is optional in DTLS), a full
block-wise operation may be replayed, but by adhering to the above, block-wise operation may be replayed, but, by adhering to the above,
no operations will be mixed up. The only link between body integrity no operations will be mixed up. The only link between body integrity
and replay protection is that without replay protection, recycling is and replay protection is that, without replay protection, recycling
not possible. is not possible.
3.5.2. Multiple Concurrent Block-wise Operations 3.5.2. Multiple Concurrent Block-Wise Operations
CoAP clients, especially CoAP proxies, may initiate a block-wise CoAP clients, especially CoAP proxies, may initiate a block-wise
request operation to a resource, to which a previous one is already request operation to a resource, to which a previous one is already
in progress, which the new request should not cancel. A CoAP proxy in progress, which the new request should not cancel. A CoAP proxy
would be in such a situation when it forwards operations with the would be in such a situation when it forwards operations with the
same cache-key options but possibly different payloads. same cache-key options but possibly different payloads.
For those cases, Request-Tag is the proxy-safe elective option For those cases, Request-Tag is the proxy-safe elective option
suggested in [RFC7959] Section 2.4 last paragraph. suggested in the last paragraph of Section 2.4 of [RFC7959].
When initializing a new block-wise operation, a client has to look at When initializing a new block-wise operation, a client has to look at
other active operations: other active operations:
* If any of them is matchable to the new one, and the client neither * If any of them is matchable to the new one, and the client neither
wants to cancel the old one nor postpone the new one, it can pick wants to cancel the old one nor postpone the new one, it can pick
a Request-Tag value (including the absent option) that is not in a Request-Tag value (including the absent option) that is not in
use by the other matchable operations for the new operation. use by the other matchable operations for the new operation.
* Otherwise, it can start the new operation without setting the * Otherwise, it can start the new operation without setting the
Request-Tag option on it. Request-Tag option on it.
3.5.3. Simplified Block-Wise Handling for Constrained Proxies 3.5.3. Simplified Block-Wise Handling for Constrained Proxies
The Block options were defined to be unsafe to forward because a The Block options were defined to be unsafe to forward because a
proxy that would forward blocks as plain messages would risk mixing proxy that would forward blocks as plain messages would risk mixing
up clients' requests. up clients' requests.
In some cases, for example when forwarding block-wise request In some cases, for example, when forwarding block-wise request
operations, appending a Request-Tag value unique to the client can operations, appending a Request-Tag value unique to the client can
satisfy the requirements on the proxy that come from the presence of satisfy the requirements on the proxy that come from the presence of
a block option. a Block option.
This is particularly useful to proxies that strive for stateless This is particularly useful to proxies that strive for stateless
operation as described in [RFC8974] Section 4. operations, as described in [RFC8974], Section 4.
The precise classification of cases in which such a Request-Tag The precise classification of cases in which such a Request-Tag
option is sufficient is not trivial, especially when both request and option is sufficient is not trivial, especially when both request and
response body are fragmented, and out of scope for this document. response body are fragmented, and is out of scope for this document.
3.6. Rationale for the Option Properties 3.6. Rationale for the Option Properties
The Request-Tag option can be elective, because to servers unaware of The Request-Tag option can be elective, because to servers unaware of
the Request-Tag option, operations with differing request tags will the Request-Tag option, operations with differing request tags will
not be matchable. not be matchable.
The Request-Tag option can be safe to forward but part of the cache The Request-Tag option can be safe to forward but part of the cache
key, because proxies unaware of the Request-Tag option will consider key, because proxies unaware of the Request-Tag option will consider
operations with differing request tags unmatchable but can still operations with differing request tags unmatchable but can still
forward them. forward them.
The Request-Tag option is repeatable because this easily allows The Request-Tag option is repeatable because this easily allows
several cascaded stateless proxies to each put in an origin address. several cascaded stateless proxies to each put in an origin address.
They can perform the steps of Section 3.5.3 without the need to They can perform the steps of Section 3.5.3 without the need to
create an option value that is the concatenation of the received create an option value that is the concatenation of the received
option and their own value, and can simply add a new Request-Tag option and their own value and can simply add a new Request-Tag
option unconditionally. option unconditionally.
In draft versions of this document, the Request-Tag option used to be In draft versions of this document, the Request-Tag option used to be
critical and unsafe to forward. That design was based on an critical and unsafe to forward. That design was based on an
erroneous understanding of which blocks could be composed according erroneous understanding of which blocks could be composed according
to [RFC7959]. to [RFC7959].
3.7. Rationale for Introducing the Option 3.7. Rationale for Introducing the Option
An alternative that was considered to the Request-Tag option for An alternative that was considered to the Request-Tag option for
coping with the problem of fragmented message body integrity coping with the problem of fragmented message body integrity
(Section 3.5.1) was to update [RFC7959] to say that blocks could only (Section 3.5.1) was to update [RFC7959] to say that blocks could only
be assembled if their fragments' order corresponded to the sequence be assembled if their fragments' order corresponded to the sequence
numbers. numbers.
That approach would have been difficult to roll out reliably on DTLS That approach would have been difficult to roll out reliably on DTLS,
where many implementations do not expose sequence numbers, and would where many implementations do not expose sequence numbers, and would
still not prevent attacks like in [I-D.mattsson-core-coap-attacks] still not prevent attacks like in Section 2.5.2 of [COAP-ATTACKS].
Section 2.5.2.
3.8. Block2 / ETag Processing 3.8. Block2 and ETag Processing
The same security properties as in Section 3.5.1 can be obtained for The same security properties as in Section 3.5.1 can be obtained for
block-wise response operations. The threat model here does not block-wise response operations. The threat model here does not
depend on an attacker: a client can construct a wrong representation depend on an attacker; a client can construct a wrong representation
by assembling it from blocks from different resource states. That by assembling it from blocks from different resource states. That
can happen when a resource is modified during a transfer, or when can happen when a resource is modified during a transfer or when some
some blocks are still valid in the client's cache. blocks are still valid in the client's cache.
Rules stating that response body reassembly is conditional on Rules stating that response body reassembly is conditional on
matching ETag values are already in place from Section 2.4 of matching ETag values are already in place from Section 2.4 of
[RFC7959]. [RFC7959].
To gain equivalent protection to Section 3.5.1, a server MUST use the To gain protection equivalent to that described in Section 3.5.1, a
Block2 option in conjunction with the ETag option ([RFC7252], server MUST use the Block2 option in conjunction with the ETag option
Section 5.10.6), and MUST NOT use the same ETag value for different ([RFC7252], Section 5.10.6) and MUST NOT use the same ETag value for
representations of a resource. different representations of a resource.
4. Token Processing for Secure Request-Response Binding 4. Token Processing for Secure Request-Response Binding
4.1. Request-Response Binding 4.1. Request-Response Binding
A fundamental requirement of secure REST operations is that the A fundamental requirement of secure REST operations is that the
client can bind a response to a particular request. If this is not client can bind a response to a particular request. If this is not
ensured, a client may erroneously associate the wrong response to a ensured, a client may erroneously associate the wrong response to a
request. The wrong response may be an old response for the same request. The wrong response may be an old response for the same
resource or a response for a completely different resource (see e.g. resource or a response for a completely different resource (e.g., see
Section 2.3 of [I-D.mattsson-core-coap-attacks]). For example, a Section 2.3 of [COAP-ATTACKS]). For example, a request for the alarm
request for the alarm status "GET /status" may be associated to a status "GET /status" may be associated to a prior response "on",
prior response "on", instead of the correct response "off". instead of the correct response "off".
In HTTP/1.1, this type of binding is always assured by the ordered In HTTP/1.1, this type of binding is always assured by the ordered
and reliable delivery as well as mandating that the server sends and reliable delivery, as well as mandating that the server sends
responses in the same order that the requests were received. The responses in the same order that the requests were received. The
same is not true for CoAP where the server (or an attacker) can same is not true for CoAP, where the server (or an attacker) can
return responses in any order and where there can be any number of return responses in any order and where there can be any number of
responses to a request (see e.g. [RFC7641]). In CoAP, concurrent responses to a request (e.g., see [RFC7641]). In CoAP, concurrent
requests are differentiated by their Token. Note that the CoAP requests are differentiated by their Token. Note that the CoAP
Message ID cannot be used for this purpose since those are typically Message ID cannot be used for this purpose since those are typically
different for REST request and corresponding response in case of different for the REST request and corresponding response in case of
"separate response", see Section 2.2 of [RFC7252]. "separate response" (see Section 2.2 of [RFC7252]).
CoAP [RFC7252] does not treat Token as a cryptographically important CoAP [RFC7252] does not treat the Token as a cryptographically
value and does not give stricter guidelines than that the Tokens important value and does not give stricter guidelines than that the
currently "in use" SHOULD (not SHALL) be unique. If used with a Tokens currently "in use" SHOULD (not SHALL) be unique. If used with
security protocol not providing bindings between requests and a security protocol not providing bindings between requests and
responses (e.g. DTLS and TLS) Token reuse may result in situations responses (e.g., DTLS and TLS), Token reuse may result in situations
where a client matches a response to the wrong request. Note that where a client matches a response to the wrong request. Note that
mismatches can also happen for other reasons than a malicious mismatches can also happen for other reasons than a malicious
attacker, e.g. delayed delivery or a server sending notifications to attacker, e.g., delayed delivery or a server sending notifications to
an uninterested client. an uninterested client.
A straightforward mitigation is to mandate clients to not reuse A straightforward mitigation is to mandate clients to not reuse
Tokens until the traffic keys have been replaced. The following Tokens until the traffic keys have been replaced. The following
section formalizes that. section formalizes that.
4.2. Updated Token Processing Requirements for Clients 4.2. Updated Token Processing Requirements for Clients
As described in Section 4.1, the client must be able to verify that a As described in Section 4.1, the client must be able to verify that a
response corresponds to a particular request. This section updates response corresponds to a particular request. This section updates
the Token processing requirements for clients in [RFC7252] to always the Token processing requirements for clients in [RFC7252] to always
assure a cryptographically secure binding of responses to requests assure a cryptographically secure binding of responses to requests
for secure REST operations like "coaps". The Token processing for for secure REST operations like "coaps". The Token processing for
servers is not updated. Token processing in Section 5.3.1 of servers is not updated. Token processing in Section 5.3.1 of
[RFC7252] is updated by adding the following text: [RFC7252] is updated by adding the following text:
When CoAP is used with a security protocol not providing bindings | When CoAP is used with a security protocol not providing bindings
between requests and responses, the Tokens have cryptographic | between requests and responses, the Tokens have cryptographic
importance. The client MUST make sure that Tokens are not used in a | importance. The client MUST make sure that Tokens are not used in
way so that responses risk being associated with the wrong request. | a way so that responses risk being associated with the wrong
| request.
One easy way to accomplish this is to implement the Token (or part of |
the Token) as a sequence number starting at zero for each new or | One easy way to accomplish this is to implement the Token (or part
rekeyed secure connection. This approach SHOULD be followed. | of the Token) as a sequence number, starting at zero for each new
| or rekeyed secure connection. This approach SHOULD be followed.
5. Security Considerations 5. Security Considerations
The freshness assertion of the Echo option comes from the client The freshness assertion of the Echo option comes from the client
reproducing the same value of the Echo option in a request as it reproducing the same value of the Echo option in a request as it
received in a previous response. If the Echo value is a large random received in a previous response. If the Echo option value is a large
number then there is a high probability that the request is generated random number, then there is a high probability that the request is
after having seen the response. If the Echo value of the response generated after having seen the response. If the Echo option value
can be guessed, e.g. if based on a small random number or a counter of the response can be guessed, e.g., if based on a small random
(see Appendix A), then it is possible to compose a request with the number or a counter (see Appendix A), then it is possible to compose
right Echo value ahead of time. Using guessable Echo values is only a request with the right Echo option value ahead of time. Using
permissible in a narrow set of cases described in Section 2.5.2. guessable Echo option values is only permissible in a narrow set of
Echo values MUST be set by the CoAP server such that the risk cases described in Section 2.5.2. Echo option values MUST be set by
associated with unintended reuse can be managed. the CoAP server such that the risk associated with unintended reuse
can be managed.
If uniqueness of the Echo value is based on randomness, then the If uniqueness of the Echo option value is based on randomness, then
availability of a secure pseudorandom number generator and truly the availability of a secure pseudorandom number generator and truly
random seeds are essential for the security of the Echo option. If random seeds are essential for the security of the Echo option. If
no true random number generator is available, a truly random seed no true random number generator is available, a truly random seed
must be provided from an external source. As each pseudorandom must be provided from an external source. As each pseudorandom
number must only be used once, an implementation needs to get a new number must only be used once, an implementation needs to get a new
truly random seed after reboot, or continuously store state in truly random seed after reboot or continuously store the state in
nonvolatile memory. See ([RFC8613], Appendix B.1.1) for issues and nonvolatile memory. See [RFC8613], Appendix B.1.1 for issues and
approaches for writing to nonvolatile memory. approaches for writing to nonvolatile memory.
A single active Echo value with 64 (pseudo-)random bits gives the A single active Echo option value with 64 (pseudo)random bits gives
same theoretical security level as a 64-bit MAC (as used in e.g. the same theoretical security level as a 64-bit MAC (as used in,
AES_128_CCM_8). If a random unique Echo value is intended, the Echo e.g., AES_128_CCM_8). If a random unique Echo option value is
option value SHOULD contain 64 (pseudo-)random bits that are not intended, the Echo option value SHOULD contain 64 (pseudo)random bits
predictable for any other party than the server. A server MAY use that are not predictable for any other party than the server. A
different security levels for different uses cases (client aliveness, server MAY use different security levels for different use cases
request freshness, state synchronization, network address (client aliveness, request freshness, state synchronization, network
reachability, etc.). address reachability, etc.).
The security provided by the Echo and Request-Tag options depends on The security provided by the Echo and Request-Tag options depends on
the security protocol used. CoAP and HTTP proxies require (D)TLS to the security protocol used. CoAP and HTTP proxies require (D)TLS to
be terminated at the proxies. The proxies are therefore able to be terminated at the proxies. The proxies are therefore able to
manipulate, inject, delete, or reorder options or packets. The manipulate, inject, delete, or reorder options or packets. The
security claims in such architectures only hold under the assumption security claims in such architectures only hold under the assumption
that all intermediaries are fully trusted and have not been that all intermediaries are fully trusted and have not been
compromised. compromised.
Echo values without the protection of randomness or a MAC are limited Echo option values without the protection of randomness or a MAC are
to cases when the client is the trusted source of all derived limited to cases when the client is the trusted source of all derived
properties (as per Section 2.5.2). Using them needs per-application properties (as per Section 2.5.2). Using them needs per-application
consideration of both the impact of a malicious client and of consideration of both the impact of a malicious client and of
implementation errors in clients. These Echo values are the only implementation errors in clients. These Echo option values are the
legitimate case for Echo values shorter than four bytes, which are only legitimate case for Echo option values shorter than four bytes,
not necessarily secret. They MUST NOT be used unless the request which are not necessarily secret. They MUST NOT be used unless the
Echo values are integrity protected as per Section 2.3. Echo option values in the request are integrity protected, as per
Section 2.3.
Servers SHOULD use a monotonic clock to generate timestamps and Servers SHOULD use a monotonic clock to generate timestamps and
compute round-trip times. Use of non-monotonic clocks is not secure compute round-trip times. Use of non-monotonic clocks is not secure,
as the server will accept expired Echo option values if the clock is as the server will accept expired Echo option values if the clock is
moved backward. The server will also reject fresh Echo option values moved backward. The server will also reject fresh Echo option values
if the clock is moved forward. Non-monotonic clocks MAY be used as if the clock is moved forward. Non-monotonic clocks MAY be used as
long as they have deviations that are acceptable given the freshness long as they have deviations that are acceptable given the freshness
requirements. If the deviations from a monotonic clock are known, it requirements. If the deviations from a monotonic clock are known, it
may be possible to adjust the threshold accordingly. may be possible to adjust the threshold accordingly.
An attacker may be able to affect the server's system time in various An attacker may be able to affect the server's system time in various
ways such as setting up a fake NTP server or broadcasting false time ways, such as setting up a fake NTP server or broadcasting false time
signals to radio-controlled clocks. signals to radio-controlled clocks.
For the purpose of generating timestamps for Echo a server MAY set a For the purpose of generating timestamps for the Echo option, a
timer at reboot and use the time since reboot, choosing the server MAY set a timer at reboot and use the time since reboot,
granularity such that different requests arrive at different times. choosing the granularity such that different requests arrive at
Servers MAY intermittently reset the timer and MAY generate a random different times. Servers MAY intermittently reset the timer and MAY
offset applied to all timestamps. When resetting the timer, the generate a random offset applied to all timestamps. When resetting
server MUST reject all Echo values that were created before the the timer, the server MUST reject all Echo option values that were
reset. created before the reset.
Servers that use the List of Cached Random Values and Timestamps Servers that use the "List of Cached Random Values and Timestamps"
method described in Appendix A may be vulnerable to resource method described in Appendix A may be vulnerable to resource
exhaustion attacks. One way to minimize state is to use the exhaustion attacks. One way to minimize the state is to use the
Integrity Protected Timestamp method described in Appendix A. "Integrity-Protected Timestamp" method described in Appendix A.
5.1. Token reuse 5.1. Token Reuse
Reusing Tokens in a way so that responses are guaranteed to not be Reusing Tokens in a way so that responses are guaranteed to not be
associated with the wrong request is not trivial: The server may associated with the wrong request is not trivial. The server may
process requests in any order, and send multiple responses to the process requests in any order and send multiple responses to the same
same request. An attacker may block, delay, and reorder messages. request. An attacker may block, delay, and reorder messages. The
The use of a sequence number is therefore recommended when CoAP is use of a sequence number is therefore recommended when CoAP is used
used with a security protocol that does not provide bindings between with a security protocol that does not provide bindings between
requests and responses such as DTLS or TLS. requests and responses, such as DTLS or TLS.
For a generic response to a Confirmable request over DTLS, binding For a generic response to a Confirmable request over DTLS, binding
can only be claimed without out-of-band knowledge if can only be claimed without out-of-band knowledge if:
* the original request was never retransmitted, * the original request was never retransmitted and
* the response was piggybacked in an Acknowledgement message (as a * the response was piggybacked in an Acknowledgement message (as a
Confirmable or Non-confirmable response may have been transmitted Confirmable or Non-confirmable response may have been transmitted
multiple times), and multiple times).
* if observation was used, the same holds for the registration, all If observation was used, the same holds for the registration, all
re-registrations, and the cancellation. reregistrations, and the cancellation.
(In addition, for observations, any responses using that Token and a (In addition, for observations, any responses using that Token and a
DTLS sequence number earlier than the cancellation Acknowledgement DTLS sequence number earlier than the cancellation Acknowledgement
message need to be discarded. This is typically not supported in message need to be discarded. This is typically not supported in
DTLS implementations.) DTLS implementations.)
In some setups, Tokens can be reused without the above constraints, In some setups, Tokens can be reused without the above constraints,
as a different component in the setup provides the associations: as a different component in the setup provides the associations:
* In CoAP over TLS, retransmissions are not handled by the CoAP * In CoAP over TLS, retransmissions are not handled by the CoAP
layer and behaves like a replay window size of 1. When a client layer and behave like a replay window size of 1. When a client is
is sending TLS-protected requests without Observe to a single sending TLS-protected requests without Observe to a single server,
server, the client can reuse a Token as soon as the previous the client can reuse a Token as soon as the previous response with
response with that Token has been received. that Token has been received.
* Requests whose responses are cryptographically bound to the * Requests whose responses are cryptographically bound to the
requests (like in OSCORE) can reuse Tokens indefinitely. requests (like in OSCORE) can reuse Tokens indefinitely.
In all other cases, a sequence number approach is RECOMMENDED as per In all other cases, a sequence number approach is RECOMMENDED, as per
Section 4. Section 4.
Tokens that cannot be reused need to be handled appropriately. This Tokens that cannot be reused need to be handled appropriately. This
could be solved by increasing the Token as soon as the currently used could be solved by increasing the Token as soon as the currently used
Token cannot be reused, or by keeping a list of all Tokens unsuitable Token cannot be reused or by keeping a list of all Tokens unsuitable
for reuse. for reuse.
When the Token (or part of the Token) contains a sequence number, the When the Token (or part of the Token) contains a sequence number, the
encoding of the sequence number has to be chosen in a way to avoid encoding of the sequence number has to be chosen in a way to avoid
any collisions. This is especially true when the Token contains more any collisions. This is especially true when the Token contains more
information than just the sequence number, e.g. serialized state as information than just the sequence number, e.g., the serialized
in [RFC8974]. state, as in [RFC8974].
6. Privacy Considerations 6. Privacy Considerations
Implementations SHOULD NOT put any privacy-sensitive information in Implementations SHOULD NOT put any privacy-sensitive information in
the Echo or Request-Tag option values. Unencrypted timestamps could the Echo or Request-Tag option values. Unencrypted timestamps could
reveal information about the server such as location or time since reveal information about the server, such as location, time since
reboot, or that the server will accept expired certificates. reboot, or that the server will accept expired certificates.
Timestamps MAY be used if Echo is encrypted between the client and Timestamps MAY be used if the Echo option is encrypted between the
the server, e.g. in the case of DTLS without proxies or when using client and the server, e.g., in the case of DTLS without proxies or
OSCORE with an Inner Echo option. when using OSCORE with an Inner Echo option.
Like HTTP cookies, the Echo option could potentially be abused as a Like HTTP cookies, the Echo option could potentially be abused as a
tracking mechanism that identifies a client across requests. This is tracking mechanism that identifies a client across requests. This is
especially true for preemptive Echo values. Servers MUST NOT use the especially true for preemptive Echo option values. Servers MUST NOT
Echo option to correlate requests for other purposes than freshness use the Echo option to correlate requests for other purposes than
and reachability. Clients only send Echo values to the same server freshness and reachability. Clients only send Echo option values to
from which the values were received. Compared to HTTP, CoAP clients the same server from which the values were received. Compared to
are often authenticated and non-mobile, and servers can therefore HTTP, CoAP clients are often authenticated and non-mobile, and
often correlate requests based on the security context, the client servers can therefore often correlate requests based on the security
credentials, or the network address. Especially when the Echo option context, the client credentials, or the network address. Especially
increases a server's ability to correlate requests, clients MAY when the Echo option increases a server's ability to correlate
discard all preemptive Echo values. requests, clients MAY discard all preemptive Echo option values.
Publicly visible generated identifiers, even when opaque (as all Publicly visible generated identifiers, even when opaque (as all
defined in this document are), can leak information as described in defined in this document are), can leak information as described in
[I-D.irtf-pearg-numeric-ids-generation]. To avoid effects described [NUMERIC-IDS]. To avoid the effects described there, the absent
there, the absent Request-Tag option should be recycled as much as Request-Tag option should be recycled as much as possible. (That is
possible. (That is generally possible as long as a security generally possible as long as a security mechanism is in place --
mechanism is in place - even in the case of OSCORE outer block-wise even in the case of OSCORE outer block-wise transfers, as the OSCORE
transfers, as the OSCORE option's variation ensures that no matchable option's variation ensures that no matchable requests are created by
requests are created by different clients). When an unprotected Echo different clients.) When an unprotected Echo option is used to
option is used to demonstrate reachability, the recommended mechanism demonstrate reachability, the recommended mechanism of Section 2.3
of Section 2.3 keeps the effects to a minimum. keeps the effects to a minimum.
7. IANA Considerations 7. IANA Considerations
IANA is requested to add the following option numbers to the "CoAP IANA has added the following option numbers to the "CoAP Option
Option Numbers" registry defined by [RFC7252]: Numbers" registry defined by [RFC7252]:
[
The editor is asked to suggest the numbers after TBD, as those
satisfy the construction requirements set out in RFC7252: Echo is
NoCacheKey but not Unsafe or Critical, so it needs to end with 11100
in binary representation; Request-Tag has no properties so it needs
to end with 00 and not with 11100).
Request-Tag was picked to not waste the precious space of less-than-
one-byte options, but such that its offset from the Block1 option it
regularly occurs with can still be expressed in an 1-byte offset (27
+ (13 + 255) > 292).
Echo was picked to be the shortest it can be in an empty message as a
NoCacheKey option (11100 in binary does not fit in a nibble, and two
lower ones are already taken), and as high as possible to keep room
for other options that might typically occur in pairs and might still
use optimization around low numbers.
]
+--------+-------------+-------------------+ +========+=============+===========+
| Number | Name | Reference | | Number | Name | Reference |
+--------+-------------+-------------------+ +========+=============+===========+
| TBD252 | Echo | [[this document]] | | 252 | Echo | RFC 9175 |
| | | | +--------+-------------+-----------+
| TBD292 | Request-Tag | [[this document]] | | 292 | Request-Tag | RFC 9175 |
+--------+-------------+-------------------+ +--------+-------------+-----------+
Figure 5: CoAP Option Numbers Table 3: Additions to CoAP
Option Numbers Registry
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://doi.org/10.17487/RFC2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://doi.org/10.17487/RFC6347>. January 2012, <https://www.rfc-editor.org/info/rfc6347>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://doi.org/10.17487/RFC7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in [RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in
the Constrained Application Protocol (CoAP)", RFC 7959, the Constrained Application Protocol (CoAP)", RFC 7959,
DOI 10.17487/RFC7959, August 2016, DOI 10.17487/RFC7959, August 2016,
<https://doi.org/10.17487/RFC7959>. <https://www.rfc-editor.org/info/rfc7959>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://doi.org/10.17487/RFC8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8470] Thomson, M., Nottingham, M., and W. Tarreau, "Using Early [RFC8470] Thomson, M., Nottingham, M., and W. Tarreau, "Using Early
Data in HTTP", RFC 8470, DOI 10.17487/RFC8470, September Data in HTTP", RFC 8470, DOI 10.17487/RFC8470, September
2018, <https://doi.org/10.17487/RFC8470>. 2018, <https://www.rfc-editor.org/info/rfc8470>.
[RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments "Object Security for Constrained RESTful Environments
(OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019,
<https://doi.org/10.17487/RFC8613>. <https://www.rfc-editor.org/info/rfc8613>.
8.2. Informative References 8.2. Informative References
[I-D.ietf-core-groupcomm-bis] [COAP-ATTACKS]
Preuß Mattsson, J., Fornehed, J., Selander, G., Palombini,
F., and C. Amsüss, "Attacks on the Constrained Application
Protocol (CoAP)", Work in Progress, Internet-Draft, draft-
mattsson-core-coap-attacks-01, 27 July 2021,
<https://datatracker.ietf.org/doc/html/draft-mattsson-
core-coap-attacks-01>.
[GROUP-COAP]
Dijk, E., Wang, C., and M. Tiloca, "Group Communication Dijk, E., Wang, C., and M. Tiloca, "Group Communication
for the Constrained Application Protocol (CoAP)", Work in for the Constrained Application Protocol (CoAP)", Work in
Progress, Internet-Draft, draft-ietf-core-groupcomm-bis- Progress, Internet-Draft, draft-ietf-core-groupcomm-bis-
04, 12 July 2021, <https://datatracker.ietf.org/doc/html/ 05, 25 October 2021,
draft-ietf-core-groupcomm-bis-04>. <https://datatracker.ietf.org/doc/html/draft-ietf-core-
groupcomm-bis-05>.
[I-D.ietf-core-oscore-groupcomm] [GROUP-OSCORE]
Tiloca, M., Selander, G., Palombini, F., Mattsson, J. P., Tiloca, M., Selander, G., Palombini, F., Preuß Mattsson,
and J. Park, "Group OSCORE - Secure Group Communication J., and J. Park, "Group OSCORE - Secure Group
for CoAP", Work in Progress, Internet-Draft, draft-ietf- Communication for CoAP", Work in Progress, Internet-Draft,
core-oscore-groupcomm-12, 12 July 2021, draft-ietf-core-oscore-groupcomm-13, 25 October 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-core- <https://datatracker.ietf.org/doc/html/draft-ietf-core-
oscore-groupcomm-12>. oscore-groupcomm-13>.
[I-D.irtf-pearg-numeric-ids-generation] [NUMERIC-IDS]
Gont, F. and I. Arce, "On the Generation of Transient Gont, F. and I. Arce, "On the Generation of Transient
Numeric Identifiers", Work in Progress, Internet-Draft, Numeric Identifiers", Work in Progress, Internet-Draft,
draft-irtf-pearg-numeric-ids-generation-07, 2 February draft-irtf-pearg-numeric-ids-generation-08, 31 January
2021, <https://datatracker.ietf.org/doc/html/draft-irtf- 2022, <https://datatracker.ietf.org/doc/html/draft-irtf-
pearg-numeric-ids-generation-07>. pearg-numeric-ids-generation-08>.
[I-D.mattsson-core-coap-attacks]
Mattsson, J. P., Fornehed, J., Selander, G., Palombini,
F., and C. Amsüss, "CoAP Attacks", Work in Progress,
Internet-Draft, draft-mattsson-core-coap-attacks-01, 27
July 2021, <https://datatracker.ietf.org/doc/html/draft-
mattsson-core-coap-attacks-01>.
[REST] Fielding, R., "Architectural Styles and the Design of [REST] Fielding, R., "Architectural Styles and the Design of
Network-based Software Architectures", 2000, Network-based Software Architectures", 2000,
<https://www.ics.uci.edu/~fielding/pubs/dissertation/ <https://www.ics.uci.edu/~fielding/pubs/dissertation/
fielding_dissertation.pdf>. fielding_dissertation.pdf>.
[RFC7641] Hartke, K., "Observing Resources in the Constrained [RFC7641] Hartke, K., "Observing Resources in the Constrained
Application Protocol (CoAP)", RFC 7641, Application Protocol (CoAP)", RFC 7641,
DOI 10.17487/RFC7641, September 2015, DOI 10.17487/RFC7641, September 2015,
<https://doi.org/10.17487/RFC7641>. <https://www.rfc-editor.org/info/rfc7641>.
[RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
Application Protocol) over TCP, TLS, and WebSockets", Application Protocol) over TCP, TLS, and WebSockets",
RFC 8323, DOI 10.17487/RFC8323, February 2018, RFC 8323, DOI 10.17487/RFC8323, February 2018,
<https://doi.org/10.17487/RFC8323>. <https://www.rfc-editor.org/info/rfc8323>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://doi.org/10.17487/RFC8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8974] Hartke, K. and M. Richardson, "Extended Tokens and [RFC8974] Hartke, K. and M. Richardson, "Extended Tokens and
Stateless Clients in the Constrained Application Protocol Stateless Clients in the Constrained Application Protocol
(CoAP)", RFC 8974, DOI 10.17487/RFC8974, January 2021, (CoAP)", RFC 8974, DOI 10.17487/RFC8974, January 2021,
<https://doi.org/10.17487/RFC8974>. <https://www.rfc-editor.org/info/rfc8974>.
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000, Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021, DOI 10.17487/RFC9000, May 2021,
<https://doi.org/10.17487/RFC9000>. <https://www.rfc-editor.org/info/rfc9000>.
Appendix A. Methods for Generating Echo Option Values Appendix A. Methods for Generating Echo Option Values
The content and structure of the Echo option value are implementation The content and structure of the Echo option value are implementation
specific and determined by the server. Two simple mechanisms for specific and determined by the server. Two simple mechanisms for
time-based freshness and one for event-based freshness are outlined time-based freshness and one for event-based freshness are outlined
in this section, the first is RECOMMENDED in general, and the second in this appendix. The "List of Cached Random Values and Timestamps"
is RECOMMENDED in case the Echo option is encrypted between the mechanism is RECOMMENDED in general. The "Integrity-Protected
client and the server. Timestamp" mechanism is RECOMMENDED in case the Echo option is
encrypted between the client and the server.
Different mechanisms have different tradeoffs between the size of the Different mechanisms have different trade-offs between the size of
Echo option value, the amount of server state, the amount of the Echo option value, the amount of server state, the amount of
computation, and the security properties offered. A server MAY use computation, and the security properties offered. A server MAY use
different methods and security levels for different uses cases different methods and security levels for different use cases (client
(client aliveness, request freshness, state synchronization, network aliveness, request freshness, state synchronization, network address
address reachability, etc.). reachability, etc.).
1. List of Cached Random Values and Timestamps. The Echo option 1. List of Cached Random Values and Timestamps. The Echo option
value is a (pseudo-)random byte string called r. The server caches a value is a (pseudo)random byte string called r. The server
list containing the random byte strings and their transmission times. caches a list containing the random byte strings and their
Assuming 72-bit random values and 32-bit timestamps, the size of the initial transmission times. Assuming 72-bit random values and
Echo option value is 9 bytes and the amount of server state is 13n 32-bit timestamps, the size of the Echo option value is 9 bytes
bytes, where n is the number of active Echo Option values. The and the amount of server state is 13n bytes, where n is the
security against an attacker guessing echo values is given by s = bit number of active Echo option values. The security against an
length of r - log2(n). The length of r and the maximum allowed n attacker guessing Echo option values is given by s = bit length
should be set so that the security level is harmonized with other of r - log2(n). The length of r and the maximum allowed n should
parts of the deployment, e.g., s >= 64. If the server loses time be set so that the security level is harmonized with other parts
continuity, e.g. due to reboot, the entries in the old list MUST be of the deployment, e.g., s >= 64. If the server loses time
deleted. continuity, e.g., due to reboot, the entries in the old list MUST
be deleted.
Echo option value: random value r Echo option value: random value r
Server State: random value r, timestamp t0
This method is suitable both for time- and for event-based freshness Server State: random value r, timestamp t0
(e.g. by clearing the cache when an event occurs), and independent of
the client authority.
2. Integrity Protected Timestamp. The Echo option value is an This method is suitable for both time-based and event-based
integrity protected timestamp. The timestamp can have different freshness (e.g., by clearing the cache when an event occurs) and
resolution and range. A 32-bit timestamp can e.g. give a resolution is independent of the client authority.
of 1 second with a range of 136 years. The (pseudo-)random secret
key is generated by the server and not shared with any other party.
The use of truncated HMAC-SHA-256 is RECOMMENDED. With a 32-bit
timestamp and a 64-bit MAC, the size of the Echo option value is 12
bytes and the Server state is small and constant. The security
against an attacker guessing echo values is given by the MAC length.
If the server loses time continuity, e.g. due to reboot, the old key
MUST be deleted and replaced by a new random secret key. Note that
the privacy considerations in Section 6 may apply to the timestamp.
Therefore, it might be important to encrypt it. Depending on the
choice of encryption algorithms, this may require an initialization
vector to be included in the Echo option value, see below.
Echo option value: timestamp t0, MAC(k, t0) 2. Integrity-Protected Timestamp. The Echo option value is an
Server State: secret key k integrity-protected timestamp. The timestamp can have a
different resolution and range. A 32-bit timestamp can, e.g.,
give a resolution of 1 second with a range of 136 years. The
(pseudo)random secret key is generated by the server and not
shared with any other party. The use of truncated HMAC-SHA-256
is RECOMMENDED. With a 32-bit timestamp and a 64-bit MAC, the
size of the Echo option value is 12 bytes, and the server state
is small and constant. The security against an attacker guessing
Echo option values is given by the MAC length. If the server
loses time continuity, e.g., due to reboot, the old key MUST be
deleted and replaced by a new random secret key. Note that the
privacy considerations in Section 6 may apply to the timestamp.
Therefore, it might be important to encrypt it. Depending on the
choice of encryption algorithms, this may require an
initialization vector to be included in the Echo option value
(see below).
This method is suitable both for time- and for event-based freshness Echo option value: timestamp t0, MAC(k, t0)
(by the server remembering the time at which the event took place),
and independent of the client authority.
If this method is used to additionally obtain network reachability of Server State: secret key k
the client, the server MUST use the client's network address too,
e.g. as in MAC(k, t0, apparent network address). This method is suitable for both time-based and event-based
freshness (by the server remembering the time at which the event
took place) and independent of the client authority.
If this method is used to additionally obtain network
reachability of the client, the server MUST use the client's
network address too, e.g., as in MAC(k, t0, claimed network
address).
3. Persistent Counter. This can be used in OSCORE for sequence 3. Persistent Counter. This can be used in OSCORE for sequence
number recovery per Appendix B.1.2 of [RFC8613]. The Echo option number recovery, per Appendix B.1.2 of [RFC8613]. The Echo
value is a simple counter without integrity protection of its own, option value is a simple counter without integrity protection of
serialized in uint format. The counter is incremented in a its own, serialized in uint format. The counter is incremented
persistent way every time the state that needs to be synchronized is in a persistent way every time the state that needs to be
changed (in the B.1.2 case: when a reboot indicates that volatile synchronized is changed (in the case described in Appendix B.1.2
state may have been lost). An example of how such a persistent of [RFC8613], when a reboot indicates that volatile state may
counter can be implemented efficiently is the OSCORE server Sender have been lost). An example of how such a persistent counter can
Sequence Number mechanism described in Appendix B.1.1 of [RFC8613]. be implemented efficiently is the OSCORE server Sender Sequence
Number mechanism described in Appendix B.1.1 of [RFC8613].
Echo option value: counter Echo option value: counter
Server State: counter
This method is suitable only if the client is the authority over the Server State: counter
synchronized property. Consequently, it cannot be used to show
client aliveness. It provides statements from the client similar to This method is suitable only if the client is the authority over
event based freshness (but without a proof of freshness). the synchronized property. Consequently, it cannot be used to
show client aliveness. It provides statements from the client
similar to event-based freshness (but without a proof of
freshness).
Other mechanisms complying with the security and privacy Other mechanisms complying with the security and privacy
considerations may be used. The use of encrypted timestamps in the considerations may be used. The use of encrypted timestamps in the
Echo option provides additional protection, but typically requires an Echo option provides additional protection but typically requires an
initialization vector (a.k.a. nonce) as input to the encryption initialization vector (a.k.a. nonce) as input to the encryption
algorithm, which adds a slight complication to the procedure as well algorithm, which adds a slight complication to the procedure as well
as overhead. as overhead.
Appendix B. Request-Tag Message Size Impact Appendix B. Request-Tag Message Size Impact
In absence of concurrent operations, the Request-Tag mechanism for In absence of concurrent operations, the Request-Tag mechanism for
body integrity (Section 3.5.1) incurs no overhead if no messages are body integrity (Section 3.5.1) incurs no overhead if no messages are
lost (more precisely: in OSCORE, if no operations are aborted due to lost (more precisely, in OSCORE, if no operations are aborted due to
repeated transmission failure; in DTLS, if no packets are lost and repeated transmission failure and, in DTLS, if no packets are lost
replay protection is active), or when block-wise request operations and replay protection is active) or when block-wise request
happen rarely (in OSCORE, if there is always only one request block- operations happen rarely (in OSCORE, if there is always only one
wise operation in the replay window). request block-wise operation in the replay window).
In those situations, no message has any Request-Tag option set, and In those situations, no message has any Request-Tag option set, and
that can be recycled indefinitely. the Request-Tag value can be recycled indefinitely.
When the absence of a Request-Tag option cannot be recycled any more When the absence of a Request-Tag option cannot be recycled any more
within a security context, the messages with a present but empty within a security context, the messages with a present but empty
Request-Tag option can be used (1 Byte overhead), and when that is Request-Tag option can be used (1 byte overhead), and when that is
used-up, 256 values from one byte long options (2 Bytes overhead) are used up, 256 values from 1-byte options (2 bytes overhead) are
available. available.
In situations where those overheads are unacceptable (e.g. because In situations where that overhead is unacceptable (e.g., because the
the payloads are known to be at a fragmentation threshold), the payloads are known to be at a fragmentation threshold), the absent
absent Request-Tag value can be made usable again: Request-Tag value can be made usable again:
* In DTLS, a new session can be established. * In DTLS, a new session can be established.
* In OSCORE, the sequence number can be artificially increased so * In OSCORE, the sequence number can be artificially increased so
that all lost messages are outside of the replay window by the that all lost messages are outside of the replay window by the
time the first request of the new operation gets processed, and time the first request of the new operation gets processed, and
all earlier operations can therefore be regarded as concluded. all earlier operations can therefore be regarded as concluded.
Appendix C. Change Log Acknowledgements
[ The editor is asked to remove this section before publication. ]
* Changes since draft-ietf-core-echo-request-tag-13
- Minor editorial fixes.
- Wording enhancements:
o nonce -> initialization vector
o information extracted by the sever -> information conveyed
to the server
- Acknowledgements updated.
- Changelog for -13 added (previous upload just pointed to other
resources).
- Short title is "Echo, Request-Tag, and Token Processing" now
instead of outdated acronym.
- Informative reference to RFC 7390 is now to draft-ietf-core-
groupcomm-bis
* Changes since draft-ietf-core-echo-request-tag-12 (addressing
comments from IESG review)
See CoRE point-to-point responses at https://github.com/core-wg/
echo-request-tag/blob/master/point-to-point.md
(https://github.com/core-wg/echo-request-tag/blob/master/point-to-
point.md) and on CoRE mailing list.
- Add subsection "Characterization of Echo Applications".
o Changes in applications and appendices to use the newly
introduced terms.
o In particular, some of the legitimization for using short
Echo values was drawn from the applications being event
based; the concept of the client being the "Authority over
[the] Used Information" now legitimizes these more
precisely.
- Add subsection "Updated Amplification Mitigation Requirements
for Servers". It contains the normative text updating RFC 7252
w/rt recommended mitigation methods, which previously happened
in passing.
- Amplification mitigation:
o Increase precision: Reachability check is performed once per
endpoint (was: peer).
o State that amplification factor applies to the sum of all
(previously: "the size of the", implicitly, single) returned
packets.
o Fix odd wording around how the Echo value would "contain"
the claimed address: was meant to contain in a cryptographic
sense, now clarified in that a MAC is recommended
- Define "preemptive Echo value" that was previously used without
definition; another occurrence of the concept was simplified
using the term.
- Add considerations for the use of DTLS without replay
protection.
- Privacy considerations: Address concerns raised in various
numeric-ids documents.
- Explicitly state expected security modes for Echo applications
and examples.
- Fix of requirements for H-C proxies: They _MUST NOT_ relay
unsafe requests. (Previously, it only said that they SHOULD
use a particular method, but not clearly that some method is
mandated.)
- Clarify that state synchonization is an application of the
freshness results in combination with some transported
application data, and not an immediate result of using Echo
alone.
- Add text to tie together applications and suggested mechanisms
- Restrict C-C proxy allowed behavior: Only safe requests
(incorrectly said "idempotent") may be used to proactively
populate the proxy's cache.
- Justify some "SHOULD"s by outlining justification for different
behavior.
o Normatively require H-C proxies to process Echo if they're
justified to do so, as no alternatives are available.
- Reference updates:
o QUIC is now RFC9000; precise section given as amplification
reference.
o Add note for RFC editor that RFC6347 can be upgraded to DTLS
1.3 if C321 overtakes C280
o Follow the core-coap-actuators to core-coap-attacks update
o RFC8470 reference is now normative (as using what's defined
there has been RECOMMENDED already)
- Editorial fixes
o Rewording of confusing sentences in amplification mitigation
and inner-/outer Echo values
o Replace "blacklist" terminology with "deny-list" where left
after other changes
o Removed sloppy use of Echo as a verb
o Minor clarifications
o Remove duplicate statements
o Typography and spelling fixes
- Fixes that are not editorial but minor
o Freshness is about time, of which round-trip time
(specialization now removed) is only a part.
o Reference how HTTP _1.1_ does it when explaining token
requirements, as that's an easily and widely understood
baseline.
* Changes since draft-ietf-core-echo-request-tag-11 (addressing
GenART, TSVART, OpsDir comments)
- Explain the size permissible for responses before amplification
mitigation by referring to the QUIC draft for an OK factor, and
giving the remaining numbers that led to it. The actual number
is reduced from 152 to 136 because the more conservative case
of the attacker not sending a token is considered now.
- Added a definition for "freshness"
- Give more concrete example values in figures 2 and 3 (based on
the appendix suggestions), highlighting the differences between
the figures by telling how they are processed in the examples.
- Figure with option summary: E/U columns removed (for duplicate
headers and generally not contributing)
- MAY capitalization changed for consistency.
- Editorial changes (IV acronym expanded, s/can not/cannot/g)
- Draft ietf-core-stateless has become RFC8974
* Changes since draft-ietf-core-echo-request-tag-10 (Barry's
comments)
- Align terminology on attacker
- A number of clarifications and editorial fixes
- Promote DTLS and OSCORE to normative references
- Add counter-based version to the Methods for Generating Echo
Option Values appendix
- Use 64-bit randomness recommendation throughout (but keep it as
SHOULD so applications with strict requirements can reduce if
if really needed)
- Speling and Capitalization
* Changes since draft-ietf-core-echo-request-tag-09:
- Allow intermediaries to do Echo processing, provided they ask
at least as much freshness as they forward
- Emphasize that clients can forget Echo to further discourage
abuse as cookies
- Emphasize that RESTful application design can avoid the need
for a Request-Tag
- Align with core-oscore-groupcomm-09
- Add interaction with HTTP Early Data / 425 Too Early
- Abstract: Explicitly mention both updates to 7252
- Change requested option number of Echo to 252 (previous
property calculation was erroneous)
* Changes since draft-ietf-core-echo-request-tag-08:
- Make amplification attack mitigation by Echo an RFC7252
updating recommendation
- Give some more concrete guidance to that use case in terms of
sizes and message types
- Allow short (1-3 byte) Echo values for deterministic cases,
with according security considerations
- Point out the tricky parts around Request-Tag for stateless
proxies, and make that purely an outlook example with out-of-
scope details
- Lift ban on Request-Tag options without Block1 (as they can
legitimately be generated by an unaware proxy)
- Suggest concrete numbers for the options
* Changes since draft-ietf-core-echo-request-tag-07 (largely
addressing Francesca's review):
- Request tag: Explicitly limit "MUST NOT recycle" requirement to
particular applications
- Token reuse: upper-case RECOMMEND sequence number approach
- Structure: Move per-topic introductions to respective chapters
(this avoids long jumps by the reader)
- Structure: Group Block2 / ETag section inside new fragmentation
(formerly Request-Tag) section
- More precise references into other documents
- "concurrent operations": Emphasise that all here only matters
between endpoint pairs
- Freshness: Generalize wording away from time-based freshness
- Echo: Emphasise that no binding between any particular pair of
responses and requests is established
- Echo: Add event-based example
- Echo: Clarify when protection is needed
- Request tag: Enhance wording around "not sufficient condition"
- Request tag: Explicitly state when a tag needs to be set
- Request tag: Clarification about permissibility of leaving the
option absent
- Security considerations: wall clock time -> system time (and
remove inaccurate explanations)
- Token reuse: describe deny-listing in a more implementation-
independent way
* Changes since draft-ietf-core-echo-request-tag-06:
- Removed visible comment that should not be visible in Token
reuse considerations.
* Changes since draft-ietf-core-echo-request-tag-05:
- Add privacy considerations on cookie-style use of Echo values
- Add security considerations for token reuse
- Add note in security considerations on use of nonvolatile
memory when dealing with pseudorandom numbers
- Appendix on echo generation: add a few words on up- and
downsides of the encrypted timestamp alternative
- Clarifications around Outer Echo:
o Could be generated by the origin server to prove network
reachability (but for most applications it MUST be inner)
o Could be generated by intermediaries
o Is answered by the client to the endpoint from which it
received it (ie. Outer if received as Outer)
- Clarification that a server can send Echo preemtively
- Refer to stateless to explain what "more information than just
the sequence number" could be
- Remove explanations around 0.00 empty messags
- Rewordings:
o the attack: from "forging" to "guessing"
o "freshness tokens" to "freshness indicators" (to avoid
confusion with the Token)
- Editorial fixes:
o Abstract and introduction mention what is updated in RFC7252
o Reference updates
o Capitalization, spelling, terms from other documents
* Changes since draft-ietf-core-echo-request-tag-04:
- Editorial fixes
o Moved paragraph on collision-free encoding of data in the
Token to Security Considerations and rephrased it
o "easiest" -> "one easy"
* Changes since draft-ietf-core-echo-request-tag-03:
- Mention Token processing changes in title
- Abstract reworded
- Clarify updates to Token processing
- Describe security levels from Echo length
- Allow non-monotonic clocks under certain conditions for
freshness
- Simplify freshness expressions
- Describe when a Request-Tag can be set
- Add note on application-level freshness mechanisms
- Minor editorial changes
* Changes since draft-ietf-core-echo-request-tag-02:
- Define "freshness"
- Note limitations of "aliveness"
- Clarify proxy and OSCORE handling in presence of "echo"
- Clarify when Echo values may be reused
- Update security considerations
- Various minor clarifications
- Minor editorial changes
* Major changes since draft-ietf-core-echo-request-tag-01:
- Follow-up changes after the "relying on block-wise" change in
-01:
o Simplify the description of Request-Tag and matchability
o Do not update RFC7959 any more
- Make Request-Tag repeatable.
- Add rationale on not relying purely on sequence numbers.
* Major changes since draft-ietf-core-echo-request-tag-00:
- Reworded the Echo section.
- Added rules for Token processing.
- Added security considerations.
- Added actual IANA section.
- Made Request-Tag optional and safe-to-forward, relying on
block-wise to treat it as part of the cache-key
- Dropped use case about OSCORE Outer-block-wise (the case went
away when its Partial IV was moved into the Object-Security
option)
* Major changes since draft-amsuess-core-repeat-request-tag-00:
- The option used for establishing freshness was renamed from
"Repeat" to "Echo" to reduce confusion about repeatable
options.
- The response code that goes with Echo was changed from 4.03 to
4.01 because the client needs to provide better credentials.
- The interaction between the new option and (cross) proxies is
now covered.
- Two messages being "Request-Tag matchable" was introduced to
replace the older concept of having a request tag value with
its slightly awkward equivalence definition.
Acknowledgments
The authors want to thank Carsten Bormann, Roman Danyliw, Benjamin The authors want to thank Carsten Bormann, Roman Danyliw, Benjamin
Kaduk, Murray Kucherawy, Francesca Palombini and Jim Schaad for Kaduk, Murray Kucherawy, Francesca Palombini, and Jim Schaad for
providing valuable input to the draft. providing valuable input to the document.
Authors' Addresses Authors' Addresses
Christian Amsüss Christian Amsüss
Email: christian@amsuess.com Email: christian@amsuess.com
John Preuß Mattsson John Preuß Mattsson
Ericsson AB Ericsson AB
Email: john.mattsson@ericsson.com Email: john.mattsson@ericsson.com
Göran Selander Göran Selander
Ericsson AB Ericsson AB
Email: goran.selander@ericsson.com Email: goran.selander@ericsson.com
 End of changes. 220 change blocks. 
1060 lines changed or deleted 639 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/