Universitaet Bremen TZI

Postfach 330440 Bremen D-28359 Germany +49-421-218-63921 cabo@tzi.org

Zebra Technologies

820 W. Jackson Blvd.suite 700 Chicago 60607 United States of America +1-847-634-6700 slemay@zebra.com

Zebra Technologies

820 W. Jackson Blvd. suite 700 Chicago 60607 United States of America +1-847-634-6700 vsolorzanobarboza@zebra.com

ARM Ltd.

110 Fulbourn Rd Cambridge CB1 9NJ Great Britain Hannes.tschofenig@gmx.net http://www.tschofenig.priv.at

Applications Area (app) CORE The Hypertext Transfer Protocol (HTTP) has been designed with TCP as an underlying transport protocol. The Constrained Application Protocol (CoAP), which has been inspired by HTTP, has on the other hand been defined to make use of UDP. Therefore, reliable delivery and a simple congestion control and flow control mechanism are provided by the message layer of the CoAP protocol. A number of environments benefit from the use of CoAP directly over a reliable byte stream that already provides these services. This document defines the use of CoAP over TCP as well as CoAP over TLS.

The Constrained Application Protocol (CoAP) was designed for Internet of Things (IoT) deployments, assuming that UDP can be used freely – UDP , or DTLS over UDP, is a good choice for transferring small amounts of data in networks that follow the IP architecture. Some CoAP deployments, however, may have to integrate well with existing enterprise infrastructure, where the use of UDP-based protocols may not be well-received or even blocked by firewalls. Middleboxes that are unaware of CoAP usage for IoT can make the use of UDP brittle. CoAP over TCP can also help with NAT traversal too. NATs often calculate expiration timers based on the transport layer protocol being used by application protocols. A transport layer protocol like TCP gives NAT implementations additional information about the session semantic and this allows NATs to keep NAT bindings around for a longer period. UDP on the other hand does not provide such session semantics to a NAT and timeouts tend to be much shorter, as research confirms . As an additional usage scenario, some environments benefit from the more advanced congestion control and flow control capabilities provided by TCP. While there is ongoing work to add more sophisticated congestion control to CoAP, see , it is still far less efficient than functionality provided by TCP. Finally, CoAP may be integrated into a Web environment where the front-end uses CoAP from IoT devices to a cloud infrastructure but the CoAP messages are then piggybacked on top of TCP in the back-end to other Web services. A TCP-to-UDP gateway can be used at the cloud boundary to talk to the UDP-based IoT. To make both IoT devices work smoothly in these demanding environments, CoAP needs to make use of a different transport protocol, namely TCP and in some situations even TLS . The present document document describes a shim header that conveys length information about each CoAP message included. Modifications to CoAP beyond the replacement of the message layer (e.g., to introduce further optimizations) are intentionally avoided.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

The interaction model of CoAP over TCP is very similar to the one for CoAP over UDP with the key difference that TCP voids the need to provide certain transport layer protocol features, such as reliable delivery, fragmentation and reassembly, as well as congestion control, at the CoAP level. The protocol stack is illustrated in (derived from , Figure 1).

TCP offers features that are not available in UDP and consequently have been provided in the message layer of CoAP. Since TCP offers reliable delivery, there is no need to offer a redundant acknowledgement at the CoAP messaging layer. Hence, the only message type supported when using CoAP over TCP is the Non-confirmable message (NON). By nature of TCP, a NON over TCP is still transmitted reliably. (derived from , Figure 3) shows this message exchange graphically. A UDP-to-TCP gateway will therefore discard all empty messages, such as empty ACKs (after operating on them at the message layer), and re-pack the contents of all non-empty CON, NON, or ACK messages (i.e., those ACK messages that have a piggy-backed response) into NON messages. Similarly, there is no need to detect duplicate delivery of a message. In UDP CoAP, the Message ID is used for relating acknowledgements to Confirmable messages as well as for duplicate detection. Since the Message ID thus is not meaningful over TCP, it is elided (as indicated by the dashes in ).

| | | ]]>

As a result of removing the message layer in CoAP over TCP, the only supported message type from the ones CoAP over UDP provides is the NON type. A response is sent back as defined in , as illustrated in (derived from , Figure 6).

| | | | NON [------] | | 2.05 Content | | (Token 0x74) | | "22.5 C" | |<-----------------+ | | ]]>

The CoAP message format defined in , as shown in , relies on the datagram transport (UDP, or DTLS over UDP) for keeping the individual messages separate.

In a stream oriented transport protocol such as TCP, some other form of delimiting messages is needed. For this purpose, CoAP over TCP introduces a length field. shows the 2-byte shim header carrying length information prepending the CoAP message header.

The ‘Message Length' field is a 16-bit unsigned integer in network byte order. It provides the length of the subsequent CoAP message (including the CoAP header but excluding this message length field) in bytes. T is always the code for NON (1). The Message ID is meaningless and thus elided. The semantics of the other CoAP header fields is left unchanged.

One might wish that, when CoAP is used over TLS, then the TLS record layer length field could be used in place of the shim header length. Each CoAP message would be transported in a separate TLS record layer message, making the shim header that includes the length information redundant. However, RFC 5246 says that "Client message boundaries are not preserved in the record layer (i.e., multiple client messages of the same ContentType MAY be coalesced into a single TLSPlaintext record, or a single message MAY be fragmented across several records)." While the Record Layer provides length information about of subsequent application data and handshaking payloads TLS implementations typically do not support an API interface that would provide access to the record layer delimiting information. An additional problem with this approach is that this approach would remove the potential optimization of packing several CoAP messages into one record layer message, which is normally a way to amortize the record layer and MAC overhead over all these messages. In summary, we are not pursuing this idea for an optimization. One other observation is that the message size limitations defined in Section 4.6 of are no longer strictly necessary. Consenting [how?] implementations may want to interchange messages with payload sizes than 1024 bytes, potentially also obviating the need for the Block protocol . It must be noted that entirely getting rid of the block protocol is not a generally applicable solution, as: a UDP-to-TCP gateway may simply not have the context to convert a message with a Block option into the equivalent exchange without any use of a Block option. large messages might also cause undesired head-of-line blocking. The general assumption is therefore that the block protocol will continue to be used over TCP, even if applications occasionally do exchange messages with payload sizes larger than desirable in UDP.

CoAP defines the "coap" and "coaps" URI schemes for identifying CoAP resources and providing a means of locating the resource. RFC 7252 defines these resources for use with CoAP over UDP. The present specification introduces two new URI schemes, namely "coap+tcp" and "coaps+tcp". The rules from Section 6 of apply to these two new URI schemes. , Section 8 (Multicast CoAP), does not apply to the URI schemes defined in the present specification. Resources made available via one of the "coap+tcp" or "coaps+tcp" schemes have no shared identity with the other scheme or with the "coap" or "coaps" scheme, even if their resource identifiers indicate the same authority (the same host listening to the same port). The schemes constitute distinct namespaces and, in combination with the authority, are considered to be distinct origin servers.

The semantics defined in , Section 6.1, applies to this URI scheme, with the following changes: The port subcomponent indicates the TCP port at which the CoAP server is located. (If it is empty or not given, then the default port 5683 is assumed, as with UDP.)

The semantics defined in , Section 6.2, applies to this URI scheme, with the following changes: The port subcomponent indicates the TCP port at which the TLS server for the CoAP server is located. If it is empty or not given, then the default port 443 is assumed (this is different from the default port for "coaps", i.e., CoAP over DTLS over UDP). When CoAP is exchanged over TLS port 443 then the "TLS Application Layer Protocol Negotiation Extension" MUST be used to allow demultiplexing at the server-side unless out-of-band information ensures that the client only interacts with a server that is able to demultiplex CoAP messages over port 443. This would, for example, be true for many Internet of Things deployments where clients are pre-configured to only ever talk with specific servers. Shouldn't we simply always require ALPN?

This document defines how to convey CoAP over TCP and TLS. It does not introduce new vulnerabilities beyond those described already in the CoAP specification. CoAP makes use of DTLS 1.2 and this specification consequently uses TLS 1.2 . CoAP MUST NOT be used with older versions of TLS. Guidelines for use of cipher suites and TLS extensions can be found in .

IANA is requested to assign the port number 5683 and the service name "coap+tcp", in accordance with . coap+tcp tcp IESG <iesg@ietf.org> IETF Chair <chair@ietf.org> Constrained Application Protocol (CoAP) [RFCthis] 5683 Similarly, IANA is requested to assign the service name "coaps+tcp", in accordance with . However, no separate port number is used for coaps over TCP; instead, the ALPN protocol ID defined in is used over port 443. coaps+tcp tcp IESG <iesg@ietf.org> IETF Chair <chair@ietf.org> Constrained Application Protocol (CoAP) , [RFCthis] 443 (see also of [RFCthis]})

This document registers two new URI schemes, namely "coap+tcp" and "coaps+tcp", for the use of CoAP over TCP and for CoAP over TLS over TCP, respectively. The "coap+tcp" and "coaps+tcp" URI schemes can thus be compared to the "http" and "https" URI schemes. The syntax of the "coap" and "coaps" URI schemes is specified in Section 6 of and the present document re-uses their semantics for "coap+tcp" and "coaps+tcp", respectively, with the exception that TCP, or TLS over TCP is used as a transport protocol. IANA is requested to add these new URI schemes to the registry established with .

This document requests a value from the "Application Layer Protocol Negotiation (ALPN) Protocol IDs" created by : CoAP 0x63 0x6f 0x61 0x70 ("coap") [RFCthis]

We would like to thank Stephen Berard, Geoffrey Cristallo, Olivier Delaby, Michael Koster, Matthias Kovatsch, Szymon Sasin, and Zach Shelby for their feedback.

This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK] The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t><t> CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. Harvard University

1350 Mass. Ave. Cambridge MA 02138 - +1 617 495 3864 sob@harvard.edu

General keyword In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. Note that the force of these words is modified by the requirement level of the document in which they are used. This document provides guidelines and recommendations for the definition of Uniform Resource Identifier (URI) schemes. It also updates the process and IANA registry for URI schemes. It obsoletes both RFC 2717 and RFC 2718. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. University of Southern California (USC)/Information Sciences Institute

4676 Admiralty Way Marina del Rey CA 90291 US

This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection. University of Southern California (USC)/Information Sciences Institute

4676 Admiralty Way Marina del Rey CA 90291 US +1 213 822 1511

This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK] This document defines the procedures that the Internet Assigned Numbers Authority (IANA) uses when handling assignment and other requests related to the Service Name and Transport Protocol Port Number registry. It also discusses the rationale and principles behind these procedures and how they facilitate the long-term sustainability of the registry.</t><t> This document updates IANA's procedures by obsoleting the previous UDP and TCP port assignment procedures defined in Sections 8 and 9.1 of the IANA Allocation Guidelines, and it updates the IANA service name and port assignment procedures for UDP-Lite, the Datagram Congestion Control Protocol (DCCP), and the Stream Control Transmission Protocol (SCTP). It also updates the DNS SRV specification to clarify what a service name is and how it is registered. This memo documents an Internet Best Current Practice.