< draft-ietf-dice-profile-03.txt   draft-ietf-dice-profile-04.txt >
dice H. Tschofenig, Ed. dice H. Tschofenig, Ed.
Internet-Draft ARM Ltd. Internet-Draft ARM Ltd.
Intended status: Standards Track July 4, 2014 Intended status: Standards Track August 31, 2014
Expires: January 5, 2015 Expires: March 4, 2015
A Datagram Transport Layer Security (DTLS) 1.2 Profile for the Internet A Datagram Transport Layer Security (DTLS) 1.2 Profile for the Internet
of Things of Things
draft-ietf-dice-profile-03.txt draft-ietf-dice-profile-04.txt
Abstract Abstract
This document defines a DTLS profile that is suitable for Internet of This document defines a DTLS 1.2 profile that is suitable for
Things applications and is reasonably implementable on many Internet of Things applications and is reasonably implementable on
constrained devices. many constrained devices.
A common design pattern in IoT deployments is the use of a A common design pattern in IoT deployments is the use of a
constrained device (typically providing sensor data) that interacts constrained device (typically providing sensor data) that interacts
with the web infrastructure. This document focuses on this with the web infrastructure. This document focuses on this
particular pattern. particular pattern.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 5, 2015. This Internet-Draft will expire on March 4, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 15 skipping to change at page 2, line 15
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. The Communication Model . . . . . . . . . . . . . . . . . . . 5 3. The Communication Model . . . . . . . . . . . . . . . . . . . 5
4. The Ciphersuite Concept . . . . . . . . . . . . . . . . . . . 6 4. The Ciphersuite Concept . . . . . . . . . . . . . . . . . . . 6
5. Pre-Shared Secret Authentication with DTLS . . . . . . . . . 8 5. Credential Types . . . . . . . . . . . . . . . . . . . . . . 8
6. Raw Public Key Use with DTLS . . . . . . . . . . . . . . . . 9 5.1. Pre-Shared Secret . . . . . . . . . . . . . . . . . . . . 8
7. Certificate Use with DTLS . . . . . . . . . . . . . . . . . . 11 5.2. Raw Public Key . . . . . . . . . . . . . . . . . . . . . 9
8. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 12 5.3. Certificates . . . . . . . . . . . . . . . . . . . . . . 11
9. Session Resumption . . . . . . . . . . . . . . . . . . . . . 13 6. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 13
10. Compression . . . . . . . . . . . . . . . . . . . . . . . . . 14 7. Session Resumption . . . . . . . . . . . . . . . . . . . . . 14
11. Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . . 14 8. Compression . . . . . . . . . . . . . . . . . . . . . . . . . 14
12. Keep-Alive . . . . . . . . . . . . . . . . . . . . . . . . . 15 9. Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . . 15
13. Random Number Generation . . . . . . . . . . . . . . . . . . 16 10. Keep-Alive . . . . . . . . . . . . . . . . . . . . . . . . . 15
14. Client Certificate URLs . . . . . . . . . . . . . . . . . . . 17 11. Random Number Generation . . . . . . . . . . . . . . . . . . 16
15. Trusted CA Indication . . . . . . . . . . . . . . . . . . . . 17 12. Client Certificate URLs . . . . . . . . . . . . . . . . . . . 17
16. Truncated MAC Extension . . . . . . . . . . . . . . . . . . . 17 13. Trusted CA Indication . . . . . . . . . . . . . . . . . . . . 17
17. Server Name Indication (SNI) . . . . . . . . . . . . . . . . 18 14. Truncated MAC Extension . . . . . . . . . . . . . . . . . . . 18
18. Maximum Fragment Length Negotiation . . . . . . . . . . . . . 18 15. Server Name Indication (SNI) . . . . . . . . . . . . . . . . 18
19. Negotiation and Downgrading Attacks . . . . . . . . . . . . . 18 16. Maximum Fragment Length Negotiation . . . . . . . . . . . . . 19
20. Privacy Considerations . . . . . . . . . . . . . . . . . . . 19 17. TLS Session Hash . . . . . . . . . . . . . . . . . . . . . . 19
21. Security Considerations . . . . . . . . . . . . . . . . . . . 19 18. Negotiation and Downgrading Attacks . . . . . . . . . . . . . 19
22. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 19. Privacy Considerations . . . . . . . . . . . . . . . . . . . 20
23. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 20. Security Considerations . . . . . . . . . . . . . . . . . . . 20
24. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 21. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
24.1. Normative References . . . . . . . . . . . . . . . . . . 20 22. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21
24.2. Informative References . . . . . . . . . . . . . . . . . 21 23. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 23 23.1. Normative References . . . . . . . . . . . . . . . . . . 21
23.2. Informative References . . . . . . . . . . . . . . . . . 22
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
This document defines a DTLS 1.2 [RFC6347] profile that offers This document defines a DTLS 1.2 [RFC6347] profile that offers
communication security for Internet of Things (IoT) applications and communication security for Internet of Things (IoT) applications and
is reasonably implementable on many constrained devices. It aims to is reasonably implementable on many constrained devices. The DTLS
1.2 protocol is based on Transport Layer Security (TLS) 1.2 [RFC5246]
and provides equivalent security guarantees. This document aims to
meet the following goals: meet the following goals:
o Serves as a one-stop shop for implementers to know which pieces of o Serves as a one-stop shop for implementers to know which pieces of
the specification jungle contain relevant details. the specification jungle contain relevant details.
o Does not alter the DTLS 1.2 specification. o Does not alter the DTLS 1.2 specification.
o Does not introduce any new extensions. o Does not introduce any new extensions.
o Aligns with the DTLS security modes of the Constrained Application o Aligns with the DTLS security modes of the Constrained Application
Protocol (CoAP) [RFC7252]. Protocol (CoAP) [RFC7252].
DTLS is used to secure a number of applications run over an DTLS is used to secure a number of applications run over an
unreliable datagram transport. CoAP [RFC7252] is one such protocol unreliable datagram transport. CoAP [RFC7252] is one such protocol
and has been designed specifically for use in IoT environments. CoAP and has been designed specifically for use in IoT environments. CoAP
can be secured a number of different ways, also called security can be secured a number of different ways, also called security
modes. These security modes are as follows, see Section 5, modes. These security modes are as follows, see Section 5.1,
Section 6, Section 7 for additional details: Section 5.2, Section 5.3 for additional details:
No Security Protection at the Transport Layer: No DTLS is used but No Security Protection at the Transport Layer: No DTLS is used but
instead application layer security functionality is assumed. instead application layer security functionality is assumed.
Shared Secret-based DTLS Authentication: DTLS supports the use of Shared Secret-based DTLS Authentication: DTLS supports the use of
shared secrets [RFC4279]. This mode is useful if the number of shared secrets [RFC4279]. This mode is useful if the number of
communication relationships between the IoT device and servers is communication relationships between the IoT device and servers is
small and for very constrained devices. Shared secret-based small and for very constrained devices. Shared secret-based
authentication mechanisms offer good performance and require a authentication mechanisms offer good performance and require a
minimum of data to be exchanged. minimum of data to be exchanged.
skipping to change at page 5, line 19 skipping to change at page 5, line 22
architecture. architecture.
The communication architecture shown in Figure 1 assumes a uni-cast The communication architecture shown in Figure 1 assumes a uni-cast
communication interaction with an IoT device utilizing a DTLS client communication interaction with an IoT device utilizing a DTLS client
and that client interacts with one or multiple DTLS servers. and that client interacts with one or multiple DTLS servers.
Clients are preconfigured with the address or addresses of servers Clients are preconfigured with the address or addresses of servers
(e.g., as part of the firmware) they will communicate with as well as (e.g., as part of the firmware) they will communicate with as well as
authentication information: authentication information:
o For PSK-based authentication (see Section 5), this includes the o For PSK-based authentication (see Section 5.1), this includes the
paired "PSK identity" and shared secret to be used with each paired "PSK identity" and shared secret to be used with each
server. server.
o For raw public key-based authentication (see Section 6), this o For raw public key-based authentication (see Section 5.2), this
includes either the server's public key or the hash of the includes either the server's public key or the hash of the
server's public key. server's public key.
o For certificate-based authentication (see Section 7), this may o For certificate-based authentication (see Section 5.3), this may
include a pre-populated trust anchor store that allows the client include a pre-populated trust anchor store that allows the client
to perform path validation for the certificate obtained during the to perform path validation for the certificate obtained during the
handshake with the server. handshake with the server.
This document only focuses on the description of the DTLS client-side This document only focuses on the description of the DTLS client-side
functionality. functionality.
+////////////////////////////////////+ +////////////////////////////////////+
| Configuration | | Configuration |
|////////////////////////////////////| |////////////////////////////////////|
skipping to change at page 8, line 9 skipping to change at page 8, line 9
which have been selected based on implementation and deployment which have been selected based on implementation and deployment
experience from the IoT community. Over time the preference for experience from the IoT community. Over time the preference for
certain algorithms will, however, change. Not all components of a certain algorithms will, however, change. Not all components of a
ciphersuite change at the same speed. Changes are more likely to ciphersuite change at the same speed. Changes are more likely to
expect for ciphers, the mode of operation, and the hash algorithms. expect for ciphers, the mode of operation, and the hash algorithms.
Some deployment environments will also be impacted by local Some deployment environments will also be impacted by local
regulation, which might dictate a certain and less likely for public regulation, which might dictate a certain and less likely for public
key algorithms (such as RSA vs. ECC). key algorithms (such as RSA vs. ECC).
5. Pre-Shared Secret Authentication with DTLS 5. Credential Types
5.1. Pre-Shared Secret
The use of pre-shared secret credentials is one of the most basic The use of pre-shared secret credentials is one of the most basic
techniques for DTLS since it is both computational efficient and techniques for DTLS since it is both computational efficient and
bandwidth conserving. Pre-shared secret based authentication was bandwidth conserving. Pre-shared secret based authentication was
introduced to TLS with RFC 4279 [RFC4279]. The exchange shown in introduced to TLS with RFC 4279 [RFC4279]. The exchange shown in
Figure 2 illustrates the DTLS exchange including the cookie exchange. Figure 2 illustrates the DTLS exchange including the cookie exchange.
While the server is not required to initiate a cookie exchange with While the server is not required to initiate a cookie exchange with
every handshake, the client is required to implement and to react on every handshake, the client is required to implement and to react on
it when challenged. it when challenged.
skipping to change at page 9, line 45 skipping to change at page 9, line 47
profile. profile.
Constrained Application Protocol (CoAP) [RFC7252] currently specifies Constrained Application Protocol (CoAP) [RFC7252] currently specifies
TLS_PSK_WITH_AES_128_CCM_8 as the mandatory to implement ciphersuite TLS_PSK_WITH_AES_128_CCM_8 as the mandatory to implement ciphersuite
for use with shared secrets. This ciphersuite uses the AES algorithm for use with shared secrets. This ciphersuite uses the AES algorithm
with 128 bit keys and CCM as the mode of operation. The label "_8" with 128 bit keys and CCM as the mode of operation. The label "_8"
indicates that an 8-octet authentication tag is used. This indicates that an 8-octet authentication tag is used. This
ciphersuite makes use of the default TLS 1.2 Pseudorandom Function ciphersuite makes use of the default TLS 1.2 Pseudorandom Function
(PRF), which uses HMAC with the SHA-256 hash function. (PRF), which uses HMAC with the SHA-256 hash function.
6. Raw Public Key Use with DTLS 5.2. Raw Public Key
The use of raw public keys with DTLS, as defined in [RFC7250], is the The use of raw public keys with DTLS, as defined in [RFC7250], is the
first entry point into public key cryptography without having to pay first entry point into public key cryptography without having to pay
the price of certificates and a PKI. The specification re-uses the the price of certificates and a PKI. The specification re-uses the
existing Certificate message to convey the raw public key encoded in existing Certificate message to convey the raw public key encoded in
the SubjectPublicKeyInfo structure. To indicate support two new TLS the SubjectPublicKeyInfo structure. To indicate support two new TLS
extensions had been defined, as shown in Figure 3, namely the extensions had been defined, as shown in Figure 3, namely the
server_certificate_type and the client_certificate_type. To operate server_certificate_type and the client_certificate_type. To operate
this mechanism securely it is necessary to authenticate and authorize this mechanism securely it is necessary to authenticate and authorize
the public keys out-of-band. This document therefore assumes that a the public keys out-of-band. This document therefore assumes that a
skipping to change at page 10, line 48 skipping to change at page 11, line 4
[ChangeCipherSpec] [ChangeCipherSpec]
Finished --------> Finished -------->
[ChangeCipherSpec] [ChangeCipherSpec]
<-------- Finished <-------- Finished
Figure 3: DTLS Raw Public Key Exchange including the Cookie Exchange. Figure 3: DTLS Raw Public Key Exchange including the Cookie Exchange.
The CoAP recommended ciphersuite for use with this credential type is The CoAP recommended ciphersuite for use with this credential type is
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 [RFC7251]. This elliptic curve TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 [RFC7251]. This elliptic curve
cryptography (ECC) based AES-CCM TLS ciphersuite uses the Elliptic cryptography (ECC) based AES-CCM TLS ciphersuite uses the Ephemeral
Curve Diffie-Hellman (ECDHE) as the key establishment mechanism and Elliptic Curve Diffie-Hellman (ECDHE) as the key establishment
an Elliptic Curve Digital Signature Algorithm (ECDSA) for mechanism and an Elliptic Curve Digital Signature Algorithm (ECDSA)
authentication. This ciphersuite make use of the AEAD capability in for authentication. Due to the use of Ephemeral Elliptic Curve
DTLS 1.2 and utilizes an eight-octet authentication tag. The use of Diffie-Hellman (ECDHE) the recently introduced named Diffie-Hellman
a Diffie-Hellman key exchange adds perfect forward secrecy (PFS). groups [I-D.ietf-tls-negotiated-dl-dhe] are not applicable to this
More details about PFS can be found in Section 11. profile. This ciphersuite make use of the AEAD capability in DTLS
1.2 and utilizes an eight-octet authentication tag. The use of a
Diffie-Hellman key exchange adds perfect forward secrecy (PFS). More
details about PFS can be found in Section 9.
RFC 6090 [RFC6090] provides valuable information for implementing RFC 6090 [RFC6090] provides valuable information for implementing
Elliptic Curve Cryptography algorithms. Elliptic Curve Cryptography algorithms, particularly for choosing
methods that have been published more than 20 years ago.
Since many IoT devices will either have limited ways to log error or Since many IoT devices will either have limited ways to log error or
no ability at all, any error will lead to implementations attempting no ability at all, any error will lead to implementations attempting
to re-try the exchange. to re-try the exchange.
7. Certificate Use with DTLS 5.3. Certificates
The use of mutual certificate-based authentication is shown in The use of mutual certificate-based authentication is shown in
Figure 4, which makes use of the cached info extension Figure 4, which makes use of the cached info extension
[I-D.ietf-tls-cached-info]. Support of the cached info extension is [I-D.ietf-tls-cached-info]. Support of the cached info extension is
required. Caching certificate chains allows the client to reduce the required. Caching certificate chains allows the client to reduce the
communication overhead significantly since otherwise the server would communication overhead significantly since otherwise the server would
provide the end entity certificate, and the certificate chain. provide the end entity certificate, and the certificate chain.
Because certificate validation requires that root keys be distributed Because certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root independently, the self-signed certificate that specifies the root
certificate authority is omitted from the chain. Client certificate authority is omitted from the chain. Client
skipping to change at page 12, line 36 skipping to change at page 12, line 42
ClientKeyExchange ClientKeyExchange
CertificateVerify CertificateVerify
[ChangeCipherSpec] [ChangeCipherSpec]
Finished --------> Finished -------->
[ChangeCipherSpec] [ChangeCipherSpec]
<-------- Finished <-------- Finished
Figure 4: DTLS Mutual Certificate-based Authentication. Figure 4: DTLS Mutual Certificate-based Authentication.
Regarding the ciphersuite choice the discussion in Section 6 applies. Regarding the ciphersuite choice the discussion in Section 5.2
Further details about X.509 certificates can be found in applies. Further details about X.509 certificates can be found in
Section 9.1.3.3 of [RFC7252]. Section 9.1.3.3 of [RFC7252]. The TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
ciphersuite description in Section 5.2 is also applicable to this
section.
8. Error Handling It is RECOMMENDED to limit the depth of the certificate chain to a
maximum of three (3).
6. Error Handling
DTLS uses the Alert protocol to convey error messages and specifies a DTLS uses the Alert protocol to convey error messages and specifies a
longer list of errors. However, not all error messages defined in longer list of errors. However, not all error messages defined in
the TLS specification are applicable to this profile. All error the TLS specification are applicable to this profile. All error
messages marked as RESERVED are only supported for backwards messages marked as RESERVED are only supported for backwards
compatibility with SSL and are therefore not applicable to this compatibility with SSL and are therefore not applicable to this
profile. Those include decryption_failed_RESERVED, profile. Those include decryption_failed_RESERVED,
no_certificate_RESERVE, and export_restriction_RESERVED. no_certificate_RESERVE, and export_restriction_RESERVED.
A number of the error messages are applicable only for certificate- A number of the error messages are applicable only for certificate-
skipping to change at page 13, line 46 skipping to change at page 14, line 8
DTLS protocol. DTLS protocol.
insufficient_security: This error message indicates that the server insufficient_security: This error message indicates that the server
requires ciphers to be more secure. This document does, however, requires ciphers to be more secure. This document does, however,
specify the only acceptable ciphersuites and client specify the only acceptable ciphersuites and client
implementations must support them. implementations must support them.
user_canceled: The IoT devices in focus of this specification are user_canceled: The IoT devices in focus of this specification are
assumed to be unattended. assumed to be unattended.
9. Session Resumption 7. Session Resumption
Session resumption is a feature of DTLS that allows a client to Session resumption is a feature of DTLS that allows a client to
continue with an earlier established session state. The resulting continue with an earlier established session state. The resulting
exchange is shown in Figure 5. In addition, the server may choose exchange is shown in Figure 5. In addition, the server may choose
not to do a cookie exchange when a session is resumed. Still, not to do a cookie exchange when a session is resumed. Still,
clients have to be prepared to do a cookie exchange with every clients have to be prepared to do a cookie exchange with every
handshake. handshake.
Client Server Client Server
------ ------ ------ ------
skipping to change at page 14, line 29 skipping to change at page 14, line 39
Clients MUST implement session resumption to improve the performance Clients MUST implement session resumption to improve the performance
of the handshake (in terms of reduced number of message exchanges, of the handshake (in terms of reduced number of message exchanges,
lower computational overhead, and less bandwidth conserved). lower computational overhead, and less bandwidth conserved).
Since the communication model described in Section 3 does not assume Since the communication model described in Section 3 does not assume
that the server is constrained. RFC 5077 [RFC5077] describing TLS that the server is constrained. RFC 5077 [RFC5077] describing TLS
session resumption without server-side state is not utilized by this session resumption without server-side state is not utilized by this
profile. profile.
10. Compression 8. Compression
[I-D.ietf-uta-tls-bcp] recommends to always disable DTLS-level [I-D.ietf-uta-tls-bcp] recommends to always disable DTLS-level
compression due to attacks. For IoT applications compression at the compression due to attacks. For IoT applications compression at the
DTLS is not needed since application layer protocols are highly DTLS is not needed since application layer protocols are highly
optimized and the compression algorithms at the DTLS layer increase optimized and the compression algorithms at the DTLS layer increase
code size and complexity. code size and complexity.
This DTLS client profile does not include DTLS layer compression. This DTLS client profile does not include DTLS layer compression.
11. Perfect Forward Secrecy 9. Perfect Forward Secrecy
Perfect forward secrecy (PFS) is designed to prevent the compromise Perfect forward secrecy (PFS) is designed to prevent the compromise
of a long-term secret key from affecting the confidentiality of past of a long-term secret key from affecting the confidentiality of past
conversations. The PSK ciphersuite recommended in the CoAP conversations. The PSK ciphersuite recommended in the CoAP
specification [RFC7252] does not offer this property since it does specification [RFC7252] does not offer this property since it does
not utilize a Diffie-Hellman exchange. [I-D.ietf-uta-tls-bcp] on the not utilize a Diffie-Hellman exchange. [I-D.ietf-uta-tls-bcp] on the
other hand recommends using ciphersuites offering this security other hand recommends using ciphersuites offering this security
property and so do the public key-based ciphersuites recommended by property and so do the public key-based ciphersuites recommended by
the CoAP specification. the CoAP specification.
skipping to change at page 15, line 20 skipping to change at page 15, line 31
the impact of the disclosure of past conversations and the desire to the impact of the disclosure of past conversations and the desire to
increase the cost for pervasive monitoring (see [RFC7258]) has to be increase the cost for pervasive monitoring (see [RFC7258]) has to be
taken into account. taken into account.
Our recommendation is to stick with the ciphersuite suggested in the Our recommendation is to stick with the ciphersuite suggested in the
CoAP specification. New ciphersuites support PFS for pre-shared CoAP specification. New ciphersuites support PFS for pre-shared
secret-based authentication, such as secret-based authentication, such as
[I-D.schmertmann-dice-ccm-psk-pfs], and might be available as a [I-D.schmertmann-dice-ccm-psk-pfs], and might be available as a
standardized ciphersuite in the future. standardized ciphersuite in the future.
12. Keep-Alive 10. Keep-Alive
RFC 6520 [RFC6520] defines a heartbeat mechanism to test whether the RFC 6520 [RFC6520] defines a heartbeat mechanism to test whether the
other peer is still alive. The same mechanism can also be used to other peer is still alive. The same mechanism can also be used to
perform Path Maximum Transmission Unit (MTU) Discovery. perform Path Maximum Transmission Unit (MTU) Discovery.
A recommendation about the use of RFC 6520 depends on the type of A recommendation about the use of RFC 6520 depends on the type of
message exchange an IoT device performs. There are three types of message exchange an IoT device performs. There are three types of
exchanges that need to be analysed: exchanges that need to be analysed:
Client-Initiated, One-Shot Messages Client-Initiated, One-Shot Messages
skipping to change at page 16, line 33 skipping to change at page 16, line 45
messages is quite useful. The MTU discovery mechanism, on the messages is quite useful. The MTU discovery mechanism, on the
other hand, is less likely to be relevant since for many IoT other hand, is less likely to be relevant since for many IoT
deployments the must constrained link is the wireless interface at deployments the must constrained link is the wireless interface at
the IoT device itself rather than somewhere in the network. Only the IoT device itself rather than somewhere in the network. Only
in more complex network topologies the situation might be in more complex network topologies the situation might be
different. different.
For server-initiated messages the heartbeat extension can be For server-initiated messages the heartbeat extension can be
recommended. recommended.
13. Random Number Generation 11. Random Number Generation
The DTLS protocol requires random numbers to be available during the The DTLS protocol requires random numbers to be available during the
protocol run. For example, during the ClientHello and the protocol run. For example, during the ClientHello and the
ServerHello exchange the client and the server exchange random ServerHello exchange the client and the server exchange random
numbers. Also, the use of the Diffie-Hellman exchange requires numbers. Also, the use of the Diffie-Hellman exchange requires
random numbers during the key pair generation. Special care has to random numbers during the key pair generation. Special care has to
be paid when generating random numbers in embedded systems as many be paid when generating random numbers in embedded systems as many
entropy sources available on desktop operating systems or mobile entropy sources available on desktop operating systems or mobile
devices might be missing, as described in [Heninger]. Consequently, devices might be missing, as described in [Heninger]. Consequently,
if not enough time is given during system start time to fill the if not enough time is given during system start time to fill the
skipping to change at page 17, line 11 skipping to change at page 17, line 20
Recommendation: IoT devices using DTLS MUST offer ways to generate Recommendation: IoT devices using DTLS MUST offer ways to generate
quality random numbers. Guidelines and requirements for random quality random numbers. Guidelines and requirements for random
number generation can be found in RFC 4086 [RFC4086]. number generation can be found in RFC 4086 [RFC4086].
It is important to note that sources contributing to the randomness It is important to note that sources contributing to the randomness
pool on laptops, or desktop PCs are not available on many IoT device, pool on laptops, or desktop PCs are not available on many IoT device,
such as mouse movement, timing of keystrokes, air turbulence on the such as mouse movement, timing of keystrokes, air turbulence on the
movement of hard drive heads, etc. Other sources have to be found or movement of hard drive heads, etc. Other sources have to be found or
dedicated hardware has to be added. dedicated hardware has to be added.
14. Client Certificate URLs The ClientHello and the ServerHello message contains the 'Random'
structure, which has two components: gmt_unix_time and a random
sequence of 28 random bytes. gmt_unix_time holds the current time
and date in standard UNIX 32-bit format (seconds since the midnight
starting Jan 1, 1970, GMT). [I-D.mathewson-no-gmtunixtime] argues
that the entire value the ClientHello.Random and ServerHello.Random
fields, including gmt_unix_time, should be set to a cryptographically
random sequence because of privacy concerns (fingerprinting). Since
many IoT devices do not have access to a real-time clock this
recommendation is even more relevant in the embedded systems
environment.
12. Client Certificate URLs
This RFC 6066 [RFC6066] extension allows to avoid sending client-side This RFC 6066 [RFC6066] extension allows to avoid sending client-side
certificates and URLs instead. This reduces the over-the-air certificates and URLs instead. This reduces the over-the-air
transmission. transmission.
This is certainly a useful extension when a certificate-based mode This is certainly a useful extension when a certificate-based mode
for DTLS is used since the TLS cached info extension does not provide for DTLS is used since the TLS cached info extension does not provide
any help with caching information on the server side. any help with caching information on the server side.
Recommendation: Add support for client certificate URLs for those Recommendation: Add support for client certificate URLs for those
environments where client-side certificates are used. environments where client-side certificates are used.
15. Trusted CA Indication 13. Trusted CA Indication
This RFC 6066 extension allows clients to indicate what trust anchor This RFC 6066 extension allows clients to indicate what trust anchor
they support. With certificate-based authentication a DTLS server they support. With certificate-based authentication a DTLS server
conveys its end entity certificate to the client during the DTLS conveys its end entity certificate to the client during the DTLS
exchange provides. Since the server does not necessarily know what exchange provides. Since the server does not necessarily know what
trust anchors the client has stored it includes intermediate CA certs trust anchors the client has stored it includes intermediate CA certs
in the certificate payload as well to facilitate with certification in the certificate payload as well to facilitate with certification
path construction and path validation. path construction and path validation.
Today, in most IoT deployments there is a fairly static relationship Today, in most IoT deployments there is a fairly static relationship
skipping to change at page 17, line 48 skipping to change at page 18, line 21
Recommendation: For IoT deployments where clients talk to a fixed, Recommendation: For IoT deployments where clients talk to a fixed,
pre-configured set of servers and where a software update mechanism pre-configured set of servers and where a software update mechanism
is available this extension is not recommended. Environments where is available this extension is not recommended. Environments where
the client needs to interact with dynamically discovered DTLS servers the client needs to interact with dynamically discovered DTLS servers
this extension may be useful to reduce the communication overhead. this extension may be useful to reduce the communication overhead.
Note, however, in that case the TLS cached info extension may help to Note, however, in that case the TLS cached info extension may help to
reduce the communication overhead for everything but the first reduce the communication overhead for everything but the first
protocol interaction. protocol interaction.
16. Truncated MAC Extension 14. Truncated MAC Extension
This RFC 6066 extension was introduced to reduces the size of the MAC The truncated MAC extension was introduced with RFC 6066 with the
used at the Record Layer. This extension was developed for TLS goal to reduces the size of the MAC used at the Record Layer. This
ciphersuites that used older modes of operation where the MAC and the extension was developed for TLS ciphersuites that used older modes of
encryption operation was performed independently. operation where the MAC and the encryption operation was performed
independently.
For CoAP, however, the recommended ciphersuites use the newer For CoAP, however, the recommended ciphersuites use the newer
Authenticated Encryption with Associated Data (AEAD) construct, Authenticated Encryption with Associated Data (AEAD) construct,
namely the CBC-MAC mode (CCM) with eight-octet authentication tags. namely the CBC-MAC mode (CCM) with eight-octet authentication tags.
Furthermore, the extension [I-D.ietf-tls-encrypt-then-mac]
introducing the encrypt-then-MAC security mechanism (instead of the
MAC-then-encrypt) is also not applicable for this profile.
Recommendation: Since this profile only supports AEAD ciphersuites Recommendation: Since this profile only supports AEAD ciphersuites
this extension is not applicable. this extension is not applicable.
17. Server Name Indication (SNI) 15. Server Name Indication (SNI)
This RFC 6066 extension defines a mechanism for a client to tell a This RFC 6066 extension defines a mechanism for a client to tell a
TLS server the name of the server it wants to contact. This is a TLS server the name of the server it wants to contact. This is a
useful extension for many hosting environments where multiple virtual useful extension for many hosting environments where multiple virtual
servers are run on single IP address. servers are run on single IP address.
Recommendation: Unless it is known that a DTLS client does not Recommendation: Unless it is known that a DTLS client does not
interact with a server in a hosting environment that requires such an interact with a server in a hosting environment that requires such an
extension we advice to offer support for the SNI extension in this extension we advice to offer support for the SNI extension in this
profile. profile.
18. Maximum Fragment Length Negotiation 16. Maximum Fragment Length Negotiation
This RFC 6066 extension lowers the maximum fragment length support This RFC 6066 extension lowers the maximum fragment length support
needed for the Record Layer from 2^14 bytes to 2^9 bytes. needed for the Record Layer from 2^14 bytes to 2^9 bytes.
This is a very useful extension that allows the client to indicate to This is a very useful extension that allows the client to indicate to
the server how much maximum memory buffers it uses for incoming the server how much maximum memory buffers it uses for incoming
messages. Ultimately, the main benefit of this extension is it to messages. Ultimately, the main benefit of this extension is it to
allows client implementations to lower their RAM requirements since allows client implementations to lower their RAM requirements since
the client does not need to accept packets of large size (such as 16k the client does not need to accept packets of large size (such as 16k
packets as required by plain TLS/DTLS). packets as required by plain TLS/DTLS).
Recommendation: Client implementations must support this extension. Recommendation: Client implementations MUST support this extension.
19. Negotiation and Downgrading Attacks 17. TLS Session Hash
The TLS master secret is not cryptographically bound to important
session parameters such as the client and server identities. This
can be utilized by an attacker to mount a man-in-the-middle attack
since the master secret is not guaranteed to be unique across
sessions.
[I-D.ietf-tls-session-hash] defines a TLS extension that binds the
master secret to a log of the full handshake that computes it, thus
preventing such attacks.
Recommendation: Client implementations SHOULD implement this
extension support this extension even though the ciphersuites
recommended by this profile are not vulnerable this attack. For
Diffie-Hellman-based ciphersuites the keying material is contributed
by both parties and in case of the pre-shared secret key ciphersuite
both parties need to be in possession of the shared secret to ensure
that the handshake completes successfully. It is, however, possible
that some application layer protocols will tunnel other
authentication protocols on top of DTLS making this attack relevant
again.
18. Negotiation and Downgrading Attacks
CoAP demands version 1.2 of DTLS to be used and the earlier version CoAP demands version 1.2 of DTLS to be used and the earlier version
of DTLS is not supported. As such, there is no risk of downgrading of DTLS is not supported. As such, there is no risk of downgrading
to an older version of DTLS. The work described in to an older version of DTLS. The work described in
[I-D.bmoeller-tls-downgrade-scsv] is therefore also not applicable to [I-D.bmoeller-tls-downgrade-scsv] is therefore also not applicable to
this environment since there is no legacy server infrastructure to this environment since there is no legacy server infrastructure to
worry about. worry about.
To prevent the TLS renegotiation attack [RFC5746] clients MUST To prevent the TLS renegotiation attack [RFC5746] clients MUST
respond to server-initiated renegotiation attempts with an Alert respond to server-initiated renegotiation attempts with an Alert
message (no_renegotiation) and clients MUST NOT initiate them. TLS message (no_renegotiation) and clients MUST NOT initiate them. TLS
and DTLS allows a client and a server who already have a TLS and DTLS allows a client and a server who already have a TLS
connection to negotiate new parameters, generate new keys, etc by connection to negotiate new parameters, generate new keys, etc by
initiating a TLS handshake using a ClientHello message. initiating a TLS handshake using a ClientHello message.
Renegotiation happens in the existing TLS connection, with the new Renegotiation happens in the existing TLS connection, with the new
handshake packets being encrypted along with application data. handshake packets being encrypted along with application data.
20. Privacy Considerations 19. Privacy Considerations
The DTLS handshake exchange conveys various identifiers, which can be The DTLS handshake exchange conveys various identifiers, which can be
observed by an on-path eavesdropper. For example, the DTLS PSK observed by an on-path eavesdropper. For example, the DTLS PSK
exchange reveals the PSK identity, the supported extensions, the exchange reveals the PSK identity, the supported extensions, the
session id, algorithm parameters, etc. When session resumption is session id, algorithm parameters, etc. When session resumption is
used then individual TLS sessions can be correlated by an on-path used then individual TLS sessions can be correlated by an on-path
adversary. With many IoT deployments it is likely that keying adversary. With many IoT deployments it is likely that keying
material and their identifiers are persistent over a longer period of material and their identifiers are persistent over a longer period of
time due to the cost of updating software on these devices. time due to the cost of updating software on these devices.
skipping to change at page 19, line 42 skipping to change at page 20, line 43
with other data to be truly useful and this extra data might include with other data to be truly useful and this extra data might include
personal data about the owner of the device or data about the personal data about the owner of the device or data about the
environment it senses. Consequently, the data stored on the server- environment it senses. Consequently, the data stored on the server-
side will be vulnerable to stored data compromise. For the side will be vulnerable to stored data compromise. For the
communication between the client and the server this specification communication between the client and the server this specification
prevents eavesdroppers to gain access to the communication content. prevents eavesdroppers to gain access to the communication content.
While the PSK-based ciphersuite does not provide PFS the asymmetric While the PSK-based ciphersuite does not provide PFS the asymmetric
version does. No explicit techniques, such as extra padding, have version does. No explicit techniques, such as extra padding, have
been provided to make traffic analysis more difficult. been provided to make traffic analysis more difficult.
21. Security Considerations 20. Security Considerations
This entire document is about security. This entire document is about security.
We would also like to point out that designing a software update We would also like to point out that designing a software update
mechanism into an IoT system is crucial to ensure that both mechanism into an IoT system is crucial to ensure that both
functionality can be enhanced and that potential vulnerabilities can functionality can be enhanced and that potential vulnerabilities can
be fixed. This software update mechanism is also useful for changing be fixed. This software update mechanism is also useful for changing
configuration information, for example, trust anchors and other configuration information, for example, trust anchors and other
keying related information. keying related information.
22. IANA Considerations 21. IANA Considerations
This document includes no request to IANA. This document includes no request to IANA.
23. Acknowledgements 22. Acknowledgements
Thanks to Rene Hummen, Sye Loong Keoh, Sandeep Kumar, Eric Rescorla, Thanks to Robert Cragie, Russ Housley, Rene Hummen, Sandeep Kumar,
Russ Housley, Michael Richardson, Zach Shelby, and Sean Turner for Sye Loong Keoh, Eric Rescorla, Michael Richardson, Zach Shelby, and
their helpful comments and discussions that have shaped the document. Sean Turner for their helpful comments and discussions that have
shaped the document.
Big thanks also to Klaus Hartke, who wrote the initial version of Big thanks also to Klaus Hartke, who wrote the initial version of
this document. this document.
24. References 23. References
24.1. Normative References 23.1. Normative References
[EUI64] "GUIDELINES FOR 64-BIT GLOBAL IDENTIFIER (EUI-64) [EUI64] "GUIDELINES FOR 64-BIT GLOBAL IDENTIFIER (EUI-64)
REGISTRATION AUTHORITY", April 2010, REGISTRATION AUTHORITY", April 2010,
<http://standards.ieee.org/regauth/oui/tutorials/ <http://standards.ieee.org/regauth/oui/tutorials/
EUI64.html>. EUI64.html>.
[I-D.ietf-tls-cached-info] [I-D.ietf-tls-cached-info]
Santesson, S. and H. Tschofenig, "Transport Layer Security Santesson, S. and H. Tschofenig, "Transport Layer Security
(TLS) Cached Information Extension", draft-ietf-tls- (TLS) Cached Information Extension", draft-ietf-tls-
cached-info-16 (work in progress), February 2014. cached-info-16 (work in progress), February 2014.
[I-D.ietf-tls-session-hash]
Bhargavan, K., Delignat-Lavaud, A., Pironti, A., Langley,
A., and M. Ray, "Transport Layer Security (TLS) Session
Hash and Extended Master Secret Extension", draft-ietf-
tls-session-hash-01 (work in progress), August 2014.
[I-D.mathewson-no-gmtunixtime]
Mathewson, N. and B. Laurie, "Deprecating gmt_unix_time in
TLS", draft-mathewson-no-gmtunixtime-00 (work in
progress), December 2013.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
for Transport Layer Security (TLS)", RFC 4279, December for Transport Layer Security (TLS)", RFC 4279, December
2005. 2005.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
skipping to change at page 21, line 27 skipping to change at page 22, line 37
[RFC7250] Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and [RFC7250] Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and
T. Kivinen, "Using Raw Public Keys in Transport Layer T. Kivinen, "Using Raw Public Keys in Transport Layer
Security (TLS) and Datagram Transport Layer Security Security (TLS) and Datagram Transport Layer Security
(DTLS)", RFC 7250, June 2014. (DTLS)", RFC 7250, June 2014.
[RFC7251] McGrew, D., Bailey, D., Campagna, M., and R. Dugal, "AES- [RFC7251] McGrew, D., Bailey, D., Campagna, M., and R. Dugal, "AES-
CCM Elliptic Curve Cryptography (ECC) Cipher Suites for CCM Elliptic Curve Cryptography (ECC) Cipher Suites for
TLS", RFC 7251, June 2014. TLS", RFC 7251, June 2014.
24.2. Informative References 23.2. Informative References
[Heninger] [Heninger]
Heninger, N., Durumeric, Z., Wustrow, E., and A. Heninger, N., Durumeric, Z., Wustrow, E., and A.
Halderman, "Mining Your Ps and Qs: Detection of Widespread Halderman, "Mining Your Ps and Qs: Detection of Widespread
Weak Keys in Network Devices", 21st USENIX Security Weak Keys in Network Devices", 21st USENIX Security
Symposium, Symposium,
https://www.usenix.org/conference/usenixsecurity12/ https://www.usenix.org/conference/usenixsecurity12/
technical-sessions/presentation/heninger, 2012. technical-sessions/presentation/heninger, 2012.
[I-D.bmoeller-tls-downgrade-scsv] [I-D.bmoeller-tls-downgrade-scsv]
Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher
Suite Value (SCSV) for Preventing Protocol Downgrade Suite Value (SCSV) for Preventing Protocol Downgrade
Attacks", draft-bmoeller-tls-downgrade-scsv-02 (work in Attacks", draft-bmoeller-tls-downgrade-scsv-02 (work in
progress), May 2014. progress), May 2014.
[I-D.cooper-ietf-privacy-requirements]
Cooper, A., Farrell, S., and S. Turner, "Privacy
Requirements for IETF Protocols", draft-cooper-ietf-
privacy-requirements-01 (work in progress), October 2013.
[I-D.ietf-lwig-tls-minimal] [I-D.ietf-lwig-tls-minimal]
Kumar, S., Keoh, S., and H. Tschofenig, "A Hitchhiker's Kumar, S., Keoh, S., and H. Tschofenig, "A Hitchhiker's
Guide to the (Datagram) Transport Layer Security Protocol Guide to the (Datagram) Transport Layer Security Protocol
for Smart Objects and Constrained Node Networks", draft- for Smart Objects and Constrained Node Networks", draft-
ietf-lwig-tls-minimal-01 (work in progress), March 2014. ietf-lwig-tls-minimal-01 (work in progress), March 2014.
[I-D.ietf-tls-encrypt-then-mac]
Gutmann, P., "Encrypt-then-MAC for TLS and DTLS", draft-
ietf-tls-encrypt-then-mac-03 (work in progress), July
2014.
[I-D.ietf-tls-negotiated-dl-dhe]
Gillmor, D., "Negotiated Discrete Log Diffie-Hellman
Ephemeral Parameters for TLS", draft-ietf-tls-negotiated-
dl-dhe-00 (work in progress), July 2014.
[I-D.ietf-uta-tls-bcp] [I-D.ietf-uta-tls-bcp]
Sheffer, Y., Holz, R., and P. Saint-Andre, Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of TLS and DTLS", draft- "Recommendations for Secure Use of TLS and DTLS", draft-
ietf-uta-tls-bcp-01 (work in progress), June 2014. ietf-uta-tls-bcp-02 (work in progress), August 2014.
[I-D.schmertmann-dice-ccm-psk-pfs] [I-D.schmertmann-dice-ccm-psk-pfs]
Schmertmann, L. and C. Bormann, "ECDHE-PSK AES-CCM Cipher Schmertmann, L. and C. Bormann, "ECDHE-PSK AES-CCM Cipher
Suites with Forward Secrecy for Transport Layer Security Suites with Forward Secrecy for Transport Layer Security
(TLS)", draft-schmertmann-dice-ccm-psk-pfs-00 (work in (TLS)", draft-schmertmann-dice-ccm-psk-pfs-01 (work in
progress), February 2014. progress), August 2014.
[IANA-TLS] [IANA-TLS]
IANA, "TLS Cipher Suite Registry", IANA, "TLS Cipher Suite Registry",
http://www.iana.org/assignments/tls-parameters/ http://www.iana.org/assignments/tls-parameters/
tls-parameters.xhtml#tls-parameters-4, 2014. tls-parameters.xhtml#tls-parameters-4, 2014.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552, July
2003.
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", BCP 106, RFC 4086, June 2005. Requirements for Security", BCP 106, RFC 4086, June 2005.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)", RFC 4492, May 2006.
[RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
"Transport Layer Security (TLS) Session Resumption without "Transport Layer Security (TLS) Session Resumption without
Server-Side State", RFC 5077, January 2008. Server-Side State", RFC 5077, January 2008.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, January 2008. Encryption", RFC 5116, January 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-
256/384 and AES Galois Counter Mode (GCM)", RFC 5289,
August 2008.
[RFC5934] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor [RFC5934] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor
Management Protocol (TAMP)", RFC 5934, August 2010. Management Protocol (TAMP)", RFC 5934, August 2010.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
Curve Cryptography Algorithms", RFC 6090, February 2011. Curve Cryptography Algorithms", RFC 6090, February 2011.
[RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
Transport Layer Security (TLS)", RFC 6655, July 2012. Transport Layer Security (TLS)", RFC 6655, July 2012.
[RFC6961] Pettersen, Y., "The Transport Layer Security (TLS) [RFC6961] Pettersen, Y., "The Transport Layer Security (TLS)
Multiple Certificate Status Request Extension", RFC 6961, Multiple Certificate Status Request Extension", RFC 6961,
June 2013. June 2013.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July
2013.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, June 2014. Application Protocol (CoAP)", RFC 7252, June 2014.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, May 2014. Attack", BCP 188, RFC 7258, May 2014.
Author's Address Author's Address
Hannes Tschofenig (editor) Hannes Tschofenig (editor)
ARM Ltd. ARM Ltd.
 End of changes. 48 change blocks. 
102 lines changed or deleted 156 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/