| < draft-msahni-ace-cmpv2-coap-transport-00.txt | draft-msahni-ace-cmpv2-coap-transport-01.txt > | |||
|---|---|---|---|---|
| ACE M. Sahni, Ed. | ACE M. Sahni, Ed. | |||
| Internet-Draft S. Tripathi, Ed. | Internet-Draft S. Tripathi, Ed. | |||
| Intended status: Standards Track Palo Alto Networks | Intended status: Standards Track Palo Alto Networks | |||
| Expires: January 14, 2021 July 13, 2020 | Expires: April 8, 2021 October 5, 2020 | |||
| CoAP Transport for CMPV2 | CoAP Transport for CMPV2 | |||
| draft-msahni-ace-cmpv2-coap-transport-00 | draft-msahni-ace-cmpv2-coap-transport-01 | |||
| Abstract | Abstract | |||
| This document specifies how to use Constrained Application Protocol | This document specifies the use of Constrained Application Protocol | |||
| (CoAP) as a Transport Medium for the Certificate management protocol | (CoAP) as a transport medium for the Certificate Management Protocol | |||
| version 2 (CMPv2) and Lightweight CMP Profile | Version 2 (CMPv2) and Lightweight CMP Profile | |||
| [Lightweight-CMP-Profile] which is a subset of CMPv2 defined for | [Lightweight-CMP-Profile] CMPv2 defines the interaction between | |||
| Constrained devices. The CMPv2 defines the interaction between | ||||
| various PKI entities for the purpose of certificate creation and | various PKI entities for the purpose of certificate creation and | |||
| management. The CoAP is a HTTP like client-server protocol used by | management. CoAP is an HTTP like client-server protocol used by | |||
| various constrained devices in the IoT and industrial scenarios. | various constrained devices in IoT space. | |||
| Constrained devices are devices that have low memory or CPU or power | ||||
| constraints and avoid the use of complex protocols like TCP to save | ||||
| resources. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 14, 2021. | This Internet-Draft will expire on April 8, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
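Review bot: in the -01 abstract (right column) the sentence break after "[Lightweight-CMP-Profile]" was dropped together with the removed clause, so "Lightweight CMP Profile [Lightweight-CMP-Profile] CMPv2 defines the interaction between various PKI entities" now runs as one sentence; restore the period ("... Lightweight CMP Profile [Lightweight-CMP-Profile]. CMPv2 defines the interaction ...").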
| skipping to change at page 2, line 23 ¶ | skipping to change at page 2, line 19 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. CoAP Transport For CMPv2 . . . . . . . . . . . . . . . . . . 3 | 2. CoAP Transport For CMPv2 . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. Discovery of CMP Entities . . . . . . . . . . . . . . . . 3 | 2.1. Discovery of CMP Entities . . . . . . . . . . . . . . . . 3 | |||
| 2.2. CoAP URI Format . . . . . . . . . . . . . . . . . . . . . 3 | 2.2. CoAP URI Format . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.3. CoAP Request Format . . . . . . . . . . . . . . . . . . . 4 | 2.3. CoAP Request Format . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.4. CoAP Content-Format . . . . . . . . . . . . . . . . . . . 4 | 2.4. CoAP Content-Format . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.5. Announcement PKIMessage . . . . . . . . . . . . . . . . . 4 | 2.5. Announcement PKIMessage . . . . . . . . . . . . . . . . . 4 | |||
| 2.6. CoAP Block Wise Transfer Mode . . . . . . . . . . . . . . 4 | 2.6. CoAP Block Wise Transfer Mode . . . . . . . . . . . . . . 4 | |||
| 2.7. Multicast CoAP . . . . . . . . . . . . . . . . . . . . . 4 | 2.7. Multicast CoAP . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Using CoAP over DTLS . . . . . . . . . . . . . . . . . . . . 5 | 3. Using CoAP over DTLS . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Proxy support . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. Proxy support . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.1. CoAP to HTTP Proxy . . . . . . . . . . . . . . . . . . . 5 | 4.1. CoAP to HTTP Proxy . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. CoAPs to HTTPs Proxy . . . . . . . . . . . . . . . . . . 5 | 4.2. CoAPs to HTTPs Proxy . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 | 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 7 | 8.2. Informative References . . . . . . . . . . . . . . . . . 7 | |||
| 8.3. URL References . . . . . . . . . . . . . . . . . . . . . 7 | 8.3. URL References . . . . . . . . . . . . . . . . . . . . . 7 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1. Introduction | 1. Introduction | |||
| The CMPv2 is used by the entities in PKI for the generation and | The CMPv2 is used by PKI entities for the generation and management | |||
| management of the certificates. One of the requirements of CMPv2 | of the certificates. One of the requirements of CMPv2 [RFC4210] is | |||
| [RFC4210] is to be usable over a variety of transport mechanisms. | to be independent of the transport protocol in use. CMP has | |||
| The CMP is designed to be independent of the transport protocol being | mechanisms to take care of required transactions, error reporting and | |||
| used and has mechanisms to take care of transactions, error reporting | encryption of messages. The CoAP defined in [RFC7252], [RFC7959] and | |||
| and encryption of messages where ever required. The CoAP defined in | [RFC8323] is a client-server protocol, like HTTP, that is designed to | |||
| [RFC7252], [RFC7959] and [RFC8323] is a client-server protocol, like | be used by constrained devices over constrained networks. The | |||
| HTTP, that is designed to be used by constrained devices over | recommended transport for CoAP is UDP, however [RFC8323] specifies | |||
| constrained networks (low power lossy networks). The recommended | the support of CoAP over TCP, TLS and Websockets. This document | |||
| transport for CoAP is UDP, however [RFC8323] specifies the support of | specifies the use of CoAP as a transport medium for the CMPv2 and | |||
| CoAP over TCP, TLS and Websockets. This document specifies the use | Lightweight CMP Profile [Lightweight-CMP-Profile]. This document, in | |||
| of CoAP as a transport medium for the CMPv2 and Lightweight CMP | general, follows the HTTP transport specifications for CMPv2 defined | |||
| Profile [Lightweight-CMP-Profile]. This document, in general, | in [RFC6712] and specifies the additional requirements for CoAP | |||
| follows the HTTP transport specifications for CMPv2 defined in | ||||
| [RFC6712] and specifies the additional requirements for CoAP | ||||
| transport. This document also provides guidance on how to use a | transport. This document also provides guidance on how to use a | |||
| "CoAP to HTTP" proxy for a better adaptation of CoAP transport | "CoAP to HTTP" proxy for a better adaptation of CoAP transport | |||
| without significant changes to the existing PKI entities. Although | without significant changes to the existing PKI entities. Although | |||
| CoAP transport can be used for communication between Registration | CoAP transport can be used for communication between Registration | |||
| Authority (RA) and Certification Authority (CA) or between CAs, the | Authority (RA) and Certification Authority (CA) or between CAs, the | |||
| scope of this document is for communication between End Entity (EE) | scope of this document is for communication between End Entity (EE) | |||
| and RA or EE and CA. This document is applicable only when the CoAP | and RA or EE and CA. This document is applicable only when the CoAP | |||
| transport is being used for the CMPv2 transactions. | transport is being used for the CMPv2 transactions. | |||
| 1.1. Terminology | 1.1. Terminology | |||
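Review bot: -01 removes the definition of constrained devices ("devices that have low memory or CPU or power constraints and avoid the use of complex protocols like TCP") from the abstract and the parenthetical "(low power lossy networks)" from the introduction; unless section 1.1 Terminology (not shown in this diff) defines the term, the reader now meets "constrained devices" without any definition, so either keep one sentence in the introduction or add the term to 1.1.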
| skipping to change at page 4, line 22 ¶ | skipping to change at page 4, line 20 ¶ | |||
| not successful then an appropriate CoAP Client Error 4.xx or a Server | not successful then an appropriate CoAP Client Error 4.xx or a Server | |||
| Error 5.xx response code MUST be returned. | Error 5.xx response code MUST be returned. | |||
| 2.4. CoAP Content-Format | 2.4. CoAP Content-Format | |||
| When transferring CMPv2 PKIMesssage over CoAP the media type | When transferring CMPv2 PKIMesssage over CoAP the media type | |||
| application/pkixcmp MUST be used. | application/pkixcmp MUST be used. | |||
| 2.5. Announcement PKIMessage | 2.5. Announcement PKIMessage | |||
| When using the CoAP protocol, a PKI entity SHOULD poll for the | When using the CoAP protocol, a PKI EE SHOULD poll for the possible | |||
| possible changes via PKI Information request using General Message | changes via PKI Information request using General Message defined in | |||
| defined in a PKIMessage for various type of changes like CA key | the PKIMessage for various type of changes like CA key update or to | |||
| update or to get current CRL to check revocation or using Support | get current CRL to check revocation or using Support messages defined | |||
| messages defined in section 5.4 of Lightweight CMP Profile | in section 5.4 of Lightweight CMP Profile [Lightweight-CMP-Profile]. | |||
| [Lightweight-CMP-Profile]. This will make use of a CoAP to HTTP | This will help constrained devices acting as EEs save resources as | |||
| proxy transparent to the client. | there is no need to open a listening socket for notifications and it | |||
| will also make the use of a CoAP to HTTP proxy transparent to the EE. | ||||
| 2.6. CoAP Block Wise Transfer Mode | 2.6. CoAP Block Wise Transfer Mode | |||
| Since the CMPv2 PKIMesssage consists of a header body and optional | Since the CMPv2 PKIMesssage consists of a header body and optional | |||
| fields a CMPv2 message can be much larger than the MTU of the | fields a CMPv2 message can be much larger than the MTU of the | |||
| outgoing interface of the device. In order to avoid IP fragmentation | outgoing interface of the device. In order to avoid IP fragmentation | |||
| of messages that are exchanged between EEs and RAs or CAs, the Block | of messages that are exchanged between EEs and RAs or CAs, the Block | |||
| Wise transfer [RFC7959] mode MUST be used for the CMPv2 Transactions | Wise transfer [RFC7959] mode MUST be used for the CMPv2 Transactions | |||
| over CoAP. If a CoAP to HTTP proxy is in the path between EEs and CA | over CoAP. If a CoAP to HTTP proxy is in the path between EEs and CA | |||
| or EEs and RA then, it MUST receive the entire body from the client | or EEs and RA then, it MUST receive the entire body from the client | |||
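Review bot: section 2.4 ("the media type application/pkixcmp MUST be used") names a media type, but the CoAP Content-Format option carries a numeric Content-Format ID from the IANA "CoAP Content-Formats" registry, not a media-type string; the text should state which ID identifies application/pkixcmp and section 6 (IANA Considerations) should request its registration if none exists. Also "PKIMesssage" (three s) is misspelled in 2.4 and 2.6 in both columns.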
| skipping to change at page 5, line 7 ¶ | skipping to change at page 4, line 49 ¶ | |||
| unnecessary errors in case the entire content of the PKIMesssage is | unnecessary errors in case the entire content of the PKIMesssage is | |||
| not received and Proxy opens a connection with the server. | not received and Proxy opens a connection with the server. | |||
| 2.7. Multicast CoAP | 2.7. Multicast CoAP | |||
| CMPv2 PKIMessage request messages sent from EEs to RAs or from EEs to | CMPv2 PKIMessage request messages sent from EEs to RAs or from EEs to | |||
| CAs over CoAP transport MUST not use a Multicast destination address. | CAs over CoAP transport MUST not use a Multicast destination address. | |||
| 3. Using CoAP over DTLS | 3. Using CoAP over DTLS | |||
| When the end to end secrecy is desired for CoAP transport, CoAP over | Although CPMv2 protocol does not depend upon the underlying transport | |||
| for the encryption and authentication of the messages but in cases | ||||
| when end to end secrecy is desired for the CoAP transport, CoAP over | ||||
| DTLS [RFC6347] as a transport medium SHOULD be used. Section 9.1 of | DTLS [RFC6347] as a transport medium SHOULD be used. Section 9.1 of | |||
| [RFC7252] defines how to use DTLS [RFC6347] for securing the CoAP. | [RFC7252] defines how to use DTLS [RFC6347] for securing the CoAP. | |||
| For CMPv2 and Lightweight CMP Profile [Lightweight-CMP-Profile] the | For CMPv2 and Lightweight CMP Profile [Lightweight-CMP-Profile] the | |||
| clients should follow specifications defined in section 7.1 and | clients should follow specifications defined in section 7.1 and | |||
| section 7.2 of Lightweight CMP Profile [Lightweight-CMP-Profile] for | section 7.2 of Lightweight CMP Profile [Lightweight-CMP-Profile] for | |||
| setting up DTLS [RFC6347] connection either using certificates or | setting up DTLS [RFC6347] connection either using certificates or | |||
| shared secret. Once a DTLS [RFC6347] connection is established it | shared secret. Once a DTLS [RFC6347] connection is established it | |||
| SHOULD be used for as long as possible to avoid the frequent overhead | SHOULD be used for as long as possible to avoid the frequent overhead | |||
| of using DTLS [RFC6347] connection for constrained devices. | of using DTLS [RFC6347] connection for constrained devices. | |||
| 4. Proxy support | 4. Proxy support | |||
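Review bot: "CPMv2" in the new section 3 text ("Although CPMv2 protocol does not depend upon the underlying transport") should read "CMPv2", and the "Although ... but in cases when ..." construction is ungrammatical; suggest "CMPv2 does not depend on the transport for encryption and authentication of messages; when end to end secrecy is desired for the CoAP transport, CoAP over DTLS [RFC6347] SHOULD be used." In section 2.7, "MUST not" should be the RFC 2119 keyword "MUST NOT".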
| End of changes. 10 change blocks. | ||||
| 38 lines changed or deleted | 35 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
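The Content-Format, block-wise and multicast requirements of sections 2.4, 2.6 and 2.7 above, as an added example of defender-side checks that is not code from the draft or its authors: a CoAP to HTTP proxy or RA front end can refuse requests that break them and only open the HTTP leg once the complete PKIMessage has been reassembled. The `Block1` and `CmpCoapRequest` types, the block size of 64 and the sample body are constructed assumptions, and CoAP's numeric Content-Format ID is assumed to have been mapped to its media-type name already.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PKIXCMP = "application/pkixcmp"  # media type required by section 2.4

@dataclass
class Block1:
    """One Block1 fragment (RFC 7959): block number, 'more' flag, payload."""
    num: int
    more: bool
    payload: bytes

@dataclass
class CmpCoapRequest:
    dst: str                  # destination IP literal of the RA/CA (assumed)
    content_format: str       # assumed already mapped to its media-type name
    blocks: List[Block1]      # Block1 fragments as they arrived at the proxy

def check_request(req: CmpCoapRequest, block_size: int = 64) -> List[str]:
    """Return the section 2.4 / 2.6 / 2.7 requirements the request breaks."""
    problems = []
    if req.content_format != PKIXCMP:
        problems.append("Content-Format is not application/pkixcmp")
    if ipaddress.ip_address(req.dst).is_multicast:
        problems.append("multicast destination address is not allowed")
    # RFC 7959: every block except the last carries exactly the block size
    if any(b.more and len(b.payload) != block_size for b in req.blocks):
        problems.append("non-final block does not match the Block1 size")
    return problems

def reassemble(blocks: List[Block1]) -> Optional[bytes]:
    """Proxy-side reassembly for section 2.6: return the PKIMessage body
    only after the final block (more == False) arrived with no gaps;
    return None otherwise so the proxy does not open the HTTP leg early."""
    body = bytearray()
    for expected, b in enumerate(sorted(blocks, key=lambda b: b.num)):
        if b.num != expected:
            return None               # a block is missing; keep waiting
        body += b.payload
        if not b.more:
            return bytes(body)        # complete PKIMessage received
    return None                       # final block not yet seen

# Constructed sample: a 150-byte stand-in for a DER PKIMessage split 64/64/22.
SAMPLE_BODY = bytes(range(150))
SAMPLE_BLOCKS = [Block1(0, True, SAMPLE_BODY[:64]),
                 Block1(1, True, SAMPLE_BODY[64:128]),
                 Block1(2, False, SAMPLE_BODY[128:])]
```

A request that passes `check_request` still only reaches the HTTP side when `reassemble` returns bytes, which is the "entire body before opening a connection" rule of section 2.6 in code.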