idnits 2.17.1 draft-ietf-core-echo-request-tag-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC7252, but the abstract doesn't seem to directly say this. It does mention RFC7252 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 18, 2019) is 1675 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-21) exists of draft-ietf-core-oscore-groupcomm-05 == Outdated reference: A later version (-08) exists of draft-ietf-core-stateless-01 -- Obsolete informational reference (is this intentional?): RFC 6347 (Obsoleted by RFC 9147) Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CoRE Working Group C. Amsuess 3 Internet-Draft 4 Updates: 7252 (if approved) J. Mattsson 5 Intended status: Standards Track G. Selander 6 Expires: March 21, 2020 Ericsson AB 7 September 18, 2019 9 CoAP: Echo, Request-Tag, and Token Processing 10 draft-ietf-core-echo-request-tag-06 12 Abstract 14 This document specifies enhancements to the Constrained Application 15 Protocol (CoAP) that mitigate security issues in particular use 16 cases. The Echo option enables a CoAP server to verify the freshness 17 of a request or to force a client to demonstrate reachability at its 18 claimed network address. The Request-Tag option allows the CoAP 19 server to match block-wise message fragments belonging to the same 20 request. The update to the client Token processing requirements of 21 RFC 7252 forbids non-secure reuse of Tokens to ensure binding of 22 responses to requests when CoAP is used with security. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on March 21, 2020. 41 Copyright Notice 43 Copyright (c) 2019 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (https://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 59 1.1. Request Freshness . . . . . . . . . . . . . . . . . . . . 3 60 1.2. Fragmented Message Body Integrity . . . . . . . . . . . . 4 61 1.3. Request-Response Binding . . . . . . . . . . . . . . . . 5 62 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 63 2. The Echo Option . . . . . . . . . . . . . . . . . . . . . . . 6 64 2.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 7 65 2.2. Echo Processing . . . . . . . . . . . . . . . . . . . . . 8 66 2.3. Applications . . . . . . . . . . . . . . . . . . . . . . 10 67 3. The Request-Tag Option . . . . . . . . . . . . . . . . . . . 11 68 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 12 69 3.2. Request-Tag Processing by Servers . . . . . . . . . . . . 12 70 3.3. Setting the Request-Tag . . . . . . . . . . . . . . . . . 13 71 3.4. Applications . . . . . . . . . . . . . . . . . . . . . . 14 72 3.4.1. Body Integrity Based on Payload Integrity . . . . . . 14 73 3.4.2. Multiple Concurrent Block-wise Operations . . . . . . 15 74 3.4.3. Simplified Block-Wise Handling for Constrained 75 Proxies . . . . . . . . . . . . . . . . . . . . . . . 16 76 3.5. Rationale for the Option Properties . . . . . . . . . . . 16 77 3.6. Rationale for Introducing the Option . . . . . . . . . . 16 78 4. Block2 / ETag Processing . . . . . . . . . . . . . . . . . . 17 79 5. Token Processing . . . . . . . . . . . . . . . . . . . . . . 17 80 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17 81 6.1. Token reuse . . . . . . . . . . . . . . . . . . . . . . . 18 82 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 20 83 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 84 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 85 9.1. Normative References . . . . . . . . . . . . . . . . . . 20 86 9.2. Informative References . . . . . . . . . . . . . . . . . 21 87 Appendix A. Methods for Generating Echo Option Values . . . . . 22 88 Appendix B. Request-Tag Message Size Impact . . . . . . . . . . 23 89 Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 24 90 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 27 91 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 93 1. Introduction 95 The initial Constrained Application Protocol (CoAP) suite of 96 specifications ([RFC7252], [RFC7641], and [RFC7959]) was designed 97 with the assumption that security could be provided on a separate 98 layer, in particular by using DTLS ([RFC6347]). However, for some 99 use cases, additional functionality or extra processing is needed to 100 support secure CoAP operations. This document specifies security 101 enhancements to the Constrained Application Protocol (CoAP). 103 This document specifies two CoAP options, the Echo option and the 104 Request-Tag option: The Echo option enables a CoAP server to verify 105 the freshness of a request, synchronize state, or force a client to 106 demonstrate reachability at its claimed network address. The 107 Request-Tag option allows the CoAP server to match message fragments 108 belonging to the same request, fragmented using the CoAP block-wise 109 Transfer mechanism, which mitigates attacks and enables concurrent 110 block-wise operations. These options in themselves do not replace 111 the need for a security protocol; they specify the format and 112 processing of data which, when integrity protected using e.g. DTLS 113 ([RFC6347]), TLS ([RFC8446]), or OSCORE ([RFC8613]), provide the 114 additional security features. 116 The document also updates the Token processing requirements for 117 clients specified in [RFC7252]. The updated processing forbids non- 118 secure reuse of Tokens to ensure binding of responses to requests 119 when CoAP is used with security, thus mitigating error cases and 120 attacks where the client may erroneously associate the wrong response 121 to a request. 123 1.1. Request Freshness 125 A CoAP server receiving a request is in general not able to verify 126 when the request was sent by the CoAP client. This remains true even 127 if the request was protected with a security protocol, such as DTLS. 128 This makes CoAP requests vulnerable to certain delay attacks which 129 are particularly perilous in the case of actuators 130 ([I-D.mattsson-core-coap-actuators]). Some attacks can be mitigated 131 by establishing fresh session keys, e.g. performing a DTLS handshake 132 for each request, but in general this is not a solution suitable for 133 constrained environments, for example, due to increased message 134 overhead and latency. Additionally, if there are proxies, fresh DTLS 135 session keys between server and proxy does not say anything about 136 when the client made the request. In a general hop-by-hop setting, 137 freshness may need to be verified in each hop. 139 A straightforward mitigation of potential delayed requests is that 140 the CoAP server rejects a request the first time it appears and asks 141 the CoAP client to prove that it intended to make the request at this 142 point in time. The Echo option, defined in this document, specifies 143 such a mechanism which thereby enables a CoAP server to verify the 144 freshness of a request. This mechanism is not only important in the 145 case of actuators, or other use cases where the CoAP operations 146 require freshness of requests, but also in general for synchronizing 147 state between CoAP client and server, cryptographically verify the 148 aliveness of the client, or force a client to demonstrate 149 reachability at its claimed network address. The same functionality 150 can be provided by echoing freshness indicators in CoAP payloads, but 151 this only works for methods and response codes defined to have a 152 payload. The Echo option provides a convention to transfer freshness 153 indicators that works for all methods and response codes. 155 1.2. Fragmented Message Body Integrity 157 CoAP was designed to work over unreliable transports, such as UDP, 158 and include a lightweight reliability feature to handle messages 159 which are lost or arrive out of order. In order for a security 160 protocol to support CoAP operations over unreliable transports, it 161 must allow out-of-order delivery of messages using e.g. a sliding 162 replay window such as described in Section 4.1.2.6 of DTLS 163 ([RFC6347]). 165 The block-wise transfer mechanism [RFC7959] extends CoAP by defining 166 the transfer of a large resource representation (CoAP message body) 167 as a sequence of blocks (CoAP message payloads). The mechanism uses 168 a pair of CoAP options, Block1 and Block2, pertaining to the request 169 and response payload, respectively. The block-wise functionality 170 does not support the detection of interchanged blocks between 171 different message bodies to the same resource having the same block 172 number. This remains true even when CoAP is used together with a 173 security protocol such as DTLS or OSCORE, within the replay window 174 ([I-D.mattsson-core-coap-actuators]), which is a vulnerability of 175 CoAP when using RFC7959. 177 A straightforward mitigation of mixing up blocks from different 178 messages is to use unique identifiers for different message bodies, 179 which would provide equivalent protection to the case where the 180 complete body fits into a single payload. The ETag option [RFC7252], 181 set by the CoAP server, identifies a response body fragmented using 182 the Block2 option. This document defines the Request-Tag option for 183 identifying request bodies, similar to ETag, but ephemeral and set by 184 the CoAP client. The Request-Tag option is only used in requests 185 that carry the Block1 option, and in Block2 requests following these. 187 1.3. Request-Response Binding 189 A fundamental requirement of secure REST operations is that the 190 client can bind a response to a particular request. If this is not 191 ensured, a client may erroneously associate the wrong response to a 192 request. The wrong response may be an old response for the same 193 resource or for a completely different resource (see e.g. 194 Section 2.3 of [I-D.mattsson-core-coap-actuators]). For example, a 195 request for the alarm status "GET /status" may be associated to a 196 prior response "on", instead of the correct response "off". 198 In HTTPS, this type of binding is always assured by the ordered and 199 reliable delivery as well as mandating that the server sends 200 responses in the same order that the requests were received. The 201 same is not true for CoAP where the server (or an attacker) can 202 return responses in any order and where there can be any number of 203 responses to a request (see e.g. [RFC7641]). In CoAP, concurrent 204 requests are differentiated by their Token. Note that the CoAP 205 Message ID cannot be used for this purpose since those are typically 206 different for REST request and corresponding response in case of 207 "separate response", see Section 2.2 of [RFC7252]. 209 CoAP [RFC7252] does not treat Token as a cryptographically important 210 value and does not give stricter guidelines than that the Tokens 211 currently "in use" SHOULD (not SHALL) be unique. If used with a 212 security protocol not providing bindings between requests and 213 responses (e.g. DTLS and TLS) Token reuse may result in situations 214 where a client matches a response to the wrong request. Note that 215 mismatches can also happen for other reasons than a malicious 216 attacker, e.g. delayed delivery or a server sending notifications to 217 an uninterested client. 219 A straightforward mitigation is to mandate clients to not reuse 220 Tokens until the traffic keys have been replaced. One easy way to 221 accomplish this is to implement the Token as a counter starting at 222 zero for each new or rekeyed secure connection. This document 223 updates the Token processing in [RFC7252] to always assure a 224 cryptographically secure binding of responses to requests for secure 225 REST operations like "coaps". 227 1.4. Terminology 229 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 230 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 231 "OPTIONAL" in this document are to be interpreted as described in BCP 232 14 [RFC2119] [RFC8174] when, and only when, they appear in all 233 capitals, as shown here. 235 Unless otherwise specified, the terms "client" and "server" refers to 236 "CoAP client" and "CoAP server", respectively, as defined in 237 [RFC7252]. The term "origin server" is used as in [RFC7252]. The 238 term "origin client" is used in this document to denote the client 239 from which a request originates; to distinguish from clients in 240 proxies. 242 The terms "payload" and "body" of a message are used as in [RFC7959]. 243 The complete interchange of a request and a response body is called a 244 (REST) "operation". An operation fragmented using [RFC7959] is 245 called a "block-wise operation". A block-wise operation which is 246 fragmenting the request body is called a "block-wise request 247 operation". A block-wise operation which is fragmenting the response 248 body is called a "block-wise response operation". 250 Two request messages are said to be "matchable" if they occur between 251 the same endpoint pair, have the same code and the same set of 252 options except for elective NoCacheKey options and options involved 253 in block-wise transfer (Block1, Block2 and Request-Tag). Two 254 operations are said to be matchable if any of their messages are. 256 Two matchable block-wise operations are said to be "concurrent" if a 257 block of the second request is exchanged even though the client still 258 intends to exchange further blocks in the first operation. 259 (Concurrent block-wise request operations are impossible with the 260 options of [RFC7959] because the second operation's block overwrites 261 any state of the first exchange.). 263 The Echo and Request-Tag options are defined in this document. 265 2. The Echo Option 267 A fresh request is one whose age has not yet exceeded the freshness 268 requirements set by the server. The freshness requirements are 269 application specific and may vary based on resource, method, and 270 parameters outside of CoAP such as policies. The Echo option is a 271 lightweight challenge-response mechanism for CoAP, motivated by a 272 need for a server to verify freshness of a request as described in 273 Section 1.1. The Echo option value is a challenge from the server to 274 the client included in a CoAP response and echoed back to the server 275 in one or more CoAP requests. The Echo option provides a convention 276 to transfer freshness indicators that works for all CoAP methods and 277 response codes. 279 2.1. Option Format 281 The Echo Option is elective, safe-to-forward, not part of the cache- 282 key, and not repeatable, see Figure 1, which extends Table 4 of 283 [RFC7252]). 285 +-----+---+---+---+---+-------------+--------+------+---------+---+---+ 286 | No. | C | U | N | R | Name | Format | Len. | Default | E | U | 287 +-----+---+---+---+---+-------------+--------+------+---------+---+---+ 288 | TBD | | | x | | Echo | opaque | 4-40 | (none) | x | x | 289 +-----+---+---+---+---+-------------+--------+------+---------+---+---+ 291 C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, 292 E = Encrypt and Integrity Protect (when using OSCORE) 294 Figure 1: Echo Option Summary 296 The Echo option value is generated by a server, and its content and 297 structure are implementation specific. Different methods for 298 generating Echo option values are outlined in Appendix A. Clients 299 and intermediaries MUST treat an Echo option value as opaque and make 300 no assumptions about its content or structure. 302 When receiving an Echo option in a request, the server MUST be able 303 to verify when the Echo option value was generated. This implies 304 that the server MUST be able to verify that the Echo option value was 305 generated by the server or some other party that the server trusts. 306 Depending on the freshness requirements the server may verify exactly 307 when the Echo option value was generated (time-based freshness) or 308 verify that the Echo option was generated after a specific event 309 (event-based freshness). As the request is bound to the Echo option 310 value, the server can determine that the request is not older that 311 the Echo option value. 313 When the Echo option is used with OSCORE [RFC8613] it MAY be an Inner 314 or Outer option, and the Inner and Outer values are independent. 315 OSCORE servers MUST only produce Inner Echo options unless they are 316 merely testing for reachability of the client (the same as proxies 317 may do). The Inner option is encrypted and integrity protected 318 between the endpoints, whereas the Outer option is not protected by 319 OSCORE and visible between the endpoints to the extent it is not 320 protected by some other security protocol. E.g. in the case of DTLS 321 hop-by-hop between the endpoints, the Outer option is visible to 322 proxies along the path. 324 2.2. Echo Processing 326 The Echo option MAY be included in any request or response (see 327 Section 2.3 for different applications). 329 The application decides under what conditions a CoAP request to a 330 resource is required to be fresh. These conditions can for example 331 include what resource is requested, the request method and other data 332 in the request, and conditions in the environment such as the state 333 of the server or the time of the day. 335 If a certain request is required to be fresh, the request does not 336 contain a fresh Echo option value, and the server cannot verify the 337 freshness of the request in some other way, the server MUST NOT 338 process the request further and SHOULD send a 4.01 Unauthorized 339 response with an Echo option. The server MAY include the same Echo 340 option value in several different responses and to different clients. 342 The server may use request freshness provided by the Echo option to 343 verify the aliveness of a client or to synchronize state. The server 344 may also include the Echo option in a response to force a client to 345 demonstrate reachability at its claimed network address. 347 Upon receiving a 4.01 Unauthorized response with the Echo option, the 348 client SHOULD resend the original request with the addition of an 349 Echo option with the received Echo option value. The client MAY send 350 a different request compared to the original request. Upon receiving 351 any other response with the Echo option, the client SHOULD echo the 352 Echo option value in the next request to the server. The client MAY 353 include the same Echo option value in several different requests to 354 the server. 356 A client MUST only send Echo values to endpoints it received them 357 from (where as defined in [RFC7252] Section 1.2, the security 358 association is part of the endpoint). In OSCORE processing, that 359 means sending Echo values from Outer options (or from non-OSCORE 360 responses) back in Outer options, and those from Inner options in 361 Inner options in the same security context. 363 Upon receiving a request with the Echo option, the server determines 364 if the request is required to be fresh. If not, the Echo option MAY 365 be ignored. If the request is required to be fresh and the server 366 cannot verify the freshness of the request in some other way, the 367 server MUST use the Echo option to verify that the request is fresh 368 enough. If the server cannot verify that the request is fresh 369 enough, the request is not processed further, and an error message 370 MAY be sent. The error message SHOULD include a new Echo option. 372 One way for the server to verify freshness is that to bind the Echo 373 value to a specific point in time and verify that the request is not 374 older than a certain threshold T. The server can verify this by 375 checking that (t1 - t0) < T, where t1 is the request receive time and 376 t0 is the time when the Echo option value was generated. An example 377 message flow is illustrated in Figure 2. 379 Client Server 380 | | 381 +------>| Code: 0.03 (PUT) 382 | PUT | Token: 0x41 383 | | Uri-Path: lock 384 | | Payload: 0 (Unlock) 385 | | 386 |<------+ Code: 4.01 (Unauthorized) 387 | 4.01 | Token: 0x41 388 | | Echo: 0x437468756c687521 (t0) 389 | | 390 +------>| t1 Code: 0.03 (PUT) 391 | PUT | Token: 0x42 392 | | Uri-Path: lock 393 | | Echo: 0x437468756c687521 (t0) 394 | | Payload: 0 (Unlock) 395 | | 396 |<------+ Code: 2.04 (Changed) 397 | 2.04 | Token: 0x42 398 | | 400 Figure 2: Example Echo Option Message Flow 402 When used to serve freshness requirements (including client aliveness 403 and state synchronizing), CoAP messages containing the Echo option 404 MUST be integrity protected between the intended endpoints, e.g. 405 using DTLS, TLS, or an OSCORE Inner option ([RFC8613]). When used to 406 demonstrate reachability at a claimed network address, the Echo 407 option SHOULD contain the client's network address, but MAY be 408 unprotected. 410 A CoAP-to-CoAP proxy MAY set an Echo option on responses, both on 411 forwarded ones that had no Echo option or ones generated by the proxy 412 (from cache or as an error). If it does so, it MUST remove the Echo 413 option it recognizes as one generated by itself on follow-up 414 requests. However, it MUST relay the Echo option of responses 415 unmodified, and MUST relay the Echo option of requests it does not 416 recognize as generated by itself unmodified. 418 The CoAP server side of CoAP-to-HTTP proxies MAY request freshness, 419 especially if they have reason to assume that access may require it 420 (e.g. because it is a PUT or POST); how this is determined is out of 421 scope for this document. The CoAP client side of HTTP-to-CoAP 422 proxies SHOULD respond to Echo challenges themselves if they know 423 from the recent establishing of the connection that the HTTP request 424 is fresh. Otherwise, they SHOULD respond with 503 Service 425 Unavailable, Retry-After: 0 and terminate any underlying Keep-Alive 426 connection. They MAY also use other mechanisms to establish 427 freshness of the HTTP request that are not specified here. 429 2.3. Applications 431 1. Actuation requests often require freshness guarantees to avoid 432 accidental or malicious delayed actuator actions. In general, 433 all non-safe methods (e.g. POST, PUT, DELETE) may require 434 freshness guarantees for secure operation. 436 * The same Echo value may be used for multiple actuation 437 requests to the same server, as long as the total round-trip 438 time since the Echo option value was generated is below the 439 freshness threshold. 441 * For actuator applications with low delay tolerance, to avoid 442 additional round-trips for multiple requests in rapid 443 sequence, the server may include the Echo option with a new 444 value even in a successful response to a request, 445 irrespectively of whether the request contained an Echo option 446 or not. The client then uses the Echo option with the new 447 value in the next actuation request, and the server compares 448 the receive time accordingly. 450 2. A server may use the Echo option to synchronize state or time 451 with a requesting client. A server MUST NOT synchronize state or 452 time with clients which are not the authority of the property 453 being synchronized. E.g. if access to a server resource is 454 dependent on time, then the client MUST NOT set the time of the 455 server. 457 * If a server reboots during operation it may need to 458 synchronize state or time before continuing the interaction. 459 For example, with OSCORE it is possible to reuse a partly 460 persistently stored security context by synchronizing the 461 Partial IV (sequence number) using the Echo option, see 462 Section 7.5 of [RFC8613]. 464 * A device joining a CoAP group communication [RFC7390] 465 protected with OSCORE [I-D.ietf-core-oscore-groupcomm] may be 466 required to initially verify freshness and synchronize state 467 or time with a client by using the Echo option in a unicast 468 response to a multicast request. The client receiving the 469 response with the Echo option includes the Echo option with 470 the same value in a request, either in a unicast request to 471 the responding server, or in a subsequent group request. In 472 the latter case, the Echo option will be ignored except by the 473 responding server. 475 3. A server that sends large responses to unauthenticated peers 476 SHOULD mitigate amplification attacks such as described in 477 Section 11.3 of [RFC7252] (where an attacker would put a victim's 478 address in the source address of a CoAP request). For this 479 purpose, a server MAY ask a client to Echo its request to verify 480 its source address. This needs to be done only once per peer and 481 limits the range of potential victims from the general Internet 482 to endpoints that have been previously in contact with the 483 server. For this application, the Echo option can be used in 484 messages that are not integrity protected, for example during 485 discovery. 487 * In the presence of a proxy, a server will not be able to 488 distinguish different origin client endpoints. Following from 489 the recommendation above, a proxy that sends large responses 490 to unauthenticated peers SHOULD mitigate amplification 491 attacks. The proxy MAY use Echo to verify origin reachability 492 as described in Section 2.2. The proxy MAY forward idempotent 493 requests immediately to have a cached result available when 494 the client's Echoed request arrives. 496 4. A server may want to use the request freshness provided by the 497 Echo to verify the aliveness of a client. Note that in a 498 deployment with hop-by-hop security and proxies, the server can 499 only verify aliveness of the closest proxy. 501 3. The Request-Tag Option 503 The Request-Tag is intended for use as a short-lived identifier for 504 keeping apart distinct block-wise request operations on one resource 505 from one client, addressing the issue described in Section 1.2. It 506 enables the receiving server to reliably assemble request payloads 507 (blocks) to their message bodies, and, if it chooses to support it, 508 to reliably process simultaneous block-wise request operations on a 509 single resource. The requests must be integrity protected if they 510 should protect against interchange of blocks between different 511 message bodies. 513 In essence, it is an implementation of the "proxy-safe elective 514 option" used just to "vary the cache key" as suggested in [RFC7959] 515 Section 2.4. 517 3.1. Option Format 519 The Request-Tag option is not critical, is safe to forward, 520 repeatable, and part of the cache key, see Figure 3, which extends 521 Table 4 of [RFC7252]). 523 +-----+---+---+---+---+-------------+--------+------+---------+---+---+ 524 | No. | C | U | N | R | Name | Format | Len. | Default | E | U | 525 +-----+---+---+---+---+-------------+--------+------+---------+---+---+ 526 | TBD | | | | x | Request-Tag | opaque | 0-8 | (none) | x | x | 527 +-----+---+---+---+---+-------------+--------+------+---------+---+---+ 529 C = Critical, U = Unsafe, N = NoCacheKey, R = Repeatable, 530 E = Encrypt and Integrity Protect (when using OSCORE) 532 Figure 3: Request-Tag Option Summary 534 Request-Tag, like the block options, is both a class E and a class U 535 option in terms of OSCORE processing (see Section 4.1 of [RFC8613]): 536 The Request-Tag MAY be an Inner or Outer option. It influences the 537 Inner or Outer block operation, respectively. The Inner and Outer 538 values are therefore independent of each other. The Inner option is 539 encrypted and integrity protected between client and server, and 540 provides message body identification in case of end-to-end 541 fragmentation of requests. The Outer option is visible to proxies 542 and labels message bodies in case of hop-by-hop fragmentation of 543 requests. 545 The Request-Tag option is only used in the request messages of block- 546 wise operations. 548 The Request-Tag mechanism can be applied independently on the server 549 and client sides of CoAP-to-CoAP proxies as are the block options, 550 though given it is safe to forward, a proxy is free to just forward 551 it when processing an operation. CoAP-to-HTTP proxies and HTTP-to- 552 CoAP proxies can use Request-Tag on their CoAP sides; it is not 553 applicable to HTTP requests. 555 3.2. Request-Tag Processing by Servers 557 The Request-Tag option does not require any particular processing on 558 the server side outside of the processing already necessary for any 559 unknown elective proxy-safe cache-key option: The option varies the 560 properties that distinguish block-wise operations (which includes all 561 options except elective NoCacheKey and except Block1/2), and thus the 562 server can not treat messages with a different list of Request-Tag 563 options as belonging to the same operation. 565 To keep utilizing the cache, a server (including proxies) MAY discard 566 the Request-Tag option from an assembled block-wise request when 567 consulting its cache, as the option relates to the operation-on-the- 568 wire and not its semantics. For example, a FETCH request with the 569 same body as an older one can be served from the cache if the older's 570 Max-Age has not expired yet, even if the second operation uses a 571 Request-Tag and the first did not. (This is similar to the situation 572 about ETag in that it is formally part of the cache key, but 573 implementations that are aware of its meaning can cache more 574 efficiently, see [RFC7252] Section 5.4.2). 576 A server receiving a Request-Tag MUST treat it as opaque and make no 577 assumptions about its content or structure. 579 Two messages carrying the same Request-Tag is a necessary but not 580 sufficient condition for being part of the same operation. They can 581 still be treated as independent messages by the server (e.g. when it 582 sends 2.01/2.04 responses for every block), or initiate a new 583 operation (overwriting kept context) when the later message carries 584 Block1 number 0. 586 As it has always been, a server that can only serve a limited number 587 of block-wise operations at the same time can delay the start of the 588 operation by replying with 5.03 (Service unavailable) and a Max-Age 589 indicating how long it expects the existing operation to go on, or it 590 can forget about the state established with the older operation and 591 respond with 4.08 (Request Entity Incomplete) to later blocks on the 592 first operation. 594 3.3. Setting the Request-Tag 596 For each separate block-wise request operation, the client can choose 597 a Request-Tag value, or choose not to set a Request-Tag. Starting a 598 request operation matchable to a previous operation and even using 599 the same Request-Tag value is called request tag recycling. The 600 absence of a Request-Tag option is viewed as a value distinct from 601 all values with a single Request-Tag option set; starting a request 602 operation matchable to a previous operation where neither has a 603 Request-Tag option therefore constitutes request tag recycling just 604 as well (also called "recycling the absent option"). 606 Clients MUST NOT recycle a request tag unless the first operation has 607 concluded. What constitutes a concluded operation depends on the 608 application, and is outlined individually in Section 3.4. 610 When Block1 and Block2 are combined in an operation, the Request-Tag 611 of the Block1 phase is set in the Block2 phase as well for otherwise 612 the request would have a different set of options and would not be 613 recognized any more. 615 Clients are encouraged to generate compact messages. This means 616 sending messages without Request-Tag options whenever possible, and 617 using short values when the absent option can not be recycled. 619 The Request-Tag options MAY be present in request messages that carry 620 a Block2 option even if those messages are not part of a blockwise 621 request operation (this is to allow the operation described in 622 Section 3.4.3). The Request-Tag option MUST NOT be present in 623 response messages, and MUST NOT be present if neither the Block1 nor 624 the Block2 option is present. 626 3.4. Applications 628 3.4.1. Body Integrity Based on Payload Integrity 630 When a client fragments a request body into multiple message 631 payloads, even if the individual messages are integrity protected, it 632 is still possible for a man-in-the-middle to maliciously replace a 633 later operation's blocks with an earlier operation's blocks (see 634 Section 2.5 of [I-D.mattsson-core-coap-actuators]). Therefore, the 635 integrity protection of each block does not extend to the operation's 636 request body. 638 In order to gain that protection, use the Request-Tag mechanism as 639 follows: 641 o The individual exchanges MUST be integrity protected end-to-end 642 between client and server. 644 o The client MUST NOT recycle a request tag in a new operation 645 unless the previous operation matchable to the new one has 646 concluded. 648 If any future security mechanisms allow a block-wise transfer to 649 continue after an endpoint's details (like the IP address) have 650 changed, then the client MUST consider messages sent to _any_ 651 endpoint address within the new operation's security context. 653 o The client MUST NOT regard a block-wise request operation as 654 concluded unless all of the messages the client previously sent in 655 the operation have been confirmed by the message integrity 656 protection mechanism, or are considered invalid by the server if 657 replayed. 659 Typically, in OSCORE, these confirmations can result either from 660 the client receiving an OSCORE response message matching the 661 request (an empty ACK is insufficient), or because the message's 662 sequence number is old enough to be outside the server's receive 663 window. 665 In DTLS, this can only be confirmed if the request message was not 666 retransmitted, and was responded to. 668 Authors of other documents (e.g. applications of [RFC8613]) are 669 invited to mandate this behavior for clients that execute block-wise 670 interactions over secured transports. In this way, the server can 671 rely on a conforming client to set the Request-Tag option when 672 required, and thereby conclude on the integrity of the assembled 673 body. 675 Note that this mechanism is implicitly implemented when the security 676 layer guarantees ordered delivery (e.g. CoAP over TLS [RFC8323]). 677 This is because with each message, any earlier message can not be 678 replayed any more, so the client never needs to set the Request-Tag 679 option unless it wants to perform concurrent operations. 681 3.4.2. Multiple Concurrent Block-wise Operations 683 CoAP clients, especially CoAP proxies, may initiate a block-wise 684 request operation to a resource, to which a previous one is already 685 in progress, which the new request should not cancel. A CoAP proxy 686 would be in such a situation when it forwards operations with the 687 same cache-key options but possibly different payloads. 689 For those cases, Request-Tag is the proxy-safe elective option 690 suggested in [RFC7959] Section 2.4 last paragraph. 692 When initializing a new block-wise operation, a client has to look at 693 other active operations: 695 o If any of them is matchable to the new one, and the client neither 696 wants to cancel the old one nor postpone the new one, it can pick 697 a Request-Tag value that is not in use by the other matchable 698 operations for the new operation. 700 o Otherwise, it can start the new operation without setting the 701 Request-Tag option on it. 703 3.4.3. Simplified Block-Wise Handling for Constrained Proxies 705 The Block options were defined to be unsafe to forward because a 706 proxy that would forward blocks as plain messages would risk mixing 707 up clients' requests. 709 The Request-Tag option provides a very simple way for a proxy to keep 710 them separate: if it appends a Request-Tag that is particular to the 711 requesting endpoint to all request carrying any Block option, it does 712 not need to keep track of any further block state. 714 This is particularly useful to proxies that strive for stateless 715 operation as described in [I-D.ietf-core-stateless] Section 3.1. 717 3.5. Rationale for the Option Properties 719 The Request-Tag option can be elective, because to servers unaware of 720 the Request-Tag option, operations with differing request tags will 721 not be matchable. 723 The Request-Tag option can be safe to forward but part of the cache 724 key, because to proxies unaware of the Request-Tag option will 725 consider operations with differing request tags unmatchable but can 726 still forward them. 728 The Request-Tag option is repeatable because this easily allows 729 stateless proxies to "chain" their origin address. They can perform 730 the steps of Section 3.4.3 without the need to create an option value 731 that is the concatenation of the received option and their own value, 732 and can simply add a new Request-Tag option unconditionally. 734 In draft versions of this document, the Request-Tag option used to be 735 critical and unsafe to forward. That design was based on an 736 erroneous understanding of which blocks could be composed according 737 to [RFC7959]. 739 3.6. Rationale for Introducing the Option 741 An alternative that was considered to the Request-Tag option for 742 coping with the problem of fragmented message body integrity 743 (Section 3.4.1) was to update [RFC7959] to say that blocks could only 744 be assembled if their fragments' order corresponded to the sequence 745 numbers. 747 That approach would have been difficult to roll out reliably on DTLS 748 where many implementations do not expose sequence numbers, and would 749 still not prevent attacks like in [I-D.mattsson-core-coap-actuators] 750 Section 2.5.2. 752 4. Block2 / ETag Processing 754 The same security properties as in Section 3.4.1 can be obtained for 755 blockwise response operations. The threat model here is not an 756 attacker (because the response is made sure to belong to the current 757 request by the security layer), but blocks in the client's cache. 759 Rules stating that response body reassembly is conditional on 760 matching ETag values are already in place from Section 2.4 of 761 [RFC7959]. 763 To gain equivalent protection to Section 3.4.1, a server MUST use the 764 Block2 option in conjunction with the ETag option ([RFC7252], 765 Section 5.10.6), and MUST NOT use the same ETag value for different 766 representations of a resource. 768 5. Token Processing 770 As described in Section 1.3, the client must be able to verify that a 771 response corresponds to a particular request. This section updates 772 the CoAP Token processing requirements for clients. The Token 773 processing for servers is not updated. Token processing in 774 Section 5.3.1 of [RFC7252] is updated by adding the following text: 776 When CoAP is used with a security protocol not providing bindings 777 between requests and responses, the Tokens have cryptographic 778 importance. The client MUST make sure that Tokens are not used in a 779 way so that responses risk being associated with the wrong request. 780 One easy way to accomplish this is to implement the Token (or part of 781 the Token) as a sequence number starting at zero for each new or 782 rekeyed secure connection, this approach SHOULD be followed. 784 6. Security Considerations 786 The availability of a secure pseudorandom number generator and truly 787 random seeds are essential for the security of the Echo option. If 788 no true random number generator is available, a truly random seed 789 must be provided from an external source. As each pseudoranom number 790 must only be used once, an implementation need to get a new truly 791 random seed after reboot, or continously store state in nonvolatile 792 memory, see ([RFC8613], Appendix B.1.1) for issues and solution 793 approaches for writing to nonvolatile memory. 795 A single active Echo value with 64 (pseudo-)random bits gives the 796 same theoretical security level as a 64-bit MAC (as used in e.g. 797 AES_128_CCM_8). The Echo option value MUST contain 32 798 (pseudo-)random bits that are not predictable for any other party 799 than the server, and SHOULD contain 64 (pseudo-)random bits. A 800 server MAY use different security levels for different uses cases 801 (client aliveness, request freshness, state synchronization, network 802 address reachability, etc.). 804 The security provided by the Echo and Request-Tag options depends on 805 the security protocol used. CoAP and HTTP proxies require (D)TLS to 806 be terminated at the proxies. The proxies are therefore able to 807 manipulate, inject, delete, or reorder options or packets. The 808 security claims in such architectures only hold under the assumption 809 that all intermediaries are fully trusted and have not been 810 compromised. 812 Servers SHOULD use a monotonic clock to generate timestamps and 813 compute round-trip times. Use of non-monotonic clocks is not secure 814 as the server will accept expired Echo option values if the clock is 815 moved backward. The server will also reject fresh Echo option values 816 if the clock is moved forward. Non-monotonic clocks MAY be used as 817 long as they have deviations that are acceptable given the freshness 818 requirements. If the deviations from a monotonic clock are known, it 819 may be possible to adjust the threshold accordingly. 821 Servers SHOULD NOT use wall clock time for timestamps, as wall clock 822 time have large deviations from a monotonic clock. Furthermore, an 823 attacker may be able to affect the server's wall clock time in 824 various ways such as setting up a fake NTP server or broadcasting 825 false time signals to radio-controlled clocks. 827 Servers MAY use the time since reboot measured in some unit of time. 828 Servers MAY reset the timer at certain times and MAY generate a 829 random offset applied to all timestamps. When resetting the timer, 830 the server MUST reject all Echo values that was created before the 831 reset. 833 Servers that use the List of Cached Random Values and Timestamps 834 method described in Appendix A may be vulnerable to resource 835 exhaustion attacks. One way to minimize state is to use the 836 Integrity Protected Timestamp method described in Appendix A. 838 6.1. Token reuse 840 Reusing Tokens in a way so that responses are guaranteed to not be 841 associated with the wrong request is not trivial as on-path attackers 842 may block, delay, and reorder messages, requests may be sent to 843 several servers, and servers may process requests in any order and 844 send many responses to the same request. The use of a sequence 845 number is therefore recommended when CoAP is used with a security 846 protocol that does not providing bindings between requests and 847 responses such as DTLS or TLS. 849 For a generic response to a confirmable request over DTLS, binding 850 can only be claimed without out-of-band knowledge if 852 o the original request was never retransmitted, 854 o the response was piggybacked in an Acknowledgement message (as a 855 confirmable or non-confirmable response may have been transmitted 856 multiple times), and 858 o if observation was used, the same holds for the registration, all 859 re-registrations, and the cancellation. 861 (In addition, for observations, any responses using that Token and a 862 DTLS sequence number earlier than the cancellation Acknowledgement 863 message must be discarded. This is typically not supported in DTLS 864 implementations.) 866 In some setups, Tokens can be reused without the above constraints, 867 as a different component in the setup provides the associations: 869 o In CoAP over TLS, retransmissions are not handled by the CoAP 870 layer and the replay window size is always exactly 1. When a 871 client is sending TLS protected requests without Observe to a 872 single server, the client can reuse a Token as soon as the 873 previous response with that Token has been received. 875 o Requests whose responses are cryptographically bound to the 876 requests (like in OSCORE) can reuse Tokens indefinitely. 887 In all other cases, a sequence number approach is recommended as per 888 Section 5. 890 Tokens that cannot be reused need to be blacklisted. This could be 891 solved by increasing the Token as soon as the currently used Token 892 cannot be reused, or by keeping a list of all blacklisted Tokens. 894 When the Token (or part of the Token) contains a sequence number, the 895 encoding of the sequence number has to be chosen in a way to avoid 896 any collisions. This is especially true when the Token contains more 897 information than just the sequence number, e.g. serialized state as 898 in [I-D.ietf-core-stateless]. 900 7. Privacy Considerations 902 Implementations SHOULD NOT put any privacy sensitive information in 903 the Echo or Request-Tag option values. Unencrypted timestamps MAY 904 reveal information about the server such as location or time since 905 reboot. The use of wall clock time is not allowed (see Section 6) 906 and there also privacy reasons, e.g. it may reveal that the server 907 will accept expired certificates. Timestamps MAY be used if Echo is 908 encrypted between the client and the server, e.g. in the case of DTLS 909 without proxies or when using OSCORE with an Inner Echo option. 911 Like HTTP cookies, the Echo option could potentially be abused as a 912 tracking mechanism to link to different requests to the same client. 913 This is especially true for pre-emptive Echo values. Servers MUST 914 NOT use the Echo option to correlate requests for other purposes than 915 freshness and reachability. Clients only send Echo to the same from 916 which they were received. Compared to HTTP, CoAP clients are often 917 authenticated and non-mobile, and servers can therefore often 918 correlate requests based on the security context, the client 919 credentials, or the network address. When the Echo option increases 920 a server's ability to correlate requests, clients MAY discard all 921 pre-emptive Echo values. 923 8. IANA Considerations 925 This document adds the following option numbers to the "CoAP Option 926 Numbers" registry defined by [RFC7252]: 928 +--------+-------------+-------------------+ 929 | Number | Name | Reference | 930 +--------+-------------+-------------------+ 931 | TBD1 | Echo | [[this document]] | 932 | | | | 933 | TBD2 | Request-Tag | [[this document]] | 934 +--------+-------------+-------------------+ 936 Figure 4: CoAP Option Numbers 938 9. References 940 9.1. Normative References 942 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 943 Requirement Levels", BCP 14, RFC 2119, 944 DOI 10.17487/RFC2119, March 1997, 945 . 947 [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained 948 Application Protocol (CoAP)", RFC 7252, 949 DOI 10.17487/RFC7252, June 2014, 950 . 952 [RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in 953 the Constrained Application Protocol (CoAP)", RFC 7959, 954 DOI 10.17487/RFC7959, August 2016, 955 . 957 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 958 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 959 May 2017, . 961 9.2. Informative References 963 [I-D.ietf-core-oscore-groupcomm] 964 Tiloca, M., Selander, G., Palombini, F., and J. Park, 965 "Group OSCORE - Secure Group Communication for CoAP", 966 draft-ietf-core-oscore-groupcomm-05 (work in progress), 967 July 2019. 969 [I-D.ietf-core-stateless] 970 Hartke, K., "Extended Tokens and Stateless Clients in the 971 Constrained Application Protocol (CoAP)", draft-ietf-core- 972 stateless-01 (work in progress), March 2019. 974 [I-D.mattsson-core-coap-actuators] 975 Mattsson, J., Fornehed, J., Selander, G., Palombini, F., 976 and C. Amsuess, "Controlling Actuators with CoAP", draft- 977 mattsson-core-coap-actuators-06 (work in progress), 978 September 2018. 980 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 981 Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, 982 January 2012, . 984 [RFC7390] Rahman, A., Ed. and E. Dijk, Ed., "Group Communication for 985 the Constrained Application Protocol (CoAP)", RFC 7390, 986 DOI 10.17487/RFC7390, October 2014, 987 . 989 [RFC7641] Hartke, K., "Observing Resources in the Constrained 990 Application Protocol (CoAP)", RFC 7641, 991 DOI 10.17487/RFC7641, September 2015, 992 . 994 [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., 995 Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained 996 Application Protocol) over TCP, TLS, and WebSockets", 997 RFC 8323, DOI 10.17487/RFC8323, February 2018, 998 . 1000 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1001 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1002 . 1004 [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, 1005 "Object Security for Constrained RESTful Environments 1006 (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, 1007 . 1009 Appendix A. Methods for Generating Echo Option Values 1011 The content and structure of the Echo option value are implementation 1012 specific and determined by the server. Two simple mechanisms are 1013 outlined in this section, the first is RECOMMENDED in general, and 1014 the second is RECOMMENDED in case the Echo option is encrypted 1015 between the client and the server. 1017 Different mechanisms have different tradeoffs between the size of the 1018 Echo option value, the amount of server state, the amount of 1019 computation, and the security properties offered. A server MAY use 1020 different methods and security levels for different uses cases 1021 (client aliveness, request freshness, state synchronization, network 1022 address reachability, etc.). 1024 1. List of Cached Random Values and Timestamps. The Echo option 1025 value is a (pseudo-)random byte string. The server caches a list 1026 containing the random byte strings and their transmission times. 1027 Assuming 72-bit random values and 32-bit timestamps, the size of the 1028 Echo option value is 9 bytes and the amount of server state is 13n 1029 bytes, where n is the number of active Echo Option values. The 1030 security against an attacker guessing echo values is given by s = bit 1031 length of r - log2(n). The length of r and the maximum allowed n 1032 should be set so that the security level is harmonized with other 1033 parts of the deployment, e.g., s >= 64. If the server loses time 1034 continuity, e.g. due to reboot, the entries in the old list MUST be 1035 deleted. 1037 Echo option value: random value r 1038 Server State: random value r, timestamp t0 1040 2. Integrity Protected Timestamp. The Echo option value is an 1041 integrity protected timestamp. The timestamp can have different 1042 resolution and range. A 32-bit timestamp can e.g. give a resolution 1043 of 1 second with a range of 136 years. The (pseudo-)random secret 1044 key is generated by the server and not shared with any other party. 1045 The use of truncated HMAC-SHA-256 is RECOMMENDED. With a 32-bit 1046 timestamp and a 64-bit MAC, the size of the Echo option value is 12 1047 bytes and the Server state is small and constant. The security 1048 against an attacker guessing echo values is given by the MAC length. 1049 If the server loses time continuity, e.g. due to reboot, the old key 1050 MUST be deleted and replaced by a new random secret key. Note that 1051 the privacy considerations in Section 7 may apply to the timestamp. 1052 A server MAY want to encrypt its timestamps, and, depending on the 1053 choice of encryption algorithms, this may require a nonce to be 1054 included in the Echo option value. 1056 Echo option value: timestamp t0, MAC(k, t0) 1057 Server State: secret key k 1059 Other mechanisms complying with the security and privacy 1060 considerations may be used. The use of encrypted timestamps in the 1061 Echo option increases security, but typically requires an IV to be 1062 included in the Echo option value, which adds overhead and makes the 1063 specification of such a mechanism slightly more complicated than the 1064 two mechanisms specified here. 1066 Appendix B. Request-Tag Message Size Impact 1068 In absence of concurrent operations, the Request-Tag mechanism for 1069 body integrity (Section 3.4.1) incurs no overhead if no messages are 1070 lost (more precisely: in OSCORE, if no operations are aborted due to 1071 repeated transmission failure; in DTLS, if no packages are lost), or 1072 when block-wise request operations happen rarely (in OSCORE, if there 1073 is always only one request block-wise operation in the replay 1074 window). 1076 In those situations, no message has any Request-Tag option set, and 1077 that can be recycled indefinitely. 1079 When the absence of a Request-Tag option can not be recycled any more 1080 within a security context, the messages with a present but empty 1081 Request-Tag option can be used (1 Byte overhead), and when that is 1082 used-up, 256 values from one byte long options (2 Bytes overhead) are 1083 available. 1085 In situations where those overheads are unacceptable (e.g. because 1086 the payloads are known to be at a fragmentation threshold), the 1087 absent Request-Tag value can be made usable again: 1089 o In DTLS, a new session can be established. 1091 o In OSCORE, the sequence number can be artificially increased so 1092 that all lost messages are outside of the replay window by the 1093 time the first request of the new operation gets processed, and 1094 all earlier operations can therefore be regarded as concluded. 1096 Appendix C. Change Log 1098 [ The editor is asked to remove this section before publication. ] 1100 o Changes since draft-ietf-core-echo-request-tag-05: 1102 * Add privacy considerations on cookie-style use of Echo values 1104 * Add security considerations for token reuse 1106 * Add note in security considerations on use of nonvolatile 1107 memory when dealing with pseudorandom numbers 1109 * Appendix on echo generation: add a few words on up- and 1110 downsides of the encrypted timestamp alternative 1112 * Clarifications around Outer Echo: 1114 + Could be generated by the origin server to prove network 1115 reachability (but for most applications it MUST be inner) 1117 + Could be generated by intermediaries 1119 + Is answered by the client to the endpoint from which it 1120 received it (ie. Outer if received as Outer) 1122 * Clarification that a server can send Echo preemtively 1124 * Refer to stateless to explain what "more information than just 1125 the sequence number" could be 1127 * Remove explanations around 0.00 empty messags 1129 * Rewordings: 1131 + the attack: from "forging" to "guessing" 1132 + "freshness tokens" to "freshness indicators" (to avoid 1133 confusion with the Token) 1135 * Editorial fixes: 1137 + Abstract and introduction mention what is updated in RFC7252 1139 + Reference updates 1141 + Capitalization, spelling, terms from other documents 1143 o Changes since draft-ietf-core-echo-request-tag-04: 1145 * Editorial fixes 1147 + Moved paragraph on collision-free encoding of data in the 1148 Token to Security Considerations and rephrased it 1150 + "easiest" -> "one easy" 1152 o Changes since draft-ietf-core-echo-request-tag-03: 1154 * Mention Token processing changes in title 1156 * Abstract reworded 1158 * Clarify updates to Token processing 1160 * Describe security levels from Echo length 1162 * Allow non-monotonic clocks under certain conditions for 1163 freshness 1165 * Simplify freshness expressions 1167 * Describe when a Request-Tag can be set 1169 * Add note on application-level freshness mechanisms 1171 * Minor editorial changes 1173 o Changes since draft-ietf-core-echo-request-tag-02: 1175 * Define "freshness" 1177 * Note limitations of "aliveness" 1179 * Clarify proxy and OSCORE handling in presence of "echo" 1180 * Clarify when Echo values may be reused 1182 * Update security considerations 1184 * Various minor clarifications 1186 * Minor editorial changes 1188 o Major changes since draft-ietf-core-echo-request-tag-01: 1190 * Follow-up changes after the "relying on block-wise" change in 1191 -01: 1193 + Simplify the description of Request-Tag and matchability 1195 + Do not update RFC7959 any more 1197 * Make Request-Tag repeatable. 1199 * Add rationale on not relying purely on sequence numbers. 1201 o Major changes since draft-ietf-core-echo-request-tag-00: 1203 * Reworded the Echo section. 1205 * Added rules for Token processing. 1207 * Added security considerations. 1209 * Added actual IANA section. 1211 * Made Request-Tag optional and safe-to-forward, relying on 1212 block-wise to treat it as part of the cache-key 1214 * Dropped use case about OSCORE Outer-block-wise (the case went 1215 away when its Partial IV was moved into the Object-Security 1216 option) 1218 o Major changes since draft-amsuess-core-repeat-request-tag-00: 1220 * The option used for establishing freshness was renamed from 1221 "Repeat" to "Echo" to reduce confusion about repeatable 1222 options. 1224 * The response code that goes with Echo was changed from 4.03 to 1225 4.01 because the client needs to provide better credentials. 1227 * The interaction between the new option and (cross) proxies is 1228 now covered. 1230 * Two messages being "Request-Tag matchable" was introduced to 1231 replace the older concept of having a request tag value with 1232 its slightly awkward equivalence definition. 1234 Acknowledgments 1236 The authors want to thank Jim Schaad and Carsten Bormann for 1237 providing valuable input to the draft. 1239 Authors' Addresses 1241 Christian Amsuess 1243 Email: christian@amsuess.com 1245 John Preuss Mattsson 1246 Ericsson AB 1248 Email: john.mattsson@ericsson.com 1250 Goeran Selander 1251 Ericsson AB 1253 Email: goran.selander@ericsson.com