idnits 2.17.1 draft-ietf-core-groupcomm-25.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 3 instances of too long lines in the document, the longest one being 12 characters in excess of 72. == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 1 instance of lines with multicast IPv4 addresses in the document. If these are generic example addresses, they should be changed to use the 233.252.0.x range defined in RFC 5771 Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 12, 2014) is 3513 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Missing Reference: 'RFC 3986' is mentioned on line 1996, but not defined == Missing Reference: 'RFC 7320' is mentioned on line 2142, but not defined ** Obsolete undefined reference: RFC 7320 (Obsoleted by RFC 8820) == Missing Reference: 'RFC 7252' is mentioned on line 2144, but not defined == Missing Reference: 'RFC 2616' is mentioned on line 2139, but not defined ** Obsolete undefined reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) == Missing Reference: 'RFC 7230' is mentioned on line 2139, but not defined ** Obsolete undefined reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) == Missing Reference: 'RFC 1033' is mentioned on line 2146, but not defined ** Obsolete normative reference: RFC 4601 (Obsoleted by RFC 7761) ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259) ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) ** Obsolete normative reference: RFC 7320 (Obsoleted by RFC 8820) == Outdated reference: A later version (-21) exists of draft-ietf-core-block-15 == Outdated reference: A later version (-28) exists of draft-ietf-core-resource-directory-01 == Outdated reference: A later version (-16) exists of draft-ietf-core-observe-14 == Outdated reference: A later version (-12) exists of draft-ietf-roll-trickle-mcast-09 Summary: 8 errors (**), 0 flaws (~~), 13 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CoRE Working Group A. Rahman, Ed. 3 Internet-Draft InterDigital Communications, LLC 4 Intended status: Experimental E. Dijk, Ed. 5 Expires: March 16, 2015 Philips Research 6 September 12, 2014 8 Group Communication for CoAP 9 draft-ietf-core-groupcomm-25 11 Abstract 13 The Constrained Application Protocol (CoAP) is a specialized web 14 transfer protocol for constrained devices and constrained networks. 15 It is anticipated that constrained devices will often naturally 16 operate in groups (e.g., in a building automation scenario all lights 17 in a given room may need to be switched on/off as a group). This 18 specification defines how the CoAP protocol should be used in a group 19 communication context. An approach for using CoAP on top of IP 20 multicast is detailed based on both existing CoAP functionality as 21 well as new features introduced in this specification. Also, various 22 use cases and corresponding protocol flows are provided to illustrate 23 important concepts. Finally, guidance is provided for deployment in 24 various network topologies. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on March 16, 2015. 43 Copyright Notice 45 Copyright (c) 2014 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 61 1.1. Background . . . . . . . . . . . . . . . . . . . . . . . 3 62 1.2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 3 63 1.3. Conventions and Terminology . . . . . . . . . . . . . . . 4 64 2. Protocol Considerations . . . . . . . . . . . . . . . . . . . 5 65 2.1. IP Multicast Background . . . . . . . . . . . . . . . . . 5 66 2.2. Group Definition and Naming . . . . . . . . . . . . . . . 6 67 2.3. Port and URI Configuration . . . . . . . . . . . . . . . 7 68 2.4. RESTful Methods . . . . . . . . . . . . . . . . . . . . . 9 69 2.5. Request and Response Model . . . . . . . . . . . . . . . 9 70 2.6. Membership Configuration . . . . . . . . . . . . . . . . 10 71 2.6.1. Background . . . . . . . . . . . . . . . . . . . . . 10 72 2.6.2. Membership Configuration RESTful Interface . . . . . 11 73 2.7. Request Acceptance and Response Suppression Rules . . . . 17 74 2.8. Congestion Control . . . . . . . . . . . . . . . . . . . 19 75 2.9. Proxy Operation . . . . . . . . . . . . . . . . . . . . . 20 76 2.10. Exceptions . . . . . . . . . . . . . . . . . . . . . . . 21 77 3. Use Cases and Corresponding Protocol Flows . . . . . . . . . 22 78 3.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 22 79 3.2. Network Configuration . . . . . . . . . . . . . . . . . . 22 80 3.3. Discovery of Resource Directory . . . . . . . . . . . . . 24 81 3.4. Lighting Control . . . . . . . . . . . . . . . . . . . . 26 82 3.5. Lighting Control in MLD Enabled Network . . . . . . . . . 30 83 3.6. Commissioning the Network Based On Resource Directory . . 31 84 4. Deployment Guidelines . . . . . . . . . . . . . . . . . . . . 32 85 4.1. Target Network Topologies . . . . . . . . . . . . . . . . 32 86 4.2. Networks Using the MLD Protocol . . . . . . . . . . . . . 33 87 4.3. Networks Using RPL Multicast Without MLD . . . . . . . . 33 88 4.4. Networks Using MPL Forwarding Without MLD . . . . . . . . 34 89 4.5. 6LoWPAN Specific Guidelines for the 6LBR . . . . . . . . 35 90 5. Security Considerations . . . . . . . . . . . . . . . . . . . 35 91 5.1. Security Configuration . . . . . . . . . . . . . . . . . 35 92 5.2. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 36 93 5.3. Threat Mitigation . . . . . . . . . . . . . . . . . . . . 36 94 5.3.1. WiFi Scenario . . . . . . . . . . . . . . . . . . . . 37 95 5.3.2. 6LoWPAN Scenario . . . . . . . . . . . . . . . . . . 37 96 5.3.3. Future Evolution . . . . . . . . . . . . . . . . . . 37 97 5.4. Monitoring Considerations . . . . . . . . . . . . . . . . 38 98 5.4.1. General Monitoring . . . . . . . . . . . . . . . . . 38 99 5.4.2. Pervasive Monitoring . . . . . . . . . . . . . . . . 38 100 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 101 6.1. New 'core.gp' Resource Type . . . . . . . . . . . . . . . 39 102 6.2. New 'coap-group+json' Internet Media Type . . . . . . . . 39 103 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 41 104 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 105 8.1. Normative References . . . . . . . . . . . . . . . . . . 41 106 8.2. Informative References . . . . . . . . . . . . . . . . . 43 107 Appendix A. Multicast Listener Discovery (MLD) . . . . . . . . . 44 108 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 44 109 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57 111 1. Introduction 113 1.1. Background 115 Constrained Application Protocol (CoAP) is a Representational State 116 Transfer (REST) based web transfer protocol for resource constrained 117 devices operating in an IP network [RFC7252]. CoAP has many 118 similarities to HTTP [RFC7230] but also has some key differences. 119 Constrained devices can be large in numbers, but are often related to 120 each other in function or by location. For example, all the light 121 switches in a building may belong to one group and all the 122 thermostats may belong to another group. Groups may be pre- 123 configured before deployment or dynamically formed during operation. 124 If information needs to be sent to or received from a group of 125 devices, group communication mechanisms can improve efficiency and 126 latency of communication and reduce bandwidth requirements for a 127 given application. HTTP does not support any equivalent 128 functionality to CoAP group communication. 130 1.2. Scope 132 Group communication involves a one-to-many relationship between CoAP 133 endpoints. Specifically, a single CoAP client can simultaneously get 134 (or set) resources from multiple CoAP servers using CoAP over IP 135 multicast. An example would be a CoAP light switch turning on/off 136 multiple lights in a room with a single CoAP group communication PUT 137 request, and handling the potential multitude of (unicast) responses. 139 The base protocol aspects of sending CoAP requests on top of IP 140 multicast, and processing the (unicast IP) responses are given in 141 Section 8 of [RFC7252]. To provide a more complete CoAP group 142 communication functionality, this specification introduces new CoAP 143 protocol processing functionality (e.g., new rules for re-use of 144 Token values, request suppression, and proxy operation) and a new 145 management interface for RESTful group membership configuration. 147 CoAP group communication will run in Any Source Multicast (ASM) mode 148 [RFC5110] of IP multicast operation. This means that there is no 149 restriction on the source node which sends (originates) the CoAP 150 messages to the IP multicast group. For example, the source node may 151 be part of the IP multicast group or not. Also, there is no 152 restriction on the number of source nodes. 154 While Section 9.1 of [RFC7252] supports various modes of DTLS-based 155 security for CoAP over unicast IP, it does not specify any security 156 modes for CoAP over IP multicast. That is, [RFC7252] assumes that 157 CoAP over IP multicast is not encrypted, nor authenticated, nor 158 access controlled. This document assumes the same security model 159 (see Section 5.1). However, there are several promising security 160 approaches being developed that should be considered in the future 161 for protecting CoAP group communications (see Section 5.3.3). 163 1.3. Conventions and Terminology 165 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 166 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 167 "OPTIONAL" in this document are to be interpreted as described in 168 [RFC2119] when they appear in ALL CAPS. When these words are not in 169 ALL CAPS (such as "should" or "Should"), they have their usual 170 English meanings, and are not to be interpreted as [RFC2119] key 171 words. 173 Note that this document refers back to other RFCs, and especially 174 [RFC7252], to help explain overall CoAP group communication features. 175 However use of [RFC2119] key words is reserved for new CoAP 176 functionality introduced by this specification. 178 This document assumes readers are familiar with the terms and 179 concepts that are used in [RFC7252]. In addition, this document 180 defines the following terminology: 182 Group Communication 183 A source node sends a single application layer (e.g., CoAP) 184 message which is delivered to multiple destination nodes, where 185 all destinations are identified to belong to a specific group. 186 The source node itself may be part of the group. The underlying 187 mechanisms for CoAP group communication are UDP/IP multicast for 188 the requests, and unicast UDP/IP for the responses. The network 189 involved may be a constrained network such as a low-power, lossy 190 network. 192 Reliable Group Communication 193 A special case of group communication where for each destination 194 node it is guaranteed that the node either 1) eventually receives 195 the message sent by the source node, or 2) does not receive the 196 message and the source node is notified of the non-reception 197 event. An example of a reliable group communication protocol is 198 [RFC5740]. 200 Multicast 201 Sending a message to multiple destination nodes with one network 202 invocation. There are various options to implement multicast 203 including layer 2 (Media Access Control) and layer 3 (IP) 204 mechanisms. 206 IP Multicast 207 A specific multicast approach based on the use of IP multicast 208 addresses as defined in "IANA Guidelines for IPv4 Multicast 209 Address Assignments" [RFC5771] and "IP Version 6 Addressing 210 Architecture" [RFC4291]. A complete IP multicast solution may 211 include support for managing group memberships, and IP multicast 212 routing/forwarding (see Section 2.1). 214 Low power and Lossy Network (LLN) 215 A type of constrained IP network where devices are interconnected 216 by low-power and lossy links. The links may be may composed of 217 one or more technologies such as IEEE 802.15.4, Bluetooth Low 218 Energy (BLE), Digital Enhanced Cordless Telecommunication (DECT), 219 and IEEE P1901.2 power-line communication. 221 2. Protocol Considerations 223 2.1. IP Multicast Background 225 IP multicast protocols have been evolving for decades, resulting in 226 standards such as Protocol Independent Multicast - Sparse Mode (PIM- 227 SM) [RFC4601]. IP multicast is very popular in specific deployments 228 such as in enterprise networks (e.g., for video conferencing), smart 229 home networks (e.g., Universal Plug and Play (UPnP)) and carrier IPTV 230 deployments. The packet economy and minimal host complexity of IP 231 multicast make it attractive for group communication in constrained 232 environments. 234 To achieve IP multicast beyond link-local scope, an IP multicast 235 routing or forwarding protocol needs to be active on IP routers. An 236 example of a routing protocol specifically for LLNs is the IPv6 237 Routing Protocol for Low-Power and Lossy Networks (RPL) (Section 12 238 of [RFC6550]) and an example of a forwarding protocol for LLNs is 239 Multicast Protocol for Low power and Lossy Networks (MPL) 241 [I-D.ietf-roll-trickle-mcast]. RPL and MPL do not depend on each 242 other; each can be used in isolation and both can be used in 243 combination in a network. Finally, PIM-SM [RFC4601] is often used 244 for multicast routing in traditional IP networks (i.e., networks that 245 are not constrained). 247 IP multicast can also be run in a Link-Local (LL) scope. This means 248 that there is no routing involved and an IP multicast message is only 249 received over the link on which it was sent. 251 For a complete IP multicast solution, in addition to a routing/ 252 forwarding protocol, a "listener" protocol may be needed for the 253 devices to subscribe to groups (see Section 4.2). Also, a multicast 254 forwarding proxy node [RFC4605] may be required. 256 IP multicast is generally classified as an unreliable service in that 257 packets are not guaranteed to be delivered to each and every member 258 of the group. In other words, it cannot be directly used as a basis 259 for "reliable group communication" as defined in Section 1.3. 260 However, the level of reliability can be increased by employing a 261 multicast protocol that performs periodic retransmissions as is done, 262 for example, in MPL. 264 2.2. Group Definition and Naming 266 A CoAP group is defined as a set of CoAP endpoints, where each 267 endpoint is configured to receive CoAP group communication requests 268 that are sent to the group's associated IP multicast address. The 269 individual response by each endpoint receiver to a CoAP group 270 communication request is always sent back as unicast. An endpoint 271 may be a member of multiple groups. Group membership of an endpoint 272 may dynamically change over time. 274 All CoAP server nodes SHOULD join the "All CoAP Nodes" multicast 275 group (Section 12.8 of [RFC7252]) by default to enable CoAP 276 discovery. For IPv4, the address is 224.0.1.187 and for IPv6 a 277 server node joins at least both the link-local scoped address 278 FF02::FD and the site-local scoped address FF05::FD. IPv6 addresses 279 of other scopes MAY be enabled. 281 A CoAP group URI has the scheme 'coap' and includes in the authority 282 part either a group IP multicast address, or a hostname (e.g., Group 283 Fully Qualified Domain Name (FQDN)) that can be resolved to the group 284 IP multicast address. A group URI also contains an optional CoAP 285 port number in the authority part. Group URIs follow the regular 286 CoAP URI syntax (Section 6 of [RFC7252]. 288 Note: A group URI is needed to initiate CoAP group communications. 289 For CoAP client implementations it is recommended to use the URI 290 decomposition method of Section 6.4 of [RFC7252] in such way that, 291 from a group URI, a CoAP group communication request is generated. 293 For sending nodes, it is recommended to use the IP multicast address 294 literal in a group URI. (This is because DNS infrastructure may not 295 be deployed in many constrained network deployments). However, in 296 case a group hostname is used, it can be uniquely mapped to an IP 297 multicast address via DNS resolution (if supported). Some examples 298 of hierarchical group FQDN naming (and scoping) for a building 299 control application are shown below: 301 URI authority Targeted group of nodes 302 --------------------------------------- -------------------------- 303 all.bldg6.example.com "all nodes in building 6" 304 all.west.bldg6.example.com "all nodes in west wing, 305 building 6" 306 all.floor1.west.bldg6.example.com "all nodes in floor 1, 307 west wing, building 6" 308 all.bu036.floor1.west.bldg6.example.com "all nodes in office bu036, 309 floor1, west wing, 310 building 6" 312 Similarly, if supported, reverse mapping (from IP multicast address 313 to Group FQDN) is possible using the reverse DNS resolution technique 314 ([RFC1033]). Reverse mapping is important, for example, in trouble 315 shooting to translate IP multicast addresses back to human readable 316 hostnames to show in a diagnostics user interface. 318 2.3. Port and URI Configuration 320 A CoAP server that is a member of a group listens for CoAP messages 321 on the group's IP multicast address, usually on the CoAP default UDP 322 port, 5683. If the group uses a specified non-default UDP port, be 323 careful to ensure that all group members are configured to use that 324 same port. 326 Different ports for the same IP multicast address are preferably not 327 used to specify different CoAP groups. If disjoint groups share the 328 same IP multicast address, then all the devices interested in one 329 group will accept IP traffic also for the other disjoint groups, only 330 to ultimately discard the traffic higher in their IP stack (based on 331 UDP port discrimination). 333 CoAP group communication will not work if there is diversity in the 334 authority port (e.g., different dynamic port addresses across the 335 group) or if other parts of the group URI such as the path, or the 336 query, differ on different endpoints. Therefore, some measures must 337 be present to ensure uniformity in port number and resource names/ 338 locations within a group. All CoAP group communication requests MUST 339 be sent using a port number according to one of below options: 341 1. A pre-configured port number. 343 2. If the client is configured to use service discovery including 344 URI and port discovery, it uses the port number obtained via a 345 service discovery lookup operation for the targeted CoAP group. 347 3. Use the default CoAP UDP port (5683). 349 For a CoAP server node that supports resource discovery, the default 350 port 5683 must be supported (Section 7.1 of [RFC7252]) for the "All 351 CoAP Nodes" group. Regardless of the method of selecting the port 352 number, the same port MUST be used across all CoAP servers in a group 353 and across all CoAP clients performing the group requests. 355 All CoAP group communication requests SHOULD operate on group URI 356 paths in one of the following ways: 358 1. Pre-configured group URI paths, if available. Implementers are 359 free to define the paths as they see fit. However, note that 360 [RFC7320] prescribes that a specification must not constrain, 361 define structure or semantics for any path component. So for 362 this reason, a pre-defined URI path is not specified in this 363 document and also must not be provided in other specifications. 365 2. If the client is configured to use default CoRE resource 366 discovery, it uses URI paths retrieved from a "/.well-known/core" 367 lookup on a group member. The URI paths the client will use MUST 368 be known to be available also in all other endpoints in the 369 group. The URI path configuration mechanism on servers MUST 370 ensure that these URIs (identified as being supported by the 371 group) are configured on all group endpoints. 373 3. If the client is configured to use another form of service 374 discovery, it uses group URI paths from an equivalent service 375 discovery lookup which returns the resources supported by all 376 group members. 378 4. If the client has received a group URI through a previous RESTful 379 interaction with a trusted server it can use this URI in a CoAP 380 group communication request. For example, a commissioning tool 381 may instruct a sensor device in this way to which target group 382 (group URI) it should report sensor events. 384 However the URI path is selected, the same path MUST be used across 385 all CoAP servers in a group and all CoAP clients performing the group 386 requests. 388 2.4. RESTful Methods 390 Group communication most often uses the idempotent CoAP methods GET 391 and PUT. The idempotent method DELETE can also be used. The non- 392 idempotent CoAP method POST may only be used for group communication 393 if the resource being POSTed to has been designed to cope with the 394 unreliable and lossy nature of IP multicast. For example, a client 395 may re-send a multicast POST request for additional reliability. 396 Some servers will receive the request two times while others may 397 receive it only once. For idempotent methods all these servers will 398 be in the same state, while for POST this is not guaranteed; so the 399 resource POST operation must be specifically designed to take message 400 loss into account. 402 2.5. Request and Response Model 404 All CoAP requests that are sent via IP multicast must be Non- 405 confirmable (Section 8.1 of [RFC7252]). The Message ID in an IP 406 multicast CoAP message is used for optional message de-duplication as 407 detailed in Section 4.5 of [RFC7252]. 409 A server optionally sends back a unicast response to the CoAP group 410 communication request (e.g., response "2.05 Content" to a group GET 411 request). The unicast responses received by the CoAP client may be a 412 mixture of success (e.g., 2.05 Content) and failure (e.g., 4.04 Not 413 Found) codes depending on the individual server processing results. 414 Detailed processing rules for IP multicast request acceptance and 415 unicast response suppression are given in Section 2.7. 417 A CoAP request sent over IP multicast and any unicast response it 418 causes must take into account the congestion control rules defined in 419 Section 2.8. 421 The CoAP client can distinguish the origin of multiple server 422 responses by source IP address of the UDP message containing the CoAP 423 response, or any other available unique identifier (e.g., contained 424 in the CoAP payload). In case a CoAP client sent multiple group 425 requests, the responses are as usual matched to a request using the 426 CoAP Token. 428 For multicast CoAP requests there are additional constraints on the 429 re-use of Token values, compared to the unicast case. In the unicast 430 case, receiving a response effectively frees up its Token value for 431 re-use since no more responses will follow. However, for multicast 432 CoAP the number of responses is not bounded a-priori. Therefore the 433 reception of a response cannot be used as a trigger to "free up" a 434 Token value for re-use. Re-using a Token value too early could lead 435 to incorrect response/request matching in the client, which is a 436 protocol error. Therefore the time between re-use of Token values 437 used in multicast requests MUST be greater than: 439 NON_LIFETIME + MAX_LATENCY + MAX_SERVER_RESPONSE_DELAY 441 where NON_LIFETIME and MAX_LATENCY are defined in Section 4.8 of 442 [RFC7252]. MAX_SERVER_RESPONSE_DELAY is defined here as the expected 443 maximum response delay over all servers that the client can send a 444 multicast request to. This delay includes the maximum Leisure time 445 period as defined in Section 8.2 of [RFC7252]. The CoAP protocol 446 does not define a time limit for the server response delay. Using 447 the default CoAP protocol parameters, the Token re-use time MUST be 448 greater than 250 seconds plus MAX_SERVER_RESPONSE_DELAY. A preferred 449 solution to meet this requirement is to generate a new unique Token 450 for every multicast request, such that a Token value is never re- 451 used. If a client has to re-use Token values for some reason, and 452 also MAX_SERVER_RESPONSE_DELAY is unknown, then using 453 MAX_SERVER_RESPONSE_DELAY = 250 seconds is a reasonable guideline. 454 The time between Token re-uses is in that case set to a value greater 455 than 500 seconds. 457 2.6. Membership Configuration 459 2.6.1. Background 461 2.6.1.1. Member Discovery 463 CoAP Groups, and the membership of these groups, can be discovered 464 via the lookup interfaces in the Resource Directory (RD) defined in 465 [I-D.ietf-core-resource-directory]. This discovery interface is not 466 required to invoke CoAP group communications. However, it is a 467 potential complementary interface useful for overall management of 468 CoAP groups. Other methods to discover groups (e.g., proprietary 469 management systems) can also be used. An example of doing some of 470 the RD based lookups is given in Section 3.6. 472 2.6.1.2. Configuring Members 474 The group membership of a CoAP endpoint may be configured in one of 475 the following ways. First, the group membership may be pre- 476 configured before node deployment. Second, a node may be programmed 477 to discover (query) its group membership using a specific service 478 discovery means. Third, it may be configured by another node (e.g., 479 a commissioning device). 481 In the first case, the pre-configured group information may be either 482 an IP multicast address or a hostname (FQDN) which is resolved later 483 (during operation) to an IP multicast address by the endpoint using 484 DNS (if supported). 486 For the second case, a CoAP endpoint may look up its group membership 487 using techniques such as DNS-SD and Resource Directory 488 [I-D.ietf-core-resource-directory]. 490 In the third case, typical in scenarios such as building control, a 491 dynamic commissioning tool determines to which group(s) a sensor or 492 actuator node belongs, and writes this information to the node, which 493 can subsequently join the correct IP multicast group(s) on its 494 network interface. The information written per group may again be an 495 IP multicast address or a hostname. 497 2.6.2. Membership Configuration RESTful Interface 499 To achieve better interoperability between endpoints from different 500 manufacturers, an OPTIONAL CoAP membership configuration RESTful 501 interface for configuring endpoints with relevant group information 502 is described here. This interface provides a solution for the third 503 case mentioned above. To access this interface a client will use 504 unicast CoAP methods (GET/PUT/POST/DELETE). This interface is a 505 method of configuring group information in individual endpoints. 507 Also, a form of authorization (preferably making use of unicast DTLS- 508 secured CoAP of Section 9.1 of [RFC7252]) should be used such that 509 only authorized controllers are allowed by an endpoint to configure 510 its group membership. 512 It is important to note that other approaches may be used to 513 configure CoAP endpoints with relevant group information. These 514 alternative approaches may support a subset or super-set of the 515 membership configuration RESTful interface described in this 516 document. For example, a simple interface to just read the endpoint 517 group information may be implemented via a classical Management 518 Information Base (MIB) approach (e.g., following approach of 519 [RFC3433]). 521 2.6.2.1. CoAP-Group Resource Type and Media Type 523 CoAP endpoints implementing the membership configuration RESTful 524 interface MUST support the CoAP group configuration Internet Media 525 Type "application/coap-group+json" (Section 6.2). 527 A resource offering this representation can be annotated for direct 528 discovery [RFC6690] using the resource type (rt) "core.gp" where "gp" 529 is shorthand for "group" (Section 6.1). An authorized client uses 530 this media type to query/manage group membership of a CoAP endpoint 531 as defined in the following subsections. 533 The group configuration resource and its sub-resources have a 534 JavaScript Object Notation (JSON) based content format (as indicated 535 by the "application/coap-group+json" media type). The resource 536 includes zero or more group membership JSON objects [RFC7159] in a 537 format as defined in Section 2.6.2.4. A group membership JSON object 538 contains one or more key/value pairs as defined below, and represents 539 a single IP multicast group membership for the CoAP endpoint. Each 540 key/value pair is encoded as a member of the JSON object, where the 541 key is the member name and the value is the member's value. 543 Examples of four different group membership objects are: 545 { "n": "All-Devices.floor1.west.bldg6.example.com", 546 "a": "[ff15::4200:f7fe:ed37:abcd]:4567" } 548 { "n": "sensors.floor2.east.bldg6.example.com" } 550 { "n": "coap-test", 551 "a": "224.0.1.187:56789" } 553 { "a": "[ff15::c0a7:15:c001]" } 555 The OPTIONAL "n" key/value pair stands for "name" and identifies the 556 group with a hostname (and optionally the port number), for example, 557 a FQDN. The OPTIONAL "a" key/value pair specifies the IP multicast 558 address (and optionally the port number) of the group. It contains 559 an IPv4 address (in dotted decimal notation) or an IPv6 address. The 560 following ABNF rule can be used for parsing the address, referring to 561 the definitions in Section 3.2.2 of [RFC3986] which are also used in 562 the base CoAP protocol (Section 6 of [RFC7252]. 564 group-address = IPv4address [ ":" port ] 565 / "[" IPv6address "]" [":" port ] 567 In any group membership object, if the IP address is known when the 568 object is created, it is included in the "a" key/value pair. If the 569 "a" value cannot be provided, the "n" value MUST be included, 570 containing a valid hostname with optional port number that can be 571 translated to an IP multicast address via DNS. 573 group-name = host [ ":" port ] 575 If the port number is not provided, then the endpoint will attempt to 576 look up the port number from DNS if it supports a method to do this. 578 The possible DNS methods include DNS-SRV [RFC2782] or DNS-SD 579 [RFC6763]. If port lookup is not supported or not provided by DNS, 580 the default CoAP port (5683) is assumed. 582 After any change on a Group configuration resource, the endpoint MUST 583 effect registration/de-registration from the corresponding IP 584 multicast group(s) by making use of APIs such as IPV6_RECVPKTINFO 585 [RFC3542]. 587 2.6.2.2. Creating a new multicast group membership (POST) 589 Method: POST 590 URI Template: /{+gp} 591 Location-URI Template: /{+gp}/{index} 592 URI Template Variables: 593 gp - Group Configuration Function Set path (mandatory). 594 index - Group index. Index MUST be a string of maximum two (2) alphanumeric ASCII 595 characters (case insensitive). It MUST be locally unique to the endpoint server. 596 It indexes the particular endpoint's list of group memberships. 598 Example: 599 Req: POST /coap-group 600 Content-Format: application/coap-group+json 601 { "n": "All-Devices.floor1.west.bldg6.example.com", 602 "a": "[ff15::4200:f7fe:ed37:abcd]:4567" } 603 Res: 2.01 Created 604 Location-Path: /coap-group/12 606 For the 'gp' variable it is recommended to use the path "coap-group" 607 by default. The "a" key/value pair is always used if it is given. 608 The "n" pair is only used when there is no "a" pair. If only the "n" 609 pair is given, the CoAP endpoint performs DNS resolution to obtain 610 the IP multicast address from the hostname in the "n" pair. If DNS 611 resolution is not successful, then the endpoint does not attempt 612 joining or listening to any multicast group for this case since the 613 IP multicast address is unknown. 615 After any change on a Group configuration resource, the endpoint MUST 616 effect registration/de-registration from the corresponding IP 617 multicast group(s) by making use of APIs such as IPV6_RECVPKTINFO 618 [RFC3542]. When a POST payload contains in "a" an IP multicast 619 address to which the endpoint is already subscribed, no change to 620 that subscription is needed. 622 2.6.2.3. Deleting a single group membership (DELETE) 624 Method: DELETE 625 URI Template: {+location} 626 URI Template Variables: 627 location - The Location-Path returned by the CoAP server as a result 628 of a successful group creation. 630 Example: 631 Req: DELETE /coap-group/12 632 Res: 2.02 Deleted 634 2.6.2.4. Reading all group memberships at once (GET) 636 A (unicast) GET on the CoAP-group resource returns a JSON object 637 containing multiple keys and values. The keys (member names) are 638 group indices and the values (member values) are the corresponding 639 group membership objects. Each group membership object describes one 640 IP multicast group membership. If no group memberships are 641 configured then an empty JSON object is returned. 643 Method: GET 645 URI Template: /{+gp} 647 URI Template Variables: 649 gp - see Section 2.6.2.2 651 Example: 652 Req: GET /coap-group 653 Res: 2.05 Content 654 Content-Format: application/coap-group+json 655 { "8" :{ "a": "[ff15::4200:f7fe:ed37:14ca]" }, 656 "11":{ "n": "sensors.floor1.west.bldg6.example.com", 657 "a": "[ff15::4200:f7fe:ed37:25cb]" }, 658 "12":{ "n": "All-Devices.floor1.west.bldg6.example.com", 659 "a": "[ff15::4200:f7fe:ed37:abcd]:4567" } 660 } 662 Note: the returned IPv6 address string will represent the same IPv6 663 address that was originally submitted in group membership creation, 664 though it might be a different string because of different choices in 665 IPv6 string representation formatting that may be allowed for the 666 same address (see [RFC5952]). 668 2.6.2.5. Reading a single group membership (GET) 670 Similar to Section 2.6.2.4 but only a single group membership is 671 read. If the requested group index does not exist then a 4.04 Not 672 Found response is returned. 674 Method: GET 676 URI Template 1: {+location} 678 URI Template 2: /{+gp}/{index} 680 URI Template Variables: 682 location - see Section 2.6.2.3 684 gp, index - see Section 2.6.2.2 686 Example: 687 Req: GET /coap-group/12 688 Res: 2.05 Content 689 Content-Format: application/coap-group+json 690 {"n": "All-Devices.floor1.west.bldg6.example.com", 691 "a": "[ff15::4200:f7fe:ed37:abcd]:4567"} 693 2.6.2.6. Creating/updating all group memberships at once (PUT) 695 A (unicast) PUT with a group configuration media type as payload will 696 replace all current group memberships in the endpoint with the new 697 ones defined in the PUT request. This operation MUST only be used to 698 delete or update group membership objects for which the CoAP client, 699 invoking this operation, is responsible. The responsibility is based 700 on application level knowledge. For example, a commissioning tool 701 will be responsible for any group membership objects that it created. 703 Method: PUT 705 URI Template: /{+gp} 707 URI Template Variables: 709 gp - see Section 2.6.2.2 711 Example: (replacing all existing group memberships with two new group memberships) 712 Req: PUT /coap-group 713 Content-Format: application/coap-group+json 714 { "1":{ "a": "[ff15::4200:f7fe:ed37:1234]" }, 715 "2":{ "a": "[ff15::4200:f7fe:ed37:5678]" } 716 } 717 Res: 2.04 Changed 719 Example: (clearing all group memberships at once) 720 Req: PUT /coap-group 721 Content-Format: application/coap-group+json 722 {} 723 Res: 2.04 Changed 725 After a successful PUT on the Group configuration resource, the 726 endpoint MUST effect registration to any new IP multicast group(s) 727 and de-registration from any previous IP multicast group(s), i.e., 728 not any more present in the new memberships. An API such as 729 IPV6_RECVPKTINFO [RFC3542] should be used for this purpose. Also it 730 MUST take into account the group indices present in the new resource 731 during the generation of any new unique group indices in the future. 733 2.6.2.7. Updating a single group membership (PUT) 735 A (unicast) PUT with a group membership JSON object will replace an 736 existing group membership in the endpoint with the new one defined in 737 the PUT request. This can be used to update the group membership. 739 Method: PUT 741 URI Template 1: {+location} 743 URI Template 2: /{+gp}/{index} 745 URI Template Variables: 747 location - see Section 2.6.2.3 749 gp, index - see Section 2.6.2.2 751 Example: (group name and IP multicast port change) 752 Req: PUT /coap-group/12 753 Content-Format: application/coap-group+json 754 {"n": "All-My-Devices.floor1.west.bldg6.example.com", 755 "a": "[ff15::4200:f7fe:ed37:abcd]"} 756 Res: 2.04 Changed 758 After a successful PUT on the Group configuration resource, the 759 endpoint MUST effect registration to any new IP multicast group(s) 760 and de-registration from any previous IP multicast group(s), i.e., 761 not any more present in the new membership. An API such as 762 IPV6_RECVPKTINFO [RFC3542] should be used for this purpose. 764 2.7. Request Acceptance and Response Suppression Rules 766 CoRE Link Format [RFC6690], and Section 8 of CoAP [RFC7252] define 767 behaviors for: 769 1. IP multicast request acceptance - in which cases a CoAP request 770 is accepted and executed, and when not. 772 2. IP multicast response suppression - in which cases the CoAP 773 response to an already-executed request is returned to the 774 requesting endpoint, and when not. 776 A CoAP response differs from a CoAP ACK; ACKs are never sent by 777 servers in response to an IP multicast CoAP request. This section 778 first summarizes these behaviors and then presents additional 779 guidelines for response suppression. Also a number of IP multicast 780 example applications are given to illustrate the overall approach. 782 To apply any rules for request and/or response suppression, a CoAP 783 server must be aware that an incoming request arrived via IP 784 multicast by making use of APIs such as IPV6_RECVPKTINFO [RFC3542]. 786 For IP multicast request acceptance, the behaviors are: 788 o A server should not accept an IP multicast request that cannot be 789 "authenticated" in some way (i.e, cryptographically or by some 790 multicast boundary limiting the potential sources) (Section 11.3 791 of [RFC7252]. See Section 5.3 for examples of multicast boundary 792 limiting methods. 794 o A server should not accept an IP multicast discovery request with 795 a query string (as defined in CoRE Link Format [RFC6690]) if 796 filtering ([RFC6690]) is not supported by the server. 798 o A server should not accept an IP multicast request that acts on a 799 specific resource for which IP multicast support is not required. 800 (Note that for the resource "/.well-known/core", IP multicast 801 support is required if "multicast resource discovery" is supported 802 as specified in Section 1.2.1 of [RFC6690]). Implementers are 803 advised to disable IP multicast support by default on any other 804 resource, until explicitly enabled by an application or by 805 configuration.) 807 o Otherwise accept the IP multicast request. 809 For IP multicast response suppression, the behaviors are: 811 o A server should not respond to an IP multicast discovery request 812 if the filter specified by the request's query string does not 813 match. 815 o A server may choose not to respond to an IP multicast request, if 816 there's nothing useful to respond (e.g., error or empty response). 818 The above response suppression behaviors are complemented by the 819 following guidelines. CoAP servers should implement configurable 820 response suppression, enabling at least the following options per 821 resource that supports IP multicast requests: 823 o Suppression of all 2.xx success responses; 825 o Suppression of all 4.xx client errors; 827 o Suppression of all 5.xx server errors; 829 o Suppression of all 2.05 responses with empty payload. 831 A number of CoAP group communication example applications are given 832 below to illustrate how to make use of response suppression: 834 o CoAP resource discovery: Suppress 2.05 responses with empty 835 payload and all 4.xx and 5.xx errors. 837 o Lighting control: Suppress all 2.xx responses after a lighting 838 change command. 840 o Update configuration data in a group of devices using group 841 communication PUT: No suppression at all. The client uses 842 collected responses to identify which group members did not 843 receive the new configuration; then attempts using CoAP CON 844 unicast to update those specific group members. Note that in this 845 case the client implements a "reliable group communication" (as 846 defined in Section 1.3) function using additional, non- 847 standardized functions above the CoAP layer. 849 o IP multicast firmware update by sending blocks of data: Suppress 850 all 2.xx and 5.xx responses. After having sent all IP multicast 851 blocks, the client checks each endpoint by unicast to identify 852 which data blocks are still missing in each endpoint. 854 o Conditional reporting for a group (e.g., sensors) based on a group 855 URI query: Suppress all 2.05 responses with empty payload (i.e., 856 if a query produces no matching results). 858 2.8. Congestion Control 860 CoAP group communication requests may result in a multitude of 861 responses from different nodes, potentially causing congestion. 862 Therefore both the sending of IP multicast requests, and the sending 863 of the unicast CoAP responses to these multicast requests should be 864 conservatively controlled. 866 CoAP [RFC7252] reduces IP multicast-specific congestion risks through 867 the following measures: 869 o A server may choose not to respond to an IP multicast request if 870 there's nothing useful to respond (e.g., error or empty 871 response)(Section 8.2 [RFC7252]). See Section 2.7 for more 872 detailed guidelines on response suppression. 874 o A server should limit the support for IP multicast requests to 875 specific resources where multicast operation is required 876 (Section 11.3 of [RFC7252]). 878 o An IP multicast request must be Non-confirmable (Section 8.1 of 879 [RFC7252]). 881 o A response to an IP multicast request should be Non-confirmable 882 (Section 5.2.3 of [RFC7252]). 884 o A server does not respond immediately to an IP multicast request, 885 and should first wait for a time that is randomly picked within a 886 predetermined time interval called the Leisure (Section 8.2 887 [RFC7252]). 889 Additional guidelines to reduce congestion risks defined in this 890 document are: 892 o A server in an LLN should only support group communication GET for 893 resources that are small. For example, the payload of the 894 response is limited to approximately 5% of the IP Maximum Transmit 895 Unit (MTU) size so it fits into a single link-layer frame in case 896 6LoWPAN (see Section 4 of [RFC4944]) is used. 898 o A server can minimize the payload length in response to a group 899 communication GET on "/.well-known/core" by using hierarchy in 900 arranging link descriptions for the response. An example of this 901 is given in Section 5 of [RFC6690]. 903 o A server can also minimize the payload length of a response to a 904 group communication GET (e.g., on "/.well-known/core") using CoAP 905 blockwise transfers [I-D.ietf-core-block], returning only a first 906 block of the CoRE Link Format description. For this reason, a 907 CoAP client sending an IP multicast CoAP request to "/.well-known/ 908 core" should support core-block. 910 o A client should use CoAP group communication with the smallest 911 possible IP multicast scope that fulfills the application needs. 912 As an example, site-local scope is always preferred over global 913 scope IP multicast if this fulfills the application needs. 915 More guidelines specific to use of CoAP in 6LoWPAN networks [RFC4919] 916 are given in Section 4.5. 918 2.9. Proxy Operation 920 CoAP (Section 5.7.2 of [RFC7252]) allows a client to request a 921 forward-proxy to process its CoAP request. For this purpose the 922 client either specifies the request group URI as a string in the 923 Proxy-URI option, or it specifies the Proxy-Scheme option with the 924 group URI constructed from the usual Uri-* options. This approach 925 works well for unicast requests. However, there are certain issues 926 and limitations of processing the (unicast) responses to a CoAP group 927 communication request made in this manner through a proxy. 929 A proxy may buffer all the individual (unicast) responses to a CoAP 930 group communication request and then send back only a single 931 (aggregated) response to the client. However there are some issues 932 with this aggregation approach: 934 o Aggregation of (unicast) responses to a CoAP group communication 935 request in a proxy is difficult. This is because the proxy does 936 not know how many members there are in the group, or how many 937 group members will actually respond. Also the proxy does not know 938 how long to wait before deciding to send back the aggregated 939 response to the client. 941 o There is no default format defined in CoAP for aggregation of 942 multiple responses into a single response. 944 Alternatively, if a proxy follows directly the specification for a 945 CoAP Proxy (Section 5.7.2 of [RFC7252]), the proxy would simply 946 forward all the individual (unicast) responses to a CoAP group 947 communication request to the client (i.e., no aggregation). There 948 are also issues with this approach: 950 o The client may be confused as it may not have known that the 951 Proxy-URI contained a group URI target. That is, the client may 952 be expecting only one (unicast) response but instead receives 953 multiple (unicast) responses potentially leading to fault 954 conditions in the application. 956 o Each individual CoAP response will appear to originate (IP Source 957 address) from the CoAP Proxy, and not from the server that 958 produced the response. This makes it impossible for the client to 959 identify the server that produced each response. 961 Due to above issues, a CoAP Proxy SHOULD NOT support processing an IP 962 multicast CoAP request but rather return a 501 (Not Implemented) 963 response in such case. The exception case here (i.e., to process it) 964 is allowed if all the following conditions are met: 966 o The CoAP Proxy MUST be explicitly configured (whitelist) to allow 967 proxied IP multicast requests by specific client(s). 969 o The proxy SHOULD return individual (unicast) CoAP responses to the 970 client (i.e., not aggregated). The exception case here occurs 971 when a (future) standardized aggregation format is being used. 973 o It MUST be known to the person/entity doing the configuration of 974 the proxy, or otherwise verified in some way, that the client 975 configured in the whitelist supports receiving multiple responses 976 to a proxied unicast CoAP request. 978 2.10. Exceptions 980 CoAP group communication using IP multicast offers improved network 981 efficiency and latency among other benefits. However, group 982 communication may not always be implementable in a given network. 983 The primary reason for this will be that IP multicast is not (fully) 984 supported in the network. 986 For example, if only the RPL protocol [RFC6550] is used in a network 987 with its optional multicast support disabled, there will be no IP 988 multicast routing at all. The only multicast that works in this case 989 is link-local IPv6 multicast. This implies that any CoAP group 990 communication request will be delivered to nodes on the local link 991 only, regardless of the scope value used in the IPv6 destination 992 address. 994 CoAP Observe [I-D.ietf-core-observe] is a feature for a client to 995 "observe" resources (i.e. to retrieve a representation of a resource 996 and keep this representation updated by the server over a period of 997 time). CoAP Observe does not support a group communication mode. 998 CoAP Observe only supports a unicast mode of operation. 1000 3. Use Cases and Corresponding Protocol Flows 1002 3.1. Introduction 1004 The use of CoAP group communication is shown in the context of the 1005 following two use cases and corresponding protocol flows: 1007 o Discovery of RD [I-D.ietf-core-resource-directory]: discovering 1008 the local CoAP RD which contains links to resources stored on 1009 other CoAP servers [RFC6690]. 1011 o Lighting Control: synchronous operation of a group of 1012 IPv6-connected lights (e.g., 6LoWPAN [RFC4944] lights). 1014 3.2. Network Configuration 1016 To illustrate the use cases we define two IPv6 network 1017 configurations. Both are based on the topology as shown in Figure 1. 1018 The two configurations using this topology are: 1020 1. Subnets are 6LoWPAN networks; the routers Rtr-1 and Rtr-2 are 1021 6LoWPAN Border Routers (6LBRs, [RFC6775]). 1023 2. Subnets are Ethernet links; the routers Rtr-1 and Rtr-2 are 1024 multicast-capable Ethernet routers. 1026 Both configurations are further specified by the following: 1028 o A large room (Room-A) with three lights (Light-1, Light-2, Light- 1029 3) controlled by a Light Switch. The devices are organized into 1030 two subnets. In reality, there could be more lights (up to 1031 several hundreds) but, for clarity, only three are shown. 1033 o Light-1 and the Light Switch are connected to a router (Rtr-1). 1035 o Light-2 and the Light-3 are connected to another router (Rtr-2). 1037 o The routers are connected to an IPv6 network backbone which is 1038 also multicast enabled. In the general case, this means the 1039 network backbone and Rtr-1/Rtr-2 support a PIM based multicast 1040 routing protocol, and Multicast Listener Discovery (MLD) for 1041 forming groups. 1043 o A CoAP RD is connected to the network backbone. 1045 o The DNS server is optional. If the server is there (connected to 1046 the network backbone) then certain DNS based features are 1047 available (e.g., DNS resolution of hostname to IP multicast 1048 address). If the DNS server is not there, then different 1049 provisioning of the network is required (e.g., IP multicast 1050 addresses are hard-coded into devices, or manually configured, or 1051 obtained via a service discovery method). 1053 o A Controller (CoAP client) is connected to the backbone, which is 1054 able to control various building functions including lighting. 1056 ################################################ 1057 # ********************** Room-A # 1058 # ** Subnet-1 ** # Network 1059 # * ** # Backbone 1060 # * +----------+ * # | 1061 # * | Light |-------+ * # | 1062 # * | Switch | | * # | 1063 # * +----------+ +---------+ * # | 1064 # * | Rtr-1 |-----------------------------+ 1065 # * +---------+ * # | 1066 # * +----------+ | * # | 1067 # * | Light-1 |--------+ * # | 1068 # * +----------+ * # | 1069 # ** ** # | 1070 # ************************** # | 1071 # # | 1072 # ********************** # +------------+ | 1073 # ** Subnet-2 ** # | DNS Server | | 1074 # * ** # | (Optional) |--+ 1075 # * +----------+ * # +------------+ | 1076 # * | Light-2 |-------+ * # | 1077 # * | | | * # | 1078 # * +----------+ +---------+ * # | 1079 # * | Rtr-2 |-----------------------------+ 1080 # * +---------+ * # | 1081 # * +----------+ | * # | 1082 # * | Light-3 |--------+ * # | 1083 # * +----------+ * # +------------+ | 1084 # ** ** # | Controller |--+ 1085 # ************************** # | Client | | 1086 ################################################ +------------+ | 1087 +------------+ | 1088 | CoAP | | 1089 | Resource |-----------------+ 1090 | Directory | 1091 +------------+ 1093 Figure 1: Network Topology of a Large Room (Room-A) 1095 3.3. Discovery of Resource Directory 1097 The protocol flow for discovery of the CoAP RD for the given network 1098 (of Figure 1) is shown in Figure 2: 1100 o Light-2 is installed and powered on for the first time. 1102 o Light-2 will then search for the local CoAP RD by sending out a 1103 group communication GET request (with the "/.well-known/ 1104 core?rt=core.rd" request URI) to the site-local "All CoAP Nodes" 1105 multicast address (FF05:::FD). 1107 o This multicast message will then go to each node in subnet-2. 1108 Rtr-2 will then forward it into to the Network Backbone where it 1109 will be received by the CoAP RD. All other nodes in subnet-2 will 1110 ignore the group communication GET request because it is qualified 1111 by the query string "?rt=core.rd" (which indicates it should only 1112 be processed by the endpoint if it contains a resource of type 1113 "core.rd"). 1115 o The CoAP RD will then send back a unicast response containing the 1116 requested content, which is a CoRE Link Format representation of a 1117 resource of type "core.rd". 1119 o Note that the flow is shown only for Light-2 for clarity. Similar 1120 flows will happen for Light-1, Light-3 and the Light Switch when 1121 they are first installed. 1123 The CoAP RD may also be discovered by other means such as by assuming 1124 a default location (e.g., on a 6LBR), using DHCP, anycast address, 1125 etc. However, these approaches do not invoke CoAP group 1126 communication so are not further discussed here. (See 1127 [I-D.ietf-core-resource-directory] for more details). 1129 For other discovery use cases such as discovering local CoAP servers, 1130 services or resources, CoAP group communication can be used in a 1131 similar fashion as in the above use case. For example, Link-Local 1132 (LL), admin-local or site-local scoped discovery can be done this 1133 way. 1135 Light CoAP 1136 Light-1 Light-2 Light-3 Switch Rtr-1 Rtr-2 RD 1137 | | | | | | | 1138 | | | | | | | 1139 ********************************** | | | 1140 * Light-2 is installed * | | | 1141 * and powers on for first time * | | | 1142 ********************************** | | | 1143 | | | | | | | 1144 | | | | | | | 1145 | | COAP NON Mcast(GET | | 1146 | | /.well-known/core?rt=core.rd) | | 1147 | |--------->-------------------------------->| | 1148 | | | | | |--------->| 1149 | | | | | | | 1150 | | | | | | | 1151 | | COAP NON (2.05 Content | | 1152 | | ;rt="core.rd";ins="Primary") |<---------| 1153 | |<------------------------------------------| | 1154 | | | | | | | 1156 Figure 2: Resource Directory Discovery via Multicast Request 1158 3.4. Lighting Control 1160 The protocol flow for a building automation lighting control scenario 1161 for the network (Figure 1) is shown in Figure 3. The network is 1162 assumed to be in a 6LoWPAN configuration. Also, it is assumed that 1163 the CoAP servers in each Light are configured to suppress CoAP 1164 responses for any IP multicast CoAP requests related to lighting 1165 control. (See Section 2.7 for more details on response suppression 1166 by a server.) 1168 In addition, Figure 4 shows a protocol flow example for the case that 1169 servers do respond to a lighting control IP multicast request with 1170 (unicast) CoAP NON responses. There are two success responses and 1171 one 5.00 error response. In this particular case, the Light Switch 1172 does not check that all Lights in the group received the IP multicast 1173 request by examining the responses. This is because the Light Switch 1174 is not configured with an exhaustive list of the IP addresses of all 1175 Lights belonging to the group. However, based on received error 1176 responses it could take additional action such as logging a fault or 1177 alerting the user via its LCD display. In case a CoAP message is 1178 delivered multiple times to a Light, the subsequent CoAP messages can 1179 be filtered out as duplicates, based on the CoAP Message ID. 1181 Reliability of IP multicast is not guaranteed. Therefore, one or 1182 more lights in the group may not have received the CoAP control 1183 request due to packet loss. In this use case there is no detection 1184 nor correction of such situations: the application layer expects that 1185 the IP multicast forwarding/routing will be of sufficient quality to 1186 provide on average a very high probability of packet delivery to all 1187 CoAP endpoints in an IP multicast group. An example protocol to 1188 accomplish this using randomized retransmission is the MPL forwarding 1189 protocol for LLNs [I-D.ietf-roll-trickle-mcast]. 1191 We assume the following steps have already occurred before the 1192 illustrated flows: 1194 1) Startup phase: 6LoWPANs are formed. IPv6 addresses assigned to 1195 all devices. The CoAP network is formed. 1197 2) Network configuration (application-independent): 6LBRs are 1198 configured with IP multicast addresses, or address blocks, to 1199 filter out or to pass through to/from the 6LoWPAN. 1201 3a) Commissioning phase (application-related): The IP multicast 1202 address of the group (Room-A-Lights) has been configured in all 1203 the Lights and in the Light Switch. 1205 3b) As an alternative to the previous step, when a DNS server is 1206 available, the Light Switch and/or the Lights have been configured 1207 with a group hostname which each nodes resolves to the above IP 1208 multicast address of the group. 1210 Note for the Commissioning phase: the switch's 6LoWPAN/CoAP software 1211 stack supports sending unicast, multicast or proxied unicast CoAP 1212 requests, including processing of the multiple responses that may be 1213 generated by an IP multicast CoAP request. 1215 Light Network 1216 Light-1 Light-2 Light-3 Switch Rtr-1 Rtr-2 Backbone 1217 | | | | | | | 1218 | | | | | | | 1219 | | *********************** | | 1220 | | * User flips on * | | 1221 | | * light switch to * | | 1222 | | * turn on all the * | | 1223 | | * lights in Room A * | | 1224 | | *********************** | | 1225 | | | | | | | 1226 | | | | | | | 1227 | | | COAP NON Mcast(PUT, | | 1228 | | | Payload=lights ON) | | 1229 |<-------------------------------+--------->| | | 1230 ON | | | |-------------------->| 1231 | | | | | |<---------| 1232 | |<---------|<-------------------------------| | 1233 | ON ON | | | | 1234 ^ ^ ^ | | | | 1235 *********************** | | | | 1236 * Lights in Room-A * | | | | 1237 * turn on (nearly * | | | | 1238 * simultaneously) * | | | | 1239 *********************** | | | | 1240 | | | | | | | 1242 Figure 3: Light Switch Sends Multicast Control Message 1243 Light Network 1244 Light-1 Light-2 Light-3 Switch Rtr-1 Rtr-2 Backbone 1245 | | | | | | | 1246 | COAP NON (2.04 Changed) | | | | 1247 |------------------------------->| | | | 1248 | | | | | | | 1249 | | | | | | | 1250 | COAP NON (2.04 Changed) | | | 1251 | |------------------------------------------>| | 1252 | | | | | |--------->| 1253 | | | | |<--------------------| 1254 | | | |<---------| | | 1255 | | | | | | | 1256 | | COAP NON (5.00 Internal Server Error) | 1257 | | |------------------------------->| | 1258 | | | | | |--------->| 1259 | | | | |<--------------------| 1260 | | | |<---------| | | 1261 | | | | | | | 1263 Figure 4: Lights (Optionally) Respond to Multicast CoAP Request 1265 Another, but similar, lighting control use case is shown in Figure 5. 1266 In this case a controller connected to the Network Backbone sends a 1267 CoAP group communication request to turn on all lights in Room-A. 1268 Every Light sends back a CoAP response to the Controller after being 1269 turned on. 1271 Network 1272 Light-1 Light-2 Light-3 Rtr-1 Rtr-2 Backbone Controller 1273 | | | | | | | 1274 | | | | | COAP NON Mcast(PUT, 1275 | | | | | Payload=lights ON) 1276 | | | | | |<-------| 1277 | | | |<----------<---------| | 1278 |<--------------------------------| | | | 1279 ON | | | | | | 1280 | |<----------<---------------------| | | 1281 | ON ON | | | | 1282 ^ ^ ^ | | | | 1283 *********************** | | | | 1284 * Lights in Room-A * | | | | 1285 * turn on (nearly * | | | | 1286 * simultaneously) * | | | | 1287 *********************** | | | | 1288 | | | | | | | 1289 | | | | | | | 1290 | COAP NON (2.04 Changed) | | | | 1291 |-------------------------------->| | | | 1292 | | | |-------------------->| | 1293 | | COAP NON (2.04 Changed) | |------->| 1294 | |-------------------------------->| | | 1295 | | | | |--------->| | 1296 | | | COAP NON (2.04 Changed) |------->| 1297 | | |--------------------->| | | 1298 | | | | |--------->| | 1299 | | | | | |------->| 1300 | | | | | | | 1302 Figure 5: Controller On Backbone Sends Multicast Control Message 1304 3.5. Lighting Control in MLD Enabled Network 1306 The use case of previous section can also apply in networks where 1307 nodes support the MLD protocol [RFC3810]. The Lights then take on 1308 the role of MLDv2 listener and the routers (Rtr-1, Rtr-2) are MLDv2 1309 Routers. In the Ethernet based network configuration, MLD may be 1310 available on all involved network interfaces. Use of MLD in the 1311 6LoWPAN based configuration is also possible, but requires MLD 1312 support in all nodes in the 6LoWPAN. In current 6LoWPAN 1313 implementations, MLD is however not supported. 1315 The resulting protocol flow is shown in Figure 6. This flow is 1316 executed after the commissioning phase, as soon as Lights are 1317 configured with a group address to listen to. The (unicast) MLD 1318 Reports may require periodic refresh activity as specified by the MLD 1319 protocol. In the figure, LL denotes Link Local communication. 1321 After the shown sequence of MLD Report messages has been executed, 1322 both Rtr-1 and Rtr-2 are automatically configured to forward IP 1323 multicast traffic destined to Room-A-Lights onto their connected 1324 subnet. Hence, no manual Network Configuration of routers, as 1325 previously indicated in Section 3.4, is needed anymore. 1327 Light Network 1328 Light-1 Light-2 Light-3 Switch Rtr-1 Rtr-2 Backbone 1329 | | | | | | | 1330 | | | | | | | 1331 | | | | | | | 1332 | MLD Report: Join | | | | | 1333 | Group (Room-A-Lights) | | | | 1334 |---LL------------------------------------->| | | 1335 | | | | |MLD Report: Join | 1336 | | | | |Group (Room-A-Lights)| 1337 | | | | |---LL---->----LL---->| 1338 | | | | | | | 1339 | | MLD Report: Join | | | | 1340 | | Group (Room-A-Lights) | | | 1341 | |---LL------------------------------------->| | 1342 | | | | | | | 1343 | | | MLD Report: Join | | | 1344 | | | Group (Room-A-Lights) | | 1345 | | |---LL-------------------------->| | 1346 | | | | | | | 1347 | | | | |MLD Report: Join | 1348 | | | | |Group (Room-A-Lights)| 1349 | | | | |<--LL-----+---LL---->| 1350 | | | | | | | 1351 | | | | | | | 1353 Figure 6: Joining Lighting Groups Using MLD 1355 3.6. Commissioning the Network Based On Resource Directory 1357 This section outlines how devices in the lighting use case (both 1358 Switches and Lights) can be commissioned, making use of Resource 1359 Directory [I-D.ietf-core-resource-directory] and its group 1360 configuration feature. 1362 Once the Resource Directory (RD) is discovered, the Switches and 1363 Lights need to be discovered and their groups need to be defined. 1365 For the commissioning of these devices, a commissioning tool can be 1366 used that defines the entries in the RD. The commissioning tool has 1367 the authority to change the contents of the RD and the Light/Switch 1368 nodes. DTLS-based unicast security is used by the commissioning tool 1369 to modify operational data in RD, Switches and Lights. 1371 In our particular use case, a group of three lights is defined with 1372 one IP multicast address and hostname: 1374 "Room-A-Lights.floor1.west.bldg6.example.com" 1376 The commissioning tool has a list of the three lights and the 1377 associated IP multicast address. For each light in the list the tool 1378 learns the IP address of the light and instructs the RD with three 1379 (unicast) POST commands to store the endpoints associated with the 1380 three lights as prescribed by the RD specification 1381 [I-D.ietf-core-resource-directory]. Finally the commissioning tool 1382 defines the group in the RD to contain these three endpoints. Also 1383 the commissioning tool writes the IP multicast address in the Light 1384 endpoints with, for example, the (unicast) POST command discussed in 1385 Section 2.6.2.2. 1387 The light switch can discover the group in RD and thus learn the IP 1388 multicast address of the group. The light switch will use this 1389 address to send CoAP group communication requests to the members of 1390 the group. When the message arrives the Lights should recognize the 1391 IP multicast address and accept the message. 1393 4. Deployment Guidelines 1395 This section provides guidelines how IP multicast based CoAP group 1396 communication can be deployed in various network configurations. 1398 4.1. Target Network Topologies 1400 CoAP group communication can be deployed in various network 1401 topologies. First, the target network may be a traditional IP 1402 network, or a LLN such as a 6LoWPAN network, or consist of mixed 1403 traditional/constrained network segments. Second, it may be a single 1404 subnet only or multi-subnet; e.g., multiple 6LoWPAN networks joined 1405 by a single backbone LAN. Third, a wireless network segment may have 1406 all its nodes reachable in a single IP hop (fully connected), or it 1407 may require multiple IP hops for some pairs of nodes to reach each 1408 other. 1410 Each topology may pose different requirements on the configuration of 1411 routers and protocol(s), in order to enable efficient CoAP group 1412 communication. To enable all the above target network topologies, an 1413 implementation of CoAP group communication needs to allow: 1415 1. Routing/forwarding of IP multicast packets over multiple hops 1417 2. Routing/forwarding of IP multicast packets over subnet boundaries 1418 between traditional and constrained (e.g., LLN) networks. 1420 The remainder of this section discusses solutions to enable both 1421 features. 1423 4.2. Networks Using the MLD Protocol 1425 CoAP nodes that are IP hosts (i.e., not IP routers) are generally 1426 unaware of the specific IP multicast routing/forwarding protocol 1427 being used. When such a host needs to join a specific (CoAP) 1428 multicast group, it requires a way to signal to IP multicast routers 1429 which IP multicast traffic it wants to receive. 1431 The Multicast Listener Discovery (MLD) protocol [RFC3810] (see 1432 Appendix A) is the standard IPv6 method to achieve this; therefore 1433 this approach should be used on traditional IP networks. CoAP server 1434 nodes would then act in the role of MLD Multicast Address Listener. 1436 The guidelines from [RFC6636] on tuning of MLD for mobile and 1437 wireless networks may be useful when implementing MLD in LLNs. 1438 However, on LLNs and 6LoWPAN networks the use of MLD may not be 1439 feasible at all due to constraints on code size, memory, or network 1440 capacity. 1442 4.3. Networks Using RPL Multicast Without MLD 1444 It is assumed in this section that the MLD protocol is not 1445 implemented in a network, for example, due to resource constraints. 1446 The RPL routing protocol (see Section 12 of [RFC6550]) defines the 1447 advertisement of IP multicast destinations using Destination 1448 Advertisement Object (DAO) messages and routing of multicast IPv6 1449 packets based on this. It requires the RPL Mode of Operation to be 3 1450 (Storing Mode with multicast support). 1452 Hence, RPL DAO can be used by CoAP nodes that are RPL Routers, or are 1453 RPL Leaf Nodes, to advertise IP multicast group membership to parent 1454 routers. Then, the RPL protocol is used to route IP multicast CoAP 1455 requests over multiple hops to the correct CoAP servers. 1457 The same DAO mechanism can be used to convey IP multicast group 1458 membership information to an edge router (e.g., 6LBR), in case the 1459 edge router is also the root of the RPL DODAG. This is useful 1460 because the edge router then learns which IP multicast traffic it 1461 needs to pass through from the backbone network into the LLN subnet. 1462 In 6LoWPAN networks, such selective "filtering" helps to avoid 1463 congestion of a 6LoWPAN subnet by IP multicast traffic from the 1464 traditional backbone IP network. 1466 4.4. Networks Using MPL Forwarding Without MLD 1468 The MPL forwarding protocol [I-D.ietf-roll-trickle-mcast] can be used 1469 for propagation of IPv6 multicast packets to all MPL Forwarders 1470 within a predefined network domain, over multiple hops. MPL is 1471 designed to work in LLNs. In this section it is again assumed that 1472 Multicast Listener Discovery (MLD) is not implemented in the network, 1473 for example, due to resource limitations in an LLN. 1475 The purpose of MPL is to let a predefined group of Forwarders 1476 collectively work towards the goal of distributing an IPv6 multicast 1477 packet throughout an MPL Domain. (A Forwarder node may be associated 1478 to multiple MPL Domains at the same time.) So it would appear there 1479 is no need for CoAP servers to advertise their multicast group 1480 membership, since any IP multicast packet that enters the MPL Domain 1481 is distributed to all MPL Forwarders without regard to what multicast 1482 addresses the individual nodes are listening to. 1484 However, if an IP multicast request originates just outside the MPL 1485 Domain, the request will not be propagated by MPL. An example of 1486 such a case is the network topology of Figure 1 where the Subnets are 1487 6LoWPAN subnets and per 6LoWPAN subnet one Realm-Local 1488 ([I-D.droms-6man-multicast-scopes]) MPL Domain is defined. The 1489 backbone network in this case is not part of any MPL Domain. 1491 This situation can become a problem in building control use cases. 1492 For example, when the Controller Client needs to send a single IP 1493 multicast request to the group Room-A-Lights. By default, the 1494 request would be blocked by Rtr-1 and by Rtr-2, and not enter the 1495 Realm-Local MPL Domains associated to Subnet-1 and Subnet-2. The 1496 reason is that Rtr-1 and Rtr-2 do not have the knowledge that devices 1497 in Subnet-1/2 want to listen for IP packets destined to IP multicast 1498 group Room-A-Lights. 1500 To solve the above issue, the following solutions could be applied: 1502 1. Extend the MPL Domain. E.g. in above example, include the 1503 Network Backbone to be part of each of the two MPL Domains. Or 1504 in above example, create just a single MPL Domain that includes 1505 both 6LoWPAN subnets plus the backbone link, which is possible 1506 since MPL is not tied to a single link-layer technology. 1508 2. Manual configuration of edge router(s) as MPL Seed(s) for 1509 specific IP multicast traffic. In the above example, this could 1510 be done through the following three steps: First, configure Rtr-1 1511 and Rtr-2 to act as MLD Address Listeners for the Room-A-Lights 1512 IP multicast group. This step allows any (other) routers on the 1513 backbone to learn that at least one node on the backbone link is 1514 interested to receive any IP multicast traffic to Room-A-Lights. 1515 Second, configure both routers to "inject" any IP multicast 1516 packets destined to group Room-A-Lights into the (Realm-Local) 1517 MPL Domain that is associated to that router. Third, configure 1518 both routers to propagate any IPv6 multicast packets originating 1519 from within their associated MPL Domain to the backbone, if at 1520 least one node on the backbone has indicated interest to receive 1521 such IPv6 packets (for which MLD is used on the backbone). 1523 3. Use an additional protocol/mechanism for injection of IP 1524 multicast traffic from outside an MPL Domain into that MPL 1525 Domain, based on IP multicast group subscriptions of Forwarders 1526 within the MPL Domain. Such protocol is currently not defined in 1527 [I-D.ietf-roll-trickle-mcast]. 1529 Concluding, MPL can be used directly in case all sources of IP 1530 multicast CoAP requests (CoAP clients) and also all the destinations 1531 (CoAP servers) are inside a single MPL Domain. Then, each source 1532 node acts as an MPL Seed. In all other cases, MPL can only be used 1533 with additional protocols and/or configuration on how IP multicast 1534 packets can be injected from outside into an MPL Domain. 1536 4.5. 6LoWPAN Specific Guidelines for the 6LBR 1538 To support multi-subnet scenarios for CoAP group communication, it is 1539 recommended that a 6LoWPAN Border Router (6LBR) will act in an MLD 1540 Router role on the backbone link. If this is not possible then the 1541 6LBR should be configured to act as an MLD Multicast Address Listener 1542 (see Appendix A) on the backbone link. 1544 5. Security Considerations 1546 This section describes the relevant security configuration for CoAP 1547 group communication using IP multicast. The threats to CoAP group 1548 communication are also identified and various approaches to mitigate 1549 these threats are summarized. 1551 5.1. Security Configuration 1553 As defined in Sections 8.1 and 9.1 of [RFC7252], CoAP group 1554 communication based on IP multicast: 1556 o Will operate in CoAP NoSec (No Security) mode, until a future 1557 group security solution is developed (see also Section 5.3.3). 1559 o Will use the "coap" scheme. The "coaps" scheme should only be 1560 used when a future group security solution is developed (see also 1561 Section 5.3.3). 1563 Essentially the above configuration means that there is currently no 1564 security at the CoAP layer for group communication. Therefore, for 1565 sensitive and mission critical applications (e.g., health monitoring 1566 systems, alarm monitoring systems) it is currently recommended to 1567 deploy CoAP group communication with an application-layer security 1568 mechanism (e.g, data object security) for improved security. 1570 Application level security has many desirable properties including 1571 maintaining security properties while forwarding traffic through 1572 intermediaries (proxies). Application level security also tends to 1573 more cleanly separate security from the dynamics of group membership 1574 (e.g., the problem of distributing security keys across large groups 1575 with many members that come and go). 1577 Without application-layer security, CoAP group communication should 1578 only be currently deployed in non-critical applications (e.g., read- 1579 only temperature sensors). Only when security solutions at the CoAP 1580 layer are mature enough (see Section 5.3.3) should CoAP group 1581 communication without application-layer security be considered for 1582 sensitive and mission-critical applications. 1584 5.2. Threats 1586 As noted above, there is currently no security at the CoAP layer for 1587 group communication. This is due to the fact that the current DTLS- 1588 based approach for CoAP is exclusively unicast oriented and does not 1589 support group security features such as group key exchange and group 1590 authentication. As a direct consequence of this, CoAP group 1591 communication is vulnerable to all attacks mentioned in Section 11 of 1592 [RFC7252] for IP multicast. 1594 5.3. Threat Mitigation 1596 Section 11 of [RFC7252] identifies various threat mitigation 1597 techniques for CoAP group communication. In addition to those 1598 guidelines, it is recommended that for sensitive data or safety- 1599 critical control, a combination of appropriate link-layer security 1600 and administrative control of IP multicast boundaries should be used. 1601 Some examples are given below. 1603 5.3.1. WiFi Scenario 1605 In a home automation scenario (using WiFi), the WiFi encryption 1606 should be enabled to prevent rogue nodes from joining. The Customer 1607 Premise Equipment (CPE) that enables access to the Internet should 1608 also have its IP multicast filters set so that it enforces multicast 1609 scope boundaries to isolate local multicast groups from the rest of 1610 the Internet (e.g., as per [RFC6092]). In addition, the scope of the 1611 IP multicast should be set to be site-local or smaller scope. For 1612 site-local scope, the CPE will be an appropriate multicast scope 1613 boundary point. 1615 5.3.2. 6LoWPAN Scenario 1617 In a building automation scenario, a particular room may have a 1618 single 6LoWPAN network with a single Edge Router (6LBR). Nodes on 1619 the subnet can use link-layer encryption to prevent rogue nodes from 1620 joining. The 6LBR can be configured so that it blocks any incoming 1621 (6LoWPAN-bound) IP multicast traffic. Another example topology could 1622 be a multi-subnet 6LoWPAN in a large conference room. In this case, 1623 the backbone can implement port authentication (IEEE 802.1X) to 1624 ensure only authorized devices can join the Ethernet backbone. The 1625 access router to this secured network segment can also be configured 1626 to block incoming IP multicast traffic. 1628 5.3.3. Future Evolution 1630 In the future, to further mitigate the threats, security enhancements 1631 need to be developed at IETF for group communications. This will 1632 allow introduction of a secure mode of CoAP group communication, and 1633 use of the "coaps" scheme for that purpose. 1635 At the time of writing of this specification, there are various 1636 approaches being considered for security enhancements for group 1637 communications. Specifically, a lot of the current effort at IETF is 1638 geared towards developing a DTLS-based group communication. This is 1639 primarily motivated by the fact that the unicast CoAP security is 1640 DTLS-based (Section 9.1 of [RFC7252]. For example, 1641 [I-D.keoh-dice-multicast-security] proposes a DTLS-based IP multicast 1642 security. However, it is too early to conclude if this is the best 1643 approach. Alternatively, 1644 [I-D.mglt-dice-ipsec-for-application-payload] proposes an IPSec-based 1645 IP multicast security. This approach also needs further 1646 investigation and validation. 1648 5.4. Monitoring Considerations 1650 5.4.1. General Monitoring 1652 CoAP group communication is meant to be used to control a set of 1653 related devices (e.g., simultaneously turn on all the lights in a 1654 room). This intrinsically exposes the group to some unique 1655 monitoring risks that solitary devices (i.e., devices not in a group) 1656 are not as vulnerable to. For example, assume an attacker is able to 1657 physically see a set of lights turn on in a room. Then the attacker 1658 can correlate a CoAP group communication message to that easily 1659 observable coordinated group action even if the contents of the 1660 message are encrypted by a future security solution (see 1661 Section 5.3.3). This will give the attacker side channel information 1662 to plan further attacks (e.g. by determining the members of the group 1663 then some network topology information may be deduced). 1665 One mitigation to group communication monitoring risks that should be 1666 explored in the future is methods to de-correlate coordinated group 1667 actions. For example, if a CoAP group communication GET is sent to 1668 all the alarm sensors in a house, then their (unicast) responses 1669 should be as de-correlated as possible. This will introduce greater 1670 entropy into the system and will make it harder for an attacker to 1671 monitor and gather side channel information. 1673 5.4.2. Pervasive Monitoring 1675 A key additional threat consideration for group communication is 1676 pointed to by [RFC7258] which warns of the dangers of pervasive 1677 monitoring. CoAP group communication solutions which are built on 1678 top of IP multicast need to pay particular heed to these dangers. 1679 This is because IP multicast is easier to intercept (e.g., and to 1680 secretly record) compared to unicast traffic. Also, CoAP traffic is 1681 meant for the Internet of Things. This means that CoAP traffic (once 1682 future security solutions are developed as in Section 5.3.3) may be 1683 used for the control and monitoring of critical infrastructure (e.g., 1684 lights, alarms, etc.) which may be prime targets for attack. 1686 For example, an attacker may attempt to record all the CoAP traffic 1687 going over the smart grid (i.e., networked electrical utility) of a 1688 country and try to determine critical nodes for further attacks. For 1689 example, the source node (controller) sending out the CoAP group 1690 communication messages. CoAP multicast traffic is inherently more 1691 vulnerable (compared to a unicast packet) as the same packet may be 1692 replicated over many links so there is a much higher probability of 1693 it getting captured by a pervasive monitoring system. 1695 One useful mitigation to pervasive monitoring is to restrict the 1696 scope of the IP multicast to the minimal scope that fulfills the 1697 application need. Thus, for example, site-local IP multicast scope 1698 is always preferred over global scope IP multicast if this fulfills 1699 the application needs. This approach has the added advantage that it 1700 coincides with the guidelines for minimizing congestion control (see 1701 Section 2.8. 1703 In the future, even if all the CoAP multicast traffic is encrypted, 1704 an attacker may still attempt to capture the traffic and perform an 1705 off-line attack. Though of course having the multicast traffic 1706 protected is always desirable as it significantly raises the cost to 1707 an attacker (e.g., to break the encryption) versus unprotected 1708 multicast traffic. 1710 6. IANA Considerations 1712 6.1. New 'core.gp' Resource Type 1714 This memo registers a new resource type (rt) from the CoRE Parameters 1715 Registry called 'core.gp'. 1717 (Note to IANA/RFC Editor: This registration follows the process 1718 described in section 7.4 of [RFC6690]). 1720 Attribute Value: core.gp 1722 Description: Group Configuration resource. This resource is used to 1723 query/manage the group membership of a CoAP server. 1725 Reference: See Section 2.6.2. 1727 6.2. New 'coap-group+json' Internet Media Type 1729 This memo registers a new Internet Media Type for CoAP group 1730 configuration resource called 'application/coap-group+json'. 1732 (Note to IANA/RFC Editor: This registration follows the guidance from 1733 [RFC6838], and (last paragraph) of Section 12.3 of [RFC7252]. 1735 Type name: application 1737 Subtype name: coap-group+json 1739 Required parameters: None 1741 Optional parameters: None 1742 Encoding considerations: 8bit UTF-8. 1744 JSON to be represented using UTF-8 which is 8bit compatible (and most 1745 efficient for resource constrained implementations). 1747 Security considerations: 1749 Denial of Service attacks could be performed by constantly 1750 (re-)setting the group configuration resource of a CoAP endpoint to 1751 different values. This will cause the endpoint to register (or de- 1752 register) from the related IP multicast group. To prevent this it is 1753 recommended that a form of authorization (making use of unicast DTLS- 1754 secured CoAP) be used such that only authorized controllers are 1755 allowed by an endpoint to configure its group membership. 1757 Interoperability considerations: None 1759 Published specification: (This I-D when it becomes an RFC) 1761 Applications that use this media type: 1763 CoAP client and server implementations that wish to set/read the 1764 group configuration resource via 'application/coap-group+json' 1765 payload as described in Section 2.6.2. 1767 Fragment identifier considerations: N/A 1769 Additional Information: 1771 Deprecated alias names for this type: None 1773 Magic number(s): None 1775 File extension(s): *.json 1777 Macintosh file type code(s): TEXT 1779 Person and email address to contact for further information: Esko 1780 Dijk ("Esko.Dijk@Philips.com") 1782 Intended usage: COMMON 1784 Restrictions on usage: None 1786 Author: CoRE WG 1788 Change controller: IETF 1789 Provisional registration? (standards tree only): N/A 1791 7. Acknowledgements 1793 Thanks to Jari Arkko, Peter Bigot, Anders Brandt, Ben Campbell, 1794 Angelo Castellani, Alissa Cooper, Spencer Dawkins, Badis Djamaa, 1795 Adrian Farrel, Stephen Farrell, Thomas Fossati, Brian Haberman, 1796 Bjoern Hoehrmann, Matthias Kovatsch, Guang Lu, Salvatore Loreto, 1797 Kerry Lynn, Andrew McGregor, Kathleen Moriarty, Pete Resnick, Dale 1798 Seed, Martin Stiemerling, Zach Shelby, Peter van der Stok, Gengyu 1799 Wei, and Juan Carlos Zuniga for their helpful comments and 1800 discussions that have helped shape this document. 1802 Special thanks to Carsten Bormann and Barry Leiba for their extensive 1803 and thoughtful Chair and AD reviews of the document. Their reviews 1804 helped to immeasurably improve the document quality. 1806 8. References 1808 8.1. Normative References 1810 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1811 Requirement Levels", BCP 14, RFC 2119, March 1997. 1813 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for 1814 specifying the location of services (DNS SRV)", RFC 2782, 1815 February 2000. 1817 [RFC3376] Cain, B., Deering, S., Kouvelas, I., Fenner, B., and A. 1818 Thyagarajan, "Internet Group Management Protocol, Version 1819 3", RFC 3376, October 2002. 1821 [RFC3433] Bierman, A., Romascanu, D., and K. Norseth, "Entity Sensor 1822 Management Information Base", RFC 3433, December 2002. 1824 [RFC3542] Stevens, W., Thomas, M., Nordmark, E., and T. Jinmei, 1825 "Advanced Sockets Application Program Interface (API) for 1826 IPv6", RFC 3542, May 2003. 1828 [RFC3810] Vida, R. and L. Costa, "Multicast Listener Discovery 1829 Version 2 (MLDv2) for IPv6", RFC 3810, June 2004. 1831 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 1832 Resource Identifier (URI): Generic Syntax", STD 66, RFC 1833 3986, January 2005. 1835 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 1836 Architecture", RFC 4291, February 2006. 1838 [RFC4601] Fenner, B., Handley, M., Holbrook, H., and I. Kouvelas, 1839 "Protocol Independent Multicast - Sparse Mode (PIM-SM): 1840 Protocol Specification (Revised)", RFC 4601, August 2006. 1842 [RFC4919] Kushalnagar, N., Montenegro, G., and C. Schumacher, "IPv6 1843 over Low-Power Wireless Personal Area Networks (6LoWPANs): 1844 Overview, Assumptions, Problem Statement, and Goals", RFC 1845 4919, August 2007. 1847 [RFC4944] Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler, 1848 "Transmission of IPv6 Packets over IEEE 802.15.4 1849 Networks", RFC 4944, September 2007. 1851 [RFC5110] Savola, P., "Overview of the Internet Multicast Routing 1852 Architecture", RFC 5110, January 2008. 1854 [RFC5771] Cotton, M., Vegoda, L., and D. Meyer, "IANA Guidelines for 1855 IPv4 Multicast Address Assignments", BCP 51, RFC 5771, 1856 March 2010. 1858 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 1859 Address Text Representation", RFC 5952, August 2010. 1861 [RFC6092] Woodyatt, J., "Recommended Simple Security Capabilities in 1862 Customer Premises Equipment (CPE) for Providing 1863 Residential IPv6 Internet Service", RFC 6092, January 1864 2011. 1866 [RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., 1867 Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. 1868 Alexander, "RPL: IPv6 Routing Protocol for Low-Power and 1869 Lossy Networks", RFC 6550, March 2012. 1871 [RFC6636] Asaeda, H., Liu, H., and Q. Wu, "Tuning the Behavior of 1872 the Internet Group Management Protocol (IGMP) and 1873 Multicast Listener Discovery (MLD) for Routers in Mobile 1874 and Wireless Networks", RFC 6636, May 2012. 1876 [RFC6690] Shelby, Z., "Constrained RESTful Environments (CoRE) Link 1877 Format", RFC 6690, August 2012. 1879 [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service 1880 Discovery", RFC 6763, February 2013. 1882 [RFC6775] Shelby, Z., Chakrabarti, S., Nordmark, E., and C. Bormann, 1883 "Neighbor Discovery Optimization for IPv6 over Low-Power 1884 Wireless Personal Area Networks (6LoWPANs)", RFC 6775, 1885 November 2012. 1887 [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type 1888 Specifications and Registration Procedures", BCP 13, RFC 1889 6838, January 2013. 1891 [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data 1892 Interchange Format", RFC 7159, March 2014. 1894 [RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol 1895 (HTTP/1.1): Message Syntax and Routing", RFC 7230, June 1896 2014. 1898 [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained 1899 Application Protocol (CoAP)", RFC 7252, June 2014. 1901 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an 1902 Attack", BCP 188, RFC 7258, May 2014. 1904 [RFC7320] Nottingham, M., "URI Design and Ownership", BCP 190, RFC 1905 7320, July 2014. 1907 8.2. Informative References 1909 [RFC1033] Lottor, M., "Domain administrators operations guide", RFC 1910 1033, November 1987. 1912 [RFC4605] Fenner, B., He, H., Haberman, B., and H. Sandick, 1913 "Internet Group Management Protocol (IGMP) / Multicast 1914 Listener Discovery (MLD)-Based Multicast Forwarding 1915 ("IGMP/MLD Proxying")", RFC 4605, August 2006. 1917 [RFC5740] Adamson, B., Bormann, C., Handley, M., and J. Macker, 1918 "NACK-Oriented Reliable Multicast (NORM) Transport 1919 Protocol", RFC 5740, November 2009. 1921 [I-D.ietf-core-block] 1922 Bormann, C. and Z. Shelby, "Blockwise transfers in CoAP", 1923 draft-ietf-core-block-15 (work in progress), July 2014. 1925 [I-D.ietf-core-resource-directory] 1926 Shelby, Z., Bormann, C., and S. Krco, "CoRE Resource 1927 Directory", draft-ietf-core-resource-directory-01 (work in 1928 progress), December 2013. 1930 [I-D.ietf-core-observe] 1931 Hartke, K., "Observing Resources in CoAP", draft-ietf- 1932 core-observe-14 (work in progress), June 2014. 1934 [I-D.ietf-roll-trickle-mcast] 1935 Hui, J. and R. Kelsey, "Multicast Protocol for Low power 1936 and Lossy Networks (MPL)", draft-ietf-roll-trickle- 1937 mcast-09 (work in progress), April 2014. 1939 [I-D.keoh-dice-multicast-security] 1940 Keoh, S., Kumar, S., Garcia-Morchon, O., Dijk, E., and A. 1941 Rahman, "DTLS-based Multicast Security in Constrained 1942 Environments", draft-keoh-dice-multicast-security-08 (work 1943 in progress), July 2014. 1945 [I-D.droms-6man-multicast-scopes] 1946 Droms, R., "IPv6 Multicast Address Scopes", draft-droms- 1947 6man-multicast-scopes-02 (work in progress), July 2013. 1949 [I-D.mglt-dice-ipsec-for-application-payload] 1950 Migault, D. and C. Bormann, "IPsec/ESP for Application 1951 Payload", draft-mglt-dice-ipsec-for-application-payload-00 1952 (work in progress), July 2014. 1954 Appendix A. Multicast Listener Discovery (MLD) 1956 In order to extend the scope of IP multicast beyond link-local scope, 1957 an IP multicast routing or forwarding protocol has to be active in 1958 routers on an LLN. To achieve efficient IP multicast routing (i.e., 1959 avoid always flooding IP multicast packets), routers have to learn 1960 which hosts need to receive packets addressed to specific IP 1961 multicast destinations. 1963 The Multicast Listener Discovery (MLD) protocol [RFC3810] (or its 1964 IPv4 equivalent IGMP [RFC3376]) is today the method of choice used by 1965 an (IP multicast enabled) router to discover the presence of IP 1966 multicast listeners on directly attached links, and to discover which 1967 IP multicast addresses are of interest to those listening nodes. MLD 1968 was specifically designed to cope with fairly dynamic situations in 1969 which IP multicast listeners may join and leave at any time. 1971 [RFC6636] discusses optimal tuning of the parameters of MLD/IGMP for 1972 routers for mobile and wireless networks. These guidelines may be 1973 useful when implementing MLD in LLNs. 1975 Appendix B. Change Log 1977 [Note to RFC Editor: Please remove this section before publication.] 1979 Changes from ietf-24 to ietf-25: 1981 o Updated with the remaining agreed minor comments from Ben 1982 Campbell's GEN-ART review. Specifically, addressed the two 1983 comments on section 2.6.2.1 (which was section 2.7.2.1 in rev-21) 1984 as called out in "http://www.ietf.org/mail- 1985 archive/web/core/current/msg05604.html". 1987 o Updated with the clarification comment from Badis Djamaa in 1988 Section 2.3 as called out in "http://www.ietf.org/mail- 1989 archive/web/core/current/msg05612.html". 1991 o Minor editorial updates. 1993 Changes from ietf-23 to ietf-24: 1995 o Clarified in section 2.6.1.2 (Configuring Members) that ABNF rules 1996 from Section 3.2.2 of [RFC 3986] should be used for the IP address 1997 parsing. 1999 o Minor editorial updates. 2001 Changes from ietf-22 to ietf-23: 2003 o Updated requirements language (RFC 2119) to follow Barry Leiba's 2004 suggestions #1, #2b, and #2.1 as per "http://www.ietf.org/mail- 2005 archive/web/core/current/msg05593.html". 2007 o Clarified that [RFC 7320] implies that also other specifications 2008 cannot pre-define URI structure. 2010 o Added MUST to Token re-use time as it is additional specification 2011 to CoAP [RFC 7252]. 2013 o Clarified use of multicast POSTing in Section 2.4, in response to 2014 Jari Arkko's COMMENTs in "http://www.ietf.org/mail- 2015 archive/web/core/current/msg05572.html". 2017 o Added to Section 5.1 (Security Configuration) the possibility to 2018 use application-layer (data object) security, which enables to use 2019 CoAP group communication also for critical applications, pointed 2020 out by Jari Arkko's COMMENTs in "http://www.ietf.org/mail- 2021 archive/web/core/current/msg05572.html". 2023 o Fixed subtle error in hex string "c00l" to "c001". 2025 o Clarified in Section 2.11 (Exceptions) that CoAP Observe feature 2026 does not support group communication as per Jari's Arkko's comment 2027 in "http://www.ietf.org/mail-archive/web/core/current/ 2028 msg05592.html". 2030 o Moved section 2.6 (Member Discovery) into a new subsection as part 2031 of 2.7.1 (Membership Configuration - Background). 2033 o Minor editorial updates. 2035 Changes from ietf-21 to ietf-22: 2037 o Updated with comments from IESG review as follows: 2039 1. Changed Status from Informational to Experimental. 2041 2. Addressed Brian Haberman's DISCUSS (to put in reference to 2042 ASM) in section 1.2 as called out in "http://www.ietf.org/ 2043 mail-archive/web/core/current/msg05547.html". 2045 3. Addressed Brian Haberman's DISCUSS (to put in reference to 2046 multicast forwarding proxies) in section 2.1 as called out in 2047 "http://www.ietf.org/mail-archive/web/core/current/ 2048 msg05547.html". 2050 4. Addressed Brian Haberman's DISCUSS (to put in reference to 2051 getting port numbers from URIs) in section 2.3 as called out 2052 in "http://www.ietf.org/mail-archive/web/core/current/ 2053 msg05563.html". 2055 5. Addressed Brian Haberman's DISCUSS (to put in reference to 2056 IGMP/MLD API) in section 2.7.2.1, 2.7.2.2, 2.7.2.6 and 2057 2.7.2.7 as called out in "http://www.ietf.org/mail- 2058 archive/web/core/current/msg05547.html". 2060 6. Addressed Brian Haberman's COMMENT (to put in reference to 2061 reliable multicast RFC) in section 1.3 as called out in 2062 "http://www.ietf.org/mail-archive/web/core/current/ 2063 msg05545.html". 2065 7. Addressed Kathleen Moriarty's DISCUSS (to broaden to cover 2066 general monitoring) in section 5.4 as called out in 2067 "http://www.ietf.org/mail-archive/web/core/current/ 2068 msg05566.html". 2070 8. Addressed Martin Stiemerling's DISCUSS (to clearly indicate 2071 that the draft introduces new CoAP protocol functionality) in 2072 the Abstract and section 1.2 as called out in 2073 "http://www.ietf.org/mail-archive/web/core/current/ 2074 msg05542.html". 2076 9. Addressed Martin Stiemerling's DISCUSS (to clarify selected 2077 requirements language) in section 2.7.2 as called out in 2078 "http://www.ietf.org/mail-archive/web/core/current/ 2079 msg05542.html". (Note that the other sections are not 2080 impacted as they truly are new requirements and not 2081 repetition of the CoAP RFC 7252) 2083 10. Addressed Spencer Dawkins' COMMENT as called out in 2084 "http://www.ietf.org/mail-archive/web/core/current/ 2085 msg05557.html". 2087 11. Addressed Alissa Cooper's COMMENT as called out in 2088 "http://www.ietf.org/mail-archive/web/core/current/ 2089 msg05567.html". 2091 12. Addressed selected Stephen Farrell's COMMENTs as called out 2092 in "http://www.ietf.org/mail-archive/web/core/current/ 2093 msg05576.html". 2095 13. Addressed selected Pete Resnick's COMMENTs as called out in 2096 "http://www.ietf.org/mail-archive/web/core/current/ 2097 msg05568.html". 2099 14. Addressed selected Adrian Farrel's COMMENTs as called out in 2100 "http://www.ietf.org/mail-archive/web/core/current/ 2101 msg05565.html". 2103 15. Addressed selected Jari Arkko's COMMENTs as called out in 2104 "http://www.ietf.org/mail-archive/web/core/current/ 2105 msg05572.html". 2107 o Updated with comments from GEN-ART review as follows: 2109 1. Addressed major issue #1 from Ben Campbell's GEN-ART review 2110 (about introducing new functionality beyond CoAP RFC 7252) by 2111 changing the status of document to Experimental, and updating 2112 Abstract and section 2.1 as called out in 2113 "http://www.ietf.org/mail-archive/web/core/current/ 2114 msg05551.html". 2116 2. Addressed major issue #2 from Ben Campbell's GEN-ART review 2117 (about giving a stronger recommendation not to use CoAP group 2118 communication in many scenarios until stronger security 2119 solutions are available) in section 5.1 and section 5.4 as 2120 called out in "http://www.ietf.org/mail- 2121 archive/web/core/current/msg05551.html". 2123 3. Addressed selected minor issues and nits from Ben Campbell's 2124 GEN-ART review comments from "http://www.ietf.org/mail- 2125 archive/web/core/current/msg05535.html". 2127 o Various minor editorial updates. 2129 Changes from ietf-20 to ietf-21: 2131 o Updated with comments from AD review by Barry Leiba. The details 2132 of the updates can be seen by looking at the WG mailing list from 2133 July 26-31, 2014. 2135 o Various minor editorial updates. 2137 Changes from ietf-19 to ietf-20: 2139 o Replaced obsolete reference [RFC 2616] by [RFC 7230]. 2141 o Replaced outdated reference draft-ietf-appsawg-uri-get-off-my-lawn 2142 by [RFC 7320] and moved to Normative reference. 2144 o Replaced outdated reference draft-ietf-core-coap by [RFC 7252]. 2146 o Moved [RFC 1033] to Informative reference. 2148 o Updated to latest revision numbers for informative draft 2149 references by regenerating file through xml2rfc tool. 2151 o Re-ran IETF spell check tool and corrected some minor spelling 2152 errors. 2154 o Various minor editorial updates. 2156 Changes from ietf-18 to ietf-19: 2158 o Added guideline on Token value re-use in section 2.5. 2160 o Updated section 5.1 (Security Configuration) and 5.3.3 (Future 2161 Security Evolution) to point to latest security developments 2162 happening in DICE WG for support of group security. 2164 o Added Pervasive Monitoring considerations in section 5.4. 2166 o Various editorial updates for improved readability. 2168 Changes from ietf-17 to ietf-18: 2170 o Extensive editorial updates based on WGLC comments by Thomas 2171 Fossati and Gengyu Wei. 2173 o Addressed ticket #361: Added text for single membership PUT 2174 section 2.7.2.7 (Updating a single group membership (PUT)). 2176 o Addressed ticket #360: Added text for server duties upon all-at- 2177 once PUT section 2.7.2.6 (Creating/updating all group memberships 2178 at once (PUT)). 2180 o Addressed ticket #359: Fixed requirements text for Section 2.7.2.2 2181 (Creating a new multicast group membership (POST)). 2183 o Addressed ticket #358: Fixed requirements text for Section 2.7.2.1 2184 (CoAP-Group Resource Type and Media Type). 2186 o Addressed ticket #357: Added that "IPv6 addresses of other scopes 2187 MAY be enabled" in section 2.2 (Group Definition and Naming). 2189 o Various editorial updates for improved readability. 2191 Changes from ietf-16 to ietf-17: 2193 o Added guidelines on joining of IPv6/IPv4 "All CoAP Nodes" 2194 multicast addresses (#356). 2196 o Added MUST support default port in case multicast discovery is 2197 available. 2199 o In section 2.1 (IP Multicast Background), clarified that IP 2200 multicast is not guaranteed and referenced a definition of 2201 Reliable Group Communication (#355). 2203 o Added section 2.5 (Messages and Responses) to clarify how 2204 responses are identified and how Token/MID are used in multicast 2205 CoAP. 2207 o In section 2.6.2 (RESTful Interface for Configuring Group 2208 Memberships), clarified that group management interface is an 2209 optional approach for dynamic commissioning and that other 2210 approaches can also be used if desired. 2212 o Updated section 2.6.2 (RESTful Interface for Configuring Group 2213 Memberships) to allow deletion of individual group memberships 2214 (#354). 2216 o Various editorial updates based on comments by Peter van der Stok. 2217 Removed reference to expired draft-vanderstok-core-dna at request 2218 of its author. 2220 o Various editorial updates for improved readability. 2222 Changes from ietf-15 to ietf-16: 2224 o In section 2.6.2, changed DELETE in group management interface to 2225 a PUT with empty JSON array to clear the list (#345). 2227 o In section 2.6.2, aligned the syntax for IP addresses to follow 2228 RFC 3986 URI syntax, which is also used by coap-18. This allows 2229 re-use of the parsing code for CoAP URIs for this purpose (#342). 2231 o Addressed some more editorial comments provided by Carsten Bormann 2232 in preparation for WGLC. 2234 o Various editorial updates for improved readability. 2236 Changes from ietf-14 to ietf-15: 2238 o In section 2.2, provided guidance on how implementers should parse 2239 URIs for group communication (#339). 2241 o In section 2.6.2.1, specified that for group membership 2242 configuration interface the "ip" (i.e., "a" parameter) key/value 2243 is not required when it is unknown (#338). 2245 o In section 2.6.2.1, specified that for group membership 2246 configuration interface the port configuration be defaulted to 2247 standard CoAP port 5683, and if not default then should follow 2248 standard notation (#340). 2250 o In section 2.6.2.1, specified that notation of IP address in group 2251 membership configuration interface should follow standard notation 2252 (#342). 2254 o In section 6.2, "coap-group+json" Media Type encoding simplified 2255 to just support UTF-8 (and not UTF-16 and UTF-32) (#344). 2257 o Various editorial updates for improved readability. 2259 Changes from ietf-13 to ietf-14: 2261 o Update to address final editorial comments from the Chair's review 2262 (by Carsten Bormann) of the draft. This included restructuring of 2263 Section 2.6 (Configuring Group Memberships) and Section 4 2264 (Deployment Guidelines) to make it easier to read. Also various 2265 other editorial changes. 2267 o Changed "ip" field to "a" in Section 2.6 (#337) 2269 Changes from ietf-12 to ietf-13: 2271 o Extensive editorial updates due to comments from the Chair's 2272 review (by Carsten Bormann) of the draft. The best way to see the 2273 changes will be to do a -Diff with Rev. 12. 2275 o The technical comments from the Chair's review will be addressed 2276 in a future revision after tickets are generated and the solutions 2277 are agreed to on the WG E-mail list. 2279 Changes from ietf-11 to ietf-12: 2281 o Removed reference to "CoAP Ping" in Section 3.5 (Group Member 2282 Discovery) and replaced it with the more efficient support of 2283 discovery of groups and group members via the CORE RD as suggested 2284 by Zach Shelby. 2286 o Various editorial updates for improved readability. 2288 Changes from ietf-10 to ietf-11: 2290 o Added text to section 3.8 (Congestion Control) to clarify that a 2291 "CoAP client sending a multicast CoAP request to /.well-known/core 2292 SHOULD support core-block" (#332). 2294 o Various editorial updates for improved readability. 2296 Changes from ietf-09 to ietf-10: 2298 o Various editorial updates including: 2300 o Added a fourth option in section 3.3 on ways to obtain the URI 2301 path for a group request. 2303 o Clarified use of content format in GET/PUT requests for 2304 Configuring Group Membership in Endpoints (in section 3.6). 2306 o Changed reference "draft-shelby-core-resource-directory" to 2307 "draft-ietf-core-resource-directory". 2309 o Clarified (in section 3.7) that ACKs are never used for a 2310 multicast request (from #296). 2312 o Clarified (in section 5.2/5.2.3) that MPL does not support group 2313 membership advertisement. 2315 o Adding introductory paragraph to Scope (section 2.2). 2317 o Wrote out fully the URIs in table section 3.2. 2319 o Reworded security text in section 7.2 (New Internet Media Type) to 2320 make it consistent with section 3.6 (Configuring Group 2321 Membership). 2323 o Fixed formatting of hyperlinks in sections 6.3 and 7.2. 2325 Changes from ietf-08 to ietf-09: 2327 o Cleaned up requirements language in general. Also, requirements 2328 language are now only used in section 3 (Protocol Considerations) 2329 and section 6 (Security Considerations). Requirements language 2330 has been removed from other sections to keep them to a minimum 2331 (#271). 2333 o Addressed final comment from Peter van der Stok to define what "IP 2334 stack" meant (#296). Following the lead of CoAP-17, we know refer 2335 instead to "APIs such as IPV6_RECVPKTINFO [RFC 3542]". 2337 o Changed text in section 3.4 (Group Methods) to allow multicast 2338 POST under specific conditions and highlighting the risks with 2339 using it (#328). 2341 o Various editorial updates for improved readability. 2343 Changes from ietf-07 to ietf-08: 2345 o Updated text in section 3.6 (Configuring Group Membership in 2346 Endpoints) to make it more explicit that the Internet Media Type 2347 is used in the processing rules (#299). 2349 o Addressed various comments from Peter van der Stok (#296). 2351 o Various editorial updates for improved readability including 2352 defining all acronyms. 2354 Changes from ietf-06 to ietf-07: 2356 o Added an IANA request (in section 7.2) for a dedicated content- 2357 format (Internet Media type) for the group management JSON format 2358 called 'application/coap-group+json' (#299). 2360 o Clarified semantics (in section 3.6) of group management JSON 2361 format (#300). 2363 o Added details of IANA request (in section 7.1) for a new CORE 2364 Resource Type called 'core.gp'. 2366 o Clarified that DELETE method (in section 3.6) is also a valid 2367 group management operation. 2369 o Various editorial updates for improved readability. 2371 Changes from ietf-05 to ietf-06: 2373 o Added a new section on commissioning flow when using discovery 2374 services when end devices discover in which multicast group they 2375 are allocated (#295). 2377 o Added a new section on CoAP Proxy Operation (section 3.9) that 2378 outlines the potential issues and limitations of doing CoAP 2379 multicast requests via a CoAP Proxy (#274). 2381 o Added use case of multicasting controller on the backbone (#279). 2383 o Use cases were updated to show only a single CoAP RD (to replace 2384 the previous multiple RDs with one in each subnet). This is a 2385 more efficient deployment and also avoids RD specific issues such 2386 as synchronization of RD information between serves (#280). 2388 o Added text to section 3.6 (Configuring Group Membership in 2389 Endpoints) that clarified that any (unicast) operation to change 2390 an endpoint's group membership must use DTLS-secured CoAP. 2392 o Clarified relationship of this document to draft-ietf-core-coap in 2393 section 2.2 (Scope). 2395 o Removed IPSec related requirement, as IPSec is not part of draft- 2396 ietf-core-coap anymore. 2398 o Editorial reordering of subsections in section 3 to have a better 2399 flow of topics. Also renamed some of the (sub)sections to better 2400 reflect their content. Finally, moved the URI Configuration text 2401 to the same section as the Port Configuration section as it was a 2402 more natural grouping (now in section 3.3) . 2404 o Editorial rewording of section 3.7 (Multicast Request Acceptance 2405 and Response Suppression) to make the logic easier to comprehend 2406 (parse). 2408 o Various editorial updates for improved readability. 2410 Changes from ietf-04 to ietf-05: 2412 o Added a new section 3.9 (Exceptions) that highlights that IP 2413 multicast (and hence group communication) is not always available 2414 (#187). 2416 o Updated text on the use of [RFC2119] language (#271) in Section 1. 2418 o Included guidelines on when (not) to use CoAP responses to 2419 multicast requests and when (not) to accept multicast requests 2420 (#273). 2422 o Added guideline on use of core-block for minimizing response size 2423 (#275). 2425 o Restructured section 6 (Security Considerations) to more fully 2426 describe threats and threat mitigation (#277). 2428 o Clearly indicated that DNS resolution and reverse DNS lookup are 2429 optional. 2431 o Removed confusing text about a single group having multiple IP 2432 addresses. If multiple IP addresses are required then multiple 2433 groups (with the same members) should be created. 2435 o Removed repetitive text about the fact that group communication is 2436 not guaranteed. 2438 o Merged previous section 5.2 (Multicast Routing) into 3.1 (IP 2439 Multicast Routing Background) and added link to section 5.2 2440 (Advertising Membership of Multicast Groups). 2442 o Clarified text in section 3.8 (Congestion Control) regarding 2443 precedence of use of IP multicast domains (i.e., first try to use 2444 link-local scope, then site-local scope, and only use global IP 2445 multicast as a last resort). 2447 o Extended group resource manipulation guidelines with use of pre- 2448 configured ports/paths for the multicast group. 2450 o Consolidated all text relating to ports in a new section 3.3 (Port 2451 Configuration). 2453 o Clarified that all methods (GET/PUT/POST) for configuring group 2454 membership in endpoints should be unicast (and not multicast) in 2455 section 3.7 (Configuring Group Membership In Endpoints). 2457 o Various editorial updates for improved readability, including 2458 editorial comments by Peter van der Stok to WG list of December 2459 18th, 2012. 2461 Changes from ietf-03 to ietf-04: 2463 o Removed section 2.3 (Potential Solutions for Group Communication) 2464 as it is purely background information and moved section to draft- 2465 dijk-core-groupcomm-misc (#266). 2467 o Added reference to draft-keoh-tls-multicast-security to section 6 2468 (Security Considerations). 2470 o Removed Appendix B (CoAP-Observe Alternative to Group 2471 Communications) as it is as an alternative to IP Multicast that 2472 the WG has not adopted and moved section to draft-dijk-core- 2473 groupcomm-misc (#267). 2475 o Deleted section 8 (Conclusions) as it is redundant (#268). 2477 o Simplified light switch use case (#269) by splitting into basic 2478 operations and additional functions (#269). 2480 o Moved section 3.7 (CoAP Multicast and HTTP Unicast Interworking) 2481 to draft-dijk-core-groupcomm-misc (#270). 2483 o Moved section 3.3.1 (DNS-SD) and 3.3.2 (CoRE Resource Directory) 2484 to draft-dijk-core-groupcomm-misc as these sections essentially 2485 just repeated text from other drafts regarding DNS based features. 2486 Clarified remaining text in this draft relating to DNS based 2487 features to clearly indicate that these features are optional 2488 (#272). 2490 o Focus section 3.5 (Configuring Group Membership) on a single 2491 proposed solution. 2493 o Scope of section 5.3 (Use of MLD) widened to multicast destination 2494 advertisement methods in general. 2496 o Rewrote section 2.2 (Scope) for improved readability. 2498 o Moved use cases that are not addressed to draft-dijk-core- 2499 groupcomm-misc. 2501 o Various editorial updates for improved readability. 2503 Changes from ietf-02 to ietf-03: 2505 o Clarified that a group resource manipulation may return back a 2506 mixture of successful and unsuccessful responses (section 3.4 and 2507 Figure 6) (#251). 2509 o Clarified that security option for group communication must be 2510 NoSec mode (section 6) (#250). 2512 o Added mechanism for group membership configuration (#249). 2514 o Removed IANA request for multicast addresses (section 7) and 2515 replaced with a note indicating that the request is being made in 2516 draft-ietf-core-coap (#248). 2518 o Made the definition of 'group' more specific to group of CoAP 2519 endpoints and included text on UDP port selection (#186). 2521 o Added explanatory text in section 3.4 regarding why not to use 2522 group communication for non-idempotent messages (i.e., CoAP POST) 2523 (#186). 2525 o Changed link-local RD discovery to site-local in RD discovery use 2526 case to make it more realistic. 2528 o Fixed lighting control use case CoAP proxying; now returns 2529 individual CoAP responses as in coap-12. 2531 o Replaced link format I-D with RFC6690 reference. 2533 o Various editorial updates for improved readability 2535 Changes from ietf-01 to ietf-02: 2537 o Rewrote congestion control section based on latest CoAP text 2538 including Leisure concept (#188) 2540 o Updated the CoAP/HTTP interworking section and example use case 2541 with more details and use of MLD for multicast group joining 2543 o Key use cases added (#185) 2545 o References to draft-vanderstok-core-dna and draft-castellani-core- 2546 advanced-http-mapping added 2548 o Moved background sections on "MLD" and "CoAP-Observe" to 2549 Appendices 2551 o Removed requirements section (and moved it to draft-dijk-core- 2552 groupcomm-misc) 2554 o Added details for IANA request for group communication multicast 2555 addresses 2557 o Clarified text to distinguish between "link local" and general 2558 multicast cases 2560 o Moved lengthy background section 5 to draft-dijk-core-groupcomm- 2561 misc and replaced with a summary 2563 o Various editorial updates for improved readability 2565 o Change log added 2567 Changes from ietf-00 to ietf-01: 2569 o Moved CoAP-observe solution section to section 2 2571 o Editorial changes 2573 o Moved security requirements into requirements section 2575 o Changed multicast POST to PUT in example use case 2577 o Added CoAP responses in example use case 2579 Changes from rahman-07 to ietf-00: 2581 o Editorial changes 2583 o Use cases section added 2585 o CoRE Resource Directory section added 2587 o Removed section 3.3.5. IP Multicast Transmission Methods 2589 o Removed section 3.4 Overlay Multicast 2591 o Removed section 3.5 CoAP Application Layer Group Management 2593 o Clarified section 4.3.1.3 RPL Routers with Non-RPL Hosts case 2595 o References added and some normative/informative status changes 2597 Authors' Addresses 2599 Akbar Rahman (editor) 2600 InterDigital Communications, LLC 2602 Email: Akbar.Rahman@InterDigital.com 2603 Esko Dijk (editor) 2604 Philips Research 2606 Email: esko.dijk@philips.com