idnits 2.17.1 draft-ietf-lwig-security-protocol-comparison-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 2, 2018) is 2124 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-16) exists of draft-ietf-core-object-security-13 == Outdated reference: A later version (-13) exists of draft-ietf-tls-dtls-connection-id-00 == Outdated reference: A later version (-43) exists of draft-ietf-tls-dtls13-26 -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 6347 (Obsoleted by RFC 9147) Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Mattsson 3 Internet-Draft F. Palombini 4 Intended status: Informational Ericsson AB 5 Expires: January 3, 2019 July 2, 2018 7 Comparison of CoAP Security Protocols 8 draft-ietf-lwig-security-protocol-comparison-01 10 Abstract 12 This document analyzes and compares per-packet message size overheads 13 when using different security protocols to secure CoAP. The analyzed 14 security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, and 15 OSCORE. DTLS and TLS are analyzed with and without 6LoWPAN-GHC 16 compression. DTLS is analyzed with and without Connection ID. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on January 3, 2019. 35 Copyright Notice 37 Copyright (c) 2018 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Overhead of Security Protocols . . . . . . . . . . . . . . . 3 54 2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 3 55 2.1.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 3 56 2.1.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 4 57 2.1.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 4 58 2.1.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 5 59 2.2. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 6 60 2.2.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 6 61 2.2.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 6 62 2.2.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 7 63 2.2.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 7 64 2.2.5. DTLS 1.3 with Short Header . . . . . . . . . . . . . 8 65 2.2.6. DTLS 1.3 with Short Header and 6LoWPAN-GHC . . . . . 8 66 2.3. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 9 67 2.3.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 9 68 2.3.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 9 69 2.4. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 10 70 2.4.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 10 71 2.4.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 10 72 2.5. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 3. Overhead with Different Parameters . . . . . . . . . . . . . 12 74 4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 75 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 76 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 77 7. Informative References . . . . . . . . . . . . . . . . . . . 15 78 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 16 79 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 81 1. Introduction 83 This document analyzes and compares per-packet message size overheads 84 when using different security protocols to secure CoAP over UPD 85 [RFC7252] and TCP [RFC8323]. The analyzed security protocols are 86 DTLS 1.2 [RFC6347], DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 87 [RFC5246], TLS 1.3 [I-D.ietf-tls-tls13], and OSCORE 88 [I-D.ietf-core-object-security]. The DTLS and TLS record layers are 89 analyzed with and without compression. DTLS is anlyzed with and 90 without Connection ID [I-D.ietf-tls-dtls-connection-id] and DTLS 1.3 91 is analyzed with and without the use of the short header. Readers 92 are expected to be familiar with some of the terms described in RFC 93 7925 [RFC7925], such as ICV. 95 2. Overhead of Security Protocols 97 To enable comparison, all the overhead calculations in this section 98 use AES-CCM with a tag length of 8 bytes (e.g. AES_128_CCM_8 or AES- 99 CCM-16-64), a plaintext of 6 bytes, and the sequence number '05'. 100 This follows the example in [RFC7400], Figure 16. 102 Note that the compressed overhead calculations for DLTS 1.2, DTLS 103 1.3, TLS 1.2 and TLS 1.3 are dependent on the parameters epoch, 104 sequence number, and length, and all the overhead calculations are 105 dependent on the parameter Connection ID when used. Note that the 106 OSCORE overhead calculations are dependent on the CoAP option 107 numbers, as well as the length of the OSCORE parameters Sender ID and 108 Sequence Number. The following are only examples. 110 2.1. DTLS 1.2 112 2.1.1. DTLS 1.2 114 This section analyzes the overhead of DTLS 1.2 [RFC6347]. The nonce 115 follow the strict profiling given in [RFC7925]. This example is 116 taken directly from [RFC7400], Figure 16. 118 DTLS 1.2 record layer (35 bytes, 29 bytes overhead): 119 17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00 120 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4 121 cb 35 b9 123 Content type: 124 17 125 Version: 126 fe fd 127 Epoch: 128 00 01 129 Sequence number: 130 00 00 00 00 00 05 131 Length: 132 00 16 133 Nonce: 134 00 01 00 00 00 00 00 05 135 Ciphertext: 136 ae a0 15 56 67 92 137 ICV: 138 4d ff 8a 24 e4 cb 35 b9 140 DTLS 1.2 gives 29 bytes overhead. 142 2.1.2. DTLS 1.2 with 6LoWPAN-GHC 144 This section analyzes the overhead of DTLS 1.2 [RFC6347] when 145 compressed with 6LoWPAN-GHC [RFC7400]. The compression was done with 146 [OlegHahm-ghc]. 148 Note that the sequence number '01' used in [RFC7400], Figure 15 gives 149 an exceptionally small overhead that is not representative. 151 Note that this header compression is not available when DTLS is used 152 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 154 Compressed DTLS 1.2 record layer (22 bytes, 16 bytes overhead): 155 b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff 156 8a 24 e4 cb 35 b9 158 Compressed DTLS 1.2 record layer header and nonce: 159 b0 c3 03 05 00 16 f2 0e 160 Ciphertext: 161 ae a0 15 56 67 92 162 ICV: 163 4d ff 8a 24 e4 cb 35 b9 165 When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters 166 (epoch, sequence number, length) gives 16 bytes overhead. 168 2.1.3. DTLS 1.2 with Connection ID 170 This section analyzes the overhead of DTLS 1.2 [RFC6347] with 171 Connection ID [I-D.ietf-tls-dtls-connection-id]. The overhead 172 calculations in this section uses Connection ID = '42'. DTLS recored 173 layer with a Connection ID = '' (the empty string) is equal to DTLS 174 without Connection ID. 176 DTLS 1.2 record layer (36 bytes, 30 bytes overhead): 177 17 fe fd 00 01 00 00 00 00 00 05 42 00 16 00 01 178 00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 179 e4 cb 35 b9 181 Content type: 182 17 183 Version: 184 fe fd 185 Epoch: 186 00 01 187 Sequence number: 188 00 00 00 00 00 05 189 Connection ID: 190 42 191 Length: 192 00 16 193 Nonce: 194 00 01 00 00 00 00 00 05 195 Ciphertext: 196 ae a0 15 56 67 92 197 ICV: 198 4d ff 8a 24 e4 cb 35 b9 200 DTLS 1.2 with Connection ID gives 30 bytes overhead. 202 2.1.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC 204 This section analyzes the overhead of DTLS 1.2 [RFC6347] with 205 Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with 206 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 208 Note that the sequence number '01' used in [RFC7400], Figure 15 gives 209 an exceptionally small overhead that is not representative. 211 Note that this header compression is not available when DTLS is used 212 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 214 Compressed DTLS 1.2 record layer (23 bytes, 17 bytes overhead): 215 b0 c3 04 05 42 00 16 f2 0e ae a0 15 56 67 92 4d 216 ff 8a 24 e4 cb 35 b9 218 Compressed DTLS 1.2 record layer header and nonce: 219 b0 c3 04 05 42 00 16 f2 0e 220 Ciphertext: 221 ae a0 15 56 67 92 222 ICV: 223 4d ff 8a 24 e4 cb 35 b9 224 When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters 225 (epoch, sequence number, Connection ID, length) gives 17 bytes 226 overhead. 228 2.2. DTLS 1.3 230 2.2.1. DTLS 1.3 232 This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]. 233 The changes compared to DTLS 1.2 are: omission of version number, 234 merging of epoch and sequence number fields (of total 8 bytes) into 235 one 4-bytes-field. 237 DTLS 1.3 record layer (22 bytes, 16 bytes overhead): 238 17 40 00 00 05 00 0f ae a0 15 56 67 92 ec 4d ff 239 8a 24 e4 cb 35 b9 241 Content type: 242 17 243 Epoch and sequence: 244 40 00 00 05 245 Length: 246 00 0f 247 Ciphertext (including encrypted content type): 248 ae a0 15 56 67 92 ec 249 ICV: 250 4d ff 8a 24 e4 cb 35 b9 252 DTLS 1.3 gives 16 bytes overhead. 254 2.2.2. DTLS 1.3 with 6LoWPAN-GHC 256 This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] 257 when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 259 Note that this header compression is not available when DTLS is used 260 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 262 Compressed DTLS 1.3 record layer (23 bytes, 17 bytes overhead): 263 02 17 40 80 12 05 00 0f ae a0 15 56 67 92 ec 4d 264 ff 8a 24 e4 cb 35 b9 266 Compressed DTLS 1.3 record layer header and nonce: 267 02 17 40 80 12 05 00 0f 268 Ciphertext (including encrypted content type): 269 ae a0 15 56 67 92 ec 270 ICV: 271 4d ff 8a 24 e4 cb 35 b9 272 When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters 273 (epoch, sequence number, length) gives 17 bytes overhead. 275 2.2.3. DTLS 1.3 with Connection ID 277 This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] 278 with Connection ID [I-D.ietf-tls-dtls-connection-id]. 280 DTLS 1.3 record layer (23 bytes, 17 bytes overhead): 281 17 40 00 00 05 42 00 0f ae a0 15 56 67 92 ec 4d 282 ff 8a 24 e4 cb 35 b9 284 Content type: 285 17 286 Epoch and sequence: 287 40 00 00 05 288 Connection ID: 289 42 290 Length: 291 00 0f 292 Ciphertext (including encrypted content type): 293 ae a0 15 56 67 92 ec 294 ICV: 295 4d ff 8a 24 e4 cb 35 b9 297 DTLS 1.3 gives 17 bytes overhead. 299 2.2.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC 301 This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] 302 with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed 303 with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 305 Note that this header compression is not available when DTLS is used 306 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 308 Compressed DTLS 1.3 record layer (24 bytes, 18 bytes overhead): 309 02 17 40 80 13 05 42 00 0f ae a0 15 56 67 92 ec 310 4d ff 8a 24 e4 cb 35 b9 312 Compressed DTLS 1.3 record layer header and nonce: 313 02 17 40 80 13 05 42 00 0f 314 Ciphertext (including encrypted content type): 315 ae a0 15 56 67 92 ec 316 ICV: 317 4d ff 8a 24 e4 cb 35 b9 318 When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters 319 (epoch, sequence number, Connection ID, length) gives 18 bytes 320 overhead. 322 2.2.5. DTLS 1.3 with Short Header 324 This section analyzes the overhead of DTLS 1.3 with short header 325 format [I-D.ietf-tls-dtls13]. The short header format for DTLS 1.3 326 reduces the header of 5 bytes, by omitting the length value and 327 sending 1 lower bit of epoch value instead of 2, and 12 lower bits of 328 sequence number instead of 30. 330 DTLS 1.3 record layer (17 bytes, 11 bytes overhead): 331 30 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 332 b9 334 Short epoch and sequence: 335 30 05 336 Ciphertext (including encrypted content type): 337 ae a0 15 56 67 92 ec 338 ICV: 339 4d ff 8a 24 e4 cb 35 b9 341 DTLS 1.3 with short header gives 11 bytes overhead. 343 2.2.6. DTLS 1.3 with Short Header and 6LoWPAN-GHC 345 This section analyzes the overhead of DTLS 1.3 with short header 346 [I-D.ietf-tls-dtls13] when compressed with 6LoWPAN-GHC [RFC7400] 347 [OlegHahm-ghc]. 349 Compressed DTLS 1.3 record layer (18 bytes, 12 bytes overhead): 350 11 30 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 351 35 b9 353 Compressed DTLS 1.3 short header (including sequence number): 354 11 30 05 355 Ciphertext (including encrypted content type): 356 ae a0 15 56 67 92 ec 357 ICV: 358 4d ff 8a 24 e4 cb 35 b9 360 Compressed DTLS 1.3 with short header gives 12 bytes overhead. 362 2.3. TLS 1.2 364 2.3.1. TLS 1.2 366 This section analyzes the overhead of TLS 1.2 [RFC5246]. The changes 367 compared to DTLS 1.2 is that the TLS 1.2 record layer does not have 368 epoch and sequence number, and that the version is different. 370 TLS 1.2 Record Layer (27 bytes, 21 bytes overhead): 371 17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15 372 56 67 92 4d ff 8a 24 e4 cb 35 b9 374 Content type: 375 17 376 Version: 377 03 03 378 Length: 379 00 16 380 Nonce: 381 00 00 00 00 00 00 00 05 382 Ciphertext: 383 ae a0 15 56 67 92 384 ICV: 385 4d ff 8a 24 e4 cb 35 b9 387 TLS 1.2 gives 21 bytes overhead. 389 2.3.2. TLS 1.2 with 6LoWPAN-GHC 391 This section analyzes the overhead of TLS 1.2 [RFC5246] when 392 compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 394 Note that this header compression is not available when TLS is used 395 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 397 Compressed TLS 1.2 record layer (23 bytes, 17 bytes overhead): 398 05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d 399 ff 8a 24 e4 cb 35 b9 401 Compressed TLS 1.2 record layer header and nonce: 402 05 17 03 03 00 16 85 0f 05 403 Ciphertext: 404 ae a0 15 56 67 92 405 ICV: 406 4d ff 8a 24 e4 cb 35 b9 408 When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters 409 (epoch, sequence number, length) gives 17 bytes overhead. 411 2.4. TLS 1.3 413 2.4.1. TLS 1.3 415 This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13]. 416 The change compared to TLS 1.2 is that the TLS 1.3 record layer uses 417 a different version. 419 TLS 1.3 Record Layer (20 bytes, 14 bytes overhead): 420 17 03 03 00 16 ae a0 15 56 67 92 ec 4d ff 8a 24 421 e4 cb 35 b9 423 Content type: 424 17 425 Legacy version: 426 03 03 427 Length: 428 00 0f 429 Ciphertext (including encrypted content type): 430 ae a0 15 56 67 92 ec 431 ICV: 432 4d ff 8a 24 e4 cb 35 b9 434 TLS 1.3 gives 14 bytes overhead. 436 2.4.2. TLS 1.3 with 6LoWPAN-GHC 438 This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13] 439 when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 441 Note that this header compression is not available when TLS is used 442 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 444 Compressed TLS 1.3 record layer (21 bytes, 15 bytes overhead): 445 14 17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a 446 24 e4 cb 35 b9 448 Compressed TLS 1.3 record layer header and nonce: 449 14 17 03 03 00 0f 450 Ciphertext (including encrypted content type): 451 ae a0 15 56 67 92 ec 452 ICV: 453 4d ff 8a 24 e4 cb 35 b9 455 When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters 456 (epoch, sequence number, length) gives 15 bytes overhead. 458 2.5. OSCORE 460 This section analyzes the overhead of OSCORE 461 [I-D.ietf-core-object-security]. 463 The below calculation Option Delta = '9', Sender ID = '' (empty 464 string), and Sequence Number = '05', and is only an example. Note 465 that Sender ID = '' (empty string) can only be used by one client per 466 server. 468 OSCORE request (19 bytes, 13 bytes overhead): 469 92 09 05 470 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 472 CoAP option delta and length: 473 92 474 Option value (flag byte and sequence number): 475 09 05 476 Payload marker: 477 ff 478 Ciphertext (including encrypted code): 479 ec ae a0 15 56 67 92 480 ICV: 481 4d ff 8a 24 e4 cb 35 b9 483 The below calculation Option Delta = '9', Sender ID = '42', and 484 Sequence Number = '05', and is only an example. 486 OSCORE request (20 bytes, 14 bytes overhead): 487 93 09 05 42 488 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 490 CoAP option delta and length: 491 93 492 Option Value (flag byte, sequence number, and Sender ID): 493 09 05 42 494 Payload marker: 495 ff 496 Ciphertext (including encrypted code): 497 ec ae a0 15 56 67 92 498 ICV: 499 4d ff 8a 24 e4 cb 35 b9 501 The below calculation uses Option Delta = '9'. 503 OSCORE response (17 bytes, 11 bytes overhead): 504 90 505 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 507 CoAP delta and option length: 508 90 509 Option value: 510 - 511 Payload marker: 512 ff 513 Ciphertext (including encrypted code): 514 ec ae a0 15 56 67 92 515 ICV: 516 4d ff 8a 24 e4 cb 35 b9 518 OSCORE with the above parameters gives 13-14 bytes overhead for 519 requests and 11 bytes overhead for responses. 521 Unlike DTLS and TLS, OSCORE has much smaller overhead for responses 522 than requests. 524 3. Overhead with Different Parameters 526 The DTLS overhead is dependent on the parameter Connection ID. The 527 following overheads apply for all Connection IDs with the same 528 length. 530 The compression overhead (GHC) is dependent on the parameters epoch, 531 sequence number, Connection ID, and length (where applicable). The 532 following overheads should be representative for sequence numbers and 533 Connection IDs with the same length. 535 The OSCORE overhead is dependent on the included CoAP Option numbers 536 as well as the length of the OSCORE parameters Sender ID and sequence 537 number. The following overheads apply for all sequence numbers and 538 Sender IDs with the same length. 540 Sequence Number '05' '1005' '100005' 541 ------------------------------------------------------------- 542 DTLS 1.2 29 29 29 543 DTLS 1.3 16 16 16 544 DTLS 1.3 (short header) 11 11 11 545 ------------------------------------------------------------- 546 DTLS 1.2 (GHC) 16 16 16 547 DTLS 1.3 (GHC) 17 17 17 548 DTLS 1.3 (short header) (GCH) 12 12 12 549 ------------------------------------------------------------- 550 TLS 1.2 21 21 21 551 TLS 1.3 14 14 14 552 ------------------------------------------------------------- 553 TLS 1.2 (GHC) 17 18 19 554 TLS 1.3 (GHC) 15 16 17 555 ------------------------------------------------------------- 556 OSCORE request 13 14 15 557 OSCORE response 11 11 11 559 Figure 1: Overhead in bytes as a function of sequence number 560 (Connection/Sender ID = '') 562 Connection/Sender ID '' '42' '4002' 563 ------------------------------------------------------------- 564 DTLS 1.2 29 30 31 565 DTLS 1.3 16 17 18 566 DTLS 1.3 (short header) 11 12 13 567 ------------------------------------------------------------- 568 DTLS 1.2 (GHC) 16 17 18 569 DTLS 1.3 (GHC) 17 18 19 570 DTLS 1.3 (short header) (GCH) 12 13 14 571 ------------------------------------------------------------- 572 OSCORE request 13 14 15 573 OSCORE response 11 11 11 575 Figure 2: Overhead in bytes as a function of Connection/Sender ID 576 (Sequence Number = '05') 578 Protocol Overhead Overhead (GHC) 579 ------------------------------------------------------------- 580 DTLS 1.2 21 8 581 DTLS 1.3 8 9 582 DTLS 1.3 (short header) 3 4 583 ------------------------------------------------------------- 584 TLS 1.2 13 9 585 TLS 1.3 6 7 586 ------------------------------------------------------------- 587 OSCORE request 5 588 OSCORE response 3 590 Figure 3: Overhead (excluding ICV) in bytes 591 (Connection/Sender ID = '', Sequence Number = '05') 593 4. Summary 595 DTLS 1.2 has quite a large overhead as it uses an explicit sequence 596 number and an explicit nonce. TLS 1.2 has significantly less (but 597 not small) overhead. TLS 1.3 and DTLS 1.3 have quite small overhead. 598 OSCORE and DTLS 1.3 with short header format has very small overhead. 600 The Generic Header Compression (6LoWPAN-GHC) can in addition to DTLS 601 1.2 handle TLS 1.2, and DTLS 1.2 with Connection ID. The Generic 602 Header Compression (6LoWPAN-GHC) works very well for Connection ID 603 and the overhead seems to increase exactly with the length of the 604 Connection ID (which is optimal). The compression of TLS 1.2 is not 605 as good as the compression of DTLS 1.2 (as the static dictionary only 606 contains the DTLS 1.2 version number). Similar compression levels as 607 for DTLS could be achieved also for TLS 1.2, but this would require 608 different static dictionaries. For TLS 1.3 and DTLS 1.3, GHC 609 increases the overhead. The 6LoWPAN-GHC header compression is not 610 available when (D)TLS is used over transports that do not use 6LoWPAN 611 together with 6LoWPAN-GHC. 613 The short header format for DTLS 1.3 reduces the header of 5 bytes, 614 by omitting the length value and sending 1 lower bit of epoch value 615 instead of 2, and 12 lower bits of sequence number instead of 30. 616 This may create problems reconstructing the full sequence number, if 617 ~2000 datagrams in sequence are lost. 619 OSCORE has much lower overhead than DTLS 1.2 and TLS 1.2. The 620 overhead of OSCORE is smaller than DTLS 1.2 and TLS 1.2 over 6LoWPAN 621 with compression, and this small overhead is achieved even on 622 deployments without 6LoWPAN or 6LoWPAN without DTLS compression. 623 OSCORE is lightweight because it makes use of some excellent features 624 in CoAP, CBOR, and COSE. 626 5. Security Considerations 628 This document is purely informational. 630 6. IANA Considerations 632 This document has no actions for IANA. 634 7. Informative References 636 [I-D.ietf-core-object-security] 637 Selander, G., Mattsson, J., Palombini, F., and L. Seitz, 638 "Object Security for Constrained RESTful Environments 639 (OSCORE)", draft-ietf-core-object-security-13 (work in 640 progress), June 2018. 642 [I-D.ietf-tls-dtls-connection-id] 643 Rescorla, E., Tschofenig, H., Fossati, T., and T. Gondrom, 644 "The Datagram Transport Layer Security (DTLS) Connection 645 Identifier", draft-ietf-tls-dtls-connection-id-00 (work in 646 progress), December 2017. 648 [I-D.ietf-tls-dtls13] 649 Rescorla, E., Tschofenig, H., and N. Modadugu, "The 650 Datagram Transport Layer Security (DTLS) Protocol Version 651 1.3", draft-ietf-tls-dtls13-26 (work in progress), March 652 2018. 654 [I-D.ietf-tls-tls13] 655 Rescorla, E., "The Transport Layer Security (TLS) Protocol 656 Version 1.3", draft-ietf-tls-tls13-28 (work in progress), 657 March 2018. 659 [OlegHahm-ghc] 660 Hahm, O., "Generic Header Compression", July 2016, 661 . 663 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 664 (TLS) Protocol Version 1.2", RFC 5246, 665 DOI 10.17487/RFC5246, August 2008, 666 . 668 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 669 Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, 670 January 2012, . 672 [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained 673 Application Protocol (CoAP)", RFC 7252, 674 DOI 10.17487/RFC7252, June 2014, 675 . 677 [RFC7400] Bormann, C., "6LoWPAN-GHC: Generic Header Compression for 678 IPv6 over Low-Power Wireless Personal Area Networks 679 (6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November 680 2014, . 682 [RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer 683 Security (TLS) / Datagram Transport Layer Security (DTLS) 684 Profiles for the Internet of Things", RFC 7925, 685 DOI 10.17487/RFC7925, July 2016, 686 . 688 [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., 689 Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained 690 Application Protocol) over TCP, TLS, and WebSockets", 691 RFC 8323, DOI 10.17487/RFC8323, February 2018, 692 . 694 Acknowledgments 696 The authors want to thank Ari Keraenen, Carsten Bormann, Goeran 697 Selander, and Hannes Tschofenig for comments and suggestions on 698 previous versions of the draft. 700 All 6LoWPAN-GHC compression was done with [OlegHahm-ghc]. 702 Authors' Addresses 704 John Mattsson 705 Ericsson AB 707 Email: john.mattsson@ericsson.com 709 Francesca Palombini 710 Ericsson AB 712 Email: francesca.palombini@ericsson.com