Network Working Group                                        J. Mattsson
Internet-Draft                                              F. Palombini
Intended status: Informational                               Ericsson AB
Expires: July 6, 2019                                    January 2, 2019


                  Comparison of CoAP Security Protocols
             draft-ietf-lwig-security-protocol-comparison-02

Abstract

   This document analyzes and compares per-packet message size overheads
   when using different security protocols to secure CoAP.  The analyzed
   security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, and
   OSCORE.  DTLS and TLS are analyzed with and without 6LoWPAN-GHC
   compression.  DTLS is analyzed with and without Connection ID.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 6, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Overhead of Security Protocols
     2.1.  DTLS 1.2
       2.1.1.  DTLS 1.2
       2.1.2.  DTLS 1.2 with 6LoWPAN-GHC
       2.1.3.  DTLS 1.2 with Connection ID
       2.1.4.  DTLS 1.2 with Connection ID and 6LoWPAN-GHC
     2.2.  DTLS 1.3
       2.2.1.  DTLS 1.3
       2.2.2.  DTLS 1.3 with 6LoWPAN-GHC
       2.2.3.  DTLS 1.3 with Connection ID
       2.2.4.  DTLS 1.3 with Connection ID and 6LoWPAN-GHC
     2.3.  TLS 1.2
       2.3.1.  TLS 1.2
       2.3.2.  TLS 1.2 with 6LoWPAN-GHC
     2.4.  TLS 1.3
       2.4.1.  TLS 1.3
       2.4.2.  TLS 1.3 with 6LoWPAN-GHC
     2.5.  OSCORE
   3.  Overhead with Different Parameters
   4.  Summary
   5.  Security Considerations
   6.  IANA Considerations
   7.  Informative References
   Acknowledgments
   Authors' Addresses

1.  Introduction

   This document analyzes and compares per-packet message size overheads
   when using different security protocols to secure CoAP over UDP
   [RFC7252] and TCP [RFC8323].
   The analyzed security protocols are DTLS 1.2 [RFC6347], DTLS 1.3
   [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3
   [I-D.ietf-tls-tls13], and OSCORE [I-D.ietf-core-object-security].
   The DTLS and TLS record layers are analyzed with and without
   compression.  DTLS is analyzed with and without Connection ID
   [I-D.ietf-tls-dtls-connection-id].  Readers are expected to be
   familiar with some of the terms described in RFC 7925 [RFC7925],
   such as ICV.

2.  Overhead of Security Protocols

   To enable comparison, all the overhead calculations in this section
   use AES-CCM with a tag length of 8 bytes (e.g. AES_128_CCM_8 or
   AES-CCM-16-64), a plaintext of 6 bytes, and the sequence number '05'.
   This follows the example in [RFC7400], Figure 16.

   Note that the compressed overhead calculations for DTLS 1.2, DTLS
   1.3, TLS 1.2 and TLS 1.3 depend on the parameters epoch, sequence
   number, and length, and all the overhead calculations depend on the
   parameter Connection ID when used.  Note that the OSCORE overhead
   calculations depend on the CoAP option numbers, as well as on the
   length of the OSCORE parameters Sender ID and Sequence Number.  The
   following are only examples.

2.1.  DTLS 1.2

2.1.1.  DTLS 1.2

   This section analyzes the overhead of DTLS 1.2 [RFC6347].  The nonce
   follows the strict profiling given in [RFC7925].  This example is
   taken directly from [RFC7400], Figure 16.

   DTLS 1.2 record layer (35 bytes, 29 bytes overhead):
   17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00
   00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
   cb 35 b9

   Content type:
   17
   Version:
   fe fd
   Epoch:
   00 01
   Sequence number:
   00 00 00 00 00 05
   Length:
   00 16
   Nonce:
   00 01 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.2 gives 29 bytes overhead.

2.1.2.  DTLS 1.2 with 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.2 [RFC6347] when
   compressed with 6LoWPAN-GHC [RFC7400].  The compression was done with
   [OlegHahm-ghc].

   Note that the sequence number '01' used in [RFC7400], Figure 15 gives
   an exceptionally small overhead that is not representative.

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed DTLS 1.2 record layer (22 bytes, 16 bytes overhead):
   b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff
   8a 24 e4 cb 35 b9

   Compressed DTLS 1.2 record layer header and nonce:
   b0 c3 03 05 00 16 f2 0e
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
   (epoch, sequence number, length) gives 16 bytes overhead.

2.1.3.  DTLS 1.2 with Connection ID

   This section analyzes the overhead of DTLS 1.2 [RFC6347] with
   Connection ID [I-D.ietf-tls-dtls-connection-id].  The overhead
   calculations in this section use Connection ID = '42'; the Connection
   ID is carried between the sequence number and the length field.  A
   DTLS record layer with Connection ID = '' (the empty string) is equal
   to DTLS without Connection ID.

   DTLS 1.2 record layer (36 bytes, 30 bytes overhead):
   17 fe fd 00 01 00 00 00 00 00 05 42 00 16 00 01
   00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24
   e4 cb 35 b9

   Content type:
   17
   Version:
   fe fd
   Epoch:
   00 01
   Sequence number:
   00 00 00 00 00 05
   Connection ID:
   42
   Length:
   00 16
   Nonce:
   00 01 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.2 with Connection ID gives 30 bytes overhead.

2.1.4.  DTLS 1.2 with Connection ID and 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.2 [RFC6347] with
   Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with
   6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
   Note that the sequence number '01' used in [RFC7400], Figure 15 gives
   an exceptionally small overhead that is not representative.

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed DTLS 1.2 record layer (23 bytes, 17 bytes overhead):
   b0 c3 04 05 42 00 16 f2 0e ae a0 15 56 67 92 4d
   ff 8a 24 e4 cb 35 b9

   Compressed DTLS 1.2 record layer header and nonce:
   b0 c3 04 05 42 00 16 f2 0e
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
   (epoch, sequence number, Connection ID, length) gives 17 bytes
   overhead.

2.2.  DTLS 1.3

2.2.1.  DTLS 1.3

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13].
   The changes compared to DTLS 1.2 are: omission of the version number,
   merging of the epoch into the first byte containing signalling bits,
   optional omission of the length, reduction of the sequence number to
   a 1- or 2-byte field, omission of the explicit nonce, and encryption
   of the content type (which therefore adds one byte to the ciphertext).

   In this example, the length field is omitted, and the 1-byte field is
   used for the sequence number.  The minimal DTLSCiphertext structure
   is used (see Figure 4 of [I-D.ietf-tls-dtls13]).

   DTLS 1.3 record layer (17 bytes, 11 bytes overhead):
   21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9

   First byte (including epoch):
   21
   Sequence number:
   05
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.3 gives 11 bytes overhead.

2.2.2.  DTLS 1.3 with 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
   Compressed DTLS 1.3 record layer (18 bytes, 12 bytes overhead):
   11 21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb
   35 b9

   Compressed DTLS 1.3 record layer header and nonce:
   11 21 05
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
   (epoch, sequence number, no length) gives 12 bytes overhead.

2.2.3.  DTLS 1.3 with Connection ID

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   with Connection ID [I-D.ietf-tls-dtls-connection-id].

   In this example, the length field is omitted, and the 1-byte field is
   used for the sequence number.  The minimal DTLSCiphertext structure
   is used (see Figure 4 of [I-D.ietf-tls-dtls13]), with the addition of
   the Connection ID field.

   DTLS 1.3 record layer (18 bytes, 12 bytes overhead):
   31 42 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9

   First byte (including epoch):
   31
   Connection ID:
   42
   Sequence number:
   05
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.3 with Connection ID gives 12 bytes overhead.

2.2.4.  DTLS 1.3 with Connection ID and 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed
   with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
   Compressed DTLS 1.3 record layer (19 bytes, 13 bytes overhead):
   12 31 05 42 ae a0 15 56 67 92 ec 4d ff 8a 24 e4
   cb 35 b9

   Compressed DTLS 1.3 record layer header and nonce:
   12 31 05 42
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
   (epoch, sequence number, Connection ID, no length) gives 13 bytes
   overhead.

2.3.  TLS 1.2

2.3.1.  TLS 1.2

   This section analyzes the overhead of TLS 1.2 [RFC5246].  The changes
   compared to DTLS 1.2 are that the TLS 1.2 record layer does not have
   epoch and sequence number fields, and that the version is different.
   The sequence number is still sent on the wire, as the explicit nonce.

   TLS 1.2 record layer (27 bytes, 21 bytes overhead):
   17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15
   56 67 92 4d ff 8a 24 e4 cb 35 b9

   Content type:
   17
   Version:
   03 03
   Length:
   00 16
   Nonce:
   00 00 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   TLS 1.2 gives 21 bytes overhead.

2.3.2.  TLS 1.2 with 6LoWPAN-GHC

   This section analyzes the overhead of TLS 1.2 [RFC5246] when
   compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when TLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed TLS 1.2 record layer (23 bytes, 17 bytes overhead):
   05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d
   ff 8a 24 e4 cb 35 b9

   Compressed TLS 1.2 record layer header and nonce:
   05 17 03 03 00 16 85 0f 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters
   (sequence number in the explicit nonce, length) gives 17 bytes
   overhead.

2.4.  TLS 1.3

2.4.1.  TLS 1.3

   This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13].
   The changes compared to TLS 1.2 are that the explicit nonce is
   omitted and that the content type is encrypted (adding one byte to
   the ciphertext); the version field is a legacy field and keeps the
   value 03 03.

   TLS 1.3 record layer (20 bytes, 14 bytes overhead):
   17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a 24
   e4 cb 35 b9

   Content type:
   17
   Legacy version:
   03 03
   Length:
   00 0f
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   TLS 1.3 gives 14 bytes overhead.

2.4.2.  TLS 1.3 with 6LoWPAN-GHC

   This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13]
   when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when TLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed TLS 1.3 record layer (21 bytes, 15 bytes overhead):
   14 17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a
   24 e4 cb 35 b9

   Compressed TLS 1.3 record layer header and nonce:
   14 17 03 03 00 0f
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters
   gives 15 bytes overhead, i.e. one byte more than without compression.

2.5.  OSCORE

   This section analyzes the overhead of OSCORE
   [I-D.ietf-core-object-security].

   The calculation below uses Option Delta = '9', Sender ID = '' (the
   empty string), and Sequence Number = '05', and is only an example.
   Note that Sender ID = '' (the empty string) can only be used by one
   client per server.
   OSCORE request (19 bytes, 13 bytes overhead):
   92 09 05
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP option delta and length:
   92
   Option value (flag byte and sequence number):
   09 05
   Payload marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   The calculation below uses Option Delta = '9', Sender ID = '42', and
   Sequence Number = '05', and is only an example.

   OSCORE request (20 bytes, 14 bytes overhead):
   93 09 05 42
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP option delta and length:
   93
   Option value (flag byte, sequence number, and Sender ID):
   09 05 42
   Payload marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   The calculation below uses Option Delta = '9'.  The OSCORE option in
   a response is empty, since the Sequence Number and Sender ID are
   those of the corresponding request.

   OSCORE response (17 bytes, 11 bytes overhead):
   90
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP option delta and length:
   90
   Option value:
   -
   Payload marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   OSCORE with the above parameters gives 13-14 bytes overhead for
   requests and 11 bytes overhead for responses.

   Unlike DTLS and TLS, OSCORE has much smaller overhead for responses
   than for requests.

3.  Overhead with Different Parameters

   The DTLS overhead depends on the parameter Connection ID.  The
   following overheads apply for all Connection IDs with the same
   length.

   The compression overhead (GHC) depends on the parameters epoch,
   sequence number, Connection ID, and length (where applicable).  The
   following overheads should be representative for sequence numbers and
   Connection IDs with the same length.
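   The following Python script is an added worked example; it is not
   part of this draft and not code from any of the referenced projects.
   It builds the uncompressed record layouts of Section 2 byte for byte,
   using the same placeholder ciphertext and ICV bytes that the draft
   prints (nothing is encrypted), and computes the overheads of Figures
   1 to 3 as a function of the sequence number and the Connection/
   Sender ID.  It also contains a receiver-side reconstruction of the
   truncated DTLS 1.3 sequence number that the minimal header discussed
   in Section 4 requires.  The DTLS 1.3 unified-header bit layout
   (001CSLEE), the OSCORE option flag byte (k bit plus Partial IV
   length) and the reconstruction rule (closest candidate to the
   expected sequence number) are taken from the referenced drafts as
   this example understands them; the 6LoWPAN-GHC cases are not
   modeled.

```python
# Added example, not part of the draft: serializes the uncompressed record
# layouts of Section 2 and computes the overheads of Section 3.
# CT, ICV and ENC_TYPE are the placeholder bytes printed in the draft;
# nothing here performs encryption.
from typing import Dict, Optional

PLAINTEXT_LEN = 6
CT = bytes.fromhex("ae a0 15 56 67 92")          # placeholder ciphertext
ICV = bytes.fromhex("4d ff 8a 24 e4 cb 35 b9")   # placeholder 8-byte CCM tag
ENC_TYPE = b"\xec"   # encrypted content type ((D)TLS 1.3) / encrypted code (OSCORE)


def dtls12_record(epoch: int, seq: bytes, cid: bytes = b"") -> bytes:
    """DTLS 1.2 record with the RFC 7925 explicit nonce (epoch || seq).
    The CID, if any, sits between the sequence number and the length."""
    seq6 = seq.rjust(6, b"\x00")
    body = epoch.to_bytes(2, "big") + seq6 + CT + ICV   # nonce || ciphertext || ICV
    return (b"\x17\xfe\xfd" + epoch.to_bytes(2, "big") + seq6 + cid
            + len(body).to_bytes(2, "big") + body)


def dtls13_record(epoch: int, seq: bytes, cid: bytes = b"") -> bytes:
    """Minimal DTLS 1.3 DTLSCiphertext.  First byte 0 0 1 C S L E E:
    C = CID present, S = 2-byte sequence number, L = length present (0 here),
    EE = low bits of the epoch.  Only the low 1 or 2 bytes of seq are sent."""
    seq_len = 1 if len(seq) == 1 else 2
    first = 0x20 | (0x10 if cid else 0) | (0x08 if seq_len == 2 else 0) | (epoch & 0x03)
    return bytes([first]) + cid + seq[-seq_len:] + CT + ENC_TYPE + ICV


def tls12_record(seq: bytes) -> bytes:
    """TLS 1.2 record: no epoch/sequence fields, but an explicit 8-byte nonce."""
    body = seq.rjust(8, b"\x00") + CT + ICV
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body


def tls13_record() -> bytes:
    """TLS 1.3 record: legacy version 03 03, implicit nonce, encrypted type."""
    body = CT + ENC_TYPE + ICV
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body


def coap_option(delta: int, value: bytes) -> bytes:
    """CoAP option header: delta and length nibbles with the 13/14 extensions."""
    def split(x: int):
        if x < 13:
            return x, b""
        if x < 269:
            return 13, bytes([x - 13])
        return 14, (x - 269).to_bytes(2, "big")
    dn, dext = split(delta)
    ln, lext = split(len(value))
    return bytes([(dn << 4) | ln]) + dext + lext + value


def oscore_request(delta: int, piv: bytes, kid: Optional[bytes]) -> bytes:
    """OSCORE request.  Option value = flag byte || Partial IV || kid; the flag
    byte carries n = len(Partial IV) and the k bit when a kid is present
    (an empty kid still sets k, so '' costs one byte less than '42')."""
    flags = (0x08 if kid is not None else 0) | len(piv)
    value = bytes([flags]) + piv + (kid or b"")
    return coap_option(delta, value) + b"\xff" + ENC_TYPE + CT + ICV


def oscore_response(delta: int) -> bytes:
    """OSCORE response: empty option; Partial IV and kid come from the request."""
    return coap_option(delta, b"") + b"\xff" + ENC_TYPE + CT + ICV


def overhead(msg: bytes, include_icv: bool = True) -> int:
    """Bytes on the wire beyond the 6-byte plaintext (Figure 3 excludes the ICV)."""
    return len(msg) - PLAINTEXT_LEN - (0 if include_icv else len(ICV))


def overheads(seq: bytes, cid: bytes = b"") -> Dict[str, int]:
    """One row of Figure 1/2; cid doubles as the OSCORE Sender ID."""
    return {
        "DTLS 1.2": overhead(dtls12_record(1, seq, cid)),
        "DTLS 1.3": overhead(dtls13_record(1, seq, cid)),
        "TLS 1.2": overhead(tls12_record(seq)),
        "TLS 1.3": overhead(tls13_record()),
        "OSCORE request": overhead(oscore_request(9, seq, cid)),
        "OSCORE response": overhead(oscore_response(9)),
    }


def reconstruct_seq(expected: int, low: int, seq_len: int) -> int:
    """Receiver side of the truncated DTLS 1.3 sequence number: take the full
    number with the received low bytes that is closest to the expected next
    one.  With a 1-byte field this picks the wrong value once more than ~128
    records in a row are lost, which is the caveat raised in Section 4."""
    mod = 1 << (8 * seq_len)
    base = expected - expected % mod + low
    return min((c for c in (base - mod, base, base + mod) if c >= 0),
               key=lambda c: abs(c - expected))


if __name__ == "__main__":
    for s in ("05", "1005", "100005"):
        print("seq", s, overheads(bytes.fromhex(s)))
    for c in ("42", "4002"):
        print("cid", c, overheads(bytes.fromhex("05"), bytes.fromhex(c)))
    print("127 lost:", reconstruct_seq(300, 427 % 256, 1),
          " 200 lost:", reconstruct_seq(300, 500 % 256, 1))
```

   Running the script reproduces the hex dumps of Section 2 and the
   uncompressed rows of Figures 1 to 3; the last line shows the
   1-byte sequence number being reconstructed correctly after 127 lost
   records and incorrectly (244 instead of 500) after 200.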
   The OSCORE overhead depends on the included CoAP Option numbers as
   well as on the length of the OSCORE parameters Sender ID and
   sequence number.  The following overheads apply for all sequence
   numbers and Sender IDs with the same length.

   Sequence Number            '05'     '1005'   '100005'
   -------------------------------------------------------
   DTLS 1.2                    29        29        29
   DTLS 1.3                    11        12        12
   -------------------------------------------------------
   DTLS 1.2 (GHC)              16        16        16
   DTLS 1.3 (GHC)              12        13        13
   -------------------------------------------------------
   TLS 1.2                     21        21        21
   TLS 1.3                     14        14        14
   -------------------------------------------------------
   TLS 1.2 (GHC)               17        18        19
   TLS 1.3 (GHC)               15        16        17
   -------------------------------------------------------
   OSCORE request              13        14        15
   OSCORE response             11        11        11

      Figure 1: Overhead in bytes as a function of sequence number
                       (Connection/Sender ID = '')

   Connection/Sender ID        ''       '42'     '4002'
   -------------------------------------------------------
   DTLS 1.2                    29        30        31
   DTLS 1.3                    11        12        13
   -------------------------------------------------------
   DTLS 1.2 (GHC)              16        17        18
   DTLS 1.3 (GHC)              12        13        14
   -------------------------------------------------------
   OSCORE request              13        14        15
   OSCORE response             11        11        11

    Figure 2: Overhead in bytes as a function of Connection/Sender ID
                          (Sequence Number = '05')

   Protocol                 Overhead     Overhead (GHC)
   -------------------------------------------------------
   DTLS 1.2                    21              8
   DTLS 1.3                     3              4
   -------------------------------------------------------
   TLS 1.2                     13              9
   TLS 1.3                      6              7
   -------------------------------------------------------
   OSCORE request               5
   OSCORE response              3

               Figure 3: Overhead (excluding ICV) in bytes
          (Connection/Sender ID = '', Sequence Number = '05')

4.  Summary

   DTLS 1.2 has quite a large overhead as it uses an explicit sequence
   number and an explicit nonce.  TLS 1.2 has significantly less (but
   not small) overhead.  TLS 1.3 has quite a small overhead.  OSCORE and
   DTLS 1.3 (using the minimal structure) have very small overhead.

   The Generic Header Compression (6LoWPAN-GHC) can, in addition to DTLS
   1.2, handle TLS 1.2 and DTLS 1.2 with Connection ID.  6LoWPAN-GHC
   works very well for Connection ID: the overhead increases exactly
   with the length of the Connection ID, which is optimal.  The
   compression of TLS 1.2 is not as good as the compression of DTLS 1.2,
   as the static dictionary only contains the DTLS 1.2 version number.
   Similar compression levels as for DTLS could be achieved also for TLS
   1.2, but this would require different static dictionaries.  For TLS
   1.3 and DTLS 1.3, GHC increases the overhead.  The 6LoWPAN-GHC header
   compression is not available when (D)TLS is used over transports that
   do not use 6LoWPAN together with 6LoWPAN-GHC.

   Only the minimal header format for DTLS 1.3 was considered, which
   reduces the header by 3 bytes compared to the full header, by
   omitting the 2-byte length value and sending 1 byte of sequence
   number instead of 2.  A 1-byte sequence number field wraps every 256
   records, so a receiver that reconstructs the full sequence number by
   choosing the candidate closest to the expected one chooses wrongly
   once more than about 128 datagrams in sequence are lost.  The 2-byte
   field moves that limit to about 32768 lost datagrams at the cost of
   one byte per record.

   OSCORE has much lower overhead than DTLS 1.2 and TLS 1.2.  The
   overhead of OSCORE is smaller than that of DTLS 1.2 and TLS 1.2 over
   6LoWPAN with compression, and this small overhead is achieved even on
   deployments without 6LoWPAN, or with 6LoWPAN but without DTLS
   compression.  OSCORE is lightweight because it makes use of CoAP,
   CBOR, and COSE, which were designed to have as low overhead as
   possible.

5.  Security Considerations

   This document is purely informational.  It compares message sizes
   only and makes no claim about the relative security of the analyzed
   protocols; the ciphertext and ICV bytes in the examples are the same
   placeholder values throughout and are not outputs of real encryption.

6.  IANA Considerations

   This document has no actions for IANA.

7.  Informative References

   [I-D.ietf-core-object-security]
              Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
              "Object Security for Constrained RESTful Environments
              (OSCORE)", draft-ietf-core-object-security-15 (work in
              progress), August 2018.

   [I-D.ietf-tls-dtls-connection-id]
              Rescorla, E., Tschofenig, H., Fossati, T., and T. Gondrom,
              "Connection Identifiers for DTLS 1.2", draft-ietf-tls-
              dtls-connection-id-02 (work in progress), October 2018.

   [I-D.ietf-tls-dtls13]
              Rescorla, E., Tschofenig, H., and N. Modadugu, "The
              Datagram Transport Layer Security (DTLS) Protocol Version
              1.3", draft-ietf-tls-dtls13-30 (work in progress),
              November 2018.

   [I-D.ietf-tls-tls13]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-28 (work in progress),
              March 2018.

   [OlegHahm-ghc]
              Hahm, O., "Generic Header Compression", July 2016.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014.

   [RFC7400]  Bormann, C., "6LoWPAN-GHC: Generic Header Compression for
              IPv6 over Low-Power Wireless Personal Area Networks
              (6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November
              2014.

   [RFC7925]  Tschofenig, H., Ed. and T. Fossati, "Transport Layer
              Security (TLS) / Datagram Transport Layer Security (DTLS)
              Profiles for the Internet of Things", RFC 7925,
              DOI 10.17487/RFC7925, July 2016.

   [RFC8323]  Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
              Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
              Application Protocol) over TCP, TLS, and WebSockets",
              RFC 8323, DOI 10.17487/RFC8323, February 2018.

Acknowledgments

   The authors want to thank Ari Keraenen, Carsten Bormann, Goeran
   Selander, and Hannes Tschofenig for comments and suggestions on
   previous versions of the draft.

   All 6LoWPAN-GHC compression was done with [OlegHahm-ghc].

Authors' Addresses

   John Mattsson
   Ericsson AB

   Email: john.mattsson@ericsson.com


   Francesca Palombini
   Ericsson AB

   Email: francesca.palombini@ericsson.com