LWIG Working Group                                           J. Mattsson
Internet-Draft                                              F. Palombini
Intended status: Informational                               Ericsson AB
Expires: September 10, 2020                                   M. Vucinic
                                                                   INRIA
                                                          March 09, 2020

                 Comparison of CoAP Security Protocols
            draft-ietf-lwig-security-protocol-comparison-04

Abstract

   This document analyzes and compares the sizes of key exchange flights
   and the per-packet message size overheads when using different
   security protocols to secure CoAP.  The analyzed security protocols
   are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, EDHOC, OSCORE, and Group
   OSCORE.  The DTLS and TLS record layers are analyzed with and without
   6LoWPAN-GHC compression.  DTLS is analyzed with and without
   Connection ID.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 10, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Overhead of Key Exchange Protocols
     2.1.  Summary
     2.2.  DTLS 1.3
       2.2.1.  Message Sizes RPK + ECDHE
       2.2.2.  Message Sizes PSK + ECDHE
       2.2.3.  Message Sizes PSK
       2.2.4.  Cached Information
       2.2.5.  Resumption
       2.2.6.  Without Connection ID
       2.2.7.  DTLS Raw Public Keys
     2.3.  TLS 1.3
       2.3.1.  Message Sizes RPK + ECDHE
       2.3.2.  Message Sizes PSK + ECDHE
       2.3.3.  Message Sizes PSK
     2.4.  EDHOC
       2.4.1.  Message Sizes RPK
       2.4.2.  Message Sizes PSK
       2.4.3.  message_1
       2.4.4.  message_2
       2.4.5.  message_3
       2.4.6.  Summary
     2.5.  Conclusion
   3.  Overhead for Protection of Application Data
     3.1.  Summary
     3.2.  DTLS 1.2
       3.2.1.  DTLS 1.2
       3.2.2.  DTLS 1.2 with 6LoWPAN-GHC
       3.2.3.  DTLS 1.2 with Connection ID
       3.2.4.  DTLS 1.2 with Connection ID and 6LoWPAN-GHC
     3.3.  DTLS 1.3
       3.3.1.  DTLS 1.3
       3.3.2.  DTLS 1.3 with 6LoWPAN-GHC
       3.3.3.  DTLS 1.3 with Connection ID
       3.3.4.  DTLS 1.3 with Connection ID and 6LoWPAN-GHC
     3.4.  TLS 1.2
       3.4.1.  TLS 1.2
       3.4.2.  TLS 1.2 with 6LoWPAN-GHC
     3.5.  TLS 1.3
       3.5.1.  TLS 1.3
       3.5.2.  TLS 1.3 with 6LoWPAN-GHC
     3.6.  OSCORE
     3.7.  Group OSCORE
     3.8.  Conclusion
   4.  Security Considerations
   5.  IANA Considerations
   6.  Informative References
   Acknowledgments
   Authors' Addresses

1.  Introduction

   This document analyzes and compares the sizes of key exchange flights
   and the per-packet message size overheads when using different
   security protocols to secure CoAP over UDP [RFC7252] and TCP
   [RFC8323].
   The analyzed security protocols are DTLS 1.2 [RFC6347],
   DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [RFC8446],
   EDHOC [I-D.selander-lake-edhoc], OSCORE [RFC8613], and Group OSCORE
   [I-D.ietf-core-oscore-groupcomm].

   The DTLS and TLS record layers are analyzed with and without
   6LoWPAN-GHC compression.  DTLS is analyzed with and without
   Connection ID [I-D.ietf-tls-dtls-connection-id].  Readers are
   expected to be familiar with some of the terms described in RFC 7925
   [RFC7925], such as ICV.  Section 2 compares the overhead of key
   exchange, while Section 3 covers the overhead for protection of
   application data.

2.  Overhead of Key Exchange Protocols

   This section analyzes and compares the sizes of key exchange flights
   for different protocols.

   To enable a fair comparison between protocols, the following
   assumptions are made:

   o  All the overhead calculations in this section use AES-CCM with a
      tag length of 8 bytes (e.g. AES_128_CCM_8 or AES-CCM-16-64-128).

   o  A minimum number of algorithms and cipher suites is offered.  The
      algorithms used/offered are Curve25519, ECDSA with P-256,
      AES-CCM_8, SHA-256.

   o  The length of key identifiers is 1 byte.

   o  The length of connection identifiers is 1 byte.

   o  DTLS RPK makes use of point compression, which saves 32 bytes.

   o  DTLS handshake message fragmentation is not considered.

   o  Only the DTLS mandatory extensions are considered, except for
      Connection ID.

   Section 2.1 gives a short summary of the message overhead based on
   different parameters and some assumptions.  The following sections
   detail the assumptions and the calculations.

2.1.  Summary

   The DTLS overhead is dependent on the parameter Connection ID.  The
   following overheads apply for all Connection IDs of the same length,
   when Connection ID is used.

   The EDHOC overhead is dependent on the key identifiers included.
   The following overheads apply for Sender IDs of the same length.

   All the overheads are dependent on the tag length.  The following
   overheads apply for tags of the same length.

   Figure 1 compares the message sizes of EDHOC
   [I-D.selander-lake-edhoc] with the DTLS 1.3 [I-D.ietf-tls-dtls13] and
   TLS 1.3 [RFC8446] handshakes with connection ID.

   =====================================================================
   Flight                                #1         #2        #3   Total
   ---------------------------------------------------------------------
   DTLS 1.3 RPK + ECDHE                 150        373       213     736
   DTLS 1.3 Cached X.509/RPK + ECDHE    182        347       213     742
   DTLS 1.3 PSK + ECDHE                 184        190        57     431
   DTLS 1.3 PSK                         134        150        57     341
   ---------------------------------------------------------------------
   EDHOC RPK + ECDHE                     37         46        20     103
   EDHOC PSK + ECDHE                     38         44        10      92
   =====================================================================

     Figure 1: Comparison of message sizes in bytes with Connection ID

   Figure 2 compares the message sizes of DTLS 1.3 [I-D.ietf-tls-dtls13]
   and TLS 1.3 [RFC8446] handshakes without connection ID.

   =====================================================================
   Flight                                #1         #2        #3   Total
   ---------------------------------------------------------------------
   DTLS 1.3 RPK + ECDHE                 144        364       212     722
   DTLS 1.3 PSK + ECDHE                 178        183        56     417
   DTLS 1.3 PSK                         128        143        56     327
   ---------------------------------------------------------------------
   TLS 1.3  RPK + ECDHE                 129        322       194     645
   TLS 1.3  PSK + ECDHE                 163        157        50     370
   TLS 1.3  PSK                         113        117        50     280
   =====================================================================

   Figure 2: Comparison of message sizes in bytes without Connection ID

   The details of the message size calculations are given in the
   following sections.

2.2.  DTLS 1.3

   This section gives an estimate of the message sizes of DTLS 1.3 with
   different authentication methods.
   Note that the examples in this
   section are not test vectors; the cryptographic parts are just
   replaced with byte strings of the same length, while other fixed
   length fields are replaced with arbitrary strings or omitted, in
   which case their length is indicated.  Values that are not arbitrary
   are given in hexadecimal.

2.2.1.  Message Sizes RPK + ECDHE

   In this section, a Connection ID of 1 byte is used.

2.2.1.1.  flight_1

   Record Header - DTLSPlaintext (13 bytes):
   16 fe fd EE EE SS SS SS SS SS SS LL LL

     Handshake Header - Client Hello (10 bytes):
     01 LL LL LL SS SS 00 00 00 LL LL LL

       Legacy Version (2 bytes):
       fe fd

       Client Random (32 bytes):
       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
       16 17 18 19 1a 1b 1c 1d 1e 1f

       Legacy Session ID (1 byte):
       00

       Legacy Cookie (1 byte):
       00

       Cipher Suites (TLS_AES_128_CCM_8_SHA256) (4 bytes):
       00 02 13 05

       Compression Methods (null) (2 bytes):
       01 00

       Extensions Length (2 bytes):
       LL LL

         Extension - Supported Groups (x25519) (8 bytes):
         00 0a 00 04 00 02 00 1d

         Extension - Signature Algorithms (ecdsa_secp256r1_sha256)
         (8 bytes):
         00 0d 00 04 00 02 08 07

         Extension - Key Share (42 bytes):
         00 33 00 26 00 24 00 1d 00 20
         00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
         16 17 18 19 1a 1b 1c 1d 1e 1f

         Extension - Supported Versions (1.3) (7 bytes):
         00 2b 00 03 02 03 04

         Extension - Client Certificate Type (Raw Public Key) (6 bytes):
         00 13 00 01 01 02

         Extension - Server Certificate Type (Raw Public Key) (6 bytes):
         00 14 00 01 01 02

         Extension - Connection Identifier (43) (6 bytes):
         XX XX 00 02 01 42

   13 + 10 + 2 + 32 + 1 + 1 + 4 + 2 + 2 + 8 + 8 + 42 + 7 + 6 + 6 + 6
   = 150 bytes

   DTLS 1.3 RPK + ECDHE flight_1 gives 150 bytes of overhead.

2.2.1.2.  flight_2

   Record Header - DTLSPlaintext (13 bytes):
   16 fe fd EE EE SS SS SS SS SS SS LL LL

     Handshake Header - Server Hello (10 bytes):
     02 LL LL LL SS SS 00 00 00 LL LL LL

       Legacy Version (2 bytes):
       fe fd

       Server Random (32 bytes):
       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
       16 17 18 19 1a 1b 1c 1d 1e 1f

       Legacy Session ID (1 byte):
       00

       Cipher Suite (TLS_AES_128_CCM_8_SHA256) (2 bytes):
       13 05

       Compression Method (null) (1 byte):
       00

       Extensions Length (2 bytes):
       LL LL

         Extension - Key Share (40 bytes):
         00 33 00 24 00 1d 00 20
         00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
         16 17 18 19 1a 1b 1c 1d 1e 1f

         Extension - Supported Versions (1.3) (6 bytes):
         00 2b 00 02 03 04

         Extension - Connection Identifier (43) (6 bytes):
         XX XX 00 02 01 43

   Record Header - DTLSCiphertext, Full (6 bytes):
   HH ES SS 43 LL LL

     Handshake Header - Encrypted Extensions (10 bytes):
     08 LL LL LL SS SS 00 00 00 LL LL LL

       Extensions Length (2 bytes):
       LL LL

         Extension - Client Certificate Type (Raw Public Key) (6 bytes):
         00 13 00 01 01 02

         Extension - Server Certificate Type (Raw Public Key) (6 bytes):
         00 14 00 01 01 02

     Handshake Header - Certificate Request (10 bytes):
     0d LL LL LL SS SS 00 00 00 LL LL LL

       Request Context (1 byte):
       00

       Extensions Length (2 bytes):
       LL LL

         Extension - Signature Algorithms (ecdsa_secp256r1_sha256)
         (8 bytes):
         00 0d 00 04 00 02 08 07

     Handshake Header - Certificate (10 bytes):
     0b LL LL LL SS SS 00 00 00 LL LL LL

       Request Context (1 byte):
       00

       Certificate List Length (3 bytes):
       LL LL LL

       Certificate Length (3 bytes):
       LL LL LL

       Certificate (59 bytes) // Point compression
       ....
       Certificate Extensions (2 bytes):
       00 00

     Handshake Header - Certificate Verify (10 bytes):
     0f LL LL LL SS SS 00 00 00 LL LL LL

       Signature (68 bytes):
       ZZ ZZ 00 40 ....

     Handshake Header - Finished (10 bytes):
     14 LL LL LL SS SS 00 00 00 LL LL LL

       Verify Data (32 bytes):
       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
       16 17 18 19 1a 1b 1c 1d 1e 1f

     Record Type (1 byte):
     16

   Auth Tag (8 bytes):
   e0 8b 0e 45 5a 35 0a e5

   13 + 102 + 6 + 24 + 21 + 78 + 78 + 42 + 1 + 8 = 373 bytes

   DTLS 1.3 RPK + ECDHE flight_2 gives 373 bytes of overhead.

2.2.1.3.  flight_3

   Record Header (6 bytes) // DTLSCiphertext, Full:
   ZZ ES SS 42 LL LL

     Handshake Header - Certificate (10 bytes):
     0b LL LL LL SS SS XX XX XX LL LL LL

       Request Context (1 byte):
       00

       Certificate List Length (3 bytes):
       LL LL LL

       Certificate Length (3 bytes):
       LL LL LL

       Certificate (59 bytes) // Point compression
       ....

       Certificate Extensions (2 bytes):
       00 00

     Handshake Header - Certificate Verify (10 bytes):
     0f LL LL LL SS SS 00 00 00 LL LL LL

       Signature (68 bytes):
       04 03 LL LL //ecdsa_secp256r1_sha256
       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
       16 17 18 19 1a 1b 1c 1d 1e 1f 00 01 02 03 04 05 06 07 08 09 0a 0b
       0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

     Handshake Header - Finished (10 bytes):
     14 LL LL LL SS SS 00 00 00 LL LL LL

       Verify Data (32 bytes) // SHA-256:
       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
       16 17 18 19 1a 1b 1c 1d 1e 1f

     Record Type (1 byte):
     16

   Auth Tag (8 bytes) // AES-CCM_8:
   00 01 02 03 04 05 06 07

   6 + 78 + 78 + 42 + 1 + 8 = 213 bytes

   DTLS 1.3 RPK + ECDHE flight_3 gives 213 bytes of overhead.

2.2.2.  Message Sizes PSK + ECDHE

2.2.2.1.  flight_1

   The differences in overhead compared to Section 2.2.1.1 are:

   The following is added:

   + Extension - PSK Key Exchange Modes (6 bytes):
     00 2d 00 02 01 01

   + Extension - Pre Shared Key (48 bytes):
     00 29 00 2F
     00 0a 00 01 ID 00 00 00 00
     00 21 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
     14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

   The following is removed:

   - Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes)

   - Extension - Client Certificate Type (Raw Public Key) (6 bytes)

   - Extension - Server Certificate Type (Raw Public Key) (6 bytes)

   In total:

   150 + 6 + 48 - 8 - 6 - 6 = 184 bytes

   DTLS 1.3 PSK + ECDHE flight_1 gives 184 bytes of overhead.

2.2.2.2.  flight_2

   The differences in overhead compared to Section 2.2.1.2 are:

   The following is added:

   + Extension - Pre Shared Key (6 bytes)
     00 29 00 02 00 00

   The following is removed:

   - Handshake Message Certificate (78 bytes)

   - Handshake Message CertificateVerify (78 bytes)

   - Handshake Message CertificateRequest (21 bytes)

   - Extension - Client Certificate Type (Raw Public Key) (6 bytes)

   - Extension - Server Certificate Type (Raw Public Key) (6 bytes)

   In total:

   373 - 78 - 78 - 21 - 6 - 6 + 6 = 190 bytes

   DTLS 1.3 PSK + ECDHE flight_2 gives 190 bytes of overhead.

2.2.2.3.  flight_3

   The differences in overhead compared to Section 2.2.1.3 are:

   The following is removed:

   - Handshake Message Certificate (78 bytes)

   - Handshake Message Certificate Verify (78 bytes)

   In total:

   213 - 78 - 78 = 57 bytes

   DTLS 1.3 PSK + ECDHE flight_3 gives 57 bytes of overhead.

2.2.3.  Message Sizes PSK

2.2.3.1.  flight_1

   The differences in overhead compared to Section 2.2.2.1 are:

   The following is removed:

   - Extension - Supported Groups (x25519) (8 bytes)

   - Extension - Key Share (42 bytes)

   In total:

   184 - 8 - 42 = 134 bytes

   DTLS 1.3 PSK flight_1 gives 134 bytes of overhead.

2.2.3.2.  flight_2

   The differences in overhead compared to Section 2.2.2.2 are:

   The following is removed:

   - Extension - Key Share (40 bytes)

   In total:

   190 - 40 = 150 bytes

   DTLS 1.3 PSK flight_2 gives 150 bytes of overhead.

2.2.3.3.  flight_3

   There are no differences in overhead compared to Section 2.2.2.3.

   DTLS 1.3 PSK flight_3 gives 57 bytes of overhead.

2.2.4.  Cached Information

   In this section, we consider the effect of [RFC7924] on the message
   size overhead.

   Cached information together with server X.509 can be used to move
   bytes from flight #2 to flight #1 (cached RPK increases the number of
   bytes compared to cached X.509).

   The differences compared to Section 2.2.1 are the following.

   For flight #1, the following is added:

   + Extension - Client Cached Information (39 bytes):
     00 19 LL LL LL LL
     01 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
     16 17 18 19 1a 1b 1c 1d 1e 1f

   And the following is removed:

   - Extension - Server Certificate Type (Raw Public Key) (6 bytes)

   Giving a total of:

   150 + 33 = 183 bytes

   For flight #2, the following is added:

   + Extension - Server Cached Information (7 bytes):
     00 19 LL LL LL LL 01

   And the following is removed:

   - Extension - Server Certificate Type (Raw Public Key) (6 bytes)

   - Server Certificate (59 bytes -> 32 bytes)

   Giving a total of:

   373 - 26 = 347 bytes

   A summary of the calculation is given in Figure 3.
   ======================================================================
   Flight                                #1         #2        #3   Total
   ----------------------------------------------------------------------
   DTLS 1.3 Cached X.509/RPK + ECDHE    183        347       213     743
   DTLS 1.3 RPK + ECDHE                 150        373       213     736
   ======================================================================

     Figure 3: Comparison of message sizes in bytes for DTLS 1.3 RPK +
                  ECDH with and without cached X.509

2.2.5.  Resumption

   To enable resumption, a 4th flight (New Session Ticket) is added to
   the PSK handshake.

   Record Header - DTLSCiphertext, Full (6 bytes):
   HH ES SS 43 LL LL

     Handshake Header - New Session Ticket (10 bytes):
     04 LL LL LL SS SS 00 00 00 LL LL LL

       Ticket Lifetime (4 bytes):
       00 01 02 03

       Ticket Age Add (4 bytes):
       00 01 02 03

       Ticket Nonce (2 bytes):
       01 00

       Ticket (6 bytes):
       00 04 ID ID ID ID

       Extensions (2 bytes):
       00 00

   Auth Tag (8 bytes) // AES-CCM_8:
   00 01 02 03 04 05 06 07

   6 + 10 + 4 + 4 + 2 + 6 + 2 + 8 = 42 bytes

   The initial handshake when resumption is enabled is just a PSK
   handshake with 134 + 150 + 57 + 42 = 383 bytes.

2.2.6.  Without Connection ID

   Without a Connection ID the DTLS 1.3 flight sizes change as follows.

   DTLS 1.3 Flight #1:   -6 bytes
   DTLS 1.3 Flight #2:   -7 bytes
   DTLS 1.3 Flight #3:   -1 byte

   =======================================================================
   Flight                                #1         #2        #3   Total
   -----------------------------------------------------------------------
   DTLS 1.3 RPK + ECDHE (no cid)        144        364       212     722
   DTLS 1.3 PSK + ECDHE (no cid)        178        183        56     417
   DTLS 1.3 PSK (no cid)                128        143        56     327
   =======================================================================

     Figure 4: Comparison of message sizes in bytes for DTLS 1.3 without
                               Connection ID

2.2.7.  DTLS Raw Public Keys

   TODO

2.2.7.1.  SubjectPublicKeyInfo without point compression

   0x30 // Sequence
   0x59 // Size 89

   0x30 // Sequence
   0x13 // Size 19
   0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01
        // OID 1.2.840.10045.2.1 (ecPublicKey)
   0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07
        // OID 1.2.840.10045.3.1.7 (secp256r1)

   0x03 // Bit string
   0x42 // Size 66
   0x00 // Unused bits 0
   0x04 // Uncompressed
   ...... 64 bytes X and Y

   Total of 91 bytes

2.2.7.2.  SubjectPublicKeyInfo with point compression

   0x30 // Sequence
   0x59 // Size 89

   0x30 // Sequence
   0x13 // Size 19
   0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01
        // OID 1.2.840.10045.2.1 (ecPublicKey)
   0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07
        // OID 1.2.840.10045.3.1.7 (secp256r1)

   0x03 // Bit string
   0x42 // Size 66
   0x00 // Unused bits 0
   0x03 // Compressed
   ...... 32 bytes X

   Total of 59 bytes

2.3.  TLS 1.3

   In this section, the message sizes are calculated for TLS 1.3.  The
   major changes compared to DTLS 1.3 are that the record header is
   smaller, the handshake headers are smaller, and that Connection ID is
   not supported.  Recently, additional work has taken shape with the
   goal to further reduce overhead for TLS 1.3 (see
   [I-D.rescorla-tls-ctls]).

   TLS Assumptions:

   o  Minimum number of algorithms and cipher suites offered

   o  Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256

   o  Length of key identifiers: 1 byte

   o  TLS RPK with point compression (saves 32 bytes)

   o  Only mandatory TLS extensions

   For the PSK calculations, [Ulfheim-TLS13] was a useful resource,
   while for RPK calculations we followed the work of [IoT-Cert].

2.3.1.  Message Sizes RPK + ECDHE

2.3.1.1.  flight_1

   Record Header - TLSPlaintext (5 bytes):
   16 03 03 LL LL

     Handshake Header - Client Hello (4 bytes):
     01 LL LL LL

       Legacy Version (2 bytes):
       03 03

       Client Random (32 bytes):
       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
       16 17 18 19 1a 1b 1c 1d 1e 1f

       Legacy Session ID (1 byte):
       00

       Cipher Suites (TLS_AES_128_CCM_8_SHA256) (4 bytes):
       00 02 13 05

       Compression Methods (null) (2 bytes):
       01 00

       Extensions Length (2 bytes):
       LL LL

         Extension - Supported Groups (x25519) (8 bytes):
         00 0a 00 04 00 02 00 1d

         Extension - Signature Algorithms (ecdsa_secp256r1_sha256)
         (8 bytes):
         00 0d 00 04 00 02 08 07

         Extension - Key Share (42 bytes):
         00 33 00 26 00 24 00 1d 00 20
         00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
         16 17 18 19 1a 1b 1c 1d 1e 1f

         Extension - Supported Versions (1.3) (7 bytes):
         00 2b 00 03 02 03 04

         Extension - Client Certificate Type (Raw Public Key) (6 bytes):
         00 13 00 01 01 02

         Extension - Server Certificate Type (Raw Public Key) (6 bytes):
         00 14 00 01 01 02

   5 + 4 + 2 + 32 + 1 + 4 + 2 + 2 + 8 + 8 + 42 + 7 + 6 + 6 = 129 bytes

   TLS 1.3 RPK + ECDHE flight_1 gives 129 bytes of overhead.

2.3.1.2.  flight_2

   Record Header - TLSPlaintext (5 bytes):
   16 03 03 LL LL

     Handshake Header - Server Hello (4 bytes):
     02 LL LL LL

       Legacy Version (2 bytes):
       fe fd

       Server Random (32 bytes):
       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
       16 17 18 19 1a 1b 1c 1d 1e 1f

       Legacy Session ID (1 byte):
       00

       Cipher Suite (TLS_AES_128_CCM_8_SHA256) (2 bytes):
       13 05

       Compression Method (null) (1 byte):
       00

       Extensions Length (2 bytes):
       LL LL

         Extension - Key Share (40 bytes):
         00 33 00 24 00 1d 00 20
         00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
         16 17 18 19 1a 1b 1c 1d 1e 1f

         Extension - Supported Versions (1.3) (6 bytes):
         00 2b 00 02 03 04

   Record Header - TLSCiphertext (5 bytes):
   17 03 03 LL LL

     Handshake Header - Encrypted Extensions (4 bytes):
     08 LL LL LL

       Extensions Length (2 bytes):
       LL LL

         Extension - Client Certificate Type (Raw Public Key) (6 bytes):
         00 13 00 01 01 02

         Extension - Server Certificate Type (Raw Public Key) (6 bytes):
         00 14 00 01 01 02

     Handshake Header - Certificate Request (4 bytes):
     0d LL LL LL

       Request Context (1 byte):
       00

       Extensions Length (2 bytes):
       LL LL

         Extension - Signature Algorithms (ecdsa_secp256r1_sha256)
         (8 bytes):
         00 0d 00 04 00 02 08 07

     Handshake Header - Certificate (4 bytes):
     0b LL LL LL

       Request Context (1 byte):
       00

       Certificate List Length (3 bytes):
       LL LL LL

       Certificate Length (3 bytes):
       LL LL LL

       Certificate (59 bytes) // Point compression
       ....

       Certificate Extensions (2 bytes):
       00 00

     Handshake Header - Certificate Verify (4 bytes):
     0f LL LL LL

       Signature (68 bytes):
       ZZ ZZ 00 40 ....
     Handshake Header - Finished (4 bytes):
     14 LL LL LL

       Verify Data (32 bytes):
       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
       16 17 18 19 1a 1b 1c 1d 1e 1f

     Record Type (1 byte):
     16

   Auth Tag (8 bytes):
   e0 8b 0e 45 5a 35 0a e5

   5 + 90 + 5 + 18 + 15 + 72 + 72 + 36 + 1 + 8 = 322 bytes

   TLS 1.3 RPK + ECDHE flight_2 gives 322 bytes of overhead.

2.3.1.3.  flight_3

   Record Header - TLSCiphertext (5 bytes):
   17 03 03 LL LL

     Handshake Header - Certificate (4 bytes):
     0b LL LL LL

       Request Context (1 byte):
       00

       Certificate List Length (3 bytes):
       LL LL LL

       Certificate Length (3 bytes):
       LL LL LL

       Certificate (59 bytes) // Point compression
       ....

       Certificate Extensions (2 bytes):
       00 00

     Handshake Header - Certificate Verify (4 bytes):
     0f LL LL LL

       Signature (68 bytes):
       04 03 LL LL //ecdsa_secp256r1_sha256
       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
       16 17 18 19 1a 1b 1c 1d 1e 1f 00 01 02 03 04 05 06 07 08 09 0a 0b
       0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

     Handshake Header - Finished (4 bytes):
     14 LL LL LL

       Verify Data (32 bytes) // SHA-256:
       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
       16 17 18 19 1a 1b 1c 1d 1e 1f

     Record Type (1 byte):
     16

   Auth Tag (8 bytes) // AES-CCM_8:
   00 01 02 03 04 05 06 07

   5 + 72 + 72 + 36 + 1 + 8 = 194 bytes

   TLS 1.3 RPK + ECDHE flight_3 gives 194 bytes of overhead.

2.3.2.  Message Sizes PSK + ECDHE

2.3.2.1.  flight_1

   The differences in overhead compared to Section 2.3.1.3 are:

   The following is added:

   + Extension - PSK Key Exchange Modes (6 bytes):
     00 2d 00 02 01 01

   + Extension - Pre Shared Key (48 bytes):
     00 29 00 2F
     00 0a 00 01 ID 00 00 00 00
     00 21 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
     14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

   The following is removed:

   - Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes)

   - Extension - Client Certificate Type (Raw Public Key) (6 bytes)

   - Extension - Server Certificate Type (Raw Public Key) (6 bytes)

   In total:

   129 + 6 + 48 - 8 - 6 - 6 = 163 bytes

   TLS 1.3 PSK + ECDHE flight_1 gives 166 bytes of overhead.

2.3.2.2.  flight_2

   The differences in overhead compared to Section 2.3.1.2 are:

   The following is added:

   + Extension - Pre Shared Key (6 bytes)
     00 29 00 02 00 00

   The following is removed:

   - Handshake Message Certificate (72 bytes)

   - Handshake Message CertificateVerify (72 bytes)

   - Handshake Message CertificateRequest (15 bytes)

   - Extension - Client Certificate Type (Raw Public Key) (6 bytes)

   - Extension - Server Certificate Type (Raw Public Key) (6 bytes)

   In total:

   322 - 72 - 72 - 15 - 6 - 6 + 6 = 157 bytes

   TLS 1.3 PSK + ECDHE flight_2 gives 157 bytes of overhead.

2.3.2.3.  flight_3

   The differences in overhead compared to Section 2.3.1.3 are:

   The following is removed:

   - Handshake Message Certificate (72 bytes)

   - Handshake Message Certificate Verify (72 bytes)

   In total:

   194 - 72 - 72 = 50 bytes

   TLS 1.3 PSK + ECDHE flight_3 gives 50 bytes of overhead.

2.3.3.  Message Sizes PSK

2.3.3.1.  flight_1

   The differences in overhead compared to Section 2.3.2.1 are:

   The following is removed:

   - Extension - Supported Groups (x25519) (8 bytes)

   - Extension - Key Share (42 bytes)

   In total:

   163 - 8 - 42 = 113 bytes

   TLS 1.3 PSK flight_1 gives 116 bytes of overhead.

2.3.3.2.  flight_2

   The differences in overhead compared to Section 2.3.2.2 are:

   The following is removed:

   - Extension - Key Share (40 bytes)

   In total:

   157 - 40 = 117 bytes

   TLS 1.3 PSK flight_2 gives 117 bytes of overhead.

2.3.3.3.  flight_3

   There are no differences in overhead compared to Section 2.3.2.3.

   TLS 1.3 PSK flight_3 gives 57 bytes of overhead.

2.4.  EDHOC

   This section gives an estimate of the message sizes of EDHOC with
   different authentication methods.  All examples are given in CBOR
   diagnostic notation and hexadecimal.

2.4.1.  Message Sizes RPK

2.4.1.1.  message_1

   message_1 = (
     13,
     0,
     h'8D3EF56D1B750A4351D68AC250A0E883790EFC80A538A444EE9E2B57E244
       1A7C',
     -2
   )

   message_1 (37 bytes):
   0d 00 58 20 8d 3e f5 6d 1b 75 0a 43 51 d6 8a c2 50 a0 e8 83
   79 0e fc 80 a5 38 a4 44 ee 9e 2b 57 e2 44 1a 7c 21

2.4.1.2.  message_2

   message_2 = (
     h'52FBA0BDC8D953DD86CE1AB2FD7C05A4658C7C30AFDBFC3301047069451B
       AF35',
     8,
     h'DCF6FE9C524C22454DEB'
   )

   message_2 (46 bytes):
   58 20 52 fb a0 bd c8 d9 53 dd 86 ce 1a b2 fd 7c 05 a4 65 8c
   7c 30 af db fc 33 01 04 70 69 45 1b af 35 08 4a dc f6 fe 9c
   52 4c 22 45 4d eb

2.4.1.3.  message_3

   message_3 = (
     8,
     h'53C3991999A5FFB86921E99B607C067770E0'
   )

   message_3 (20 bytes):
   08 52 53 c3 99 19 99 a5 ff b8 69 21 e9 9b 60 7c 06 77 70 e0

2.4.2.  Message Sizes PSK

2.4.3.  message_1

   message_1 = (
     17,
     0,
     h'3662C4A71D624E8A4D9DFF879ABC6E2A0E745F82F497F7AFBEBFF3B01A8F
       AB57',
     14,
     -17
   )

   message_1 (38 bytes):
   11 00 58 20 36 62 c4 a7 1d 62 4e 8a 4d 9d ff 87 9a bc 6e 2a
   0e 74 5f 82 f4 97 f7 af be bf f3 b0 1a 8f ab 57 0e 30

2.4.4.  message_2

   message_2 = (
     h'A3967F6CF99B6DDC7E7C219D0D119A383F754001DF33515971EC6C842553
       B776',
     -24,
     h'4F355451E069226F'
   )

   message_2 (44 bytes):
   58 20 a3 96 7f 6c f9 9b 6d dc 7e 7c 21 9d 0d 11 9a 38 3f 75
   40 01 df 33 51 59 71 ec 6c 84 25 53 b7 76 37 48 4f 35 54 51
   e0 69 22 6f

2.4.5.  message_3

   message_3 = (
     -24,
     h'763BD2F3C10F0D45'
   )

   message_3 (10 bytes):
   37 48 76 3b d2 f3 c1 0f 0d 45

2.4.6.  Summary

   The previous examples of typical message sizes are summarized in
   Figure 5.

   =====================================================================
                  PSK       RPK       x5t     x5chain
   ---------------------------------------------------------------------
   message_1       38        37        37        37
   message_2       44        46       117       110 + Certificate chain
   message_3       10        20        91        84 + Certificate chain
   ---------------------------------------------------------------------
   Total           92       103       245       231 + Certificate chains
   =====================================================================

                 Figure 5: Typical message sizes in bytes

2.5.  Conclusion

   To do a fair comparison, one has to choose a specific deployment and
   look at the topology, the whole protocol stack, frame sizes (e.g. 51
   or 128 bytes), how and where in the protocol stack fragmentation is
   done, and the expected packet loss.  Note that the number of bytes in
   each frame that is available for the key exchange protocol may depend
   on the underlying protocol layers as well as the number of hops in
   multi-hop networks.
   The packet loss may depend on how many other devices are
   transmitting at the same time, and may increase during network
   formation.  The total overhead will be larger due to mechanisms for
   fragmentation, retransmission, and packet ordering.  The overhead of
   fragmentation is roughly proportional to the number of fragments,
   while the expected overhead due to retransmission in noisy
   environments is a superlinear function of the flight sizes.

3.  Overhead for Protection of Application Data

   To enable comparison, all the overhead calculations in this section
   use AES-CCM with a tag length of 8 bytes (e.g. AES_128_CCM_8 or
   AES-CCM-16-64), a plaintext of 6 bytes, and the sequence number '05'.
   This follows the example in [RFC7400], Figure 16.

   Note that the compressed overhead calculations for DTLS 1.2, DTLS
   1.3, TLS 1.2 and TLS 1.3 are dependent on the parameters epoch,
   sequence number, and length, and all the overhead calculations are
   dependent on the parameter Connection ID when used.  Note that the
   OSCORE overhead calculations are dependent on the CoAP option
   numbers, as well as the length of the OSCORE parameters Sender ID and
   Sequence Number.  The following calculations are only examples.

   Section 3.1 gives a short summary of the message overhead based on
   different parameters and some assumptions.  The following sections
   detail the assumptions and the calculations.

3.1.  Summary

   The DTLS overhead is dependent on the parameter Connection ID.  The
   following overheads apply for all Connection IDs with the same
   length.

   The compression overhead (GHC) is dependent on the parameters epoch,
   sequence number, Connection ID, and length (where applicable).  The
   following overheads should be representative for sequence numbers and
   Connection IDs with the same length.
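
   The uncompressed (non-GHC) rows of Figures 6 and 7 follow from the
   record layouts detailed in Sections 3.2 to 3.6.  The Python code
   below is an added example, not part of the original draft: it
   rebuilds those records byte for byte and derives the overhead from
   their length.  The function names are hypothetical, and the rule that
   DTLS 1.3 switches to the 16-bit sequence number field once the value
   no longer fits in 8 bits is an assumption chosen to match Figure 6.

```python
"""Rebuild the uncompressed records of Sections 3.2-3.6 and measure overhead."""

# Byte values copied from this document's dumps (originally RFC 7400, Figure 16).
CT = bytes.fromhex("aea015566792")        # ciphertext of the 6-byte plaintext
ICV = bytes.fromhex("4dff8a24e4cb35b9")   # 8-byte AES-CCM tag
ENC_TYPE = bytes.fromhex("ec")            # encrypted content type / CoAP code
PLAINTEXT_LEN = 6


def dtls12(seq, cid=b"", epoch=1):
    """DTLS 1.2: epoch and sequence number sent twice (header and explicit nonce)."""
    epoch_seq = epoch.to_bytes(2, "big") + seq.to_bytes(6, "big")
    body = epoch_seq + CT + ICV
    return b"\x17\xfe\xfd" + epoch_seq + cid + len(body).to_bytes(2, "big") + body


def dtls13(seq, cid=b"", epoch=1):
    """DTLS 1.3 minimal header: first byte 0b001CSLEE, length omitted (L=0)."""
    wide = seq > 0xFF  # assumption: 16-bit field (S=1) once 8 bits do not fit
    first = 0x20 | (0x10 if cid else 0) | (0x08 if wide else 0) | (epoch & 0x03)
    seq_field = (seq & 0xFFFF).to_bytes(2, "big") if wide else bytes([seq])
    return bytes([first]) + cid + seq_field + CT + ENC_TYPE + ICV


def tls12(seq):
    """TLS 1.2: no epoch/sequence number in the header, 8-byte explicit nonce."""
    body = seq.to_bytes(8, "big") + CT + ICV
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body


def tls13():
    """TLS 1.3: implicit nonce; length covers ciphertext, content type and ICV."""
    body = CT + ENC_TYPE + ICV
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body


def coap_option(delta, value):
    """Single-byte CoAP option header (delta and length nibbles), then the value."""
    if delta > 12 or len(value) > 12:
        raise ValueError("extended option delta/length is not modelled here")
    return bytes([(delta << 4) | len(value)]) + value


def oscore_request(seq, sender_id=b"", delta=9):
    """OSCORE request: flag byte (k=1, n=len(Partial IV)), Partial IV, Sender ID."""
    piv = seq.to_bytes(max(1, (seq.bit_length() + 7) // 8), "big")
    if len(piv) > 5:
        raise ValueError("OSCORE Partial IV is at most 5 bytes")
    value = bytes([0x08 | len(piv)]) + piv + sender_id
    return coap_option(delta, value) + b"\xff" + ENC_TYPE + CT + ICV


def oscore_response(delta=9):
    """OSCORE response: empty option value, then marker, ciphertext and ICV."""
    return coap_option(delta, b"") + b"\xff" + ENC_TYPE + CT + ICV


def overhead(record):
    """Bytes on the wire beyond the 6-byte plaintext."""
    return len(record) - PLAINTEXT_LEN


def by_sequence_number(build):
    """Figure 6 columns: sequence numbers '05', '1005', '100005', empty ID."""
    return [overhead(build(seq)) for seq in (0x05, 0x1005, 0x100005)]


def by_identifier(build):
    """Figure 7 columns: Connection/Sender ID '', '42', '4002', sequence '05'."""
    return [overhead(build(0x05, ident)) for ident in (b"", b"\x42", b"\x40\x02")]


if __name__ == "__main__":
    for name, build in (("DTLS 1.2", dtls12), ("DTLS 1.3", dtls13),
                        ("OSCORE request", oscore_request)):
        print(f"{name:15} seq {by_sequence_number(build)}  id {by_identifier(build)}")
    print(f"{'TLS 1.2':15} seq {by_sequence_number(tls12)}")
    print(f"{'TLS 1.3':15} {overhead(tls13())}")
    print(f"{'OSCORE response':15} {overhead(oscore_response())}")
```

   The GHC rows are not modelled, since they depend on the 6LoWPAN-GHC
   compressor and its static dictionary.
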

   The OSCORE overhead is dependent on the included CoAP Option numbers
   as well as the length of the OSCORE parameters Sender ID and sequence
   number.  The following overheads apply for all sequence numbers and
   Sender IDs with the same length.

   Sequence Number                  '05'       '1005'     '100005'
   -------------------------------------------------------------
   DTLS 1.2                          29          29          29
   DTLS 1.3                          11          12          12
   -------------------------------------------------------------
   DTLS 1.2 (GHC)                    16          16          16
   DTLS 1.3 (GHC)                    12          13          13
   -------------------------------------------------------------
   TLS 1.2                           21          21          21
   TLS 1.3                           14          14          14
   -------------------------------------------------------------
   TLS 1.2 (GHC)                     17          18          19
   TLS 1.3 (GHC)                     15          16          17
   -------------------------------------------------------------
   OSCORE request                    13          14          15
   OSCORE response                   11          11          11

   Figure 6: Overhead in bytes as a function of sequence number
   (Connection/Sender ID = '')

   Connection/Sender ID              ''         '42'       '4002'
   -------------------------------------------------------------
   DTLS 1.2                          29          30          31
   DTLS 1.3                          11          12          13
   -------------------------------------------------------------
   DTLS 1.2 (GHC)                    16          17          18
   DTLS 1.3 (GHC)                    12          13          14
   -------------------------------------------------------------
   OSCORE request                    13          14          15
   OSCORE response                   11          11          11

   Figure 7: Overhead in bytes as a function of Connection/Sender
   ID (Sequence Number = '05')

   Protocol                       Overhead      Overhead (GHC)
   -------------------------------------------------------------
   DTLS 1.2                          21               8
   DTLS 1.3                           3               4
   -------------------------------------------------------------
   TLS 1.2                           13               9
   TLS 1.3                            6               7
   -------------------------------------------------------------
   OSCORE request                     5
   OSCORE response                    3

   Figure 8: Overhead (excluding ICV) in bytes
   (Connection/Sender ID = '', Sequence Number = '05')

3.2.  DTLS 1.2

3.2.1.  DTLS 1.2

   This section analyzes the overhead of DTLS 1.2 [RFC6347].  The nonce
   follows the strict profiling given in [RFC7925].  This example is
   taken directly from [RFC7400], Figure 16.

   DTLS 1.2 record layer (35 bytes, 29 bytes overhead):
   17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00
   00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
   cb 35 b9

   Content type:
   17
   Version:
   fe fd
   Epoch:
   00 01
   Sequence number:
   00 00 00 00 00 05
   Length:
   00 16
   Nonce:
   00 01 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.2 gives 29 bytes overhead.

3.2.2.  DTLS 1.2 with 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.2 [RFC6347] when
   compressed with 6LoWPAN-GHC [RFC7400].  The compression was done with
   [OlegHahm-ghc].

   Note that the sequence number '01' used in [RFC7400], Figure 15 gives
   an exceptionally small overhead that is not representative.

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed DTLS 1.2 record layer (22 bytes, 16 bytes overhead):
   b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff
   8a 24 e4 cb 35 b9

   Compressed DTLS 1.2 record layer header and nonce:
   b0 c3 03 05 00 16 f2 0e
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
   (epoch, sequence number, length) gives 16 bytes overhead.

3.2.3.  DTLS 1.2 with Connection ID

   This section analyzes the overhead of DTLS 1.2 [RFC6347] with
   Connection ID [I-D.ietf-tls-dtls-connection-id].  The overhead
   calculations in this section use Connection ID = '42'.  A DTLS record
   layer with a Connection ID = '' (the empty string) is equal to DTLS
   without Connection ID.

   DTLS 1.2 record layer (36 bytes, 30 bytes overhead):
   17 fe fd 00 01 00 00 00 00 00 05 42 00 16 00 01
   00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24
   e4 cb 35 b9

   Content type:
   17
   Version:
   fe fd
   Epoch:
   00 01
   Sequence number:
   00 00 00 00 00 05
   Connection ID:
   42
   Length:
   00 16
   Nonce:
   00 01 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.2 with Connection ID gives 30 bytes overhead.

3.2.4.  DTLS 1.2 with Connection ID and 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.2 [RFC6347] with
   Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with
   6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that the sequence number '01' used in [RFC7400], Figure 15 gives
   an exceptionally small overhead that is not representative.

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed DTLS 1.2 record layer (23 bytes, 17 bytes overhead):
   b0 c3 04 05 42 00 16 f2 0e ae a0 15 56 67 92 4d
   ff 8a 24 e4 cb 35 b9

   Compressed DTLS 1.2 record layer header and nonce:
   b0 c3 04 05 42 00 16 f2 0e
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
   (epoch, sequence number, Connection ID, length) gives 17 bytes
   overhead.

3.3.  DTLS 1.3

3.3.1.  DTLS 1.3

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13].
   The changes compared to DTLS 1.2 are: omission of version number,
   merging of epoch into the first byte containing signalling bits,
   optional omission of length, reduction of sequence number into a 1-
   or 2-byte field.

   Only the minimal header format for DTLS 1.3 is analyzed (see Figure 4
   of [I-D.ietf-tls-dtls13]).  The minimal header format omits the
   length field and only a 1-byte field is used to carry the 8 low order
   bits of the sequence number.

   DTLS 1.3 record layer (17 bytes, 11 bytes overhead):
   21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9

   First byte (including epoch):
   21
   Sequence number:
   05
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.3 gives 11 bytes overhead.

3.3.2.  DTLS 1.3 with 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed DTLS 1.3 record layer (18 bytes, 12 bytes overhead):
   11 21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb
   35 b9

   Compressed DTLS 1.3 record layer header and nonce:
   11 21 05
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
   (epoch, sequence number, no length) gives 12 bytes overhead.

3.3.3.  DTLS 1.3 with Connection ID

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   with Connection ID [I-D.ietf-tls-dtls-connection-id].

   In this example, the length field is omitted, and the 1-byte field is
   used for the sequence number.  The minimal DTLSCiphertext structure
   is used (see Figure 4 of [I-D.ietf-tls-dtls13]), with the addition of
   the Connection ID field.

   DTLS 1.3 record layer (18 bytes, 12 bytes overhead):
   31 42 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9

   First byte (including epoch):
   31
   Connection ID:
   42
   Sequence number:
   05
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.3 with Connection ID gives 12 bytes overhead.

3.3.4.  DTLS 1.3 with Connection ID and 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed
   with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when DTLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed DTLS 1.3 record layer (19 bytes, 13 bytes overhead):
   12 31 05 42 ae a0 15 56 67 92 ec 4d ff 8a 24 e4
   cb 35 b9

   Compressed DTLS 1.3 record layer header and nonce:
   12 31 05 42
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
   (epoch, sequence number, Connection ID, no length) gives 13 bytes
   overhead.

3.4.  TLS 1.2

3.4.1.  TLS 1.2

   This section analyzes the overhead of TLS 1.2 [RFC5246].  The changes
   compared to DTLS 1.2 are that the TLS 1.2 record layer does not have
   epoch and sequence number, and that the version is different.

   TLS 1.2 Record Layer (27 bytes, 21 bytes overhead):
   17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15
   56 67 92 4d ff 8a 24 e4 cb 35 b9

   Content type:
   17
   Version:
   03 03
   Length:
   00 16
   Nonce:
   00 00 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   TLS 1.2 gives 21 bytes overhead.

3.4.2.  TLS 1.2 with 6LoWPAN-GHC

   This section analyzes the overhead of TLS 1.2 [RFC5246] when
   compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when TLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed TLS 1.2 record layer (23 bytes, 17 bytes overhead):
   05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d
   ff 8a 24 e4 cb 35 b9

   Compressed TLS 1.2 record layer header and nonce:
   05 17 03 03 00 16 85 0f 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters
   (epoch, sequence number, length) gives 17 bytes overhead.

3.5.  TLS 1.3

3.5.1.  TLS 1.3

   This section analyzes the overhead of TLS 1.3 [RFC8446].  The change
   compared to TLS 1.2 is that the TLS 1.3 record layer uses a different
   version.

   TLS 1.3 Record Layer (20 bytes, 14 bytes overhead):
   17 03 03 00 16 ae a0 15 56 67 92 ec 4d ff 8a 24
   e4 cb 35 b9

   Content type:
   17
   Legacy version:
   03 03
   Length:
   00 0f
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   TLS 1.3 gives 14 bytes overhead.

3.5.2.  TLS 1.3 with 6LoWPAN-GHC

   This section analyzes the overhead of TLS 1.3 [RFC8446] when
   compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when TLS is used
   over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

   Compressed TLS 1.3 record layer (21 bytes, 15 bytes overhead):
   14 17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a
   24 e4 cb 35 b9

   Compressed TLS 1.3 record layer header and nonce:
   14 17 03 03 00 0f
   Ciphertext (including encrypted content type):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters
   (epoch, sequence number, length) gives 15 bytes overhead.

3.6.  OSCORE

   This section analyzes the overhead of OSCORE [RFC8613].

   The below calculation uses Option Delta = '9', Sender ID = '' (empty
   string), and Sequence Number = '05', and is only an example.  Note
   that Sender ID = '' (empty string) can only be used by one client per
   server.

   OSCORE request (19 bytes, 13 bytes overhead):
   92 09 05
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP option delta and length:
   92
   Option value (flag byte and sequence number):
   09 05
   Payload marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   The below calculation uses Option Delta = '9', Sender ID = '42', and
   Sequence Number = '05', and is only an example.

   OSCORE request (20 bytes, 14 bytes overhead):
   93 09 05 42
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP option delta and length:
   93
   Option Value (flag byte, sequence number, and Sender ID):
   09 05 42
   Payload marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   The below calculation uses Option Delta = '9'.

   OSCORE response (17 bytes, 11 bytes overhead):
   90
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP delta and option length:
   90
   Option value:
   -
   Payload marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   OSCORE with the above parameters gives 13-14 bytes overhead for
   requests and 11 bytes overhead for responses.

   Unlike DTLS and TLS, OSCORE has much smaller overhead for responses
   than requests.

3.7.  Group OSCORE

   This section analyzes the overhead of Group OSCORE
   [I-D.ietf-core-oscore-groupcomm].

   TODO

3.8.  Conclusion

   DTLS 1.2 has quite a large overhead as it uses an explicit sequence
   number and an explicit nonce.  TLS 1.2 has significantly less (but
   not small) overhead.  TLS 1.3 has quite a small overhead.  OSCORE and
   DTLS 1.3 (using the minimal structure) have very small overhead.

   The Generic Header Compression (6LoWPAN-GHC) can in addition to DTLS
   1.2 handle TLS 1.2, and DTLS 1.2 with Connection ID.  The Generic
   Header Compression (6LoWPAN-GHC) works very well for Connection ID
   and the overhead seems to increase exactly with the length of the
   Connection ID (which is optimal).  The compression of TLS 1.2 is not
   as good as the compression of DTLS 1.2 (as the static dictionary only
   contains the DTLS 1.2 version number).  Similar compression levels as
   for DTLS could be achieved also for TLS 1.2, but this would require
   different static dictionaries.  For TLS 1.3 and DTLS 1.3, GHC
   increases the overhead.  The 6LoWPAN-GHC header compression is not
   available when (D)TLS is used over transports that do not use 6LoWPAN
   together with 6LoWPAN-GHC.

   New security protocols like OSCORE, TLS 1.3, and DTLS 1.3 have much
   lower overhead than DTLS 1.2 and TLS 1.2.
   The overhead is even smaller than DTLS 1.2 and TLS 1.2 over 6LoWPAN
   with compression, and therefore the small overhead is achieved even
   on deployments without 6LoWPAN or 6LoWPAN without compression.
   OSCORE is lightweight because it makes use of CoAP, CBOR, and COSE,
   which were designed to have as low overhead as possible.

   Note that the compared protocols have slightly different use cases.
   TLS and DTLS are designed for the transport layer and are terminated
   in CoAP proxies.  OSCORE is designed for the application layer and
   protects information end-to-end between the CoAP client and the CoAP
   server.  Group OSCORE is designed for group communication and
   protects information between a CoAP client and any number of CoAP
   servers.

4.  Security Considerations

   This document is purely informational.

5.  IANA Considerations

   This document has no actions for IANA.

6.  Informative References

   [I-D.ietf-core-oscore-groupcomm]
              Tiloca, M., Selander, G., Palombini, F., and J. Park,
              "Group OSCORE - Secure Group Communication for CoAP",
              draft-ietf-core-oscore-groupcomm-06 (work in progress),
              November 2019.

   [I-D.ietf-tls-dtls-connection-id]
              Rescorla, E., Tschofenig, H., and T. Fossati, "Connection
              Identifiers for DTLS 1.2",
              draft-ietf-tls-dtls-connection-id-07 (work in progress),
              October 2019.

   [I-D.ietf-tls-dtls13]
              Rescorla, E., Tschofenig, H., and N. Modadugu, "The
              Datagram Transport Layer Security (DTLS) Protocol Version
              1.3", draft-ietf-tls-dtls13-34 (work in progress),
              November 2019.

   [I-D.rescorla-tls-ctls]
              Rescorla, E., Barnes, R., and H. Tschofenig, "Compact TLS
              1.3", draft-rescorla-tls-ctls-03 (work in progress),
              November 2019.

   [I-D.selander-lake-edhoc]
              Selander, G., Mattsson, J., and F. Palombini, "Ephemeral
              Diffie-Hellman Over COSE (EDHOC)",
              draft-selander-lake-edhoc-00 (work in progress),
              November 2019.

   [IoT-Cert]
              Forsby, F., "Digital Certificates for the Internet of
              Things", June 2017.

   [OlegHahm-ghc]
              Hahm, O., "Generic Header Compression", July 2016.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014.

   [RFC7400]  Bormann, C., "6LoWPAN-GHC: Generic Header Compression for
              IPv6 over Low-Power Wireless Personal Area Networks
              (6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November
              2014.

   [RFC7924]  Santesson, S. and H. Tschofenig, "Transport Layer Security
              (TLS) Cached Information Extension", RFC 7924,
              DOI 10.17487/RFC7924, July 2016.

   [RFC7925]  Tschofenig, H., Ed. and T. Fossati, "Transport Layer
              Security (TLS) / Datagram Transport Layer Security (DTLS)
              Profiles for the Internet of Things", RFC 7925,
              DOI 10.17487/RFC7925, July 2016.

   [RFC8323]  Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
              Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
              Application Protocol) over TCP, TLS, and WebSockets",
              RFC 8323, DOI 10.17487/RFC8323, February 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8613]  Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
              "Object Security for Constrained RESTful Environments
              (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019.

   [Ulfheim-TLS13]
              Driscoll, M., "Every Byte Explained The Illustrated TLS
              1.3 Connection", March 2018.

Acknowledgments

   The authors want to thank Ari Keraenen, Carsten Bormann, Goeran
   Selander, and Hannes Tschofenig for comments and suggestions on
   previous versions of the draft.

   All 6LoWPAN-GHC compression was done with [OlegHahm-ghc].

Authors' Addresses

   John Preuss Mattsson
   Ericsson AB

   Email: john.mattsson@ericsson.com

   Francesca Palombini
   Ericsson AB

   Email: francesca.palombini@ericsson.com

   Malisa Vucinic
   INRIA

   Email: malisa.vucinic@inria.fr