idnits 2.17.1 draft-ietf-lwig-security-protocol-comparison-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 02, 2020) is 1270 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-21) exists of draft-ietf-core-oscore-groupcomm-09 == Outdated reference: A later version (-23) exists of draft-ietf-lake-edhoc-01 == Outdated reference: A later version (-13) exists of draft-ietf-tls-dtls-connection-id-07 == Outdated reference: A later version (-43) exists of draft-ietf-tls-dtls13-38 -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 6347 (Obsoleted by RFC 9147) Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 LWIG Working Group J. Mattsson 3 Internet-Draft F. Palombini 4 Intended status: Informational Ericsson AB 5 Expires: May 6, 2021 M. Vucinic 6 INRIA 7 November 02, 2020 9 Comparison of CoAP Security Protocols 10 draft-ietf-lwig-security-protocol-comparison-05 12 Abstract 14 This document analyzes and compares the sizes of key exchange flights 15 and the per-packet message size overheads when using different 16 security protocols to secure CoAP. The analyzed security protocols 17 are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, EDHOC, OSCORE, and Group 18 OSCORE. The DTLS and TLS record layers are analyzed with and without 19 6LoWPAN-GHC compression. DTLS is analyzed with and without 20 Connection ID. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on May 6, 2021. 39 Copyright Notice 41 Copyright (c) 2020 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Overhead of Key Exchange Protocols . . . . . . . . . . . . . 3 58 2.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 4 59 2.2. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 5 60 2.2.1. Message Sizes RPK + ECDHE . . . . . . . . . . . . . . 5 61 2.2.2. Message Sizes PSK + ECDHE . . . . . . . . . . . . . . 10 62 2.2.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 11 63 2.2.4. Cached Information . . . . . . . . . . . . . . . . . 12 64 2.2.5. Resumption . . . . . . . . . . . . . . . . . . . . . 13 65 2.2.6. Without Connection ID . . . . . . . . . . . . . . . . 14 66 2.2.7. DTLS Raw Public Keys . . . . . . . . . . . . . . . . 15 67 2.3. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 16 68 2.3.1. Message Sizes RPK + ECDHE . . . . . . . . . . . . . . 16 69 2.3.2. Message Sizes PSK + ECDHE . . . . . . . . . . . . . . 22 70 2.3.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 23 71 2.4. EDHOC . . . . . . . . . . . . . . . . . . . . . . . . . . 24 72 2.4.1. Message Sizes RPK . . . . . . . . . . . . . . . . . . 24 73 2.4.2. Summary . . . . . . . . . . . . . . . . . . . . . . . 25 74 2.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 25 75 3. Overhead for Protection of Application Data . . . . . . . . . 26 76 3.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 26 77 3.2. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 28 78 3.2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 28 79 3.2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 28 80 3.2.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 29 81 3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 30 82 3.3. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 30 83 3.3.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 30 84 3.3.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 31 85 3.3.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 31 86 3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 32 87 3.4. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 32 88 3.4.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 32 89 3.4.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 33 90 3.5. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 33 91 3.5.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 33 92 3.5.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 34 93 3.6. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 34 94 3.7. Group OSCORE . . . . . . . . . . . . . . . . . . . . . . 36 95 3.8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 36 96 4. Security Considerations . . . . . . . . . . . . . . . . . . . 37 97 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37 98 6. Informative References . . . . . . . . . . . . . . . . . . . 37 99 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 39 100 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 102 1. Introduction 104 This document analyzes and compares the sizes of key exchange flights 105 and the per-packet message size overheads when using different 106 security protocols to secure CoAP over UPD [RFC7252] and TCP 107 [RFC8323]. The analyzed security protocols are DTLS 1.2 [RFC6347], 108 DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [RFC8446], 109 EDHOC [I-D.ietf-lake-edhoc], OSCORE [RFC8613], and Group OSCORE 110 [I-D.ietf-core-oscore-groupcomm]. 112 The DTLS and TLS record layers are analyzed with and without 6LoWPAN- 113 GHC compression. DTLS is anlyzed with and without Connection ID 114 [I-D.ietf-tls-dtls-connection-id]. Readers are expected to be 115 familiar with some of the terms described in RFC 7925 [RFC7925], such 116 as ICV. Section 2 compares the overhead of key exchange, while 117 Section 3 covers the overhead for protection of application data. 119 2. Overhead of Key Exchange Protocols 121 This section analyzes and compares the sizes of key exchange flights 122 for different protocols. 124 To enable a fair comparison between protocols, the following 125 assumptions are made: 127 o All the overhead calculations in this section use AES-CCM with a 128 tag length of 8 bytes (e.g. AES_128_CCM_8 or AES-CCM-16-64-128). 130 o A minimum number of algorithms and cipher suites is offered. The 131 algorithm used/offered are Curve25519, ECDSA with P-256, AES- 132 CCM_8, SHA-256. 134 o The length of key identifiers are 1 byte. 136 o The length of connection identifiers are 1 byte. 138 o DTLS RPK makes use of point compression, which saves 32 bytes. 140 o DTLS handshake message fragmentation is not considered. 142 o Only the DTLS mandatory extensions are considered, except for 143 Connection ID. 145 Section 2.1 gives a short summary of the message overhead based on 146 different parameters and some assumptions. The following sections 147 detail the assumptions and the calculations. 149 2.1. Summary 151 The DTLS overhead is dependent on the parameter Connection ID. The 152 following overheads apply for all Connection IDs of the same length, 153 when Connection ID is used. 155 The EDHOC overhead is dependent on the key identifiers included. The 156 following overheads apply for Sender IDs of the same length. 158 All the overhead are dependent on the tag length. The following 159 overheads apply for tags of the same length. 161 Figure 1 compares the message sizes of EDHOC [I-D.ietf-lake-edhoc] 162 with the DTLS 1.3 [I-D.ietf-tls-dtls13] and TLS 1.3 [RFC8446] 163 handshakes with connection ID. 165 ===================================================================== 166 Flight #1 #2 #3 Total 167 --------------------------------------------------------------------- 168 DTLS 1.3 RPK + ECDHE 150 373 213 736 169 DTLS 1.3 Cached X.509/RPK + ECDHE 182 347 213 742 170 DTLS 1.3 PSK + ECDHE 184 190 57 431 171 DTLS 1.3 PSK 134 150 57 341 172 --------------------------------------------------------------------- 173 EDHOC RPK + ECDHE 37 46 20 103 174 EDHOC X.509 + ECDHE 37 117 91 245 175 ===================================================================== 177 Figure 1: Comparison of message sizes in bytes with Connection ID 179 Figure 2 compares of message sizes of DTLS 1.3 [I-D.ietf-tls-dtls13] 180 and TLS 1.3 [RFC8446] handshakes without connection ID. 182 ===================================================================== 183 Flight #1 #2 #3 Total 184 --------------------------------------------------------------------- 185 DTLS 1.3 RPK + ECDHE 144 364 212 722 186 DTLS 1.3 PSK + ECDHE 178 183 56 417 187 DTLS 1.3 PSK 128 143 56 327 188 --------------------------------------------------------------------- 189 TLS 1.3 RPK + ECDHE 129 322 194 645 190 TLS 1.3 PSK + ECDHE 163 157 50 370 191 TLS 1.3 PSK 113 117 50 280 192 ===================================================================== 194 Figure 2: Comparison of message sizes in bytes without Connection ID 196 The details of the message size calculations are given in the 197 following sections. 199 2.2. DTLS 1.3 201 This section gives an estimate of the message sizes of DTLS 1.3 with 202 different authentication methods. Note that the examples in this 203 section are not test vectors, the cryptographic parts are just 204 replaced with byte strings of the same length, while other fixed 205 length fields are replace with arbitrary strings or omitted, in which 206 case their length is indicated. Values that are not arbitrary are 207 given in hexadecimal. 209 2.2.1. Message Sizes RPK + ECDHE 211 In this section, a Connection ID of 1 byte is used. 213 2.2.1.1. flight_1 215 Record Header - DTLSPlaintext (13 bytes): 216 16 fe fd EE EE SS SS SS SS SS SS LL LL 218 Handshake Header - Client Hello (10 bytes): 219 01 LL LL LL SS SS 00 00 00 LL LL LL 221 Legacy Version (2 bytes): 222 fe fd 224 Client Random (32 bytes): 225 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 226 16 17 18 19 1a 1b 1c 1d 1e 1f 228 Legacy Session ID (1 bytes): 229 00 230 Legacy Cookie (1 bytes): 231 00 233 Cipher Suites (TLS_AES_128_CCM_8_SHA256) (4 bytes): 234 00 02 13 05 236 Compression Methods (null) (2 bytes): 237 01 00 239 Extensions Length (2 bytes): 240 LL LL 242 Extension - Supported Groups (x25519) (8 bytes): 243 00 0a 00 04 00 02 00 1d 245 Extension - Signature Algorithms (ecdsa_secp256r1_sha256) 246 (8 bytes): 247 00 0d 00 04 00 02 08 07 249 Extension - Key Share (42 bytes): 250 00 33 00 26 00 24 00 1d 00 20 251 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 252 16 17 18 19 1a 1b 1c 1d 1e 1f 254 Extension - Supported Versions (1.3) (7 bytes): 255 00 2b 00 03 02 03 04 257 Extension - Client Certificate Type (Raw Public Key) (6 bytes): 258 00 13 00 01 01 02 260 Extension - Server Certificate Type (Raw Public Key) (6 bytes): 261 00 14 00 01 01 02 263 Extension - Connection Identifier (43) (6 bytes): 264 XX XX 00 02 01 42 266 13 + 10 + 2 + 32 + 1 + 1 + 4 + 2 + 2 + 8 + 8 + 42 + 7 + 6 + 6 + 6 = 150 267 bytes 269 DTLS 1.3 RPK + ECDHE flight_1 gives 150 bytes of overhead. 271 2.2.1.2. flight_2 273 Record Header - DTLSPlaintext (13 bytes): 274 16 fe fd EE EE SS SS SS SS SS SS LL LL 276 Handshake Header - Server Hello (10 bytes): 277 02 LL LL LL SS SS 00 00 00 LL LL LL 278 Legacy Version (2 bytes): 279 fe fd 281 Server Random (32 bytes): 282 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 283 16 17 18 19 1a 1b 1c 1d 1e 1f 285 Legacy Session ID (1 bytes): 286 00 288 Cipher Suite (TLS_AES_128_CCM_8_SHA256) (2 bytes): 289 13 05 291 Compression Method (null) (1 bytes): 292 00 294 Extensions Length (2 bytes): 295 LL LL 297 Extension - Key Share (40 bytes): 298 00 33 00 24 00 1d 00 20 299 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 300 16 17 18 19 1a 1b 1c 1d 1e 1f 302 Extension - Supported Versions (1.3) (6 bytes): 303 00 2b 00 02 03 04 305 Extension - Connection Identifier (43) (6 bytes): 306 XX XX 00 02 01 43 308 Record Header - DTLSCiphertext, Full (6 bytes): 309 HH ES SS 43 LL LL 311 Handshake Header - Encrypted Extensions (10 bytes): 312 08 LL LL LL SS SS 00 00 00 LL LL LL 314 Extensions Length (2 bytes): 315 LL LL 317 Extension - Client Certificate Type (Raw Public Key) (6 bytes): 318 00 13 00 01 01 02 320 Extension - Server Certificate Type (Raw Public Key) (6 bytes): 321 00 14 00 01 01 02 323 Handshake Header - Certificate Request (10 bytes): 324 0d LL LL LL SS SS 00 00 00 LL LL LL 325 Request Context (1 bytes): 326 00 328 Extensions Length (2 bytes): 329 LL LL 331 Extension - Signature Algorithms (ecdsa_secp256r1_sha256) 332 (8 bytes): 333 00 0d 00 04 00 02 08 07 335 Handshake Header - Certificate (10 bytes): 336 0b LL LL LL SS SS 00 00 00 LL LL LL 338 Request Context (1 bytes): 339 00 341 Certificate List Length (3 bytes): 342 LL LL LL 344 Certificate Length (3 bytes): 345 LL LL LL 347 Certificate (59 bytes) // Point compression 348 .... 350 Certificate Extensions (2 bytes): 351 00 00 353 Handshake Header - Certificate Verify (10 bytes): 354 0f LL LL LL SS SS 00 00 00 LL LL LL 356 Signature (68 bytes): 357 ZZ ZZ 00 40 .... 359 Handshake Header - Finished (10 bytes): 360 14 LL LL LL SS SS 00 00 00 LL LL LL 362 Verify Data (32 bytes): 363 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 364 16 17 18 19 1a 1b 1c 1d 1e 1f 366 Record Type (1 byte): 367 16 369 Auth Tag (8 bytes): 370 e0 8b 0e 45 5a 35 0a e5 372 13 + 102 + 6 + 24 + 21 + 78 + 78 + 42 + 1 + 8 = 373 bytes 373 DTLS 1.3 RPK + ECDHE flight_2 gives 373 bytes of overhead. 375 2.2.1.3. flight_3 377 Record Header (6 bytes) // DTLSCiphertext, Full: 378 ZZ ES SS 42 LL LL 380 Handshake Header - Certificate (10 bytes): 381 0b LL LL LL SS SS XX XX XX LL LL LL 383 Request Context (1 bytes): 384 00 386 Certificate List Length (3 bytes): 387 LL LL LL 389 Certificate Length (3 bytes): 390 LL LL LL 392 Certificate (59 bytes) // Point compression 393 .... 395 Certificate Extensions (2 bytes): 396 00 00 398 Handshake Header - Certificate Verify (10 bytes): 399 0f LL LL LL SS SS 00 00 00 LL LL LL 401 Signature (68 bytes): 402 04 03 LL LL //ecdsa_secp256r1_sha256 403 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 404 16 17 18 19 1a 1b 1c 1d 1e 1f 00 01 02 03 04 05 06 07 08 09 0a 0b 405 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 407 Handshake Header - Finished (10 bytes): 408 14 LL LL LL SS SS 00 00 00 LL LL LL 410 Verify Data (32 bytes) // SHA-256: 411 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 412 16 17 18 19 1a 1b 1c 1d 1e 1f 414 Record Type (1 byte): 415 16 417 Auth Tag (8 bytes) // AES-CCM_8: 418 00 01 02 03 04 05 06 07 420 6 + 78 + 78 + 42 + 1 + 8 = 213 bytes 421 DTLS 1.3 RPK + ECDHE flight_2 gives 213 bytes of overhead. 423 2.2.2. Message Sizes PSK + ECDHE 425 2.2.2.1. flight_1 427 The differences in overhead compared to Section 2.2.1.1 are: 429 The following is added: 431 + Extension - PSK Key Exchange Modes (6 bytes): 432 00 2d 00 02 01 01 434 + Extension - Pre Shared Key (48 bytes): 435 00 29 00 2F 436 00 0a 00 01 ID 00 00 00 00 437 00 21 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 438 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 440 The following is removed: 442 - Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes) 444 - Extension - Client Certificate Type (Raw Public Key) (6 bytes) 446 - Extension - Server Certificate Type (Raw Public Key) (6 bytes) 448 In total: 450 150 + 6 + 48 - 8 - 6 - 6 = 184 bytes 452 DTLS 1.3 PSK + ECDHE flight_1 gives 184 bytes of overhead. 454 2.2.2.2. flight_2 456 The differences in overhead compared to Section 2.2.1.2 are: 458 The following is added: 460 + Extension - Pre Shared Key (6 bytes) 461 00 29 00 02 00 00 463 The following is removed: 465 - Handshake Message Certificate (78 bytes) 467 - Handshake Message CertificateVerify (78 bytes) 469 - Handshake Message CertificateRequest (21 bytes) 471 - Extension - Client Certificate Type (Raw Public Key) (6 bytes) 473 - Extension - Server Certificate Type (Raw Public Key) (6 bytes) 475 In total: 477 373 - 78 - 78 - 21 - 6 - 6 + 6 = 190 bytes 479 DTLS 1.3 PSK + ECDHE flight_2 gives 190 bytes of overhead. 481 2.2.2.3. flight_3 483 The differences in overhead compared to Section 2.2.1.3 are: 485 The following is removed: 487 - Handshake Message Certificate (78 bytes) 489 - Handshake Message Certificate Verify (78 bytes) 491 In total: 493 213 - 78 - 78 = 57 bytes 495 DTLS 1.3 PSK + ECDHE flight_3 gives 57 bytes of overhead. 497 2.2.3. Message Sizes PSK 499 2.2.3.1. flight_1 501 The differences in overhead compared to Section 2.2.2.1 are: 503 The following is removed: 505 - Extension - Supported Groups (x25519) (8 bytes) 507 - Extension - Key Share (42 bytes) 509 In total: 511 184 - 8 - 42 = 134 bytes 512 DTLS 1.3 PSK flight_1 gives 134 bytes of overhead. 514 2.2.3.2. flight_2 516 The differences in overhead compared to Section 2.2.2.2 are: 518 The following is removed: 520 - Extension - Key Share (40 bytes) 522 In total: 524 190 - 40 = 150 bytes 526 DTLS 1.3 PSK flight_2 gives 150 bytes of overhead. 528 2.2.3.3. flight_3 530 There are no differences in overhead compared to Section 2.2.2.3. 532 DTLS 1.3 PSK flight_3 gives 57 bytes of overhead. 534 2.2.4. Cached Information 536 In this section, we consider the effect of [RFC7924] on the message 537 size overhead. 539 Cached information together with server X.509 can be used to move 540 bytes from flight #2 to flight #1 (cached RPK increases the number of 541 bytes compared to cached X.509). 543 The differences compared to Section 2.2.1 are the following. 545 For the flight #1, the following is added: 547 + Extension - Client Cashed Information (39 bytes): 548 00 19 LL LL LL LL 549 01 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 550 16 17 18 19 1a 1b 1c 1d 1e 1f 552 And the following is removed: 554 - Extension - Server Certificate Type (Raw Public Key) (6 bytes) 556 Giving a total of: 558 150 + 33 = 183 bytes 559 For the flight #2, the following is added: 561 + Extension - Server Cashed Information (7 bytes): 562 00 19 LL LL LL LL 01 564 And the following is removed: 566 - Extension - Server Certificate Type (Raw Public Key) (6 bytes) 568 - Server Certificate (59 bytes -> 32 bytes) 570 Giving a total of: 572 373 - 26 = 347 bytes 574 A summary of the calculation is given in Figure 3. 576 ====================================================================== 577 Flight #1 #2 #3 Total 578 ---------------------------------------------------------------------- 579 DTLS 1.3 Cached X.509/RPK + ECDHE 183 347 213 743 580 DTLS 1.3 RPK + ECDHE 150 373 213 736 581 ======================================================================= 583 Figure 3: Comparison of message sizes in bytes for DTLS 1.3 RPK + 584 ECDH with and without cached X.509 586 2.2.5. Resumption 588 To enable resumption, a 4th flight (New Session Ticket) is added to 589 the PSK handshake. 591 Record Header - DTLSCiphertext, Full (6 bytes): 592 HH ES SS 43 LL LL 594 Handshake Header - New Session Ticket (10 bytes): 595 04 LL LL LL SS SS 00 00 00 LL LL LL 597 Ticket Lifetime (4 bytes): 598 00 01 02 03 600 Ticket Age Add (4 bytes): 601 00 01 02 03 603 Ticket Nonce (2 bytes): 604 01 00 606 Ticket (6 bytes): 607 00 04 ID ID ID ID 609 Extensions (2 bytes): 610 00 00 612 Auth Tag (8 bytes) // AES-CCM_8: 613 00 01 02 03 04 05 06 07 615 6 + 10 + 4 + 4 + 2 + 6 + 2 + 8 = 42 bytes 617 The initial handshake when resumption is enabled is just a PSK 618 handshake with 134 + 150 + 57 + 42 = 383 bytes. 620 2.2.6. Without Connection ID 622 Without a Connection ID the DTLS 1.3 flight sizes changes as follows. 624 DTLS 1.3 Flight #1: -6 bytes 625 DTLS 1.3 Flight #2: -7 bytes 626 DTLS 1.3 Flight #3: -1 byte 628 ======================================================================= 629 Flight #1 #2 #3 Total 630 ----------------------------------------------------------------------- 631 DTLS 1.3 RPK + ECDHE (no cid) 144 364 212 722 632 DTLS 1.3 PSK + ECDHE (no cid) 178 183 56 417 633 DTLS 1.3 PSK (no cid) 128 143 56 327 634 ======================================================================= 636 Figure 4: Comparison of message sizes in bytes for DTLS 1.3 without 637 Connection ID 639 2.2.7. DTLS Raw Public Keys 641 TODO 643 2.2.7.1. SubjectPublicKeyInfo without point compression 645 0x30 // Sequence 646 0x59 // Size 89 648 0x30 // Sequence 649 0x13 // Size 19 650 0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01 651 // OID 1.2.840.10045.2.1 (ecPublicKey) 652 0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07 653 // OID 1.2.840.10045.3.1.7 (secp256r1) 655 0x03 // Bit string 656 0x42 // Size 66 657 0x00 // Unused bits 0 658 0x04 // Uncompressed 659 ...... 64 bytes X and Y 661 Total of 91 bytes 663 2.2.7.2. SubjectPublicKeyInfo with point compression 665 0x30 // Sequence 666 0x59 // Size 89 668 0x30 // Sequence 669 0x13 // Size 19 670 0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01 671 // OID 1.2.840.10045.2.1 (ecPublicKey) 672 0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07 673 // OID 1.2.840.10045.3.1.7 (secp256r1) 675 0x03 // Bit string 676 0x42 // Size 66 677 0x00 // Unused bits 0 678 0x03 // Compressed 679 ...... 32 bytes X 681 Total of 59 bytes 683 2.3. TLS 1.3 685 In this section, the message sizes are calculated for TLS 1.3. The 686 major changes compared to DTLS 1.3 are that the record header is 687 smaller, the handshake headers is smaller, and that Connection ID is 688 not supported. Recently, additional work has taken shape with the 689 goal to further reduce overhead for TLS 1.3 (see 690 [I-D.rescorla-tls-ctls]). 692 TLS Assumptions: 694 o Minimum number of algorithms and cipher suites offered 696 o Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256 698 o Length of key identifiers: 1 bytes 700 o TLS RPK with point compression (saves 32 bytes) 702 o Only mandatory TLS extensions 704 For the PSK calculations, [Ulfheim-TLS13] was a useful resource, 705 while for RPK calculations we followed the work of [IoT-Cert]. 707 2.3.1. Message Sizes RPK + ECDHE 709 2.3.1.1. flight_1 710 Record Header - TLSPlaintext (5 bytes): 711 16 03 03 LL LL 713 Handshake Header - Client Hello (4 bytes): 714 01 LL LL LL 716 Legacy Version (2 bytes): 717 03 03 719 Client Random (32 bytes): 720 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 721 16 17 18 19 1a 1b 1c 1d 1e 1f 723 Legacy Session ID (1 bytes): 724 00 726 Cipher Suites (TLS_AES_128_CCM_8_SHA256) (4 bytes): 727 00 02 13 05 729 Compression Methods (null) (2 bytes): 730 01 00 732 Extensions Length (2 bytes): 733 LL LL 735 Extension - Supported Groups (x25519) (8 bytes): 736 00 0a 00 04 00 02 00 1d 738 Extension - Signature Algorithms(ecdsa_secp256r1_sha256)(8 bytes): 739 00 0d 00 04 00 02 08 07 741 Extension - Key Share (42 bytes): 742 00 33 00 26 00 24 00 1d 00 20 743 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 744 16 17 18 19 1a 1b 1c 1d 1e 1f 746 Extension - Supported Versions (1.3) (7 bytes): 747 00 2b 00 03 02 03 04 749 Extension - Client Certificate Type (Raw Public Key) (6 bytes): 750 00 13 00 01 01 02 752 Extension - Server Certificate Type (Raw Public Key) (6 bytes): 753 00 14 00 01 01 02 755 5 + 4 + 2 + 32 + 1 + 4 + 2 + 2 + 8 + 8 + 42 + 7 + 6 + 6 = 129 bytes 757 TLS 1.3 RPK + ECDHE flight_1 gives 129 bytes of overhead. 759 2.3.1.2. flight_2 761 Record Header - TLSPlaintext (5 bytes): 762 16 03 03 LL LL 764 Handshake Header - Server Hello (4 bytes): 765 02 LL LL LL 767 Legacy Version (2 bytes): 768 fe fd 770 Server Random (32 bytes): 771 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 772 16 17 18 19 1a 1b 1c 1d 1e 1f 774 Legacy Session ID (1 bytes): 775 00 777 Cipher Suite (TLS_AES_128_CCM_8_SHA256) (2 bytes): 778 13 05 780 Compression Method (null) (1 bytes): 781 00 783 Extensions Length (2 bytes): 784 LL LL 786 Extension - Key Share (40 bytes): 787 00 33 00 24 00 1d 00 20 788 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 789 16 17 18 19 1a 1b 1c 1d 1e 1f 791 Extension - Supported Versions (1.3) (6 bytes): 792 00 2b 00 02 03 04 794 Record Header - TLSCiphertext (5 bytes): 795 17 03 03 LL LL 797 Handshake Header - Encrypted Extensions (4 bytes): 798 08 LL LL LL 800 Extensions Length (2 bytes): 801 LL LL 803 Extension - Client Certificate Type (Raw Public Key) (6 bytes): 804 00 13 00 01 01 02 806 Extension - Server Certificate Type (Raw Public Key) (6 bytes): 808 00 14 00 01 01 02 810 Handshake Header - Certificate Request (4 bytes): 811 0d LL LL LL 813 Request Context (1 bytes): 814 00 816 Extensions Length (2 bytes): 817 LL LL 819 Extension - Signature Algorithms(ecdsa_secp256r1_sha256)(8 bytes): 820 00 0d 00 04 00 02 08 07 822 Handshake Header - Certificate (4 bytes): 823 0b LL LL LL 825 Request Context (1 bytes): 826 00 828 Certificate List Length (3 bytes): 829 LL LL LL 831 Certificate Length (3 bytes): 832 LL LL LL 834 Certificate (59 bytes) // Point compression 835 .... 837 Certificate Extensions (2 bytes): 838 00 00 840 Handshake Header - Certificate Verify (4 bytes): 841 0f LL LL LL 843 Signature (68 bytes): 844 ZZ ZZ 00 40 .... 846 Handshake Header - Finished (4 bytes): 847 14 LL LL LL 849 Verify Data (32 bytes): 850 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 851 16 17 18 19 1a 1b 1c 1d 1e 1f 853 Record Type (1 byte): 854 16 856 Auth Tag (8 bytes): 857 e0 8b 0e 45 5a 35 0a e5 859 5 + 90 + 5 + 18 + 15 + 72 + 72 + 36 + 1 + 8 = 322 bytes 861 TLS 1.3 RPK + ECDHE flight_2 gives 322 bytes of overhead. 863 2.3.1.3. flight_3 864 Record Header - TLSCiphertext (5 bytes): 865 17 03 03 LL LL 867 Handshake Header - Certificate (4 bytes): 868 0b LL LL LL 870 Request Context (1 bytes): 871 00 873 Certificate List Length (3 bytes): 874 LL LL LL 876 Certificate Length (3 bytes): 877 LL LL LL 879 Certificate (59 bytes) // Point compression 880 .... 882 Certificate Extensions (2 bytes): 883 00 00 885 Handshake Header - Certificate Verify (4 bytes): 886 0f LL LL LL 888 Signature (68 bytes): 889 04 03 LL LL //ecdsa_secp256r1_sha256 890 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 891 16 17 18 19 1a 1b 1c 1d 1e 1f 00 01 02 03 04 05 06 07 08 09 0a 0b 892 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 894 Handshake Header - Finished (4 bytes): 895 14 LL LL LL 897 Verify Data (32 bytes) // SHA-256: 898 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 899 16 17 18 19 1a 1b 1c 1d 1e 1f 901 Record Type (1 byte) 902 16 904 Auth Tag (8 bytes) // AES-CCM_8: 905 00 01 02 03 04 05 06 07 907 5 + 72 + 72 + 36 + 1 + 8 = 194 bytes 909 TLS 1.3 RPK + ECDHE flight_3 gives 194 bytes of overhead. 911 2.3.2. Message Sizes PSK + ECDHE 913 2.3.2.1. flight_1 915 The differences in overhead compared to Section 2.3.1.3 are: 917 The following is added: 919 + Extension - PSK Key Exchange Modes (6 bytes): 920 00 2d 00 02 01 01 922 + Extension - Pre Shared Key (48 bytes): 923 00 29 00 2F 924 00 0a 00 01 ID 00 00 00 00 925 00 21 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 926 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 928 The following is removed: 930 - Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes) 932 - Extension - Client Certificate Type (Raw Public Key) (6 bytes) 934 - Extension - Server Certificate Type (Raw Public Key) (6 bytes) 936 In total: 938 129 + 6 + 48 - 8 - 6 - 6 = 163 bytes 940 TLS 1.3 PSK + ECDHE flight_1 gives 166 bytes of overhead. 942 2.3.2.2. flight_2 944 The differences in overhead compared to Section 2.3.1.2 are: 946 The following is added: 948 + Extension - Pre Shared Key (6 bytes) 949 00 29 00 02 00 00 951 The following is removed: 953 - Handshake Message Certificate (72 bytes) 955 - Handshake Message CertificateVerify (72 bytes) 957 - Handshake Message CertificateRequest (15 bytes) 959 - Extension - Client Certificate Type (Raw Public Key) (6 bytes) 961 - Extension - Server Certificate Type (Raw Public Key) (6 bytes) 963 In total: 965 322 - 72 - 72 - 15 - 6 - 6 + 6 = 157 bytes 967 TLS 1.3 PSK + ECDHE flight_2 gives 157 bytes of overhead. 969 2.3.2.3. flight_3 971 The differences in overhead compared to Section 2.3.1.3 are: 973 The following is removed: 975 - Handshake Message Certificate (72 bytes) 977 - Handshake Message Certificate Verify (72 bytes) 979 In total: 981 194 - 72 - 72 = 50 bytes 983 TLS 1.3 PSK + ECDHE flight_3 gives 50 bytes of overhead. 985 2.3.3. Message Sizes PSK 987 2.3.3.1. flight_1 989 The differences in overhead compared to Section 2.3.2.1 are: 991 The following is removed: 993 - Extension - Supported Groups (x25519) (8 bytes) 995 - Extension - Key Share (42 bytes) 997 In total: 999 163 - 8 - 42 = 113 bytes 1000 TLS 1.3 PSK flight_1 gives 116 bytes of overhead. 1002 2.3.3.2. flight_2 1004 The differences in overhead compared to Section 2.3.2.2 are: 1006 The following is removed: 1008 - Extension - Key Share (40 bytes) 1010 In total: 1012 157 - 40 = 117 bytes 1014 TLS 1.3 PSK flight_2 gives 117 bytes of overhead. 1016 2.3.3.3. flight_3 1018 There are no differences in overhead compared to Section 2.3.2.3. 1020 TLS 1.3 PSK flight_3 gives 57 bytes of overhead. 1022 2.4. EDHOC 1024 This section gives an estimate of the message sizes of EDHOC with 1025 authenticated with static Diffie-Hellman keys. All examples are 1026 given in CBOR diagnostic notation and hexadecimal, and are based on 1027 the test vectors in Appendix B.2 of [I-D.ietf-lake-edhoc]. 1029 2.4.1. Message Sizes RPK 1031 2.4.1.1. message_1 1033 message_1 = ( 1034 13, 1035 0, 1036 h'8D3EF56D1B750A4351D68AC250A0E883790EFC80A538A444EE9E2B57E244 1037 1A7C', 1038 -2 1039 ) 1041 message_1 (37 bytes): 1042 0d 00 58 20 8d 3e f5 6d 1b 75 0a 43 51 d6 8a c2 50 a0 e8 83 1043 79 0e fc 80 a5 38 a4 44 ee 9e 2b 57 e2 44 1a 7c 21 1045 2.4.1.2. message_2 1047 message_2 = ( 1048 h'52FBA0BDC8D953DD86CE1AB2FD7C05A4658C7C30AFDBFC3301047069451B 1049 AF35', 1050 8, 1051 h'DCF6FE9C524C22454DEB' 1052 ) 1054 message_2 (46 bytes): 1055 58 20 52 fb a0 bd c8 d9 53 dd 86 ce 1a b2 fd 7c 05 a4 65 8c 1056 7c 30 af db fc 33 01 04 70 69 45 1b af 35 08 4a dc f6 fe 9c 1057 52 4c 22 45 4d eb 1059 2.4.1.3. message_3 1061 message_3 = ( 1062 8, 1063 h'53C3991999A5FFB86921E99B607C067770E0' 1064 ) 1066 message_3 (20 bytes): 1067 08 52 53 c3 99 19 99 a5 ff b8 69 21 e9 9b 60 7c 06 77 70 e0 1069 2.4.2. Summary 1071 The typical message sizes for the previous example and for an example 1072 of EDHOC authenticated with signature keys and X.509 certificates 1073 based on Appendix B.1 of [I-D.ietf-lake-edhoc] are summarized in 1074 Figure 5. 1076 =============================== 1077 RPK x5t 1078 ------------------------------- 1079 message_1 37 37 1080 message_2 46 117 1081 message_3 20 91 1082 ------------------------------- 1083 Total 103 245 1084 =============================== 1086 Figure 5: Typical message sizes in bytes 1088 2.5. Conclusion 1090 To do a fair comparison, one has to choose a specific deployment and 1091 look at the topology, the whole protocol stack, frame sizes (e.g. 51 1092 or 128 bytes), how and where in the protocol stack fragmentation is 1093 done, and the expected packet loss. Note that the number of bytes in 1094 each frame that is available for the key exchange protocol may depend 1095 on the underlying protocol layers as well as on the number of hops in 1096 multi-hop networks. The packet loss may depend on how many other 1097 devices are transmitting at the same time, and may increase during 1098 network formation. The total overhead will be larger due to 1099 mechanisms for fragmentation, retransmission, and packet ordering. 1100 The overhead of fragmentation is roughly proportional to the number 1101 of fragments, while the expected overhead due to retransmission in 1102 noisy environments is a superlinear function of the flight sizes. 1104 3. Overhead for Protection of Application Data 1106 To enable comparison, all the overhead calculations in this section 1107 use AES-CCM with a tag length of 8 bytes (e.g. AES_128_CCM_8 or AES- 1108 CCM-16-64), a plaintext of 6 bytes, and the sequence number '05'. 1109 This follows the example in [RFC7400], Figure 16. 1111 Note that the compressed overhead calculations for DLTS 1.2, DTLS 1112 1.3, TLS 1.2 and TLS 1.3 are dependent on the parameters epoch, 1113 sequence number, and length, and all the overhead calculations are 1114 dependent on the parameter Connection ID when used. Note that the 1115 OSCORE overhead calculations are dependent on the CoAP option 1116 numbers, as well as the length of the OSCORE parameters Sender ID and 1117 Sequence Number. The following calculations are only examples. 1119 Section 3.1 gives a short summary of the message overhead based on 1120 different parameters and some assumptions. The following sections 1121 detail the assumptions and the calculations. 1123 3.1. Summary 1125 The DTLS overhead is dependent on the parameter Connection ID. The 1126 following overheads apply for all Connection IDs with the same 1127 length. 1129 The compression overhead (GHC) is dependent on the parameters epoch, 1130 sequence number, Connection ID, and length (where applicable). The 1131 following overheads should be representative for sequence numbers and 1132 Connection IDs with the same length. 1134 The OSCORE overhead is dependent on the included CoAP Option numbers 1135 as well as the length of the OSCORE parameters Sender ID and sequence 1136 number. The following overheads apply for all sequence numbers and 1137 Sender IDs with the same length. 1139 Sequence Number '05' '1005' '100005' 1140 ------------------------------------------------------------- 1141 DTLS 1.2 29 29 29 1142 DTLS 1.3 11 12 12 1143 ------------------------------------------------------------- 1144 DTLS 1.2 (GHC) 16 16 16 1145 DTLS 1.3 (GHC) 12 13 13 1146 ------------------------------------------------------------- 1147 TLS 1.2 21 21 21 1148 TLS 1.3 14 14 14 1149 ------------------------------------------------------------- 1150 TLS 1.2 (GHC) 17 18 19 1151 TLS 1.3 (GHC) 15 16 17 1152 ------------------------------------------------------------- 1153 OSCORE request 13 14 15 1154 OSCORE response 11 11 11 1156 Figure 6: Overhead in bytes as a function of sequence number 1157 (Connection/Sender ID = '') 1159 Connection/Sender ID '' '42' '4002' 1160 ------------------------------------------------------------- 1161 DTLS 1.2 29 30 31 1162 DTLS 1.3 11 12 13 1163 ------------------------------------------------------------- 1164 DTLS 1.2 (GHC) 16 17 18 1165 DTLS 1.3 (GHC) 12 13 14 1166 ------------------------------------------------------------- 1167 OSCORE request 13 14 15 1168 OSCORE response 11 11 11 1170 Figure 7: Overhead in bytes as a function of Connection/Sender 1171 ID (Sequence Number = '05') 1173 Protocol Overhead Overhead (GHC) 1174 ------------------------------------------------------------- 1175 DTLS 1.2 21 8 1176 DTLS 1.3 3 4 1177 ------------------------------------------------------------- 1178 TLS 1.2 13 9 1179 TLS 1.3 6 7 1180 ------------------------------------------------------------- 1181 OSCORE request 5 1182 OSCORE response 3 1184 Figure 8: Overhead (excluding ICV) in bytes 1185 (Connection/Sender ID = '', Sequence Number = '05') 1187 3.2. DTLS 1.2 1189 3.2.1. DTLS 1.2 1191 This section analyzes the overhead of DTLS 1.2 [RFC6347]. The nonce 1192 follow the strict profiling given in [RFC7925]. This example is 1193 taken directly from [RFC7400], Figure 16. 1195 DTLS 1.2 record layer (35 bytes, 29 bytes overhead): 1196 17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00 1197 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4 1198 cb 35 b9 1200 Content type: 1201 17 1202 Version: 1203 fe fd 1204 Epoch: 1205 00 01 1206 Sequence number: 1207 00 00 00 00 00 05 1208 Length: 1209 00 16 1210 Nonce: 1211 00 01 00 00 00 00 00 05 1212 Ciphertext: 1213 ae a0 15 56 67 92 1214 ICV: 1215 4d ff 8a 24 e4 cb 35 b9 1217 DTLS 1.2 gives 29 bytes overhead. 1219 3.2.2. DTLS 1.2 with 6LoWPAN-GHC 1221 This section analyzes the overhead of DTLS 1.2 [RFC6347] when 1222 compressed with 6LoWPAN-GHC [RFC7400]. The compression was done with 1223 [OlegHahm-ghc]. 1225 Note that the sequence number '01' used in [RFC7400], Figure 15 gives 1226 an exceptionally small overhead that is not representative. 1228 Note that this header compression is not available when DTLS is used 1229 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 1231 Compressed DTLS 1.2 record layer (22 bytes, 16 bytes overhead): 1232 b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff 1233 8a 24 e4 cb 35 b9 1235 Compressed DTLS 1.2 record layer header and nonce: 1236 b0 c3 03 05 00 16 f2 0e 1237 Ciphertext: 1238 ae a0 15 56 67 92 1239 ICV: 1240 4d ff 8a 24 e4 cb 35 b9 1242 When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters 1243 (epoch, sequence number, length) gives 16 bytes overhead. 1245 3.2.3. DTLS 1.2 with Connection ID 1247 This section analyzes the overhead of DTLS 1.2 [RFC6347] with 1248 Connection ID [I-D.ietf-tls-dtls-connection-id]. The overhead 1249 calculations in this section uses Connection ID = '42'. DTLS recored 1250 layer with a Connection ID = '' (the empty string) is equal to DTLS 1251 without Connection ID. 1253 DTLS 1.2 record layer (36 bytes, 30 bytes overhead): 1254 17 fe fd 00 01 00 00 00 00 00 05 42 00 16 00 01 1255 00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 1256 e4 cb 35 b9 1258 Content type: 1259 17 1260 Version: 1261 fe fd 1262 Epoch: 1263 00 01 1264 Sequence number: 1265 00 00 00 00 00 05 1266 Connection ID: 1267 42 1268 Length: 1269 00 16 1270 Nonce: 1271 00 01 00 00 00 00 00 05 1272 Ciphertext: 1273 ae a0 15 56 67 92 1274 ICV: 1275 4d ff 8a 24 e4 cb 35 b9 1277 DTLS 1.2 with Connection ID gives 30 bytes overhead. 1279 3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC 1281 This section analyzes the overhead of DTLS 1.2 [RFC6347] with 1282 Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with 1283 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 1285 Note that the sequence number '01' used in [RFC7400], Figure 15 gives 1286 an exceptionally small overhead that is not representative. 1288 Note that this header compression is not available when DTLS is used 1289 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 1291 Compressed DTLS 1.2 record layer (23 bytes, 17 bytes overhead): 1292 b0 c3 04 05 42 00 16 f2 0e ae a0 15 56 67 92 4d 1293 ff 8a 24 e4 cb 35 b9 1295 Compressed DTLS 1.2 record layer header and nonce: 1296 b0 c3 04 05 42 00 16 f2 0e 1297 Ciphertext: 1298 ae a0 15 56 67 92 1299 ICV: 1300 4d ff 8a 24 e4 cb 35 b9 1302 When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters 1303 (epoch, sequence number, Connection ID, length) gives 17 bytes 1304 overhead. 1306 3.3. DTLS 1.3 1308 3.3.1. DTLS 1.3 1310 This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]. 1311 The changes compared to DTLS 1.2 are: omission of version number, 1312 merging of epoch into the first byte containing signalling bits, 1313 optional omission of length, reduction of sequence number into a 1 or 1314 2-bytes field. 1316 Only the minimal header format for DTLS 1.3 is analyzed (see Figure 4 1317 of [I-D.ietf-tls-dtls13]). The minimal header formal omit the length 1318 field and only a 1-byte field is used to carry the 8 low order bits 1319 of the sequence number 1320 DTLS 1.3 record layer (17 bytes, 11 bytes overhead): 1321 21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 1323 First byte (including epoch): 1324 21 1325 Sequence number: 1326 05 1327 Ciphertext (including encrypted content type): 1328 ae a0 15 56 67 92 ec 1329 ICV: 1330 4d ff 8a 24 e4 cb 35 b9 1332 DTLS 1.3 gives 11 bytes overhead. 1334 3.3.2. DTLS 1.3 with 6LoWPAN-GHC 1336 This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] 1337 when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 1339 Note that this header compression is not available when DTLS is used 1340 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 1342 Compressed DTLS 1.3 record layer (18 bytes, 12 bytes overhead): 1343 11 21 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 1344 35 b9 1346 Compressed DTLS 1.3 record layer header and nonce: 1347 11 21 05 1348 Ciphertext (including encrypted content type): 1349 ae a0 15 56 67 92 ec 1350 ICV: 1351 4d ff 8a 24 e4 cb 35 b9 1353 When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters 1354 (epoch, sequence number, no length) gives 12 bytes overhead. 1356 3.3.3. DTLS 1.3 with Connection ID 1358 This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] 1359 with Connection ID [I-D.ietf-tls-dtls-connection-id]. 1361 In this example, the length field is omitted, and the 1-byte field is 1362 used for the sequence number. The minimal DTLSCiphertext structure 1363 is used (see Figure 4 of [I-D.ietf-tls-dtls13]), with the addition of 1364 the Connection ID field. 1366 DTLS 1.3 record layer (18 bytes, 12 bytes overhead): 1367 31 42 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 1369 First byte (including epoch): 1370 31 1371 Connection ID: 1372 42 1373 Sequence number: 1374 05 1375 Ciphertext (including encrypted content type): 1376 ae a0 15 56 67 92 ec 1377 ICV: 1378 4d ff 8a 24 e4 cb 35 b9 1380 DTLS 1.3 with Connection ID gives 12 bytes overhead. 1382 3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC 1384 This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] 1385 with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed 1386 with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 1388 Note that this header compression is not available when DTLS is used 1389 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 1391 Compressed DTLS 1.3 record layer (19 bytes, 13 bytes overhead): 1392 12 31 05 42 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 1393 cb 35 b9 1395 Compressed DTLS 1.3 record layer header and nonce: 1396 12 31 05 42 1397 Ciphertext (including encrypted content type): 1398 ae a0 15 56 67 92 ec 1399 ICV: 1400 4d ff 8a 24 e4 cb 35 b9 1402 When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters 1403 (epoch, sequence number, Connection ID, no length) gives 13 bytes 1404 overhead. 1406 3.4. TLS 1.2 1408 3.4.1. TLS 1.2 1410 This section analyzes the overhead of TLS 1.2 [RFC5246]. The changes 1411 compared to DTLS 1.2 is that the TLS 1.2 record layer does not have 1412 epoch and sequence number, and that the version is different. 1414 TLS 1.2 Record Layer (27 bytes, 21 bytes overhead): 1415 17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15 1416 56 67 92 4d ff 8a 24 e4 cb 35 b9 1418 Content type: 1419 17 1420 Version: 1421 03 03 1422 Length: 1423 00 16 1424 Nonce: 1425 00 00 00 00 00 00 00 05 1426 Ciphertext: 1427 ae a0 15 56 67 92 1428 ICV: 1429 4d ff 8a 24 e4 cb 35 b9 1431 TLS 1.2 gives 21 bytes overhead. 1433 3.4.2. TLS 1.2 with 6LoWPAN-GHC 1435 This section analyzes the overhead of TLS 1.2 [RFC5246] when 1436 compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 1438 Note that this header compression is not available when TLS is used 1439 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 1441 Compressed TLS 1.2 record layer (23 bytes, 17 bytes overhead): 1442 05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d 1443 ff 8a 24 e4 cb 35 b9 1445 Compressed TLS 1.2 record layer header and nonce: 1446 05 17 03 03 00 16 85 0f 05 1447 Ciphertext: 1448 ae a0 15 56 67 92 1449 ICV: 1450 4d ff 8a 24 e4 cb 35 b9 1452 When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters 1453 (epoch, sequence number, length) gives 17 bytes overhead. 1455 3.5. TLS 1.3 1457 3.5.1. TLS 1.3 1459 This section analyzes the overhead of TLS 1.3 [RFC8446]. The change 1460 compared to TLS 1.2 is that the TLS 1.3 record layer uses a different 1461 version. 1463 TLS 1.3 Record Layer (20 bytes, 14 bytes overhead): 1464 17 03 03 00 16 ae a0 15 56 67 92 ec 4d ff 8a 24 1465 e4 cb 35 b9 1467 Content type: 1468 17 1469 Legacy version: 1470 03 03 1471 Length: 1472 00 0f 1473 Ciphertext (including encrypted content type): 1474 ae a0 15 56 67 92 ec 1475 ICV: 1476 4d ff 8a 24 e4 cb 35 b9 1478 TLS 1.3 gives 14 bytes overhead. 1480 3.5.2. TLS 1.3 with 6LoWPAN-GHC 1482 This section analyzes the overhead of TLS 1.3 [RFC8446] when 1483 compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc]. 1485 Note that this header compression is not available when TLS is used 1486 over transports that do not use 6LoWPAN together with 6LoWPAN-GHC. 1488 Compressed TLS 1.3 record layer (21 bytes, 15 bytes overhead): 1489 14 17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a 1490 24 e4 cb 35 b9 1492 Compressed TLS 1.3 record layer header and nonce: 1493 14 17 03 03 00 0f 1494 Ciphertext (including encrypted content type): 1495 ae a0 15 56 67 92 ec 1496 ICV: 1497 4d ff 8a 24 e4 cb 35 b9 1499 When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters 1500 (epoch, sequence number, length) gives 15 bytes overhead. 1502 3.6. OSCORE 1504 This section analyzes the overhead of OSCORE [RFC8613]. 1506 The below calculation Option Delta = '9', Sender ID = '' (empty 1507 string), and Sequence Number = '05', and is only an example. Note 1508 that Sender ID = '' (empty string) can only be used by one client per 1509 server. 1511 OSCORE request (19 bytes, 13 bytes overhead): 1512 92 09 05 1513 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 1515 CoAP option delta and length: 1516 92 1517 Option value (flag byte and sequence number): 1518 09 05 1519 Payload marker: 1520 ff 1521 Ciphertext (including encrypted code): 1522 ec ae a0 15 56 67 92 1523 ICV: 1524 4d ff 8a 24 e4 cb 35 b9 1526 The below calculation Option Delta = '9', Sender ID = '42', and 1527 Sequence Number = '05', and is only an example. 1529 OSCORE request (20 bytes, 14 bytes overhead): 1530 93 09 05 42 1531 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 1533 CoAP option delta and length: 1534 93 1535 Option Value (flag byte, sequence number, and Sender ID): 1536 09 05 42 1537 Payload marker: 1538 ff 1539 Ciphertext (including encrypted code): 1540 ec ae a0 15 56 67 92 1541 ICV: 1542 4d ff 8a 24 e4 cb 35 b9 1544 The below calculation uses Option Delta = '9'. 1546 OSCORE response (17 bytes, 11 bytes overhead): 1547 90 1548 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 1550 CoAP delta and option length: 1551 90 1552 Option value: 1553 - 1554 Payload marker: 1555 ff 1556 Ciphertext (including encrypted code): 1557 ec ae a0 15 56 67 92 1558 ICV: 1559 4d ff 8a 24 e4 cb 35 b9 1561 OSCORE with the above parameters gives 13-14 bytes overhead for 1562 requests and 11 bytes overhead for responses. 1564 Unlike DTLS and TLS, OSCORE has much smaller overhead for responses 1565 than requests. 1567 3.7. Group OSCORE 1569 This section analyzes the overhead of Group OSCORE 1570 [I-D.ietf-core-oscore-groupcomm]. 1572 TODO 1574 3.8. Conclusion 1576 DTLS 1.2 has quite a large overhead as it uses an explicit sequence 1577 number and an explicit nonce. TLS 1.2 has significantly less (but 1578 not small) overhead. TLS 1.3 has quite a small overhead. OSCORE and 1579 DTLS 1.3 (using the minimal structure) format have very small 1580 overhead. 1582 The Generic Header Compression (6LoWPAN-GHC) can in addition to DTLS 1583 1.2 handle TLS 1.2, and DTLS 1.2 with Connection ID. The Generic 1584 Header Compression (6LoWPAN-GHC) works very well for Connection ID 1585 and the overhead seems to increase exactly with the length of the 1586 Connection ID (which is optimal). The compression of TLS 1.2 is not 1587 as good as the compression of DTLS 1.2 (as the static dictionary only 1588 contains the DTLS 1.2 version number). Similar compression levels as 1589 for DTLS could be achieved also for TLS 1.2, but this would require 1590 different static dictionaries. For TLS 1.3 and DTLS 1.3, GHC 1591 increases the overhead. The 6LoWPAN-GHC header compression is not 1592 available when (D)TLS is used over transports that do not use 6LoWPAN 1593 together with 6LoWPAN-GHC. 1595 New security protocols like OSCORE, TLS 1.3, and DTLS 1.3 have much 1596 lower overhead than DTLS 1.2 and TLS 1.2. The overhead is even 1597 smaller than DTLS 1.2 and TLS 1.2 over 6LoWPAN with compression, and 1598 therefore the small overhead is achieved even on deployments without 1599 6LoWPAN or 6LoWPAN without compression. OSCORE is lightweight 1600 because it makes use of CoAP, CBOR, and COSE, which were designed to 1601 have as low overhead as possible. 1603 Note that the compared protocols have slightly different use cases. 1604 TLS and DTLS are designed for the transport layer and are terminated 1605 in CoAP proxies. OSCORE is designed for the application layer and 1606 protects information end-to-end between the CoAP client and the CoAP 1607 server. Group OSCORE is designed for group communication and 1608 protects information between a CoAP client and any number of CoAP 1609 servers. 1611 4. Security Considerations 1613 This document is purely informational. 1615 5. IANA Considerations 1617 This document has no actions for IANA. 1619 6. Informative References 1621 [I-D.ietf-core-oscore-groupcomm] 1622 Tiloca, M., Selander, G., Palombini, F., and J. Park, 1623 "Group OSCORE - Secure Group Communication for CoAP", 1624 draft-ietf-core-oscore-groupcomm-09 (work in progress), 1625 June 2020. 1627 [I-D.ietf-lake-edhoc] 1628 Selander, G., Mattsson, J., and F. Palombini, "Ephemeral 1629 Diffie-Hellman Over COSE (EDHOC)", draft-ietf-lake- 1630 edhoc-01 (work in progress), August 2020. 1632 [I-D.ietf-tls-dtls-connection-id] 1633 Rescorla, E., Tschofenig, H., and T. Fossati, "Connection 1634 Identifiers for DTLS 1.2", draft-ietf-tls-dtls-connection- 1635 id-07 (work in progress), October 2019. 1637 [I-D.ietf-tls-dtls13] 1638 Rescorla, E., Tschofenig, H., and N. Modadugu, "The 1639 Datagram Transport Layer Security (DTLS) Protocol Version 1640 1.3", draft-ietf-tls-dtls13-38 (work in progress), May 1641 2020. 1643 [I-D.rescorla-tls-ctls] 1644 Rescorla, E., Barnes, R., and H. Tschofenig, "Compact TLS 1645 1.3", draft-rescorla-tls-ctls-04 (work in progress), March 1646 2020. 1648 [IoT-Cert] 1649 Forsby, F., "Digital Certificates for the Internet of 1650 Things", June 2017, . 1653 [OlegHahm-ghc] 1654 Hahm, O., "Generic Header Compression", July 2016, 1655 . 1657 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1658 (TLS) Protocol Version 1.2", RFC 5246, 1659 DOI 10.17487/RFC5246, August 2008, 1660 . 1662 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 1663 Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, 1664 January 2012, . 1666 [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained 1667 Application Protocol (CoAP)", RFC 7252, 1668 DOI 10.17487/RFC7252, June 2014, 1669 . 1671 [RFC7400] Bormann, C., "6LoWPAN-GHC: Generic Header Compression for 1672 IPv6 over Low-Power Wireless Personal Area Networks 1673 (6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November 1674 2014, . 1676 [RFC7924] Santesson, S. and H. Tschofenig, "Transport Layer Security 1677 (TLS) Cached Information Extension", RFC 7924, 1678 DOI 10.17487/RFC7924, July 2016, 1679 . 1681 [RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer 1682 Security (TLS) / Datagram Transport Layer Security (DTLS) 1683 Profiles for the Internet of Things", RFC 7925, 1684 DOI 10.17487/RFC7925, July 2016, 1685 . 1687 [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., 1688 Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained 1689 Application Protocol) over TCP, TLS, and WebSockets", 1690 RFC 8323, DOI 10.17487/RFC8323, February 2018, 1691 . 1693 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1694 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1695 . 1697 [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, 1698 "Object Security for Constrained RESTful Environments 1699 (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, 1700 . 1702 [Ulfheim-TLS13] 1703 Driscoll, M., "Every Byte Explained The Illustrated TLS 1704 1.3 Connection", March 2018, . 1706 Acknowledgments 1708 The authors want to thank Ari Keraenen, Carsten Bormann, Goeran 1709 Selander, and Hannes Tschofenig for comments and suggestions on 1710 previous versions of the draft. 1712 All 6LoWPAN-GHC compression was done with [OlegHahm-ghc]. 1714 Authors' Addresses 1716 John Preuss Mattsson 1717 Ericsson AB 1719 Email: john.mattsson@ericsson.com 1721 Francesca Palombini 1722 Ericsson AB 1724 Email: francesca.palombini@ericsson.com 1726 Malisa Vucinic 1727 INRIA 1729 Email: malisa.vucinic@inria.fr