Network Working Group                                        J. Mattsson
Internet-Draft                                               Ericsson AB
Intended status: Informational                            March 13, 2017
Expires: September 14, 2017


           Message Size Overhead of CoAP Security Protocols
                draft-mattsson-core-security-overhead-00

Abstract

   This document analyzes and compares per-packet message size overheads
   when using different security protocols to secure CoAP. The analyzed
   security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, and
   OSCOAP. DTLS and TLS are analyzed with and without compression.
   DTLS is analyzed with two different alternatives for header
   compression.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 14, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
   2.  Overhead of Security Protocols
     2.1.  DTLS 1.2
     2.2.  DTLS 1.2 with 6LoWPAN-GHC
     2.3.  DTLS 1.2 with raza-6lo-compressed-dtls
     2.4.  DTLS 1.3
     2.5.  DTLS 1.3 with 6LoWPAN-GHC
     2.6.  DTLS 1.3 with raza-6lo-compressed-dtls
     2.7.  TLS 1.2
     2.8.  TLS 1.2 with 6LoWPAN-GHC
     2.9.  TLS 1.3
     2.10. TLS 1.3 with 6LoWPAN-GHC
     2.11. OSCOAP
   3.  Overhead with Different Sequence Numbers
   4.  Summary
   5.  Security Considerations
   6.  Acknowledgments
   7.  Informative References
   Author's Address

1. Introduction

   This document analyzes and compares per-packet message size overheads
   when using different security protocols to secure CoAP over UDP
   [RFC7252] and TCP [I-D.ietf-core-coap-tcp-tls]. The analyzed
   security protocols are DTLS 1.2 [RFC6347], DTLS 1.3
   [I-D.rescorla-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3
   [I-D.ietf-tls-tls13], and OSCOAP [I-D.ietf-core-object-security].
   The DTLS and TLS record layers are analyzed with and without
   compression. DTLS is analyzed with two different alternatives
   ([RFC7400] and [raza-6lo-compressed-dtls]) for header compression.

2. Overhead of Security Protocols

   To enable comparison, all the overhead calculations in this section
   use AES-CCM with a tag length of 8 bytes, a plaintext of 6 bytes, and
   the sequence number '05'. This follows the example in [RFC7400],
   Figure 16.

2.1. DTLS 1.2

   This example is taken directly from [RFC7400], Figure 16. The nonce
   follows the strict profiling given in [RFC7925].

   DTLS 1.2 Record Layer (35 bytes, 29 bytes overhead):
      17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00
      00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
      cb 35 b9

   Content type:
      17
   Version:
      fe fd
   Epoch:
      00 01
   Sequence number:
      00 00 00 00 00 05
   Length:
      00 16
   Nonce:
      00 01 00 00 00 00 00 05
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   DTLS 1.2 gives 29 bytes overhead.

2.2. DTLS 1.2 with 6LoWPAN-GHC

   Note that the compressed overhead is dependent on the parameters
   epoch, sequence number, and length. The following is only an
   example.

   Note that the sequence number '01' used in [RFC7400], Figure 15 gives
   an exceptionally small overhead that is not representative at all.

   Note that this header compression is not available when DTLS is
   exchanged over transports that do not use 6LoWPAN together with
   6LoWPAN-GHC.

   Compressed DTLS 1.2 Record Layer (22 bytes, 16 bytes overhead):
      b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff
      8a 24 e4 cb 35 b9

   Compressed DTLS 1.2 Record Layer Header and Nonce:
      b0 c3 03 05 00 16 f2 0e
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
   (epoch, sequence number, length) gives 16 bytes overhead.

2.3. DTLS 1.2 with raza-6lo-compressed-dtls

   Note that the compressed overhead is dependent on the parameters
   epoch and sequence number. The following is only an example.
   Note that this header compression is not available when DTLS is
   exchanged over transports that do not use 6LoWPAN together with
   raza-6lo-compressed-dtls.

   Compressed DTLS 1.2 Record Layer (19 bytes, 13 bytes overhead):
      90 17 01 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
      cb 35 b9

   NHC:
      90
   Compressed DTLS 1.2 Record Layer Header and Nonce:
      17 01 00 05
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   When compressed with raza-6lo-compressed-dtls, DTLS 1.2 with the
   above parameters (epoch, sequence number) gives 13 bytes overhead.

2.4. DTLS 1.3

   The only change compared to DTLS 1.2 is that the DTLS 1.3 record
   layer does not have an explicit nonce.

   DTLS 1.3 Record Layer (27 bytes, 21 bytes overhead):
      17 fe fd 00 01 00 00 00 00 00 05 00 0e ae a0 15
      56 67 92 4d ff 8a 24 e4 cb 35 b9

   Content type:
      17
   Version:
      fe fd
   Epoch:
      00 01
   Sequence number:
      00 00 00 00 00 05
   Length:
      00 0e
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   DTLS 1.3 gives 21 bytes overhead.

2.5. DTLS 1.3 with 6LoWPAN-GHC

   Note that the overhead is dependent on the parameters epoch, sequence
   number, and length. The following is only an example.

   Note that this header compression is not available when DTLS is
   exchanged over transports that do not use 6LoWPAN together with
   6LoWPAN-GHC.

   Compressed DTLS 1.3 Record Layer (20 bytes, 14 bytes overhead):
      b0 c3 11 05 00 0e ae a0 15 56 67 92 4d ff 8a 24
      e4 cb 35 b9

   Compressed DTLS 1.3 Record Layer Header and Nonce:
      b0 c3 11 05 00 0e
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
   (epoch, sequence number, length) gives 14 bytes overhead.

2.6. DTLS 1.3 with raza-6lo-compressed-dtls

   Note that the compressed overhead is dependent on the parameters
   epoch and sequence number. The following is only an example.

   Note that this header compression is not available when DTLS is
   exchanged over transports that do not use 6LoWPAN together with
   raza-6lo-compressed-dtls.

   Compressed DTLS 1.3 Record Layer (19 bytes, 13 bytes overhead):
      90 17 01 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
      cb 35 b9

   NHC:
      90
   Compressed DTLS 1.3 Record Layer Header and Nonce:
      17 01 00 05
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   When compressed with raza-6lo-compressed-dtls, DTLS 1.3 with the
   above parameters (epoch, sequence number) gives 13 bytes overhead.

2.7. TLS 1.2

   The changes compared to DTLS 1.2 are that the TLS 1.2 record layer
   does not have epoch and sequence number, and that the version is
   different.

   TLS 1.2 Record Layer (27 bytes, 21 bytes overhead):
      17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15
      56 67 92 4d ff 8a 24 e4 cb 35 b9

   Content type:
      17
   Version:
      03 03
   Length:
      00 16
   Nonce:
      00 00 00 00 00 00 00 05
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   TLS 1.2 gives 21 bytes overhead.

2.8. TLS 1.2 with 6LoWPAN-GHC

   Note that the overhead is dependent on the parameters epoch, sequence
   number, and length. The following is only an example.

   Note that this header compression is not available when TLS is
   exchanged over transports that do not use 6LoWPAN together with
   6LoWPAN-GHC.
   Compressed TLS 1.2 Record Layer (23 bytes, 17 bytes overhead):
      05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d
      ff 8a 24 e4 cb 35 b9

   Compressed TLS 1.2 Record Layer Header and Nonce:
      05 17 03 03 00 16 85 0f 05
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters
   (epoch, sequence number, length) gives 17 bytes overhead.

2.9. TLS 1.3

   The change compared to TLS 1.2 is that the TLS 1.3 record layer uses
   a different version.

   TLS 1.3 Record Layer (27 bytes, 21 bytes overhead):
      17 03 01 00 16 00 00 00 00 00 00 00 05 ae a0 15
      56 67 92 4d ff 8a 24 e4 cb 35 b9

   Content type:
      17
   Version:
      03 01
   Length:
      00 16
   Nonce:
      00 00 00 00 00 00 00 05
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   TLS 1.3 gives 21 bytes overhead.

2.10. TLS 1.3 with 6LoWPAN-GHC

   Note that the overhead is dependent on the parameters epoch, sequence
   number, and length. The following is only an example.

   Note that this header compression is not available when TLS is
   exchanged over transports that do not use 6LoWPAN together with
   6LoWPAN-GHC.

   Compressed TLS 1.3 Record Layer (23 bytes, 17 bytes overhead):
      02 17 03 c3 01 16 85 0f 05 ae a0 15 56 67 92 4d
      ff 8a 24 e4 cb 35 b9

   Compressed TLS 1.3 Record Layer Header and Nonce:
      02 17 03 c3 01 16 85 0f 05
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters
   (epoch, sequence number, length) gives 17 bytes overhead.

2.11. OSCOAP

   Note that the overhead is dependent on the included CoAP Option
   numbers, on whether the CoAP method allows payload, and on the length
   of the OSCOAP parameters Sender ID and sequence number. The below
   calculation uses Method = POST, Option Delta = '9', and Sender ID =
   '25', and is only an example.

   OSCOAP Request (19 bytes, 13 bytes overhead):
      90 19 05 41 25 ae a0 15 56 67 92 4d ff 8a 24 e4
      cb 35 b9

   CoAP Delta and Option Length:
      90
   Compressed COSE Header:
      19 05 41 25
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   OSCOAP Response (15 bytes, 9 bytes overhead):
      90 ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP Delta and Option Length:
      90
   Ciphertext:
      ae a0 15 56 67 92
   ICV:
      4d ff 8a 24 e4 cb 35 b9

   OSCOAP with the above parameters gives 13 bytes overhead for requests
   and 9 bytes overhead for responses.

   Unlike DTLS and TLS, OSCOAP has much smaller overhead for responses
   than for requests.

3. Overhead with Different Sequence Numbers

   The compression overhead (GHC) is dependent on the parameters epoch,
   sequence number, and length. The following overheads should be
   representative for sequence numbers with the same length.

   The compression overhead (raza-6lo-compressed-dtls) is dependent on
   the length of the parameters epoch and sequence number. The
   following overheads apply for all sequence numbers with the same
   length.

   The OSCOAP overhead is dependent on the included CoAP Option numbers,
   on whether the CoAP method allows payload, and on the length of the
   OSCOAP parameters Sender ID and sequence number.
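   As an added worked example (not part of the draft), the following
   Python assembles the four uncompressed record layers from the
   Section 2 parameters, parses a DTLS 1.2 record back into its fields
   with the RFC 7925 nonce check, and recomputes the uncompressed rows
   of Figure 1 for the three sequence numbers. The ciphertext and ICV
   bytes are constructed to match the draft's example; the DTLS 1.3
   layout is the one the draft shows (a DTLS 1.2 header without the
   explicit nonce).

```python
# Added example (not from the draft): build the uncompressed (D)TLS record
# layers from the Section 2 parameters and count their overhead. Sample values
# constructed to match the draft: AES-CCM, 8-byte tag, 6-byte plaintext, epoch 1.
CIPHERTEXT = bytes.fromhex("ae a0 15 56 67 92")
ICV = bytes.fromhex("4d ff 8a 24 e4 cb 35 b9")
PLAINTEXT_LEN = 6
APPLICATION_DATA = 0x17  # (D)TLS content type for application data

def _dtls_record(epoch: int, seq: int, body: bytes) -> bytes:
    """13-byte DTLS record header (type, version fe fd, epoch, seq, length)."""
    epoch_seq = epoch.to_bytes(2, "big") + seq.to_bytes(6, "big")
    return bytes([APPLICATION_DATA]) + b"\xfe\xfd" + epoch_seq + len(body).to_bytes(2, "big") + body

def dtls12_record(epoch: int, seq: int, ct: bytes, icv: bytes) -> bytes:
    """DTLS 1.2: an 8-byte explicit nonce (epoch||seq, the RFC 7925 profile)
    precedes ciphertext and ICV, so the header fields appear twice on the wire."""
    explicit_nonce = epoch.to_bytes(2, "big") + seq.to_bytes(6, "big")
    return _dtls_record(epoch, seq, explicit_nonce + ct + icv)

def dtls13_record(epoch: int, seq: int, ct: bytes, icv: bytes) -> bytes:
    """DTLS 1.3 as laid out in the draft: same header, no explicit nonce."""
    return _dtls_record(epoch, seq, ct + icv)

def tls12_record(seq: int, ct: bytes, icv: bytes, version: bytes = b"\x03\x03") -> bytes:
    """5-byte TLS header, then the 64-bit sequence number as explicit nonce."""
    body = seq.to_bytes(8, "big") + ct + icv
    return bytes([APPLICATION_DATA]) + version + len(body).to_bytes(2, "big") + body

def tls13_record(seq: int, ct: bytes, icv: bytes) -> bytes:
    """Identical to TLS 1.2 apart from the version bytes the draft shows (03 01)."""
    return tls12_record(seq, ct, icv, version=b"\x03\x01")

def overhead(record: bytes, plaintext_len: int = PLAINTEXT_LEN) -> int:
    """Overhead as the draft counts it: every byte that is not plaintext."""
    return len(record) - plaintext_len

def parse_dtls12_record(rec: bytes, tag_len: int = 8) -> dict:
    """Split a DTLS 1.2 record into its fields, rejecting truncated records and
    an explicit nonce that disagrees with the header's epoch and sequence number."""
    if len(rec) < 13:
        raise ValueError("record shorter than the 13-byte DTLS header")
    length = int.from_bytes(rec[11:13], "big")
    body = rec[13:13 + length]
    if len(body) != length or length < 8 + tag_len:
        raise ValueError("truncated record, or body too short for nonce and ICV")
    if body[:8] != rec[3:11]:
        raise ValueError("explicit nonce does not match epoch and sequence number")
    return {"content_type": rec[0], "version": rec[1:3],
            "epoch": int.from_bytes(rec[3:5], "big"),
            "sequence_number": int.from_bytes(rec[5:11], "big"), "length": length,
            "nonce": body[:8], "ciphertext": body[8:-tag_len], "icv": body[-tag_len:]}

def overhead_table(seq_numbers=(0x05, 0x1005, 0x100005)) -> dict:
    """Uncompressed rows of Figure 1: overhead per protocol for each sequence number."""
    builders = {"DTLS 1.2": lambda s: dtls12_record(1, s, CIPHERTEXT, ICV),
                "DTLS 1.3": lambda s: dtls13_record(1, s, CIPHERTEXT, ICV),
                "TLS 1.2": lambda s: tls12_record(s, CIPHERTEXT, ICV),
                "TLS 1.3": lambda s: tls13_record(s, CIPHERTEXT, ICV)}
    return {name: [overhead(b(s)) for s in seq_numbers] for name, b in builders.items()}
```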
   Sequence Number        '05'     '1005'   '100005'
   ----------------------------------------------------------
   DTLS 1.2                29        29        29
   DTLS 1.3                21        21        21
   TLS 1.2                 21        21        21
   TLS 1.3                 21        21        21
   ----------------------------------------------------------
   DTLS 1.2 (GHC)          16        16        17
   DTLS 1.2 (Raza)         13        13        14
   DTLS 1.3 (GHC)          14        14        15
   DTLS 1.3 (Raza)         13        13        14
   TLS 1.2 (GHC)           17        18        19
   TLS 1.3 (GHC)           17        18        19
   ----------------------------------------------------------
   OSCOAP Request          13        14        15
   OSCOAP Response          9         9         9

           Figure 1: Overhead as a function of sequence number

4. Summary

   DTLS 1.2 has quite a large overhead as it uses an explicit sequence
   number and an explicit nonce. DTLS 1.3, TLS 1.2, and TLS 1.3 have
   significantly less overhead.

   Both DTLS compression methods provide very good compression.
   raza-6lo-compressed-dtls achieves slightly better compression but
   requires state. GHC is stateless but provides slightly worse
   compression. As DTLS 1.3 uses the same version number as DTLS 1.2,
   both GHC and raza-6lo-compressed-dtls work well also for DTLS 1.3.

   The Generic Header Compression (6LoWPAN-GHC) is not very generic (the
   static dictionary is more or less a DTLS record layer) and the
   compression of TLS is significantly worse than the compression of
   DTLS. Similar compression levels as for DTLS could be achieved also
   for TLS, but this would require different static dictionaries for
   each version of TLS (as TLS 1.2 and TLS 1.3 use different version
   numbers).

   The header compression is not available when (D)TLS is exchanged over
   transports that do not use 6LoWPAN together with 6LoWPAN-GHC or
   raza-6lo-compressed-dtls.

   OSCOAP has much lower overhead than DTLS and TLS. The overhead of
   OSCOAP is smaller than DTLS over 6LoWPAN with compression, and this
   small overhead is achieved even on deployments without 6LoWPAN or
   6LoWPAN without DTLS compression. OSCOAP is lightweight because it
   makes use of some excellent features in CoAP, CBOR, and COSE.

5. Security Considerations

   This document is purely informational.

6. Acknowledgments

   The authors want to thank Ari Keraenen for reviewing previous
   versions of the draft.

7. Informative References

   [I-D.ietf-core-coap-tcp-tls]
              Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
              Silverajan, B., and B. Raymor, "CoAP (Constrained
              Application Protocol) over TCP, TLS, and WebSockets",
              draft-ietf-core-coap-tcp-tls-07 (work in progress), March
              2017.

   [I-D.ietf-core-object-security]
              Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
              "Object Security of CoAP (OSCOAP)",
              draft-ietf-core-object-security-01 (work in progress),
              December 2016.

   [I-D.ietf-tls-tls13]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-19 (work in progress),
              March 2017.

   [I-D.rescorla-tls-dtls13]
              Rescorla, E. and H. Tschofenig, "The Datagram Transport
              Layer Security (DTLS) Protocol Version 1.3",
              draft-rescorla-tls-dtls13-00 (work in progress), October
              2016.

   [raza-6lo-compressed-dtls]
              Raza, S., Shafagh, H., and O. Dupont, "Compression of
              Record and Handshake Headers for Constrained
              Environments", March 2017.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014.
   [RFC7400]  Bormann, C., "6LoWPAN-GHC: Generic Header Compression for
              IPv6 over Low-Power Wireless Personal Area Networks
              (6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November
              2014.

   [RFC7925]  Tschofenig, H., Ed. and T. Fossati, "Transport Layer
              Security (TLS) / Datagram Transport Layer Security (DTLS)
              Profiles for the Internet of Things", RFC 7925,
              DOI 10.17487/RFC7925, July 2016.

Author's Address

   John Mattsson
   Ericsson AB
   Faeroegatan 6
   Kista SE-164 80 Stockholm
   Sweden

   Email: john.mattsson@ericsson.com