Network Working Group                                        J. Mattsson
Internet-Draft                                               Ericsson AB
Intended status: Informational                        September 30, 2017
Expires: April 3, 2018

Message Size Overhead of CoAP Security Protocols
draft-mattsson-core-security-overhead-01

Abstract

This document analyzes and compares per-packet message size overheads when using different security protocols to secure CoAP. The analyzed security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, and OSCORE. DTLS and TLS are analyzed with and without compression. DTLS is analyzed with two different alternatives for header compression.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 3, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

1. Introduction
2. Overhead of Security Protocols
   2.1. DTLS 1.2
   2.2. DTLS 1.2 with 6LoWPAN-GHC
   2.3. DTLS 1.2 with raza-6lo-compressed-dtls
   2.4. DTLS 1.3
   2.5. DTLS 1.3 with 6LoWPAN-GHC
   2.6. DTLS 1.3 with raza-6lo-compressed-dtls
   2.7. TLS 1.2
   2.8. TLS 1.2 with 6LoWPAN-GHC
   2.9. TLS 1.3
   2.10. TLS 1.3 with 6LoWPAN-GHC
   2.11. OSCORE
3. OSCORE
4. Overhead with Different Sequence Numbers
5. Summary
6. Security Considerations
7. Acknowledgments
8. Informative References
Author's Address

1. Introduction

This document analyzes and compares per-packet message size overheads when using different security protocols to secure CoAP over UDP [RFC7252] and TCP [I-D.ietf-core-coap-tcp-tls]. The analyzed security protocols are DTLS 1.2 [RFC6347], DTLS 1.3 [I-D.rescorla-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [I-D.ietf-tls-tls13], and OSCORE [I-D.ietf-core-object-security]. The DTLS and TLS record layers are analyzed with and without compression. DTLS is analyzed with two different alternatives ([RFC7400] and [raza-6lo-compressed-dtls]) for header compression.
2. Overhead of Security Protocols

To enable comparison, all the overhead calculations in this section use AES-CCM with a tag length of 8 bytes, a plaintext of 6 bytes, and the sequence number '05'. This follows the example in [RFC7400], Figure 16.

2.1. DTLS 1.2

This example is taken directly from [RFC7400], Figure 16. The nonce follows the strict profiling given in [RFC7925].

DTLS 1.2 Record Layer (35 bytes, 29 bytes overhead):
17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00
00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9

Content type:
17
Version:
fe fd
Epoch:
00 01
Sequence number:
00 00 00 00 00 05
Length:
00 16
Nonce:
00 01 00 00 00 00 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

DTLS 1.2 gives 29 bytes overhead.

2.2. DTLS 1.2 with 6LoWPAN-GHC

Note that the compressed overhead is dependent on the parameters epoch, sequence number, and length. The following is only an example.

Note that the sequence number '01' used in [RFC7400], Figure 15 gives an exceptionally small overhead that is not representative.

Note that this header compression is not available when DTLS is exchanged over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

Compressed DTLS 1.2 Record Layer (22 bytes, 16 bytes overhead):
b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff
8a 24 e4 cb 35 b9

Compressed DTLS 1.2 Record Layer Header and Nonce:
b0 c3 03 05 00 16 f2 0e
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters (epoch, sequence number, length) gives 16 bytes overhead.

2.3. DTLS 1.2 with raza-6lo-compressed-dtls

Note that the compressed overhead is dependent on the parameters epoch and sequence number. The following is only an example.
Note that this header compression is not available when DTLS is exchanged over transports that do not use 6LoWPAN together with raza-6lo-compressed-dtls.

Compressed DTLS 1.2 Record Layer (19 bytes, 13 bytes overhead):
90 17 01 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9

NHC:
90
Compressed DTLS 1.2 Record Layer Header and Nonce:
17 01 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

When compressed with raza-6lo-compressed-dtls, DTLS 1.2 with the above parameters (epoch, sequence number) gives 13 bytes overhead.

2.4. DTLS 1.3

The only change compared to DTLS 1.2 is that the DTLS 1.3 record layer does not have an explicit nonce.

DTLS 1.3 Record Layer (27 bytes, 21 bytes overhead):
17 fe fd 00 01 00 00 00 00 00 05 00 0e ae a0 15
56 67 92 4d ff 8a 24 e4 cb 35 b9

Content type:
17
Version:
fe fd
Epoch:
00 01
Sequence number:
00 00 00 00 00 05
Length:
00 0e
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

DTLS 1.3 gives 21 bytes overhead.

2.5. DTLS 1.3 with 6LoWPAN-GHC

Note that the overhead is dependent on the parameters epoch, sequence number, and length. The following is only an example.

Note that this header compression is not available when DTLS is exchanged over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

Compressed DTLS 1.3 Record Layer (20 bytes, 14 bytes overhead):
b0 c3 11 05 00 0e ae a0 15 56 67 92 4d ff 8a 24
e4 cb 35 b9

Compressed DTLS 1.3 Record Layer Header and Nonce:
b0 c3 11 05 00 0e
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters (epoch, sequence number, length) gives 14 bytes overhead.

2.6. DTLS 1.3 with raza-6lo-compressed-dtls

Note that the compressed overhead is dependent on the parameters epoch and sequence number. The following is only an example.

Note that this header compression is not available when DTLS is exchanged over transports that do not use 6LoWPAN together with raza-6lo-compressed-dtls.

Compressed DTLS 1.3 Record Layer (19 bytes, 13 bytes overhead):
90 17 01 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9

NHC:
90
Compressed DTLS 1.3 Record Layer Header and Nonce:
17 01 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

When compressed with raza-6lo-compressed-dtls, DTLS 1.3 with the above parameters (epoch, sequence number) gives 13 bytes overhead.

2.7. TLS 1.2

The changes compared to DTLS 1.2 are that the TLS 1.2 record layer does not have an epoch or a sequence number, and that the version is different.

TLS 1.2 Record Layer (27 bytes, 21 bytes overhead):
17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15
56 67 92 4d ff 8a 24 e4 cb 35 b9

Content type:
17
Version:
03 03
Length:
00 16
Nonce:
00 00 00 00 00 00 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

TLS 1.2 gives 21 bytes overhead.

2.8. TLS 1.2 with 6LoWPAN-GHC

Note that the overhead is dependent on the parameters epoch, sequence number, and length. The following is only an example.

Note that this header compression is not available when TLS is exchanged over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed TLS 1.2 Record Layer (23 bytes, 17 bytes overhead):
05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d
ff 8a 24 e4 cb 35 b9

Compressed TLS 1.2 Record Layer Header and Nonce:
05 17 03 03 00 16 85 0f 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters (epoch, sequence number, length) gives 17 bytes overhead.

2.9. TLS 1.3

The change compared to TLS 1.2 is that the TLS 1.3 record layer uses a different version.

TLS 1.3 Record Layer (27 bytes, 21 bytes overhead):
17 03 01 00 16 00 00 00 00 00 00 00 05 ae a0 15
56 67 92 4d ff 8a 24 e4 cb 35 b9

Content type:
17
Version:
03 01
Length:
00 16
Nonce:
00 00 00 00 00 00 00 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

TLS 1.3 gives 21 bytes overhead.

2.10. TLS 1.3 with 6LoWPAN-GHC

Note that the overhead is dependent on the parameters epoch, sequence number, and length. The following is only an example.

Note that this header compression is not available when TLS is exchanged over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.

Compressed TLS 1.3 Record Layer (23 bytes, 17 bytes overhead):
02 17 03 c3 01 16 85 0f 05 ae a0 15 56 67 92 4d
ff 8a 24 e4 cb 35 b9

Compressed TLS 1.3 Record Layer Header and Nonce:
02 17 03 c3 01 16 85 0f 05
Ciphertext:
ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters (epoch, sequence number, length) gives 17 bytes overhead.

2.11. OSCORE

Note that the overhead is dependent on the included CoAP Option numbers as well as the length of the OSCORE parameters Sender ID and sequence number.
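The following script is an added example and not part of this draft. It rebuilds the uncompressed record layouts dissected in Sections 2.1, 2.4, 2.7 and 2.9 and the OSCORE request/response layout this section goes on to show (the compressed COSE header of the -05 OSCORE draft, which differs from the final RFC 8613 encoding), and computes the overhead figures of Figure 1 for the uncompressed rows. The 0a flag byte, the kid-less request for Sender ID '0', and the ciphertext and ICV bytes are taken from the draft's figures; GHC and raza compression are not modelled.

```python
# Added example, not part of the draft: rebuilds the uncompressed record
# layouts the draft dissects and its OSCORE layout (the -05 OSCORE draft's
# compressed COSE header, not the final RFC 8613 encoding), then computes
# per-packet overhead the way the draft counts it. Compression is not modelled.

PLAINTEXT_LEN = 6                                 # draft: 6-byte plaintext
ICV = bytes.fromhex("4d ff 8a 24 e4 cb 35 b9")    # 8-byte AES-CCM tag (draft)
CIPHERTEXT = bytes.fromhex("ae a0 15 56 67 92")   # (D)TLS ciphertext (draft)
OSCORE_CIPHERTEXT = bytes.fromhex("ec") + CIPHERTEXT  # OSCORE also encrypts the CoAP code
OSCORE_FLAG = 0x0A   # first byte of the compressed COSE header in the draft's figures

def dtls_record(seq, explicit_nonce, epoch=1, ciphertext=CIPHERTEXT, icv=ICV):
    """type(1) version(2) epoch(2) seq(6) length(2) body, version fe fd.
    DTLS 1.2 (explicit_nonce=True) repeats epoch||seq as an 8-byte explicit
    nonce at the front of the body; DTLS 1.3 (False) omits it."""
    epoch_seq = epoch.to_bytes(2, "big") + seq.to_bytes(6, "big")
    body = (epoch_seq if explicit_nonce else b"") + ciphertext + icv
    return b"\x17\xfe\xfd" + epoch_seq + len(body).to_bytes(2, "big") + body

def tls_record(seq, version, ciphertext=CIPHERTEXT, icv=ICV):
    """type(1) version(2) length(2), then an 8-byte explicit nonce carrying
    the sequence number, ciphertext and ICV. The draft uses version 03 03 for
    TLS 1.2 and 03 01 for TLS 1.3; there is no epoch or sequence number field."""
    body = seq.to_bytes(8, "big") + ciphertext + icv
    return b"\x17" + version + len(body).to_bytes(2, "big") + body

def oscore_request(kid, piv, delta=9, ciphertext=OSCORE_CIPHERTEXT, icv=ICV):
    """One option header byte (delta << 4 | value length), option value =
    flag byte + kid, payload = partial IV + ciphertext + ICV. The draft's
    'Sender ID = 0' request carries no kid byte, modelled here as kid=b''."""
    value = bytes([OSCORE_FLAG]) + kid
    return bytes([(delta << 4) | len(value)]) + value + piv + ciphertext + icv

def oscore_response(delta=9, ciphertext=OSCORE_CIPHERTEXT, icv=ICV):
    """Empty OSCORE option (delta only): no flag byte, kid or partial IV."""
    return bytes([delta << 4]) + ciphertext + icv

def overhead(record, plaintext_len=PLAINTEXT_LEN):
    """Overhead as the draft counts it: every byte beyond the plaintext."""
    return len(record) - plaintext_len

def overhead_table(seq):
    """Figure 1's uncompressed rows for one sequence number. Only the OSCORE
    partial IV shrinks or grows with the sequence number's byte length."""
    piv = seq.to_bytes(max(1, (seq.bit_length() + 7) // 8), "big")
    return {
        "DTLS 1.2": overhead(dtls_record(seq, explicit_nonce=True)),
        "DTLS 1.3": overhead(dtls_record(seq, explicit_nonce=False)),
        "TLS 1.2": overhead(tls_record(seq, b"\x03\x03")),
        "TLS 1.3": overhead(tls_record(seq, b"\x03\x01")),
        "OSCORE Request (SID = 0)": overhead(oscore_request(b"", piv)),
        "OSCORE Request (SID = 1-255)": overhead(oscore_request(b"\x25", piv)),
        "OSCORE Response": overhead(oscore_response()),
    }

if __name__ == "__main__":
    for seq in (0x05, 0x1005, 0x100005):
        print(f"seq {seq:x}: {overhead_table(seq)}")
```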
Note that the sequence number '0' used in Example: Request 2 of [I-D.ietf-core-object-security] gives an exceptionally small overhead that is not representative.

The below calculation uses Option Delta = '9' and Sender ID = '0', and is only an example.

OSCORE Request (18 bytes, 12 bytes overhead):
91 0a 05 ec ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9

CoAP Option Delta and Length:
91
Compressed COSE Header in Option Value:
0a
Compressed COSE Header in payload:
05
Ciphertext (including encrypted code):
ec ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

The below calculation uses Option Delta = '9' and Sender ID = '25', and is only an example.

OSCORE Request (19 bytes, 13 bytes overhead):
92 0a 25 05 ec ae a0 15 56 67 92 4d ff 8a 24 e4
cb 35 b9

CoAP Option Delta and Length:
92
Compressed COSE Header in Option Value:
0a 25
Compressed COSE Header in payload:
05
Ciphertext (including encrypted code):
ec ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

The below calculation uses Option Delta = '9'.

OSCORE Response (16 bytes, 10 bytes overhead):
90 ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

CoAP Option Delta and Length:
90
Compressed COSE Header in Option Value:
-
Compressed COSE Header in payload:
-
Ciphertext (including encrypted code):
ec ae a0 15 56 67 92
ICV:
4d ff 8a 24 e4 cb 35 b9

OSCORE with the above parameters gives 13 bytes overhead for requests and 10 bytes overhead for responses. Clients having Sender ID = '0' get an even smaller overhead (12 bytes) for requests.

Unlike DTLS and TLS, OSCORE has much smaller overhead for responses than for requests.

3. OSCORE

4. Overhead with Different Sequence Numbers

The compression overhead (GHC) is dependent on the parameters epoch, sequence number, and length. The following overheads should be representative for sequence numbers with the same length.

The compression overhead (raza-6lo-compressed-dtls) is dependent on the length of the parameters epoch and sequence number. The following overheads apply for all sequence numbers with the same length.

The OSCORE overhead is dependent on the included CoAP Option numbers as well as the length of the OSCORE parameters Sender ID and sequence number.

Sequence Number                '05'   '1005'   '100005'
-------------------------------------------------------
DTLS 1.2                        29       29        29
DTLS 1.3                        21       21        21
TLS 1.2                         21       21        21
TLS 1.3                         21       21        21
-------------------------------------------------------
DTLS 1.2 (GHC)                  16       16        17
DTLS 1.2 (Raza)                 13       13        14
DTLS 1.3 (GHC)                  14       14        15
DTLS 1.3 (Raza)                 13       13        14
TLS 1.2 (GHC)                   17       18        19
TLS 1.3 (GHC)                   17       18        19
-------------------------------------------------------
OSCORE Request (SID = 0)        12       13        14
OSCORE Request (SID = 1-255)    13       14        15
OSCORE Response                 10       10        10

Figure 1: Overhead as a function of sequence number

5. Summary

DTLS 1.2 has quite a large overhead as it uses an explicit sequence number and an explicit nonce. DTLS 1.3, TLS 1.2, and TLS 1.3 have significantly less overhead.

Both DTLS compression methods provide very good compression. raza-6lo-compressed-dtls achieves slightly better compression but requires state. GHC is stateless but provides slightly worse compression. As DTLS 1.3 uses the same version number as DTLS 1.2, both GHC and raza-6lo-compressed-dtls work well also for DTLS 1.3.

The Generic Header Compression (6LoWPAN-GHC) is not that generic (the static dictionary is more or less a DTLS record layer), and the compression of TLS is not as good as the compression of DTLS.
Similar compression levels as for DTLS could also be achieved for TLS, but this would require different static dictionaries for each version of TLS (as TLS 1.2 and TLS 1.3 use different version numbers). GHC works as well for DTLS 1.3 as for DTLS 1.2, as the version number is the same.

The header compression is not available when (D)TLS is exchanged over transports that do not use 6LoWPAN together with 6LoWPAN-GHC or raza-6lo-compressed-dtls.

OSCORE has much lower overhead than DTLS and TLS. The overhead of OSCORE is smaller than that of DTLS over 6LoWPAN with compression, and this small overhead is achieved even on deployments without 6LoWPAN, or with 6LoWPAN but without DTLS compression. OSCORE is lightweight because it makes use of some excellent features in CoAP, CBOR, and COSE.

6. Security Considerations

This document is purely informational.

7. Acknowledgments

The authors want to thank Ari Keraenen for reviewing previous versions of the draft.

8. Informative References

[I-D.ietf-core-coap-tcp-tls]
Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., Silverajan, B., and B. Raymor, "CoAP (Constrained Application Protocol) over TCP, TLS, and WebSockets", draft-ietf-core-coap-tcp-tls-09 (work in progress), May 2017.

[I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, "Object Security for Constrained RESTful Environments (OSCORE)", draft-ietf-core-object-security-05 (work in progress), September 2017.

[I-D.ietf-tls-tls13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", draft-ietf-tls-tls13-21 (work in progress), July 2017.

[I-D.rescorla-tls-dtls13]
Rescorla, E., Tschofenig, H., and N. Modadugu, "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3", draft-rescorla-tls-dtls13-01 (work in progress), March 2017.
[raza-6lo-compressed-dtls]
Raza, S., Shafagh, H., and O. Dupont, "Compression of Record and Handshake Headers for Constrained Environments", March 2017.

[RFC5246]
Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008.

[RFC6347]
Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012.

[RFC7252]
Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, June 2014.

[RFC7400]
Bormann, C., "6LoWPAN-GHC: Generic Header Compression for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November 2014.

[RFC7925]
Tschofenig, H., Ed. and T. Fossati, "Transport Layer Security (TLS) / Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things", RFC 7925, DOI 10.17487/RFC7925, July 2016.

Author's Address

John Mattsson
Ericsson AB
Faeroegatan 6
Kista SE-164 80 Stockholm
Sweden

Email: john.mattsson@ericsson.com