Network Working Group                                        J. Mattsson
Internet-Draft                                              F. Palombini
Intended status: Informational                               Ericsson AB
Expires: September 20, 2018                               March 19, 2018


                  Comparison of CoAP Security Protocols
          draft-mattsson-lwig-security-protocol-comparison-01

Abstract

   This document analyzes and compares per-packet message size overheads
   when using different security protocols to secure CoAP.  The analyzed
   security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, and
   OSCORE.  DTLS and TLS are analyzed with and without 6LoWPAN-GHC
   compression.  DTLS is analyzed with and without Connection ID.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 20, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Overhead of Security Protocols
     2.1.  DTLS 1.2
       2.1.1.  DTLS 1.2
       2.1.2.  DTLS 1.2 with 6LoWPAN-GHC
       2.1.3.  DTLS 1.2 with Connection ID
       2.1.4.  DTLS 1.2 with Connection ID and 6LoWPAN-GHC
     2.2.  DTLS 1.3
       2.2.1.  DTLS 1.3
       2.2.2.  DTLS 1.3 with 6LoWPAN-GHC
       2.2.3.  DTLS 1.3 with Connection ID
       2.2.4.  DTLS 1.3 with Connection ID and 6LoWPAN-GHC
       2.2.5.  DTLS 1.3 with short header
       2.2.6.  DTLS 1.3 with short header and 6LoWPAN-GHC
     2.3.  TLS 1.2
       2.3.1.  TLS 1.2
       2.3.2.  TLS 1.2 with 6LoWPAN-GHC
     2.4.  TLS 1.3
       2.4.1.  TLS 1.3
       2.4.2.  TLS 1.3 with 6LoWPAN-GHC
     2.5.  OSCORE
   3.  Overhead with Different Parameters
   4.  Summary
   5.  Security Considerations
   6.  IANA Considerations
   7.  Informative References
   Acknowledgments
   Authors' Addresses

1.  Introduction

   This document analyzes and compares per-packet message size overheads
   when using different security protocols to secure CoAP over UDP
   [RFC7252] and TCP [RFC8323].  The analyzed security protocols are
   DTLS 1.2 [RFC6347], DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2
   [RFC5246], TLS 1.3 [I-D.ietf-tls-tls13], and OSCORE
   [I-D.ietf-core-object-security].  The DTLS and TLS record layers are
   analyzed with and without compression.  DTLS is analyzed with and
   without Connection ID [I-D.ietf-tls-dtls-connection-id], and DTLS 1.3
   is analyzed with and without the use of the short header.  Readers
   are expected to be familiar with some of the terms described in RFC
   7925 [RFC7925], such as ICV.

2.  Overhead of Security Protocols

   To enable comparison, all the overhead calculations in this section
   use AES-CCM with a tag length of 8 bytes (i.e., AES_128_CCM_8, AES-
   CCM-16-64, or AES-CCM-64-64), a plaintext of 6 bytes, and the
   sequence number '05'.  This follows the example in [RFC7400],
   Figure 16.

   Note that the compressed overhead calculations for DTLS 1.2, DTLS
   1.3, TLS 1.2, and TLS 1.3 depend on the parameters epoch, sequence
   number, and length, and that all the overhead calculations depend on
   the Connection ID when one is used.  Note that the OSCORE overhead
   calculations depend on the CoAP option numbers as well as on the
   length of the OSCORE parameters Sender ID and Sequence Number.  The
   following are only examples.

2.1.  DTLS 1.2

2.1.1.  DTLS 1.2

   This section analyzes the overhead of DTLS 1.2 [RFC6347].  The nonce
   follows the strict profiling given in [RFC7925].  This example is
   taken directly from [RFC7400], Figure 16.
   DTLS 1.2 Record Layer (35 bytes, 29 bytes overhead):
   17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00
   00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4
   cb 35 b9

   Content type:
   17
   Version:
   fe fd
   Epoch:
   00 01
   Sequence number:
   00 00 00 00 00 05
   Length:
   00 16
   Nonce:
   00 01 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.2 gives 29 bytes overhead.

2.1.2.  DTLS 1.2 with 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.2 [RFC6347] when
   compressed with [RFC7400].  The compression was done with
   [OlegHahm-ghc].

   Note that the sequence number '01' used in [RFC7400], Figure 15 gives
   an exceptionally small overhead that is not representative.

   Note that this header compression is not available when DTLS is
   exchanged over transports that do not use 6LoWPAN together with
   6LoWPAN-GHC.

   Compressed DTLS 1.2 Record Layer (22 bytes, 16 bytes overhead):
   b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff
   8a 24 e4 cb 35 b9

   Compressed DTLS 1.2 Record Layer Header and Nonce:
   b0 c3 03 05 00 16 f2 0e
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
   (epoch, sequence number, length) gives 16 bytes overhead.

2.1.3.  DTLS 1.2 with Connection ID

   This section analyzes the overhead of DTLS 1.2 [RFC6347] with
   Connection ID [I-D.ietf-tls-dtls-connection-id].  The overhead
   calculations in this section use Connection ID = '42'.  DTLS with a
   Connection ID = '' (the empty string) is equal to DTLS without
   Connection ID.
   DTLS 1.2 Record Layer (36 bytes, 30 bytes overhead):
   17 fe fd 00 01 00 00 00 00 00 05 42 00 16 00 01
   00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24
   e4 cb 35 b9

   Content type:
   17
   Version:
   fe fd
   Epoch:
   00 01
   Sequence number:
   00 00 00 00 00 05
   Connection ID:
   42
   Length:
   00 16
   Nonce:
   00 01 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.2 with Connection ID gives 30 bytes overhead.

2.1.4.  DTLS 1.2 with Connection ID and 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.2 [RFC6347] with
   Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with
   [RFC7400] [OlegHahm-ghc].

   Note that the sequence number '01' used in [RFC7400], Figure 15 gives
   an exceptionally small overhead that is not representative.

   Note that this header compression is not available when DTLS is
   exchanged over transports that do not use 6LoWPAN together with
   6LoWPAN-GHC.

   Compressed DTLS 1.2 Record Layer (23 bytes, 17 bytes overhead):
   b0 c3 04 05 42 00 16 f2 0e ae a0 15 56 67 92 4d
   ff 8a 24 e4 cb 35 b9

   Compressed DTLS 1.2 Record Layer Header and Nonce:
   b0 c3 04 05 42 00 16 f2 0e
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters
   (epoch, sequence number, Connection ID, length) gives 17 bytes
   overhead.

2.2.  DTLS 1.3

2.2.1.  DTLS 1.3

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13].
   The changes compared to DTLS 1.2 are the omission of the version
   number and the merging of the epoch and sequence number fields
   (8 bytes in total) into one 4-byte field.
   DTLS 1.3 Record Layer (22 bytes, 16 bytes overhead):
   17 40 00 00 05 00 0f ae a0 15 56 67 92 ec 4d ff
   8a 24 e4 cb 35 b9

   Content type:
   17
   Epoch and Sequence:
   40 00 00 05
   Length:
   00 0f
   Ciphertext (including encrypted ContentType):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.3 gives 16 bytes overhead.

2.2.2.  DTLS 1.3 with 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   when compressed with [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when DTLS is
   exchanged over transports that do not use 6LoWPAN together with
   6LoWPAN-GHC.

   Compressed DTLS 1.3 Record Layer (23 bytes, 17 bytes overhead):
   02 17 40 80 12 05 00 0f ae a0 15 56 67 92 ec 4d
   ff 8a 24 e4 cb 35 b9

   Compressed DTLS 1.3 Record Layer Header and Nonce:
   02 17 40 80 12 05 00 0f
   Ciphertext (including encrypted ContentType):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
   (epoch, sequence number, length) gives 17 bytes overhead.

2.2.3.  DTLS 1.3 with Connection ID

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   with Connection ID [I-D.ietf-tls-dtls-connection-id].

   DTLS 1.3 Record Layer (23 bytes, 17 bytes overhead):
   17 40 00 00 05 42 00 0f ae a0 15 56 67 92 ec 4d
   ff 8a 24 e4 cb 35 b9

   Content type:
   17
   Epoch and Sequence:
   40 00 00 05
   Connection ID:
   42
   Length:
   00 0f
   Ciphertext (including encrypted ContentType):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.3 with Connection ID gives 17 bytes overhead.

2.2.4.  DTLS 1.3 with Connection ID and 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]
   with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed
   with [RFC7400] [OlegHahm-ghc].
   Note that this header compression is not available when DTLS is
   exchanged over transports that do not use 6LoWPAN together with
   6LoWPAN-GHC.

   Compressed DTLS 1.3 Record Layer (24 bytes, 18 bytes overhead):
   02 17 40 80 13 05 42 00 0f ae a0 15 56 67 92 ec
   4d ff 8a 24 e4 cb 35 b9

   Compressed DTLS 1.3 Record Layer Header and Nonce:
   02 17 40 80 13 05 42 00 0f
   Ciphertext (including encrypted ContentType):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters
   (epoch, sequence number, Connection ID, length) gives 18 bytes
   overhead.

2.2.5.  DTLS 1.3 with short header

   This section analyzes the overhead of DTLS 1.3 with the short header
   format [I-D.ietf-tls-dtls13].  The short header format for DTLS 1.3
   reduces the header by 5 bytes, by omitting the length value and
   sending 1 lower bit of the epoch value instead of 2, and 12 lower
   bits of the sequence number instead of 30.

   DTLS 1.3 Record Layer (17 bytes, 11 bytes overhead):
   30 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35
   b9

   DTLS 1.3 short header:
   30 05
   Ciphertext (including encrypted ContentType):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   DTLS 1.3 with short header gives 11 bytes overhead.

2.2.6.  DTLS 1.3 with short header and 6LoWPAN-GHC

   This section analyzes the overhead of DTLS 1.3 with short header
   [I-D.ietf-tls-dtls13] when compressed with [RFC7400] [OlegHahm-ghc].

   Compressed DTLS 1.3 Record Layer (18 bytes, 12 bytes overhead):
   11 30 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb
   35 b9

   Compressed DTLS 1.3 short header (including sequence number):
   11 30 05
   Ciphertext (including encrypted ContentType):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   Compressed DTLS 1.3 with short header gives 12 bytes overhead.

2.3.  TLS 1.2

2.3.1.  TLS 1.2

   This section analyzes the overhead of TLS 1.2 [RFC5246].  The changes
   compared to DTLS 1.2 are that the TLS 1.2 record layer does not have
   epoch and sequence number fields, and that the version is different.

   TLS 1.2 Record Layer (27 bytes, 21 bytes overhead):
   17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15
   56 67 92 4d ff 8a 24 e4 cb 35 b9

   Content type:
   17
   Version:
   03 03
   Length:
   00 16
   Nonce:
   00 00 00 00 00 00 00 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   TLS 1.2 gives 21 bytes overhead.

2.3.2.  TLS 1.2 with 6LoWPAN-GHC

   This section analyzes the overhead of TLS 1.2 [RFC5246] when
   compressed with [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when TLS is
   exchanged over transports that do not use 6LoWPAN together with
   6LoWPAN-GHC.

   Compressed TLS 1.2 Record Layer (23 bytes, 17 bytes overhead):
   05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d
   ff 8a 24 e4 cb 35 b9

   Compressed TLS 1.2 Record Layer Header and Nonce:
   05 17 03 03 00 16 85 0f 05
   Ciphertext:
   ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters
   (sequence number, length) gives 17 bytes overhead.

2.4.  TLS 1.3

2.4.1.  TLS 1.3

   This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13].
   The change compared to TLS 1.2 is that the TLS 1.3 record layer uses
   a different version.

   TLS 1.3 Record Layer (20 bytes, 14 bytes overhead):
   17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a 24
   e4 cb 35 b9

   Content type:
   17
   Legacy Version:
   03 03
   Length:
   00 0f
   Ciphertext (including encrypted ContentType):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   TLS 1.3 gives 14 bytes overhead.

2.4.2.  TLS 1.3 with 6LoWPAN-GHC

   This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13]
   when compressed with [RFC7400] [OlegHahm-ghc].

   Note that this header compression is not available when TLS is
   exchanged over transports that do not use 6LoWPAN together with
   6LoWPAN-GHC.

   Compressed TLS 1.3 Record Layer (21 bytes, 15 bytes overhead):
   14 17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a
   24 e4 cb 35 b9

   Compressed TLS 1.3 Record Layer Header and Nonce:
   14 17 03 03 00 0f
   Ciphertext (including encrypted ContentType):
   ae a0 15 56 67 92 ec
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters
   (sequence number, length) gives 15 bytes overhead.

2.5.  OSCORE

   This section analyzes the overhead of OSCORE
   [I-D.ietf-core-object-security].

   Note that Sender ID = '' (empty string) can only be used by one
   client per server.

   The examples below assume that the original message does not have a
   payload (note that this does not affect the overhead).

   The calculation below uses Option Delta = '9', Sender ID = '' (empty
   string), and Sequence Number = '05', and is only an example.

   OSCORE Request (19 bytes, 13 bytes overhead):
   92 09 05
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP Option Delta and Length:
   92
   Option Value (flag byte and sequence number):
   09 05
   Payload Marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   The calculation below uses Option Delta = '9', Sender ID = '42', and
   Sequence Number = '05', and is only an example.

   OSCORE Request (20 bytes, 14 bytes overhead):
   93 09 05 42
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP Option Delta and Length:
   93
   Option Value (flag byte, sequence number, and Sender ID):
   09 05 42
   Payload Marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   The calculation below uses Option Delta = '9'.

   OSCORE Response (17 bytes, 11 bytes overhead):
   90
   ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9

   CoAP Option Delta and Length:
   90
   Option Value:
   -
   Payload Marker:
   ff
   Ciphertext (including encrypted code):
   ec ae a0 15 56 67 92
   ICV:
   4d ff 8a 24 e4 cb 35 b9

   OSCORE with the above parameters gives 13-14 bytes overhead for
   requests and 11 bytes overhead for responses.

   Unlike DTLS and TLS, OSCORE has much smaller overhead for responses
   than for requests.

3.  Overhead with Different Parameters

   The DTLS overhead depends on the Connection ID.  The following
   overheads apply for all Connection IDs of the same length.

   The compression overhead (GHC) depends on the parameters epoch,
   sequence number, Connection ID, and length (where applicable).  The
   following overheads should be representative for sequence numbers
   and Connection IDs of the same length.

   The OSCORE overhead depends on the included CoAP Option numbers as
   well as on the length of the OSCORE parameters Sender ID and
   sequence number.  The following overheads apply for all sequence
   numbers and Sender IDs of the same length.
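   As an added example (not part of the draft), the following Python
   rebuilds the uncompressed record layers of Section 2 byte for byte
   from the draft's own ciphertext and ICV values, derives the overhead
   as record length minus the 6-byte plaintext for the sequence numbers
   and Connection/Sender IDs used in the figures of this section, and
   shows the reconstruction limit of the 12-bit truncated sequence number
   in the DTLS 1.3 short header.  The header layouts follow the draft's
   description of draft-26 and draft-11; the Connection ID position
   inside the short header and all function names are assumptions.

```python
# Added example, not from the draft: rebuild the Section 2 record layers
# byte for byte, derive the overhead (record length minus plaintext), and
# show the truncated-sequence-number limit of the DTLS 1.3 short header.
PLAINTEXT_LEN = 6
CT = bytes.fromhex("aea015566792")       # ciphertext bytes used in the draft
ICV = bytes.fromhex("4dff8a24e4cb35b9")  # 8-byte AES-CCM ICV used in the draft
INNER = bytes.fromhex("ec")              # encrypted content type / CoAP code

def dtls12_record(epoch=1, seq=5, cid=b""):
    """DTLS 1.2 (RFC 6347) record; explicit nonce is epoch||seq per RFC 7925."""
    nonce = epoch.to_bytes(2, "big") + seq.to_bytes(6, "big")
    body = nonce + CT + ICV
    return b"\x17\xfe\xfd" + nonce + cid + len(body).to_bytes(2, "big") + body

def dtls13_record(epoch=1, seq=5, cid=b""):
    """DTLS 1.3 (draft-26) full header: 2-bit epoch + 30-bit seq in 4 bytes."""
    epoch_seq = (((epoch & 0x3) << 30) | (seq & 0x3FFFFFFF)).to_bytes(4, "big")
    body = CT + INNER + ICV
    return b"\x17" + epoch_seq + cid + len(body).to_bytes(2, "big") + body

def dtls13_short_record(epoch=1, seq=5, cid=b""):
    """Short header: bits 001, 1 low epoch bit, 12 low seq bits, no length."""
    hdr = ((0b001 << 13) | ((epoch & 0x1) << 12) | (seq & 0xFFF)).to_bytes(2, "big")
    # CID placement here is an assumption; only its length affects overhead.
    return hdr + cid + CT + INNER + ICV

def tls12_record(seq=5):
    """TLS 1.2 (RFC 5246) record: 8-byte explicit nonce, no epoch field."""
    body = seq.to_bytes(8, "big") + CT + ICV
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body

def tls13_record():
    """TLS 1.3 record: legacy version 03 03, content type is encrypted."""
    body = CT + INNER + ICV
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body

def oscore_request(piv=b"\x05", kid=b"", delta=9):
    """OSCORE option (draft-11): flag byte 0 0 0 h k nnn, partial IV, kid."""
    flags = 0x08 | len(piv)   # k=1: kid present (may be ''), nnn = len(piv)
    value = bytes([flags]) + piv + kid
    assert len(value) < 13, "extended option-length encoding not modelled"
    option = bytes([(delta << 4) | len(value)]) + value
    return option + b"\xff" + INNER + CT + ICV

def oscore_response(delta=9):
    """OSCORE response: empty option value, so only delta/length and marker."""
    return bytes([delta << 4]) + b"\xff" + INNER + CT + ICV

def overhead(record):
    return len(record) - PLAINTEXT_LEN

def overhead_table(seq=5, cid=b"", piv=b"\x05"):
    """Uncompressed overheads as in Figures 1 and 2 (cid doubles as Sender ID)."""
    return {
        "DTLS 1.2": overhead(dtls12_record(seq=seq, cid=cid)),
        "DTLS 1.3": overhead(dtls13_record(seq=seq, cid=cid)),
        "DTLS 1.3 (short header)": overhead(dtls13_short_record(seq=seq, cid=cid)),
        "TLS 1.2": overhead(tls12_record(seq=seq)),
        "TLS 1.3": overhead(tls13_record()),
        "OSCORE Request": overhead(oscore_request(piv=piv, kid=cid)),
        "OSCORE Response": overhead(oscore_response()),
    }

def reconstruct_seq(low12, expected):
    """Receiver-side guess for a 12-bit truncated sequence number: the full
    number closest to `expected` with those low bits.  Wrong once more than
    ~2048 records (half the 4096 window) are lost, as the Summary warns."""
    cand = (expected & ~0xFFF) | low12
    return min((cand - 0x1000, cand, cand + 0x1000), key=lambda c: abs(c - expected))

if __name__ == "__main__":
    for name, n in overhead_table().items():
        print(f"{name:24s} {n:3d}")
```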
   Sequence Number                  '05'    '1005'  '100005'
   -------------------------------------------------------------
   DTLS 1.2                           29        29        29
   DTLS 1.3                           16        16        16
   DTLS 1.3 (short header)            11        11        11
   -------------------------------------------------------------
   DTLS 1.2 (GHC)                     16        16        16
   DTLS 1.3 (GHC)                     17        17        17
   DTLS 1.3 (short header) (GHC)      12        12        12
   -------------------------------------------------------------
   TLS 1.2                            21        21        21
   TLS 1.3                            14        14        14
   -------------------------------------------------------------
   TLS 1.2 (GHC)                      17        18        19
   TLS 1.3 (GHC)                      15        16        17
   -------------------------------------------------------------
   OSCORE Request                     13        14        15
   OSCORE Response                    11        11        11

      Figure 1: Overhead in bytes as a function of sequence number
                       (Connection/Sender ID = '')

   Connection/Sender ID               ''      '42'    '4002'
   -------------------------------------------------------------
   DTLS 1.2                           29        30        31
   DTLS 1.3                           16        17        18
   DTLS 1.3 (short header)            11        12        13
   -------------------------------------------------------------
   DTLS 1.2 (GHC)                     16        17        18
   DTLS 1.3 (GHC)                     17        18        19
   DTLS 1.3 (short header) (GHC)      12        13        14
   -------------------------------------------------------------
   OSCORE Request                     13        14        15
   OSCORE Response                    11        11        11

    Figure 2: Overhead in bytes as a function of Connection/Sender ID
                         (Sequence Number = '05')

   Protocol                         Overhead   Overhead (GHC)
   -------------------------------------------------------------
   DTLS 1.2                               21                8
   DTLS 1.3                                8                9
   DTLS 1.3 (short header)                 3                4
   -------------------------------------------------------------
   TLS 1.2                                13                9
   TLS 1.3                                 6                7
   -------------------------------------------------------------
   OSCORE Request                          5
   OSCORE Response                         3

      Figure 3: Overhead (excluding ICV) in bytes (Connection/Sender
                     ID = '', Sequence Number = '05')

4.  Summary

   DTLS 1.2 has quite a large overhead as it uses an explicit sequence
   number and an explicit nonce.
   TLS 1.2 has significantly less (but not small) overhead.  TLS 1.3
   and DTLS 1.3 have quite small overhead.  OSCORE and DTLS 1.3 with the
   short header format have very small overhead.

   The Generic Header Compression (6LoWPAN-GHC) can, in addition to DTLS
   1.2, handle TLS 1.2 and DTLS 1.2 with Connection ID.  6LoWPAN-GHC
   works very well for Connection ID: the overhead seems to increase
   exactly with the length of the Connection ID (which is optimal).  The
   compression of TLS 1.2 is not as good as the compression of DTLS 1.2
   (as the static dictionary only contains the DTLS 1.2 version number).
   Similar compression levels as for DTLS could be achieved also for TLS
   1.2, but this would require different static dictionaries.  For TLS
   1.3 and DTLS 1.3, GHC increases the overhead.  The 6LoWPAN-GHC header
   compression is not available when (D)TLS is exchanged over transports
   that do not use 6LoWPAN together with 6LoWPAN-GHC.

   The short header format for DTLS 1.3 reduces the header by 5 bytes,
   by omitting the length value and sending 1 lower bit of the epoch
   value instead of 2, and 12 lower bits of the sequence number instead
   of 30.  This may create problems reconstructing the full sequence
   number if ~2000 datagrams in sequence are lost.

   OSCORE has much lower overhead than DTLS 1.2 and TLS 1.2.  The
   overhead of OSCORE is smaller than that of DTLS 1.2 and TLS 1.2 over
   6LoWPAN with compression, and this small overhead is achieved even on
   deployments without 6LoWPAN or with 6LoWPAN without DTLS compression.
   OSCORE is lightweight because it makes use of some excellent features
   in CoAP, CBOR, and COSE.

5.  Security Considerations

   This document is purely informational.

6.  IANA Considerations

   This document has no actions for IANA.

7.  Informative References

   [I-D.ietf-core-object-security]
              Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
              "Object Security for Constrained RESTful Environments
              (OSCORE)", draft-ietf-core-object-security-11 (work in
              progress), March 2018.

   [I-D.ietf-tls-dtls-connection-id]
              Rescorla, E., Tschofenig, H., Fossati, T., and T. Gondrom,
              "The Datagram Transport Layer Security (DTLS) Connection
              Identifier", draft-ietf-tls-dtls-connection-id-00 (work in
              progress), December 2017.

   [I-D.ietf-tls-dtls13]
              Rescorla, E., Tschofenig, H., and N. Modadugu, "The
              Datagram Transport Layer Security (DTLS) Protocol Version
              1.3", draft-ietf-tls-dtls13-26 (work in progress), March
              2018.

   [I-D.ietf-tls-tls13]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-27 (work in progress),
              March 2018.

   [OlegHahm-ghc]
              Hahm, O., "Generic Header Compression", July 2016.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014.

   [RFC7400]  Bormann, C., "6LoWPAN-GHC: Generic Header Compression for
              IPv6 over Low-Power Wireless Personal Area Networks
              (6LoWPANs)", RFC 7400, DOI 10.17487/RFC7400, November
              2014.

   [RFC7925]  Tschofenig, H., Ed. and T. Fossati, "Transport Layer
              Security (TLS) / Datagram Transport Layer Security (DTLS)
              Profiles for the Internet of Things", RFC 7925,
              DOI 10.17487/RFC7925, July 2016.

   [RFC8323]  Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
              Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained
              Application Protocol) over TCP, TLS, and WebSockets",
              RFC 8323, DOI 10.17487/RFC8323, February 2018.
Acknowledgments

   The authors want to thank Ari Keraenen, Carsten Bormann, Goeran
   Selander, and Hannes Tschofenig for comments and suggestions on
   previous versions of the draft.

   All 6LoWPAN-GHC compression was done with [OlegHahm-ghc].

Authors' Addresses

   John Mattsson
   Ericsson AB

   Email: john.mattsson@ericsson.com


   Francesca Palombini
   Ericsson AB

   Email: francesca.palombini@ericsson.com