]> RISE AB

Isafjordsgatan 22 Kista 16440 Sweden marco.tiloca@ri.se

IMT Atlantique

CS 17607, 2 rue de la Chataigneraie Cesson-Sevigne Cedex 35576 France Laurent.Toutain@imt-atlantique.fr

Nokia Bell Labs

12 Rue Jean Bart Massy 91300 France ivan.martinez_bolivar@nokia-bell-labs.com

Consultant

Rue de Rennes Cesson-Sevigne 35510 France anaminaburo@gmail.com

Internet SCHC Working Group Internet-Draft This document defines how to compress Constrained Application Protocol (CoAP) headers using the Static Context Header Compression and fragmentation (SCHC) framework. SCHC defines a header compression mechanism adapted for Constrained Devices. SCHC uses a static description of the header to reduce the header's redundancy and size. While RFC 8724 describes the SCHC compression and fragmentation framework, and its application for IPv6/UDP headers, this document applies SCHC to CoAP headers. The CoAP header structure differs from IPv6 and UDP, since CoAP uses a flexible header with a variable number of options, themselves of variable length. The CoAP message format is asymmetric: the request messages have a header format different from the format in the response messages. This specification gives guidance on applying SCHC to flexible headers and how to leverage the asymmetry for more efficient compression Rules. This document replaces and obsoletes RFC 8824. Discussion Venues Discussion of this document takes place on the Static Context Header Compression Working Group mailing list (schc@ietf.org), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction The Constrained Application Protocol (CoAP) is a command/response protocol designed for microcontrollers with small RAM and ROM, and optimized for services based on REST (Representational State Transfer). Although the Constrained Devices are a leading factor in the design of CoAP, a CoAP header's size is still too large for LPWANs (Low-Power Wide-Area Networks). Static Context Header Compression and fragmentation (SCHC) over CoAP headers is required to increase performance or to use CoAP over LPWAN technologies. defines the SCHC framework, which includes a header compression mechanism for LPWANs that is based on a static context. explains where compression and decompression occur in the architecture. The SCHC compression scheme assumes as a prerequisite that both endpoints know the static context before transmission. The way the context is configured, provisioned, or exchanged is out of this document's scope. CoAP is an application protocol, so CoAP compression requires installing common Rules between the two SCHC instances. SCHC compression may apply at two different levels: at the IP and UDP level in the LPWAN, as well as at the application level for CoAP. These two compression techniques may be independent. Both follow the same principle as that described in . As different entities manage the CoAP compression process at different levels, the SCHC Rules driving the compression/decompression are also different. describes how to use SCHC for IP and UDP headers. This document specifies how to apply SCHC compression to CoAP headers. SCHC compresses and decompresses headers based on common contexts between Devices. The SCHC context includes multiple Rules. Each Rule can match the header fields to specific values or ranges of values. If a Rule matches, the matched header fields are replaced by the RuleID and the Compression Residue that contains the residual bits of the compression. Thus, different Rules may correspond to different protocol headers in the packet that a Device expects to send or receive. A Rule describes the packets' entire header with an ordered list of Field Descriptors (see ). Thereby, each description contains the Field ID (FID), Field Length (FL), and Field Position (FP), as well as a Direction Indicator (DI) (upstream, downstream, and bidirectional) and some associated Target Values (TVs). The DI is used for compression to give the best TV to the FID when these values differ in their transmission direction. Therefore, a field may be described several times in the same Rule. A Matching Operator (MO) is associated with each header Field Descriptor. The Rule is selected if all the MOs fit the TVs for all the fields of the header. A Rule cannot be selected if the message contains a field that is unknown to the SCHC compressor. In that case, a Compression/Decompression Action (CDA) associated with each field specifies the method to compress and decompress that field. Compression mainly results in one of four actions:

• send the field value (value-sent),
• send nothing (not-sent),
• send some Least Significant Bits (LSBs) of the field, or
• send an index (mapping-sent).

After applying the compression, there may be some bits to be sent. These values are called "Compression Residue". SCHC is a general mechanism applied to different protocols, with the exact Rules to be used depending on the protocol and the application. describes the compression scheme for IPv6 and UDP headers. This document targets CoAP header compression using SCHC. The use of SCHC compression applied to CoAP headers was originally defined in . While this document does not alter the core approach, design choices, and features specified therein, this document clarifies, updates, and extends the SCHC compression of CoAP headers defined in . In particular, this documents replaces and obsoletes as follows.

• It provides clarifications and amendments to the original specification text, based on collected feedback and reported errata.
• It clarifies the SCHC compression for the CoAP options Size1, Size2, Proxy-Uri, and Proxy-Scheme (see ).
• It defines the SCHC compression for the CoAP option Hop-Limit (see ).
• It defines the SCHC compression for the recently defined CoAP options Echo (see ), Request-Tag (see ), EDHOC (see ), as well as Q-Block1 and Q-Block2 (see ).
• It updates the SCHC compression processing for the CoAP option OSCORE (see ), in the light of recent developments related to the security protocol OSCORE as defined in and .
• It clarifies how the SCHC compression handles the CoAP payload marker (see ).
• It defines the SCHC compression of CoAP headers in the presence of CoAP proxies (see ), for which examples are provided (see ).

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Readers are expected to be familiar with the terms and concepts related to the SCHC framework , the web-transfer protocol CoAP , and the security protocols OSCORE and Group OSCORE .

SCHC Applicability to CoAP SCHC compression for CoAP headers MAY be done in conjunction with the lower layers (IPv6/UDP) or independently. The SCHC adaptation layers, described in , may be used as shown in , , and . In the first example depicted in , a Rule compresses the complete header stack from IPv6 to CoAP. In this case, the Device and the Network Gateway (NGW) perform SCHC C/D (SCHC Compression/Decompression, see ). The application communicating with the Device does not implement SCHC C/D.

Compression/Decompression at the LPWAN Boundary

shows the use of SCHC header compression above Layer 2 in the Device and the NGW. The SCHC layer receives non-encrypted packets and can apply compression Rules to all the headers in the stack. On the other end, the NGW receives the SCHC packet and reconstructs the headers using the Rule and the Compression Residue. After the decompression, the NGW forwards the IPv6 packet toward the destination. The same process applies in the other direction when a non-encrypted packet arrives at the NGW. Thanks to the IP forwarding based on the IPv6 prefix, the NGW identifies the Device and compresses headers using the Device's Rules. In the second example depicted in , SCHC compression is applied in the CoAP layer, compressing the CoAP header independently of the other layers. The RuleID, Compression Residue, and CoAP payload are encrypted using a mechanism such as DTLS . Only the other end (App) can decipher the information. If needed, layers below use SCHC to compress the header as defined in (represented by dotted lines in the figure). This use case needs an end-to-end context initialization between the Device and the application. The context initialization is out of scope for this document.

Standalone CoAP End-to-End Compression/Decompression

The third example depicted in shows the use of Object Security for Constrained RESTful Environments (OSCORE) . In this case, SCHC needs two Rules to compress the CoAP header. A first Rule focuses on the Inner header. The result of this first compression is encrypted using the OSCORE mechanism. Then, a second Rule compresses the Outer header, including the CoAP Option OSCORE.

OSCORE Compression/Decompression

In the case of several SCHC instances, as shown in and , the Rules may come from different provisioning domains. This document focuses on CoAP compression, as represented by the dashed boxes in the previous figures.

CoAP Headers Compressed with SCHC The use of SCHC over the CoAP header applies the same description and compression/decompression techniques as the technique used for IP and UDP, as explained in . For CoAP, the SCHC Rules description uses the direction information to optimize the compression by reducing the number of Rules needed to compress headers. The Field Descriptor MAY define both request/response headers and TVs in the same Rule, using the DI to indicate the header type. As for other header compression protocols, when the compressor does not find a correct Rule to compress the header, the packet MUST be sent uncompressed using the RuleID dedicated to this purpose, and where the Compression Residue is the complete header of the packet. See .

Differences between CoAP and UDP/IP Compression CoAP compression differs from IPv6 and UDP compression in the following aspects:

• The CoAP message format is asymmetric, i.e., the headers are different for a request or a response. For example, the Uri-Path Option can be used in a request, while it is not used in a response. A request might contain an Accept Option, and a response might include a Content-Format Option. In comparison, the IPv6 and UDP returning path swaps the value of some fields in the header. However, all the directions have the same fields (e.g., source and destination address fields). defines the use of a DI in the Field Descriptor, which allows a single Rule to process a message header differently, depending on the direction.
• Even when a field is "symmetric" (i.e., found in both directions), the values carried in each direction are different. The compression may use a "match-mapping" MO to limit the range of expected values in a particular direction and reduce the Compression Residue's size. Through the DI, a Field Descriptor in the Rules splits the possible field value into two parts, one for each direction. For instance, if a client sends only Confirmable (CON) requests , the Type can be elided by compression, and the reply from the server may use one single bit to carry either the Acknowledgement (ACK) or Reset (RST) type. The field Code has the same behavior: the 0.0X code format value in a request and the Y.ZZ code format in a response.
• In SCHC, the Rule defines the different header fields' length, so SCHC does not need to send it. In IPv6 and UDP headers, the fields have a fixed size, known by definition. On the other hand, some CoAP header fields have variable lengths, and the Rule description specifies it. For example, the size of the Token field may vary from 0 to 8 bytes, and the CoAP options rely on the Type-Length-Value encoding format to specify the size of the actual option value in bytes. When doing SCHC compression of a variable-length field, makes it possible to define a function for the Field Length in the Field Descriptor, in order to determine the length before compression. If the Field Length is unknown, the Rule will set it as a variable, and SCHC will send the compressed field's length in the Compression Residue.
• A field can appear several times in the CoAP headers. This is typically the case for elements of a URI (path or queries). The SCHC specification allows a FID to appear several times in the Rule and uses the Field Position (FP) to identify the correct instance, thereby removing the MO's ambiguity.
• Field Lengths defined in CoAP can be too large when it comes to LPWAN traffic constraints. For instance, this is particularly true for the Message ID field and the Token field. SCHC uses different MOs to perform the compression (see ). In this case, SCHC can apply the Most Significant Bits (MSBs) MO to reduce the information carried on LPWANs.

Compression of CoAP Header Fields This section discusses the SCHC compression of the CoAP header fields, building on what is specified in .

CoAP Version Field The CoAP version is bidirectional and MUST be elided during SCHC compression, since it always contains the same value. In the future, or if a new version of CoAP is defined, new Rules will be needed to avoid ambiguities between versions.

CoAP Type Field CoAP has four types of messages: Confirmable (CON), Non-confirmable (NON), Acknowledgement (ACK), and Reset (RST). The SCHC compression scheme SHOULD elide this field if, for instance, a client is sending only NON messages or only CON messages. For RST messages, SCHC may use a dedicated Rule. For other usages, SCHC can use a "match-mapping" MO.

CoAP Code Field The Code field takes value from the "Code" column of the "CoAP Codes" IANA registry, encoded as specified in . This field indicates the Method Code of a CoAP request or the Response Code of a CoAP Response, while the value 0.00 indicates an Empty message. The compression of the CoAP Code field follows the same principle as that of the CoAP Type field. If the Device plays a specific role, SCHC may split the code values into two Field Descriptors: (1) the Method Codes with the 0 class and (2) the Response Codes. SCHC will use the DI to identify the correct value in the packet. If the Device only implements a CoAP client, SCHC compression may focus only on the Method Codes that the client uses in its outgoing requests. For known values, SCHC can use a "match-mapping" MO. If SCHC cannot compress the Code field, it will send the values in the Compression Residue.

CoAP Message ID Field SCHC can compress the Message ID field with the MSB MO and the LSB CDA (see ).

CoAP Token Field CoAP defines the Token using two CoAP fields: Token Length in the mandatory header and Token Value directly following the mandatory CoAP header. SCHC processes the Token Length as it would process any header field. If the value does not change, the size can be stored in the TV and elided during the transmission. Otherwise, SCHC will send the Token Length in the Compression Residue. For the Token Value, SCHC MUST NOT send it as variable-size data in the Compression Residue, to avoid ambiguity with the Token Length. Therefore, SCHC MUST use the Token Length value to define the size of the Compression Residue. SCHC designates a specific function, "tkl", that the Rule MUST use to complete the Field Descriptor. During the decompression, this function returns the value contained in the Token Length field.

Compression of CoAP Options CoAP defines options placed after the mandatory header and the Token field, ordered by option number (see ). Each option instance in a message uses the format Delta-Type (D-T), Length (L), Value (V). The SCHC Rule builds the description of each option as follows:

• in the FID: an identifier of the option with option number built from the D-T;
• in the FL: the option length, consistent with what is specified in Sections and of ; and
• in the TV: the option value.

When the Option Length has a well-known size, the Rule may keep the length value. Therefore, SCHC compression does not send it. Otherwise, SCHC compression carries the length of the Compression Residue, in addition to the Compression Residue value. Note that the length coding differs between CoAP options and SCHC variable size Compression Residue. CoAP requests and responses do not include the same options. Compression Rules may reflect this asymmetry by using the DI. The following sections present how SCHC compresses some specific CoAP options. If the use of an additional CoAP option is later introduced, the SCHC Rules MAY be updated, in which case a new FID description MUST be assigned to perform the compression of the CoAP option. Otherwise, if no Rule describes that CoAP option, SCHC compression is not achieved, and SCHC sends the CoAP header without compression.

CoAP Option Content-Format and Accept Fields If the client expects a single specific value, SCHC can elide these fields, by specifying the value in the TV of a Rule description with an "equal" MO and a "not-sent" CDA. Otherwise, if the client expects several possible values, a "match-mapping" MO SHOULD be used to limit the Compression Residue's size. If not, SCHC has to send the option value in the Compression Residue (with fixed or variable length).

CoAP Option Max-Age, Uri-Host, and Uri-Port Fields SCHC compresses these three fields in the same way. When the values of these options are known, SCHC can elide these fields. If the option uses well-known values, SCHC can use a "match-mapping" MO. Otherwise, these options' values will be sent in the Compression Residue, i.e., the SCHC Rule description does not set the TV, while setting the MO to "ignore" and the CDA to "value-sent".

CoAP Option Uri-Path and Uri-Query Fields The Uri-Path and Uri-Query fields are repeatable options, i.e., the CoAP header may include them several times and with different values. The SCHC Rule description uses the FP to distinguish the different instances of such options. To compress these repeatable field values, SCHC can use a "match-mapping" MO to reduce the size of variable paths or queries. When doing so, several elements can be regrouped into a single entry in order to optimize the compression. The numbering of elements does not change, and the first matching element sets the MO comparison. For example, as per the Rule descriptions shown in , SCHC can use a single bit in the Compression Residue to code the path segments "/a/b" or the path segments "/c/d". If regrouping were not allowed, then 2 bits in the Compression Residue would be needed. At the same time, SCHC sends the third path element following "/a/b" or "/c/d" as a variable-size field in the Compression Residue. Complex Path Example

Field	FL	FP	DI	TV	MO	CDA
Uri-Path		1	Up	["/a/b", "/c/d"]	match- mapping	mapping-sent
Uri-Path	var	3	Up		ignore	value-sent

The length of the Uri-Path and Uri-Query Options may be known when the Rule is defined. In any other case, SCHC MUST set the Field Length (FL) to a variable value. The unit of the variable length is bytes, hence the Compression Residue size is expressed in bytes, encoded as defined in . SCHC compression can use the MSB MO for a Uri-Path or Uri-Query element. In such a case, care must be taken when specifying the MSB parameter value in bits, which MUST be a multiple of 8. The length sent at the beginning of the variable-size field Compression Residue indicates the LSB's size in bytes, consistent with the unit of the variable length in the Rule description. For instance, for a CORECONF path /c/X6?k=eth0, the Rule description can be as shown in . That is, SCHC compresses the first part of the Uri-Path with a "not-sent" CDA. Also, SCHC will send the second element of the Uri-Path with the length (i.e., 0x2 "X6") followed by the query option with the length (i.e., 0x4 "eth0"). CORECONF URI compression

Field	FL	FP	DI	TV	MO	CDA
Uri-Path		1	Up	"c"	equal	not-sent
Uri-Path	var	2	Up		ignore	value-sent
Uri-Query	var	1	Up	"k="	MSB(16)	LSB

Variable Number of Path or Query Elements SCHC fixes the number of Uri-Path or Uri-Query elements in a Rule at Rule creation time. If the number of such elements varies, SCHC SHOULD either:

• create several Rules to cover all possibilities; or
• create a Rule that defines several entries for Uri-Path to cover the longest path, and send a Compression Residue with a length of 0 to indicate that a Uri-Path entry is empty. However, this adds 4 bits to the variable Compression Residue size (see ).

CoAP Option Size1, Size2, Proxy-URI, and Proxy-Scheme Fields The SCHC Rule description MAY define sending some field values by not setting the TV, while setting the MO to "ignore" and the CDA to "value-sent". A Rule MAY also use a "match-mapping" MO when there are different options for the same FID. Otherwise, the Rule sets the TV to a specific value, the MO to "equal", and the CDA to "not-sent".

CoAP Option ETag, If-Match, If-None-Match, Location-Path, and Location-Query Fields A Rule entry cannot store these fields' values. Therefore, SCHC compression MUST always send these values in the Compression Residue. That is, in the SCHC Rule, the TV is not set, while the MO is set to "ignore" and the CDA is set to "value-sent".

CoAP Option Hop-Limit Field The Hop-Limit field is an option defined in that can be used to detect forwarding loops through a chain of CoAP proxies. The first proxy in the chain that understands the option includes it in a received request with a proper value set, before forwarding the request. Any following proxy that understands the option decrements the option value and forwards the request if the new value is different than zero, or returns a 5.08 (Hop Limit Reached) error response otherwise. When a packet uses the Hop-Limit Option, SCHC compression SHOULD send its content in the Compression Residue. That is, in the SCHC Rule, the TV is not set, while the MO is set to "ignore" and the CDA is set to "value-sent". As an exception, and consistently with the default value 16 defined for the Hop-Limit Option in , a Rule MAY describe a TV with value 16, with the MO set to "equal" and the CDA set to "not-sent".

CoAP Option Echo Field The Echo field is an option defined in that a server can include in a CoAP response as a challenge to the client, and that the client echoes back to the server in one or more CoAP requests. This enables the server to verify the freshness of a request and to cryptographically verify the aliveness of the client. Also, it forces the client to demonstrate reachability at its claimed network address. When a packet uses the Echo Option, SCHC compression SHOULD send its content in the Compression Residue. That is, in the SCHC Rule, the TV is not set, while the MO is set to "ignore" and the CDA is set to "value-sent". An exception applies in case the server generates the values to use for the Echo Option by means of a persistent counter (see ). In such a case, a Rule MAY use the MSB MO and the LSB CDA. This would be effectively applicable until the persistent counter at the server becomes greater than the maximum threshold value that produces an MSB-matching.

CoAP Option Request-Tag Field The Request-Tag field is an option defined in that the client can set in CoAP requests throughout block-wise operations, with value an ephemeral short-lived identifier of the specific block-wise operation in question. This allows the server to match message fragments belonging to the same request operation and, if the server supports it, to reliably process simultaneous block-wise request operations on a single resource. If requests are integrity protected, this also protects against interchange of fragments between different block-wise request operations. When a packet uses the Request-Tag Option, SCHC compression MAY send its content in the Compression Residue. That is, in the SCHC Rule, the TV is not set, while the MO is set to "ignore" and the CDA is set to "value-sent". Alternatively, if a pre-defined set of Request-Tag values used by the client is known, a Rule MAY use a "match-mapping" MO when there are different options for the same FID.

CoAP Option EDHOC Field The EDHOC field is an option defined in that a client can include in a CoAP request, in order to perform an optimized, shortened execution of the authenticated key establishment protocol EDHOC . Such a request conveys both the final EDHOC message and actual application data, where the latter is protected with OSCORE using a Security Context derived from the result of the current EDHOC execution. The EDHOC Option occurs at most once and is always empty. The SCHC Rule MUST describe an empty TV, with the MO set to "equal" and the CDA set to "not-sent".

Compression of CoAP Extensions

Block When a packet uses a Block1 or Block2 Option or a Q-Block1 or Q-Block2 Option , SCHC compression MUST send its content in the Compression Residue. In the SCHC Rule, the TV is not set, while the MO is set to "ignore" and the CDA is set to "value-sent". The Block1, Block2, Q-Block1, and Q-Block2 options allow fragmentation at the CoAP level that is compatible with SCHC fragmentation. Both fragmentation mechanisms are complementary, and the node may use them for the same packet as needed.

Observe defines the Observe Option. The SCHC Rule description does not set the TV, while setting the MO to "ignore" and the CDA to "value-sent". SCHC does not limit the maximum size for this option (3 bytes). To reduce the transmission size, either the Device implementation MAY limit the delta between two consecutive values or a proxy can modify the increment. Since the client MAY use a RST message to inform a server that the Observe response is not required, a specific SCHC Rule SHOULD exist to allow the compression of a RST message.

No-Response defines a No-Response Option limiting the CoAP responses made by a server to a CoAP request. Different behaviors exist while using this option to limit the responses made by a server to a request. If both ends know the specific value, then the SCHC Rule describes the TV set to that value, the MO set to "equal", and the CDA set to "not-sent". Otherwise, if the value changes over time, the SCHC Rule does not set the TV, while setting the MO to "ignore" and the CDA to "value-sent". The Rule may also use a "match-mapping" MO to compress the value.

OSCORE The security protocol OSCORE provides end-to-end protection for CoAP messages. Group OSCORE builds on OSCORE and defines end-to-end protection of CoAP messages in group communication . This section describes how SCHC Rules can be applied to compress messages protected with OSCORE or Group OSCORE. shows the OSCORE Option value encoding, as it was originally defined in . As explained later in this section, this has been extended in and . The first byte of the OSCORE Option value specifies information to parse the rest of the value by using flags, as described below.

• As defined in , the eight least significant bit, when set, indicates that the OSCORE Option includes a second byte of flags. The seventh least significant bit is currently unassigned.
• As defined in , the sixth least significant bit, when set, indicates that the message including the OSCORE option is protected with the group mode of Group OSCORE (see ). When not set, the bit indicates that the message is protected either with OSCORE, or with the pairwise mode of Group OSCORE (see ), while the specific OSCORE Security Context used to protect the message determines which of the two cases applies.
• As defined in , bit h, when set, indicates the presence of the kid context field in the option. Also, bit k, when set, indicates the presence of the kid field. Finally, the three least significant bits form the n field, which indicates the length of the piv (Partial Initialization Vector) field in bytes. When n = 0, no piv is present.

Assuming the presence of a single flag byte, this is followed by the piv field. After that, if the h bit is set, the kid context field is present, preceded by one byte "s" indicating its length in bytes. After that, if the k bit is set, the kid field is present, and it ends where the OSCORE Option value ends.

OSCORE Option +-+-+-+-+-+-+-+-+---------------------------------+ |0 0 0|h|k| n | Partial IV (if any) | +-+-+-+-+-+-+-+-+---------------------------------+ | | | |<-- CoAP -->|<------- CoAP OSCORE_piv ------> | OSCORE_flags <-- 1 byte --> <------ s bytes -----> +--------------+----------------------+-----------------------+ | s (if any) | kid context (if any) | kid (if any) ... | +--------------+----------------------+-----------------------+ | | | |<-------- CoAP OSCORE_kidctx ------->|<-- CoAP OSCORE_kid -->| ]]>

shows the extended OSCORE Option value encoding, with the second byte of flags also present. As defined in , the least significant bit d of this byte, when set, indicates that two additional fields are included in the option, following the kid context field (if any). These two fields, namely x and nonce, are used when running the key update protocol KUDOS defined in , with x specifying the length of the nonce field in bytes as well as the specific behavior to adopt during the KUDOS execution. If the seventh least significant bit z of the x field is set, it indicates that two additional fields are included in the option, following the x and nonce fields. These two fields, namely y and old_nonce, are also used when running the key update protocol KUDOS, with y specifying the length of the old_nonce field in bytes. provides the breakdown of the x field, where its four least significant bits form the sub-field m, which specifies the size of nonce in bytes, minus 1. Also, the figure provides the breakdown of the y field, where its four least significant bits form the sub-field w, which specifies the size of old_nonce in bytes, minus 1.

OSCORE Option extended to support a KUDOS execution +-+-+-+-+-+-+-+-+---+---+---+---+---+---+---+---+---------------------+ |1|0|0|h|k| n | 0 | 0 | 0 | 0 | 0 | 0 | 0 | d | Partial IV (if any) | +-+-+-+-+-+-+-+-+---+---+---+---+---+---+---+---+---------------------+ | | | |<------------------- CoAP -------------------->|<- CoAP OSCORE_piv ->| OSCORE_flags <- 1 byte -> <----------- s bytes ------------> +------------+----------------------------------+ | s (if any) | kid context (if any) | +------------+----------------------------------+ | | |<------------- CoAP OSCORE_kidctx ------------>| <------ 1 byte -----> <----- m + 1 bytes -----> +---------------------+-------------------------+ | x (if any) | nonce (if any) | +---------------------+-------------------------+ |<-- CoAP OSCORE_x -->|<-- CoAP OSCORE_nonce -->| | | | 0 1 2 3 4 5 6 7 | | +-+-+-+-+-+-+-+-+ | | |0|z|b|p| m | | | +-+-+-+-+-+-+-+-+ | <------ 1 byte -----> <------ w + 1 bytes ------> +---------------------+----------------------------+ | y (if any) | old_nonce (if any) | +---------------------+----------------------------+ |<-- CoAP OSCORE_y -->|<-- CoAP OSCORE_oldnonce -->| | | | 0 1 2 3 4 5 6 7 | | +-+-+-+-+-+-+-+-+ | | |0|0|0|0| w | | | +-+-+-+-+-+-+-+-+ | +-----------------------+ | kid (if any) ... | +-----------------------+ | | |<-- CoAP OSCORE_kid -->| ]]>

To better perform OSCORE SCHC compression, the Rule description needs to identify the OSCORE Option and the fields it contains. Conceptually, it discerns up to eight distinct pieces of information within the OSCORE Option: the flag bits, the piv, the kid context prepended by its size, the x byte, the nonce, the y byte, the old_nonce, and the kid. The SCHC Rule splits the OSCORE Option into eight corresponding Field Descriptors in order to compress those pieces of information:

• CoAP OSCORE_flags
• CoAP OSCORE_piv
• CoAP OSCORE_kidctx
• CoAP OSCORE_x
• CoAP OSCORE_nonce
• CoAP OSCORE_y
• CoAP OSCORE_oldnonce
• CoAP OSCORE_kid

shows the original format of the OSCORE Option with the four fields OSCORE_flags, OSCORE_piv, OSCORE_kidctx, and OSCORE_kid superimposed on it. Also, shows the extended format of the OSCORE option with all the eight fields superimposed on it. If a field is not present, then the corresponding Field Descriptor in the SCHC Rule describes the TV set to b'', with the MO set to "equal" and the CDA set to "not-sent". Note that, if the field kid context is present, it directly includes the size octet, s. In addition, the following applies.

• For the x field, if both endpoints know the value, then the corresponding Field Descriptor in the SCHC Rule describes the TV set to that value, with the MO set to "equal" and the CDA set to "not-sent". This models: the case where the x field is not present, and thus TV is set to b''; and the case where the two endpoints run KUDOS with a pre-agreed size of the nonce field as per the m sub-field of the x field, as well as with a pre-agreed combination of its modes of operation, as per the bits b and p of the x field. Otherwise, if the value changes over time, then the corresponding Field Descriptor in the SCHC Rule does not set the TV, while it sets the MO to "ignore" and the CDA to "value-sent". The Rule may also use a "match-mapping" MO to compress this field, in case the two endpoints pre-agree on a set of alternative ways to run KUDOS, with respect to the size of the nonce field and the combination of the KUDOS modes of operation to use.
• For the y field, if both endpoints know the value, then the corresponding Field Descriptor in the SCHC Rule describes the TV set to that value, with the MO set to "equal" and the CDA set to "not-sent". This models: the case where the y field is not present, and thus TV is set to b''; and the case where the two endpoints run KUDOS with a pre-agreed size of the old_nonce field as per the w sub-field of the y field. Otherwise, if the value changes over time, then the corresponding Field Descriptor in the SCHC Rule does not set the TV, while it sets the MO to "ignore" and the CDA to "value-sent". The Rule may also use a "match-mapping" MO to compress this field, in case the two endpoints pre-agree on a set of sizes of the old_nonce field.
• For the nonce field, if it is not present (i.e., the x field is not present in the first place), then the corresponding Field Descriptor in the SCHC Rule describes the TV set to b'', with the MO set to "equal" and the CDA set to "not-sent". Otherwise, if the nonce field is present, then the corresponding Field Descriptor in the SCHC Rule has the TV not set, while the MO is set to "ignore" and the CDA is set to "value-sent". In such a case, for the value of the nonce field, SCHC MUST NOT send it as variable-length data in the Compression Residue, to avoid ambiguity with the length of the nonce field encoded in the x field. Therefore, SCHC MUST use the m sub-field of the x field to define the size of the Compression Residue. SCHC designates a specific function, "osc.x.m", that the Rule MUST use to complete the Field Descriptor. During the decompression, this function returns the length of the nonce field in bytes, as the value of the m sub-field of the x field, plus 1.
• For the old_nonce field, if it is not present (i.e., the y field is not present in the first place), then the corresponding Field Descriptor in the SCHC Rule describes the TV set to b'', with the MO set to "equal" and the CDA set to "not-sent". Otherwise, if the old_nonce field is present, then the corresponding Field Descriptor in the SCHC Rule has the TV not set, while the MO is set to "ignore" and the CDA is set to "value-sent". In such a case, for the value of the old_nonce field, SCHC MUST NOT send it as variable-length data in the Compression Residue, to avoid ambiguity with the length of the old_nonce field encoded in the y field. Therefore, SCHC MUST use the w sub-field of the y field to define the size of the Compression Residue. SCHC designates a specific function, "osc.y.w", that the Rule MUST use to complete the Field Descriptor. During the decompression, this function returns the length of the old_nonce field in bytes, as the value of the w sub-field of the y field, plus 1.

Compression of the CoAP Payload Marker The following applies with respect to the 0xFF payload marker. A SCHC compression Rule for CoAP includes all the expected CoAP options, therefore the payload marker does not have to be specified in a SCHC Rule description. If the CoAP message to compress with SCHC is not going to be protected with OSCORE and includes a payload, then the 0xFF payload marker MUST NOT be included in the compressed message, which is composed of the Compression RuleID, the Compression Residue (if any), and the CoAP payload. After having decompressed an incoming message, the recipient endpoint MUST prepend the 0xFF payload marker to the CoAP payload, if any was present after the consumed Compression Residue. If the CoAP message to compress with SCHC is going to be protected with OSCORE, the 0xFF payload marker is compressed as specified later in .

Examples of CoAP Header Compression

Mandatory Header with CON Message In this first scenario, the SCHC compressor on the NGW side receives a POST message from an Internet client, which is immediately acknowledged by the Device. describes the SCHC Rule descriptions for this scenario. CoAP Context to compress header without Token

Field	FL	FP	DI	TV	MO	CDA	Sent [bits]
CoAP Version	2	1	Bi	01	equal	not-sent
CoAP Type	2	1	Dw	CON	equal	not-sent
CoAP Type	2	1	Up	[ACK, RST]	match- mapping	mapping- sent	T
CoAP TKL	4	1	Bi	0	equal	not-sent
CoAP Code	8	1	Bi	[0.00, ... 5.05]	match- mapping	mapping- sent	CC CCC
CoAP MID	16	1	Bi	0000	MSB(7)	LSB	MID
CoAP Uri-Path	var	1	Dw	path	equal	not-sent

In this example, SCHC compression elides the version and Token Length fields. The 25 Method and Response Codes defined in have been shrunk to 5 bits using a "match-mapping" MO. The Uri-Path contains a single element indicated in the TV and elided with the CDA "not-sent". SCHC compression reduces the header, sending only a mapped Type (and only for uplink messages), a mapped code, and the least significant bits of the Message ID (9 bits in the example above). Note that, if a client is located in an Application Server and sends a request to a server located in the Device, then the request may not be compressed through this Rule, since the MID might not start with 7 bits equal to 0. A CoAP proxy placed before SCHC C/D can rewrite the Message ID to fit the value and match the Rule.

OSCORE Compression OSCORE aims to solve the problem of end-to-end protection for CoAP messages. Therefore, the goal is to hide as much as possible of the CoAP message, while still enabling proxy operations. Conceptually, this is achieved by splitting the CoAP message into an Inner Plaintext and an Outer OSCORE message. The Inner Plaintext contains (sensitive) information that is not necessary for performing proxy operations. Therefore, that information can be encrypted end-to-end, until it reaches the other origin endpoint as its final destination. The Outer Message acts as a shell matching the regular CoAP message format, and includes all the CoAP options and information needed for performing proxy operations and caching. This is summarized in . In particular, the CoAP options are arranged into three classes, each of which is granted a specific type of protection by the OSCORE protocol:

• Class E: Encrypted options moved to the Inner Plaintext.
• Class I: Integrity-protected options, included in the Additional Authenticated Data (AAD) when protecting the Plaintext, but otherwise left untouched in the Outer Message.
• Class U: Unprotected options, left untouched in the Outer Message.

As per these classes, the Outer options comprise the OSCORE Option, which indicates that the message is protected with OSCORE and carries the information necessary for the recipient endpoint to retrieve the Security Context for decrypting the message.

CoAP Packet Split into OSCORE Outer Header and Plaintext

shows the packet format for the OSCORE Outer header and Plaintext. In the Outer header, the original header code is hidden and replaced by a well-known value. As specified in Sections and of , the original header code is replaced with POST for requests and Changed for responses, when the message does not include the Observe Option. Otherwise, the original header code is replaced with FETCH for requests and Content for responses. The first byte of the Plaintext contains the original header code, the class E options, and, if present, the original message payload preceded by the payload marker. After that, an Authenticated Encryption with Associated Data (AEAD) algorithm encrypts the Plaintext. This also integrity-protects the Security Context parameters and, if present, any class I options from the Outer header. The resulting ciphertext becomes the new payload of the OSCORE message, as illustrated in . As defined in , this ciphertext is the encrypted Plaintext's concatenation with the Authentication Tag. Note that Inner Compression only affects the Plaintext before encryption. The Authentication Tag, fixed in length and uncompressed, is considered part of the cost of protection.

OSCORE Message

The SCHC compression scheme consists of compressing both the Plaintext before encryption and the resulting OSCORE message after encryption, as shown in . Note that, since the recipient endpoint can only decrypt the Inner part of the message, that endpoint will also have to implement Inner SCHC Compression/Decompression.

OSCORE Compression Diagram

The OSCORE message translates into a segmented process where SCHC compression is applied independently in two stages, each with its corresponding set of Rules, i.e., the Inner SCHC Rules and the Outer SCHC Rules. By doing so, compression is applied to all the fields of the original CoAP message. As to the compression of the 0xFF payload marker, the same rationale described in applies to both the Inner SCHC Compression and the Outer SCHC Compression. That is:

• After the Inner SCHC Compression of a CoAP message including a payload, the payload marker MUST NOT be included in the input to the AEAD Encryption, which is composed of the Inner Compression RuleID, the Inner Compression Residue (if any), and the CoAP payload.
• The Outer SCHC Compression takes as input the OSCORE-protected message, which always includes a payload (i.e., the OSCORE Ciphertext) preceded by the payload marker.
• After the Outer SCHC Compression, the payload marker MUST NOT be included in the final compressed message, which is composed of the Outer Compression RuleID, the Outer Compression Residue (if any), and the OSCORE Ciphertext.

After having completed the Outer SCHC Decompression of an incoming message, the recipient endpoint MUST prepend the 0xFF payload marker to the OSCORE Ciphertext. After having completed the Inner SCHC Decompression of an incoming message, the recipient endpoint MUST prepend the 0xFF payload marker to the CoAP payload, if any was present after the consumed Compression Residue.

Example OSCORE Compression This section provides an example with a GET request and a corresponding Content response, exchanged between a Device-based CoAP client and a cloud-based CoAP server. The example also describes a possible set of Rules for Inner SCHC Compression and Outer SCHC Compression. A dump of the results and a contrast between SCHC + OSCORE performance and SCHC + CoAP performance are also listed. This example shows an estimate of the cost of security with SCHC-OSCORE. Our first CoAP message is the GET request in .

CoAP GET Request

Its corresponding response is the Content response in .

CoAP Content Response

The SCHC Rules for the Inner Compression include all the fields present in a regular CoAP message. The methods described in apply to these fields. Table 4 provides an example. Inner SCHC Rule

Field	FL	FP	DI	TV	MO	CDA	Sent [bits]
CoAP Code	8	1	Up	1	equal	not-sent
CoAP Code	8	1	Dw	[69,132]	match- mapping	mapping- sent	C
CoAP Uri-Path		1	Up	"temperature"	equal	not-sent

shows the Plaintext obtained for the example GET request. The packet follows the process of Inner Compression and encryption until the payload. The Outer OSCORE message adds the result of the Inner process.

Plaintext Compression and Encryption for GET Request

In this case, the original message has no payload, and its resulting Plaintext is compressed up to only 1 byte (the size of the RuleID). The AEAD algorithm preserves this length in its first output and yields a fixed-size tag. SCHC cannot compress the tag, and the OSCORE message must include it without compression. The use of integrity protection translates into an overhead on the total message length, thus limiting the amount of compression that can be achieved and contributing to the cost of adding security to the exchange. shows the process for the example Content response. The Compression Residue is 1 bit long. Note that since SCHC adds padding after the payload, this misalignment causes the hexadecimal code from the payload to differ from the original, even if SCHC cannot compress the tag. The overhead for the tag bytes limits SCHC's performance but adds security to the exchange.

Plaintext Compression and Encryption for Content Response > 1 (shifted payload) | | 0b0000000 Padding | |________________________________________________| | | AEAD Encryption | (piv = 0x04) v _________________________________________________________ | | | encrypted_plaintext = 0x10c6d7c26cc1 (6 bytes) | | tag = 0xe9aef3f2461e0c29 (8 bytes) | | | | ciphertext = 0x10c6d7c26cc1e9aef3f2461e0c29 (14 bytes) | |_________________________________________________________| ]]>

The Outer SCHC Rule shown in is used, also to process the OSCORE Option fields. and show a dump of the OSCORE messages generated from the example messages, also including the Inner Compressed ciphertext in the payload. These are the messages that have to be compressed via the Outer SCHC Compression scheme. shows a possible set of Outer Rule items to compress the Outer header. Outer SCHC Rule

Field	FL	FP	DI	TV	MO	CDA	Sent [bits]
CoAP Version	2	1	Bi	01	equal	not- sent
CoAP Type	2	1	Up	0	equal	not- sent
CoAP Type	2	1	Dw	2	equal	not- sent
CoAP TKL	4	1	Bi	1	equal	not- sent
CoAP Code	8	1	Up	2	equal	not- sent
CoAP Code	8	1	Dw	68	equal	not- sent
CoAP MID	16	1	Bi	0000	MSB(12)	LSB	MMMM
CoAP Token	tkl	1	Bi	0x80	MSB(5)	LSB	TTT
CoAP OSCORE_flags	var	1	Up	0x09	equal	not- sent
CoAP OSCORE_piv	var	1	Up	0x00	MSB(4)	LSB	PPPP
CoAP OSCORE_kid	var	1	Up	0x636c69656e70	MSB(44)	LSB	KKKK
CoAP OSCORE_kidctx	var	1	Bi	b''	equal	not- sent
CoAP OSCORE_x	8	1	Bi	b''	equal	not- sent
CoAP OSCORE_nonce	osc.x.m	1	Bi	b''	equal	not- sent
CoAP OSCORE_y	8	1	Bi	b''	equal	not- sent
CoAP OSCORE_oldnonce	osc.y.w	1	Bi	b''	equal	not- sent
CoAP OSCORE_flags	var	1	Dw	b''	equal	not- sent
CoAP OSCORE_piv	var	1	Dw	b''	equal	not- sent
CoAP OSCORE_kid	var	1	Dw	b''	equal	not- sent

Protected and Inner SCHC Compressed GET Request

Protected and Inner SCHC Compressed Content Response

For the flag bits, some SCHC compression methods are useful, depending on the application. The most straightforward alternative is to provide a fixed value for the flags, combining an "equal" MO and a "not-sent" CDA. This SCHC description saves most bits but could prevent flexibility. Otherwise, SCHC could use a "match-mapping" MO to choose from several configurations for the exchange. If not, the SCHC description may use an MSB MO to mask off the three hard-coded most significant bits. Note that fixing a flag bit will limit the possible OSCORE options that can be used in the exchange, since the value of the flag bits plays a role in determining a specific OSCORE option. The piv field lends itself to having some bits masked off with an MSB MO and an LSB CDA. This SCHC description could be useful in applications where the message transmission frequency is low, such as with LPWAN technologies. Note that compressing the piv field may reduce the maximum number of sequence numbers that can be used in an exchange. Once the sequence number exceeds the maximum value, the OSCORE keys need to be re-established. The size, s, that is included in the OSCORE_kidctx field MAY be masked off with an LSB CDA. The rest of the OSCORE_kidctx field could have additional bits masked off, or the whole field could be fixed in accordance with an "equal" MO and a "not-sent" CDA. The same holds for the OSCORE_kid field. The Outer Rule of is applied to the example GET request and Content response. and show the resulting messages.

SCHC-OSCORE Compressed GET Request 2 bytes with padding) mid tkn piv kid Payload 0xa2c54fe1b434297b62 (9 bytes) Compressed message length: 12 bytes ]]>

SCHC-OSCORE Compressed Content Response 1 byte with padding) mid tkn Payload 0x10c6d7c26cc1e9aef3f2461e0c29 (14 bytes) ]]>

In contrast, the following compares these results with what would be obtained by SCHC compressing the original CoAP messages without protecting them with OSCORE, according to the SCHC Rule in . SCHC-CoAP Rule (No OSCORE)

Field	FL	FP	DI	TV	MO	CDA	Sent [bits]
CoAP Version	2	1	Bi	01	equal	not-sent
CoAP Type	2	1	Up	0	equal	not-sent
CoAP Type	2	1	Dw	2	equal	not-sent
CoAP TKL	4	1	Bi	1	equal	not-sent
CoAP Code	8	1	Up	2	equal	not-sent
CoAP Code	8	1	Dw	[69,132]	match- mapping	mapping- sent	C
CoAP MID	16	1	Bi	0000	MSB(12)	LSB	MMMM
CoAP Token	tkl	1	Bi	0x80	MSB(5)	LSB	TTT
CoAP Uri-Path		1	Up	"temperature"	equal	not-sent

The Rule in yields the SCHC compression results shown in for the request and in for the response.

CoAP GET Compressed without OSCORE

CoAP Content Compressed without OSCORE

As can be seen, the difference between applying SCHC + OSCORE as compared to regular SCHC + CoAP is about 10 bytes.

CoAP Header Compression with Proxies This section defines how SCHC Compression/Decompression is performed when CoAP proxies are deployed. The following refers to the origin client and origin server as application endpoints. Note that SCHC Compression/Decompression of CoAP headers is not necessarily used between each pair of hops in the communication chain. For example, if a proxy is deployed between an origin client and an origin server, SCHC might be used on the communication leg between the origin client and the proxy, but not on the communication leg between the proxy and the origin server.

Without End-to-End Security In case OSCORE is not used end-to-end between client and server, the SCHC processing occurs hop-by-hop, by relying on SCHC Rules that are consistently shared between two adjacent hops. In particular, SCHC is used as defined below.

• The sender application endpoint compresses the CoAP message, by using the SCHC Rules that it shares with the next hop towards the recipient application endpoint. The resulting, compressed message is sent to the next hop towards the recipient application endpoint.
• Each proxy decompresses the incoming compressed message, by using the SCHC Rules that it shares with the (previous hop towards the) sender application endpoint. Then, the proxy compresses the CoAP message to be forwarded, by using the SCHC Rules that it shares with the (next hop towards the) recipient application endpoint. The resulting, compressed message is sent to the (next hop towards the) recipient application endpoint.
• The recipient application endpoint decompresses the incoming compressed message, by using the SCHC Rules that it shares with the previous hop towards the sender application endpoint.

With End-to-End Security In case OSCORE is used end-to-end between client and server (see ), the following applies. The SCHC processing occurs end-to-end as to the Inner SCHC Compression/Decompression, by relying on Inner SCHC Rules that are consistently shared between the two application endpoints acting as OSCORE endpoints and sharing the used OSCORE Security Context. Instead, the SCHC processing occurs hop-by-hop as to the Outer SCHC Compression/Decompression, by relying on Outer SCHC Rules that are consistently shared between two adjacent hops. In particular, SCHC is used as defined below.

• The sender application endpoint performs the Inner SCHC Compression on the original CoAP message, by using the Inner SCHC Rules that it shares with the recipient application endpoint. Following the AEAD Encryption of the compressed input obtained from the previous step, the sender application endpoint performs the Outer SCHC Compression on the resulting OSCORE-protected message, by using the Outer SCHC Rules that it shares with the next hop towards the recipient application endpoint. The resulting, compressed message is sent to the next hop towards the recipient application endpoint.
• Each proxy performs the Outer SCHC Decompression on the incoming compressed message, by using the SCHC Rules that it shares with the (previous hop towards the) sender application endpoint. Then, the proxy performs the Outer SCHC Compression of the OSCORE-protected message to be forwarded, by using the SCHC Rules that it shares with the (next hop towards the) recipient application endpoint. The resulting, compressed message is sent to the (next hop towards the) recipient application endpoint.
• The recipient application endpoint performs the Outer SCHC Decompression on the incoming compressed message, by using the Outer SCHC Rules that it shares with the previous hop towards the sender application endpoint. Then, the recipient application endpoint performs the AEAD Decryption of the OSCORE-protected message obtained from the previous step. Finally, the recipient application endpoint performs the Inner SCHC Decompression on the compressed input obtained from the previous step, by using the Inner SCHC Rules that it shares with the sender application endpoint. The result is the original CoAP message produced by the sender application endpoint.

Examples of CoAP Header Compression with Proxies This section provides examples of SCHC Compression/Decompression in the presence of a CoAP proxy. The presented examples refer to the same deployment considered in , including a Device communicating over LPWAN with a Network Gateway (NGW), which in turn communicates with an Application Server over the Internet. The Application Server and the Device exchange CoAP messages through the NGW. The following also applies in the presented examples.

• CoAP request messages are sent only by the Device as targeting the Application Server (uplink traffic), which replies to the Device with corresponding CoAP response messages (downlink traffic). That is, the Device acts as CoAP client, while the Application Server acts as CoAP server.
• A CoAP proxy is co-located on the Network Gateway (NGW) deployed between the Application Server and the Device.
• SCHC is used also on the communication leg between the Application Server and the proxy.

Like in , the presented examples focus on SCHC Compression/Decompression of CoAP headers, i.e., irrespective of possible SCHC Compression/Decompression applied to further protocol headers. The example in considers an exchange of two unprotected messages, while the example in considers an exchange of two messages protected end-to-end with OSCORE. In the examples, the character | denotes bit concatenation. and show the two CoAP messages exchanged between the Device and the Application Server, via the proxy. The figures show the two messages as originally generated by the application at the two origin endpoints, i.e., before they are possibly protected end-to-end with OSCORE as considered by the example in . In particular, note that:

• On the communication leg between the Device and the proxy, the CoAP Message ID has value 0x0001 and the CoAP Token has value 0x82.
• On the communication leg between the proxy and the Application Server, the CoAP Message ID has value 0x0004 and the CoAP Token has value 0x75.

CoAP GET Request

CoAP Content Response

Without End-to-End Security In case OSCORE is not used end-to-end between the Device and the Application Server, the following SCHC Rules are shared between the different entities. Based on those Rules, the SCHC Compression/Decompression is performed as per . The Device and the proxy share the SCHC Rule shown in , with RuleID 0. SCHC Rule between the Device and the Proxy

Field	FL	FP	DI	TV	MO	CDA	Sent [bits]
CoAP Version	2	1	Bi	01	equal	not-sent
CoAP Type	2	1	Up	0	equal	not-sent
CoAP Type	2	1	Dw	[0,2]	match- mapping	mapping- sent	T
CoAP TKL	4	1	Bi	1	equal	not-sent
CoAP Code	8	1	Up	[1, 2, 3, 4]	match- mapping	mapping- sent	CC
CoAP Code	8	1	Dw	[65, 68, 69, 132]	match- mapping	mapping- sent	CC
CoAP MID	16	1	Bi	0x00	MSB(12)	LSB	MMMM
CoAP Token	tkl	1	Bi	0x80	MSB(5)	LSB	TTT
CoAP Uri-Host	var (B)	1	Up		ignore	value- sent
CoAP Uri-Path	var	1	Up	"temperature"	equal	not-sent
CoAP Proxy-Scheme	var	1	Up	"coap"	equal	not-sent

Instead, the proxy and the Application Server share the SCHC Rule shown in , with RuleID 1. SCHC Rule between the Proxy and the Application Server

Field	FL	FP	DI	TV	MO	CDA	Sent [bits]
CoAP Version	2	1	Bi	01	equal	not-sent
CoAP Type	2	1	Up	0	equal	not-sent
CoAP Type	2	1	Dw	[0,2]	match- mapping	mapping- sent	T
CoAP TKL	4	1	Bi	1	equal	not-sent
CoAP Code	8	1	Up	[1, 2, 3, 4]	match- mapping	mapping- sent	CC
CoAP Code	8	1	Dw	[65, 68, 69, 132]	match- mapping	mapping- sent	CC
CoAP MID	16	1	Bi	0x00	MSB(12)	LSB	MMMM
CoAP Token	tkl	1	Bi	0x70	MSB(5)	LSB	TTT
CoAP Uri-Host	var (B)	1	Up		ignore	value- sent
CoAP Uri-Path	var	1	Up	"temperature"	equal	not-sent

First, the Device applies the Rule in shared with the proxy to the CoAP request in . The result is the compressed CoAP request in , which the Device sends to the proxy.

CoAP GET Request Compressed for the Proxy 13 bytes with padding) 0b 00 0001 010 1011 | 0x6578616d706c652e636f6d code mid tkn Uri-Host (residue size and residue) Compressed message length: 14 bytes ]]>

Upon receiving the message in , the proxy decompresses it with the Rule in shared with the Device, and obtains the same CoAP request in . After that, the proxy removes the Proxy-Scheme Option from the decompressed CoAP request. Also, the proxy replaces the values of the CoAP Message ID and of the CoAP Token to 0x0004 and 0x75, respectively. The result is the CoAP request shown in .

CoAP GET Request to be Compressed by the Proxy

Then, the proxy applies the Rule in shared with the Application Server to the CoAP request in . The result is the compressed CoAP request in , which the proxy forwards to the Application Server.

CoAP GET Request Forwarded by the Proxy 13 bytes with padding) 0b 00 0100 101 1011 | 0x6578616d706c652e636f6d code mid tkn Uri-Host (residue size and residue) Compressed message length: 14 bytes ]]>

Upon receiving the message in , the Application Server decompresses it using the Rule in shared with the proxy. The result is the same CoAP request in , which the Application Server delivers to the application. After that, the Application Server produces the CoAP response in , and compresses it using the Rule in shared with the proxy. The result is the compressed CoAP response shown in , which the Application Server sends to the proxy.

CoAP Content Response Compressed for the Proxy 2 bytes with padding) 0b 1 10 0100 101 type code mid tkn Payload 0x32332043 (4 bytes) Compressed message length: 7 bytes ]]>

Upon receiving the message in , the proxy decompresses it using the Rule in shared with the Application Server. The result is the same CoAP response in . Then, the proxy replaces the values of the CoAP Message ID and of the CoAP Token to 0x0001 and 0x82, respectively. The result is the CoAP response shown in .

CoAP Content Response to be Compressed by the Proxy

Then, the proxy compresses the CoAP response in with the Rule in shared with the Device. The result is the compressed CoAP response shown in , which the proxy forwards to the Device.

CoAP Content Response Forwarded by the Proxy 2 bytes with padding) 0b 1 10 0001 010 type code mid tkn Payload 0x32332043 (4 bytes) Compressed message length: 7 bytes ]]>

Upon receiving the message in , the Device decompresses it using the Rule in shared with the proxy. The result is the same CoAP request in , which the Device delivers to the application.

With End-to-End Security In case OSCORE is used end-to-end between the Device and the Application Server, the following SCHC Rules are shared between the different entities. Based on those Rules, the SCHC Compression/Decompression is performed as per . The Device and the Application Server share the SCHC Rule shown in , with RuleID 2. The Device and the Application Server use this Rule to perform the Inner SCHC Compression/Decompression end-to-end. Inner SCHC Rule between the Device and the Application Server

Field	FL	FP	DI	TV	MO	CDA	Sent [bits]
CoAP Code	8	1	Up	[1, 2, 3, 4]	match- mapping	mapping- sent	CC
CoAP Code	8	1	Dw	[65, 68, 69, 132]	match- mapping	mapping- sent	CC
CoAP Uri-Path	var	1	Up	"temperature"	equal	not-sent

The Device and the proxy share the SCHC Rule shown in , with RuleID 3. The Device and the proxy use this Rule to perform the Outer SCHC Compression/Decompression hop-by-hop on their communication leg. Outer SCHC Rule between the Device and the Proxy

Field	FL	FP	DI	TV	MO	CDA	Sent [bits]
CoAP Version	2	1	Bi	01	equal	not-sent
CoAP Type	2	1	Up	0	equal	not-sent
CoAP Type	2	1	Dw	[0,2]	match- mapping	mapping- sent	T
CoAP TKL	4	1	Bi	1	equal	not-sent
CoAP Code	8	1	Up	2	equal	not-sent
CoAP Code	8	1	Dw	68	equal	not-sent
CoAP MID	16	1	Bi	0x00	MSB(12)	LSB	MMMM
CoAP Token	tkl	1	Bi	0x80	MSB(5)	LSB	TTT
CoAP Uri-Host	var (B)	1	Up		ignore	value- sent
CoAP OSCORE_flags	var	1	Up	0x09	equal	not-sent
CoAP OSCORE_piv	var	1	Up	0x00	MSB(4)	LSB	PPPP
CoAP OSCORE_kid	var	1	Up	0x0000	MSB(12)	LSB	KKKK
CoAP OSCORE_kidctx	var	1	Bi	b''	equal	not-sent
CoAP OSCORE_x	8	1	Bi	b''	equal	not-sent
CoAP OSCORE_nonce	osc.x.m	1	Bi	b''	equal	not-sent
CoAP OSCORE_y	8	1	Bi	b''	equal	not-sent
CoAP OSCORE_oldnonce	osc.y.w	1	Bi	b''	equal	not-sent
CoAP OSCORE_flags	var	1	Dw	b''	equal	not-sent
CoAP OSCORE_piv	var	1	Dw	b''	equal	not-sent
CoAP OSCORE_kid	var	1	Dw	b''	equal	not-sent
CoAP Proxy-Scheme	var	1	Up	"coap"	equal	not-sent

The proxy and the Application Server share the SCHC Rule shown in , with RuleID 4. The proxy and the Application Server use this Rule to perform the Outer SCHC Compression/Decompression hop-by-hop on their communication leg. Outer SCHC Rule between the Proxy and the Application Server

Field	FL	FP	DI	TV	MO	CDA	Sent [bits]
CoAP Version	2	1	Bi	01	equal	not-sent
CoAP Type	2	1	Up	0	equal	not-sent
CoAP Type	2	1	Dw	[0,2]	match- mapping	mapping- sent	T
CoAP TKL	4	1	Bi	1	equal	not-sent
CoAP Code	8	1	Up	2	equal	not-sent
CoAP Code	8	1	Dw	68	equal	not-sent
CoAP MID	16	1	Bi	0x00	MSB(12)	LSB	MMMM
CoAP Token	tkl	1	Bi	0x70	MSB(5)	LSB	TTT
CoAP Uri-Host	var (B)	1	Up		ignore	value- sent
CoAP OSCORE_flags	var	1	Up	0x09	equal	not-sent
CoAP OSCORE_piv	var	1	Up	0x00	MSB(4)	LSB	PPPP
CoAP OSCORE_kid	var	1	Up	0x0000	MSB(12)	LSB	KKKK
CoAP OSCORE_kidctx	var	1	Bi	b''	equal	not-sent
CoAP OSCORE_x	8	1	Bi	b''	equal	not-sent
CoAP OSCORE_nonce	osc.x.m	1	Bi	b''	equal	not-sent
CoAP OSCORE_y	8	1	Bi	b''	equal	not-sent
CoAP OSCORE_oldnonce	osc.y.w	1	Bi	b''	equal	not-sent
CoAP OSCORE_flags	var	1	Dw	b''	equal	not-sent
CoAP OSCORE_piv	var	1	Dw	b''	equal	not-sent
CoAP OSCORE_kid	var	1	Dw	b''	equal	not-sent

When the Device applies the Rule in shared with the Application Server to the CoAP request in , this results in the Compressed Plaintext shown in . As per , the message follows the process of SCHC Inner Compression and encryption until the payload (if any). The ciphertext resulting from the overall Inner process is used as payload of the Outer OSCORE message.

Plaintext Compression and Encryption for the GET Request

When the Application Server applies the Rule in shared with the Device to the CoAP response in , this results in the Compressed Plaintext shown in . As per , the message follows the process of SCHC Inner Compression and encryption until the payload (if any). The ciphertext resulting from the overall Inner process is used as payload of the Outer OSCORE message.

Plaintext Compression and Encryption for the Content Response > 2 (shifted payload) | | 0b000000 Padding | |_________________________________________________| | | AEAD Encryption | (piv = 0x04) | v _________________________________________________________ | | | encrypted_plaintext = 0x10c6d7c26cc1 (6 bytes) | | tag = 0xe9aef3f2461e0c29 (8 bytes) | | | | ciphertext = 0x10c6d7c26cc1e9aef3f2461e0c29 (14 bytes) | |_________________________________________________________| ]]>

After having performed the SCHC Inner Compression of the CoAP request in , the Device protects it with OSCORE by considering the Compressed Plaintext in . The result is the OSCORE-protected CoAP request shown in .

Protected and Inner SCHC Compressed CoAP GET Request

Then, the Device applies the Rule in shared with the proxy to the OSCORE-protected CoAP request in , thus performing the SCHC Outer Compression of such request. The result is the OSCORE-protected and Outer Compressed CoAP request shown in , which the Device sends to the proxy.

SCHC-OSCORE CoAP GET Request Compressed for the Proxy 14 bytes with padding) 0b 0001 010 1011 | 0x6578616d706c652e636f6d | 0b 0100 0101 mid tkn Uri-Host (residue size and residue) piv kid Payload 0xa2cfc54fe1b434297b62 (10 bytes) Compressed message length: 25 bytes ]]>

Upon receiving the message in , the proxy decompresses it with the Rule in shared with the Device, thus performing the SCHC Outer Decompression. The result is the same OSCORE-protected CoAP request in . After that, the proxy removes the Proxy-Scheme Option from the decompressed OSCORE-protected CoAP request. Also, the proxy replaces the values of the CoAP Message ID and of the CoAP Token to 0x0004 and 0x75, respectively. The result is the OSCORE-protected CoAP request shown in .

SCHC-OSCORE CoAP GET Request to be Compressed by the Proxy

Then, the proxy applies the Rule in shared with the Application Server to the OSCORE-protected CoAP request in , thus performing the SCHC Outer Compression of such request. The result is the OSCORE-protected and Outer Compressed CoAP request shown in , which the proxy forwards to the Application Server.

SCHC-OSCORE CoAP GET Request Forwarded by the Proxy 14 bytes with padding) 0b 0100 101 1011 | 0x6578616d706c652e636f6d | 0b 0100 0101 mid tkn Uri-Host (residue size and residue) piv kid Payload 0xa2cfc54fe1b434297b62 (10 bytes) Compressed message length: 25 bytes ]]>

Upon receiving the message in , the Application Server decompresses it using the Rule in shared with the proxy, thus performing the SCHC Outer Decompression. The result is the same OSCORE-protected CoAP request in . The Application Server decrypts and verifies such a request, which results in the same Compressed Plaintext in . Then, the Application Server applies the Rule in shared with the Device to such a Compressed Plaintext, thus performing the SCHC Inner Decompression. The result is used to rebuild the same CoAP request in , which the Application Server delivers to the application. After having performed the SCHC Inner Compression of the CoAP response in , the Application Server protects it with OSCORE by considering the Compressed Plaintext in . The result is the OSCORE-protected CoAP response shown in .

Protected and Inner SCHC Compressed CoAP Content Response

Then, the Application Server applies the Rule in shared with the proxy to the OSCORE-protected CoAP response in , thus performing the SCHC Outer Compression of such response. The result is the OSCORE-protected and Outer Compressed CoAP response shown in , which the Application Server sends to the proxy.

SCHC-OSCORE CoAP Content Response Compressed for the Proxy 1 byte with padding) 0b 1 0100 101 type mid tkn Payload 0x10c6d7c26cc1e9aef3f2461e0c29 (14 bytes) Compressed message length: 16 bytes ]]>

Upon receiving the message in , the proxy decompresses it with the Rule in shared with the Application Server, thus performing the SCHC Outer Decompression. The result is the same OSCORE-protected CoAP response in . After that, the proxy replaces the values of the CoAP Message ID and of the CoAP Token to 0x0001 and 0x82, respectively. The result is the OSCORE-protected CoAP response shown in .

SCHC-OSCORE CoAP Content Response to be Compressed by the Proxy

Then, the proxy applies the Rule in shared with the Device to the OSCORE-protected CoAP response in , thus performing the SCHC Outer Compression of such response. The result is the OSCORE-protected and Outer Compressed CoAP response shown in , which the proxy forwards to the Device.

SCHC-OSCORE CoAP Content Response Forwarded by the Proxy 1 byte with padding) 0b 1 0001 010 type mid tkn Payload 0x10c6d7c26cc1e9aef3f2461e0c29 (14 bytes) Compressed message length: 16 bytes ]]>

Upon receiving the message in , the Device decompresses it using the Rule in shared with the proxy, thus performing the SCHC Outer Decompression. The result is the same OSCORE-protected CoAP response in . The Device decrypts and verifies such a response, which results in the same Compressed Plaintext in . Then, the Device applies the Rule in shared with the Application Server to such a Compressed Plaintext, thus performing the SCHC Inner Decompression. The result is used to rebuild the same CoAP response in , which the Device delivers to the application.

Security Considerations The use of SCHC header compression for CoAP header fields only affects the representation of the header information. SCHC header compression itself does not increase or decrease the overall level of security of the communication. When the connection does not use a security protocol (OSCORE, DTLS, etc.), it is necessary to use a Layer 2 security mechanism to protect the SCHC messages. If an LPWAN is the Layer 2 technology being used, the SCHC security considerations discussed in continue to apply. When using another Layer 2 protocol, the use of a cryptographic integrity-protection mechanism to protect the SCHC headers is REQUIRED. Such cryptographic integrity protection is necessary in order to continue to provide the properties that relies upon. When SCHC is used with OSCORE, the security considerations discussed in continue to apply. When SCHC is used with Group OSCORE, the security considerations discussed in apply. When SCHC is used in the presence of CoAP proxies, the security considerations discussed in continue to apply. When SCHC is used with the OSCORE Outer headers, the Initialization Vector (IV) size in the Compression Residue must be carefully selected. There is a trade-off between compression efficiency (with a longer MSB MO prefix) and the frequency at which the Device must renew its key material (in order to prevent the IV from expanding to an uncompressible value). The key-renewal operation itself may require several message exchanges and result in energy-intensive computation, but the optimal trade-off will depend on the specifics of the Device and expected usage patterns. In order to renew its key material with another OSCORE endpoint, the Device can rely on the lightweight key update protocol KUDOS defined in . If an attacker can introduce a corrupted SCHC-compressed packet onto a link, DoS attacks can be mounted by causing excessive resource consumption at the decompressor. However, an attacker able to inject packets at the link layer is also capable of other, potentially more damaging, attacks. SCHC compression emits variable-length Compression Residues for some CoAP fields. In the representation of the compressed header, the length field that is sent is not the length of the original header field but rather the length of the Compression Residue that is being transmitted. If a corrupted packet arrives at the decompressor with a longer or shorter length than that of the original compressed representation, the SCHC decompression procedures will detect an error and drop the packet. SCHC header compression Rules MUST remain tightly coupled between the compressor and the decompressor. If the compression Rules get out of sync, a Compression Residue might be decompressed differently at the receiver, thus yielding a result different than the initial message submitted to compression procedures. Accordingly, any time the context Rules are updated on an OSCORE endpoint, that endpoint MUST trigger OSCORE key re-establishment, e.g., by running the lightweight key update protocol KUDOS . Similar procedures may be appropriate to signal Rule updates when other message-protection mechanisms are in use.

IANA Considerations This document has no actions for IANA.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK] The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. The Constrained Application Protocol (CoAP) is a RESTful application protocol for constrained nodes and networks. The state of a resource on a CoAP server can change over time. This document specifies a simple protocol extension for CoAP that enables CoAP clients to "observe" resources, i.e., to retrieve a representation of a resource and keep this representation updated by the server over a period of time. The protocol follows a best-effort approach for sending new representations to clients and provides eventual consistency between the state observed by each client and the actual resource state at the server. The Constrained Application Protocol (CoAP) is a RESTful transfer protocol for constrained nodes and networks. Basic CoAP messages work well for small payloads from sensors and actuators; however, applications will need to transfer larger payloads occasionally -- for instance, for firmware updates. In contrast to HTTP, where TCP does the grunt work of segmenting and resequencing, CoAP is based on datagram transports such as UDP or Datagram Transport Layer Security (DTLS). These transports only offer fragmentation, which is even more problematic in constrained nodes and networks, limiting the maximum size of resource representations that can practically be transferred. Instead of relying on IP fragmentation, this specification extends basic CoAP with a pair of "Block" options for transferring multiple blocks of information from a resource representation in multiple request-response pairs. In many important cases, the Block options enable a server to be truly stateless: the server can handle each block transfer separately, with no need for a connection setup or other server-side memory of previous block transfers. Essentially, the Block options provide a minimal way to transfer larger representations in a block-wise fashion. A CoAP implementation that does not support these options generally is limited in the size of the representations that can be exchanged, so there is an expectation that the Block options will be widely used in CoAP implementations. Therefore, this specification updates RFC 7252. There can be machine-to-machine (M2M) scenarios where server responses to client requests are redundant. This kind of open-loop exchange (with no response path from the server to the client) may be desired to minimize resource consumption in constrained systems while updating many resources simultaneously or performing high-frequency updates. CoAP already provides Non-confirmable (NON) messages that are not acknowledged by the recipient. However, the request/response semantics still require the server to respond with a status code indicating "the result of the attempt to understand and satisfy the request", per RFC 7252. This specification introduces a CoAP option called 'No-Response'. Using this option, the client can explicitly express to the server its disinterest in all responses against the particular request. This option also provides granular control to enable expression of disinterest to a particular response class or a combination of response classes. The server MAY decide to suppress the response by not transmitting it back to the client according to the value of the No-Response option in the request. This option may be effective for both unicast and multicast requests. This document also discusses a few examples of applications that benefit from this option. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols. Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252. This document defines the Static Context Header Compression and fragmentation (SCHC) framework, which provides both a header compression mechanism and an optional fragmentation mechanism. SCHC has been designed with Low-Power Wide Area Networks (LPWANs) in mind. SCHC compression is based on a common static context stored both in the LPWAN device and in the network infrastructure side. This document defines a generic header compression mechanism and its application to compress IPv6/UDP headers. This document also specifies an optional fragmentation and reassembly mechanism. It can be used to support the IPv6 MTU requirement over the LPWAN technologies. Fragmentation is needed for IPv6 datagrams that, after SCHC compression or when such compression was not possible, still exceed the Layer 2 maximum payload size. The SCHC header compression and fragmentation mechanisms are independent of the specific LPWAN technology over which they are used. This document defines generic functionalities and offers flexibility with regard to parameter settings and mechanism choices. This document standardizes the exchange over the LPWAN between two SCHC entities. Settings and choices specific to a technology or a product are expected to be grouped into profiles, which are specified in other documents. Data models for the context and profiles are out of scope. The presence of Constrained Application Protocol (CoAP) proxies may lead to infinite forwarding loops, which is undesirable. To prevent and detect such loops, this document specifies the Hop-Limit CoAP option. This document specifies enhancements to the Constrained Application Protocol (CoAP) that mitigate security issues in particular use cases. The Echo option enables a CoAP server to verify the freshness of a request or to force a client to demonstrate reachability at its claimed network address. The Request-Tag option allows the CoAP server to match block-wise message fragments belonging to the same request. This document updates RFC 7252 with respect to the following: processing requirements for client Tokens, forbidding non-secure reuse of Tokens to ensure response-to-request binding when CoAP is used with a security protocol, and amplification mitigation (where the use of the Echo option is now recommended). This document specifies alternative Constrained Application Protocol (CoAP) block-wise transfer options: Q-Block1 and Q-Block2. These options are similar to, but distinct from, the CoAP Block1 and Block2 options defined in RFC 7959. The Q-Block1 and Q-Block2 options are not intended to replace the Block1 and Block2 options but rather have the goal of supporting Non-confirmable (NON) messages for large amounts of data with fewer packet interchanges. Also, the Q-Block1 and Q-Block2 options support faster recovery should any of the blocks get lost in transmission. Ericsson RISE AB RISE AB Fraunhofer AISEC Ericsson The lightweight authenticated key exchange protocol EDHOC can be run over CoAP and used by two peers to establish an OSCORE Security Context. This document details this use of the EDHOC protocol, by specifying a number of additional and optional mechanisms. These especially include an optimization approach for combining the execution of EDHOC with the first OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context. RISE AB Ericsson AB Ericsson AB Ericsson AB Universitaet Duisburg-Essen This document defines the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE), providing end-to-end security of CoAP messages exchanged between members of a group, e.g., sent over IP multicast. In particular, the described protocol defines how OSCORE is used in a group communication setting to provide source authentication for CoAP group requests, sent by a client to multiple servers, and for protection of the corresponding CoAP responses. Group OSCORE also defines a pairwise mode where each member of the group can efficiently derive a symmetric pairwise key with any other member of the group for pairwise OSCORE communication. Group OSCORE can be used between endpoints communicating with CoAP or CoAP-mappable HTTP. RISE AB RISE AB This document defines Key Update for OSCORE (KUDOS), a lightweight procedure that two CoAP endpoints can use to update their keying material by establishing a new OSCORE Security Context. Accordingly, it updates the use of the OSCORE flag bits in the CoAP OSCORE Option as well as the protection of CoAP response messages with OSCORE, and it deprecates the key update procedure specified in Appendix B.2 of RFC 8613. Thus, this document updates RFC 8613. Also, this document defines a procedure that two endpoints can use to update their OSCORE identifiers, run either stand-alone or during a KUDOS execution. Informative References This document defines how to compress Constrained Application Protocol (CoAP) headers using the Static Context Header Compression and fragmentation (SCHC) framework. SCHC defines a header compression mechanism adapted for Constrained Devices. SCHC uses a static description of the header to reduce the header's redundancy and size. While RFC 8724 describes the SCHC compression and fragmentation framework, and its application for IPv6/UDP headers, this document applies SCHC to CoAP headers. The CoAP header structure differs from IPv6 and UDP, since CoAP uses a flexible header with a variable number of options, themselves of variable length. The CoAP message format is asymmetric: the request messages have a header format different from the format in the response messages. This specification gives guidance on applying SCHC to flexible headers and how to leverage the asymmetry for more efficient compression Rules. This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document obsoletes RFC 6347. IoTconsultancy.nl InterDigital RISE AB This document specifies the use of the Constrained Application Protocol (CoAP) for group communication, including the use of UDP/IP multicast as the default underlying data transport. Both unsecured and secured CoAP group communication are specified. Security is achieved by use of the Group Object Security for Constrained RESTful Environments (Group OSCORE) protocol. The target application area of this specification is any group communication use cases that involve resource-constrained devices or networks that support CoAP. This document replaces RFC 7390, while it updates RFC 7252 and RFC 7641. Ericsson AB Ericsson AB Ericsson AB This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios and a main use case is to establish an OSCORE security context. By reusing COSE for cryptography, CBOR for encoding, and CoAP for transport, the additional code size can be kept very low.

YANG Data Model TBD

Acknowledgments The authors sincerely thank , , , , , , and for their comments and feedback. The work on this document has been partly supported by the H2020 projects SIFIS-Home (Grant agreement 952652) and ARCADIAN-IoT (Grant agreement 101020259).