Internet Engineering Task Force T. Fossati Internet-Draft Nokia Intended status: Informational H. Tschofenig Expires: January 9, 2017 ARM N. Mavrogiannopoulos Red Hat July 8, 2016 TLS/DTLS Optimizations for Internet of Things Deployments draft-fossati-tls-iot-optimizations-00 Abstract Internet protocols work well in a variety of environments, including Internet of Things (IoT) deployments. While there are some optimization possibilities to reduce code size, bandwidth utilization, and to improve battery lifetime, in general most Internet protocols are also applicable to constrained environments. TLS and DTLS are two such security protocols that can be used by many IoT devices since DTLS/TLS provide lot of flexiblity in terms credential choice, ciphersuite usage, etc. The DICE working group has developed a specification that profiles the use of TLS and DTLS for IoT environments, without changing the TLS/DTLS specifications. This memo goes a step further and proposes changes to the DTLS/TLS protocol to introduce further optimizations. Since the ongoing work on TLS/DTLS 1.3 already offers several improvements (compared to previous versions) this document focuses on the use of version 1.3 and suggests further optimizations. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 9, 2017. Fossati, et al. Expires January 9, 2017 [Page 1] Internet-Draft DTLS/TLS Optimizations for IoT July 2016 Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Selective Fragment Retransmission . . . . . . . . . . . . . . 3 3.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 3 3.2. Proposal . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Transport Agnostic Security Associations . . . . . . . . . . 4 4.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 4 4.2. Proposal . . . . . . . . . . . . . . . . . . . . . . . . 4 5. Reducing the DTLS Record Layer Header Overhead . . . . . . . 6 5.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 6 5.2. Proposal . . . . . . . . . . . . . . . . . . . . . . . . 6 6. Reducing Buffers . . . . . . . . . . . . . . . . . . . . . . 6 6.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 6 6.2. Proposal . . . . . . . . . . . . . . . . . . . . . . . . 7 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 9.1. Normative References . . . . . . . . . . . . . . . . . . 7 9.2. Informative References . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction Internet protocols work well in a variety of environments, including Internet of Things (IoT) deployments. While there are some optimization possibilities to reduce code size, bandwidth utilization, and to improve battery lifetime, in general most Internet protocols are also applicable to constrained environments. TLS and DTLS are two such security protocols that can be used by many IoT devices since DTLS/TLS provide lot of flexiblity in terms credential choice, ciphersuite usage, etc. The DICE working group Fossati, et al. Expires January 9, 2017 [Page 2] Internet-Draft DTLS/TLS Optimizations for IoT July 2016 has developed a specification that profiles the use of TLS and DTLS for IoT environments, without changing the TLS/DTLS specifications. This memo goes a step further and proposes changes to the DTLS/TLS protocol to introduce further optimizations. Since the ongoing work on TLS/DTLS 1.3 [I-D.ietf-tls-tls13] already offers several improvements (compared to previous versions) this document focuses on the use of version 1.3 and suggests further optimizations. This document discusses four extensions, namely: Selective Fragment Retransmission: This extension improves retransmissions of lost handshake packets. Transport Agnostic Security Associations: Changes to a connection (such as an IP address change) requires a new handshake. This extension introduces a transport independent identifier. Reducing the DTLS Record Layer Header Overhead: This extension changes the record layer format to reduce the overhead. Reducing Buffers: This extension allows a DTLS/TLS server running on a constrained node to indicate its buffer size. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 3. Selective Fragment Retransmission 3.1. Problem Statement The unit of retransmission used by the DTLS handshake is a whole flight (see Section 4.2.4 of [RFC6347]. If the underlying media is inherently lossy, or shows high latency variance that might fire spurious retransmission, a single fragment that gets lost or is excessively delayed will force the whole flight to be retransmitted. This is further exacerbated when the effective MTU is very low and therefore handshake messages have higher probability to be fragmented. For example, IEEE 802.15.4 networks have a 128-byte MTU size. In such an environment a very "ordinary" TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA negotiation can take up to 30 individual fragments, 2/3 of which are sent in flight 4. The loss of a single fragment in flight 4 implies a retransmission that is 20x the magnitude of the original loss. Fossati, et al. Expires January 9, 2017 [Page 3] Internet-Draft DTLS/TLS Optimizations for IoT July 2016 The retransmission timer settings suggested in Section 11 of [I-D.ietf-dice-profile] offer mitigation for the spurious retransmit issue and, in general, help with congestion. However, they do not solve the retransmission of the entire flight. 3.2. Proposal A potential solution is to add a NACK-based retransmission scheme to the DTLS handshake and the granularity of retransmission would be a message fragment. We note that each fragment in a DTLS handshake is effectively associated to a unique identifier defined by the tuple Handshake.{message_seq,fragment_offset,fragment_length} that can be used in the NACK report to identify the exact geometry of the missing data in the current flight, together with the right-most received byte. 4. Transport Agnostic Security Associations 4.1. Problem Statement In DTLS, the security context demultiplexing is done via the 5-tuple. This implies that the associated DTLS context needs to be re- negotiated from scratch whenever the IP address changes. For example, when moving the network attachment from WLAN to a cellular connection, or when the IP address of the IoT devices changes during a sleep cyle. A NAT device may also modify the source UDP port after an idle period. In such situations, there is not enough information in the DTLS record header for a DTLS server, which handles multiple clients, to associate the changed address to an existing client. 4.2. Proposal A potential solution is to add the ability to negotiate, at handshake time, a transport independent identifier that is unique per security association. We call this identifier the 'Connection ID (CID)' in Figure 1. It decouples the DTLS session from the underlying transport protocol allowing the same DTLS security association to be migrated across different transport sessions. Fossati, et al. Expires January 9, 2017 [Page 4] Internet-Draft DTLS/TLS Optimizations for IoT July 2016 00 /\ : IP UDP : DTLS Record Header +-----+-----+-------+ +-----+-----+ : +---------+-------+------ | src | dst | proto | | src | dst | : | Seq#i | CID | ... +-----+-----+-------+ +-----+-----+ : +---------+-------+------ `----------------+----------------' : ^ `................ : .............' : GSM-SMS : DTLS Record Header +-------+-------+ : +---------+-------+----- | tp-oa | tp-da | : | Seq#i+1 | CID | ... +-------+-------+ : +---------+-------+----- : \/ 00 Figure 1: Transparent Handover of DTLS Session That approach modifies the DTLS record layer header to the format described in Figure 2. struct { ContentType type; ProtocolVersion version; uint16 epoch; uint48 sequence_number; uint32 connection_id; // New field uint16 length; opaque fragment[DTLSPlaintext.length]; } DTLSPlaintext; Figure 2: Modified DTLS Record Format A similar approach to support transparent handover of a DTLS session has been described in [I-D.barrett-mobile-dtls] and [Seggelmann]. The privacy issue associated with the use of a long-term identifier must be taken into consideration. For example, client and server could use a hash chain [Lamport] derived from the shared secret and pick the next unused id on handover. Fossati, et al. Expires January 9, 2017 [Page 5] Internet-Draft DTLS/TLS Optimizations for IoT July 2016 5. Reducing the DTLS Record Layer Header Overhead 5.1. Problem Statement The DTLS record layer header adds 13 bytes of overhead, as described in Appendix B of [I-D.ietf-dice-profile]. While some of the information carried in the header is unavoidable, other parameters are redundant and included for backwards compatibility reasons. This burden becomes quite substantial in networks with small frame sizes (e.g., low power wide area networks). Overhead that is not strictly needed could be removed to allow applications to transmit more data in a single packet or to make space for other DTLS features, such as the proposal described in Section 4. 5.2. Proposal It is possible to at least remove the following parameters in the header: o Protocol Version (2 bytes) o The sequence number component of the nonce_explicit field at the AES-CCM layer is an exact copy of the sequence number in the record layer header field. This leads to a duplication of 8-bytes per record. 6. Reducing Buffers 6.1. Problem Statement The Maximum Fragment Length extension [RFC6066] allows a client with limited buffer space to specify a different (smaller) maximum size for fragments that the server is allowed to send. The mechanism is not symmetrical: a server cannot state their buffer size. The assumption made in [RFC6066] is that the server is never going to be a constrained device, and therefore does not need such a capability. This may be true for many IoT deployments where the TLS client is implemented in an IoT device that connects to a server on the Internet that does not have memory limitations, such as a server in the cloud. However, with the desire to also deploy CoAPS and HTTPS- based servers in IoT devices, a constrained node may also need to run a DTLS/TLS server. In such a scenario, allowing a constrained server to advertise its Maximum Fragment Length helps to lower memory requirements. Fossati, et al. Expires January 9, 2017 [Page 6] Internet-Draft DTLS/TLS Optimizations for IoT July 2016 6.2. Proposal The semantics of the max_fragment_length extension could be modified to allow the server as well as the client to express their buffer sizes. 7. Acknowledgements We would like to thank Stephen Farrell for suggesting the use of hash chains to implement a privacy-friendly connection id. 8. Security Considerations This document suggests various extensions to DTLS/TLS and each of them comes with their own security and privacy considerations. Since this version of the document only suggests strawman proposals further discussions are needed to specify the details. 9. References 9.1. Normative References [I-D.ietf-tls-tls13] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", draft-ietf-tls-tls13-13 (work in progress), May 2016. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) Extensions: Extension Definitions", RFC 6066, DOI 10.17487/RFC6066, January 2011, . [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012, . 9.2. Informative References [I-D.barrett-mobile-dtls] Williams, M. and J. Barrett, "Mobile DTLS", draft-barrett- mobile-dtls-00 (work in progress), March 2009. Fossati, et al. Expires January 9, 2017 [Page 7] Internet-Draft DTLS/TLS Optimizations for IoT July 2016 [I-D.ietf-dice-profile] Tschofenig, H. and T. Fossati, "TLS/DTLS Profiles for the Internet of Things", draft-ietf-dice-profile-17 (work in progress), October 2015. [Lamport] Lamport, L., "Password Authentication with Insecure Communication", Commun. ACM, 1981. [Seggelmann] Seggelmann, R., Tuexen, M., and E. Rathgeb, "DTLS Mobility", ICDCN 12, 2012. Authors' Addresses Thomas Fossati Nokia Cambridge UK Email: thomas.fossati@nokia.com Hannes Tschofenig ARM Cambridge UK Email: hannes.tschofenig@arm.com Nikos Mavrogiannopoulos Red Hat Brno Czech Republic Email: nmav@redhat.com Fossati, et al. Expires January 9, 2017 [Page 8]