| draft-tiloca-core-oscore-discovery-07.txt | draft-tiloca-core-oscore-discovery-08.txt | |||
|---|---|---|---|---|
| CoRE Working Group M. Tiloca | CoRE Working Group M. Tiloca | |||
| Internet-Draft RISE AB | Internet-Draft RISE AB | |||
| Intended status: Standards Track C. Amsuess | Intended status: Standards Track C. Amsuess | |||
| Expires: May 6, 2021 | Expires: August 26, 2021 | |||
| P. van der Stok | P. van der Stok | |||
| Consultant | Consultant | |||
| November 02, 2020 | February 22, 2021 | |||
| Discovery of OSCORE Groups with the CoRE Resource Directory | Discovery of OSCORE Groups with the CoRE Resource Directory | |||
| draft-tiloca-core-oscore-discovery-07 | draft-tiloca-core-oscore-discovery-08 | |||
| Abstract | Abstract | |||
| Group communication over the Constrained Application Protocol (CoAP) | Group communication over the Constrained Application Protocol (CoAP) | |||
| can be secured by means of Group Object Security for Constrained | can be secured by means of Group Object Security for Constrained | |||
| RESTful Environments (Group OSCORE). At deployment time, devices may | RESTful Environments (Group OSCORE). At deployment time, devices may | |||
| not know the exact security groups to join, the respective Group | not know the exact security groups to join, the respective Group | |||
| Manager, or other information required to perform the joining | Manager, or other information required to perform the joining | |||
| process. This document describes how a CoAP endpoint can use | process. This document describes how a CoAP endpoint can use | |||
| descriptions and links of resources registered at the CoRE Resource | descriptions and links of resources registered at the CoRE Resource | |||
| skipping to change at page 1, line 46 ¶ | skipping to change at page 1, line 46 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 6, 2021. | This Internet-Draft will expire on August 26, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2. Registration of Group Manager Endpoints . . . . . . . . . . . 6 | 2. Registration of Group Manager Endpoints . . . . . . . . . . . 6 | |||
| 2.1. Parameters . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.1. Parameters . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.2. Relation Link to Authorization Server . . . . . . . . . . 9 | 2.2. Relation Link to Authorization Server . . . . . . . . . . 9 | |||
| 2.3. Registration Example . . . . . . . . . . . . . . . . . . 9 | 2.3. Registration Example . . . . . . . . . . . . . . . . . . 10 | |||
| 2.3.1. Example in Link Format . . . . . . . . . . . . . . . 10 | 2.3.1. Example in Link Format . . . . . . . . . . . . . . . 10 | |||
| 2.3.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 10 | 2.3.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 11 | |||
| 3. Addition and Update of Security Groups . . . . . . . . . . . 11 | 3. Addition and Update of Security Groups . . . . . . . . . . . 11 | |||
| 3.1. Addition Example . . . . . . . . . . . . . . . . . . . . 11 | 3.1. Addition Example . . . . . . . . . . . . . . . . . . . . 12 | |||
| 3.1.1. Example in Link Format . . . . . . . . . . . . . . . 12 | 3.1.1. Example in Link Format . . . . . . . . . . . . . . . 12 | |||
| 3.1.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 12 | 3.1.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 13 | |||
| 4. Discovery of Security Groups . . . . . . . . . . . . . . . . 14 | 4. Discovery of Security Groups . . . . . . . . . . . . . . . . 15 | |||
| 4.1. Discovery Example #1 . . . . . . . . . . . . . . . . . . 15 | 4.1. Discovery Example #1 . . . . . . . . . . . . . . . . . . 16 | |||
| 4.1.1. Example in Link Format . . . . . . . . . . . . . . . 15 | 4.1.1. Example in Link Format . . . . . . . . . . . . . . . 16 | |||
| 4.1.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 16 | 4.1.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 18 | |||
| 4.2. Discovery Example #2 . . . . . . . . . . . . . . . . . . 18 | 4.2. Discovery Example #2 . . . . . . . . . . . . . . . . . . 19 | |||
| 4.2.1. Example in Link Format . . . . . . . . . . . . . . . 18 | 4.2.1. Example in Link Format . . . . . . . . . . . . . . . 19 | |||
| 4.2.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 19 | 4.2.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 20 | |||
| 5. Use Case Example With Full Discovery . . . . . . . . . . . . 20 | 5. Use Case Example With Full Discovery . . . . . . . . . . . . 21 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 24 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 25 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 24 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 25 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 26 | 8.2. Informative References . . . . . . . . . . . . . . . . . 27 | |||
| Appendix A. Use Case Example With Full Discovery (CoRAL) . . . . 27 | Appendix A. Use Case Example With Full Discovery (CoRAL) . . . . 28 | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 31 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 1. Introduction | 1. Introduction | |||
| The Constrained Application Protocol (CoAP) [RFC7252] supports group | The Constrained Application Protocol (CoAP) [RFC7252] supports group | |||
| communication over IP multicast [I-D.ietf-core-groupcomm-bis] to | communication over IP multicast [I-D.ietf-core-groupcomm-bis] to | |||
| improve efficiency and latency of communication and reduce bandwidth | improve efficiency and latency of communication and reduce bandwidth | |||
| requirements. A set of CoAP endpoints constitutes an application | requirements. A set of CoAP endpoints constitutes an application | |||
| group by sharing a common pool of resources, that can be efficiently | group by sharing a common pool of resources, that can be efficiently | |||
| accessed through group communication. The members of an application | accessed through group communication. The members of an application | |||
| group may be members of a security group, thus sharing a common set | group may be members of a security group, thus sharing a common set | |||
| skipping to change at page 4, line 43 ¶ | skipping to change at page 4, line 43 ¶ | |||
| When querying the RD for security groups, a CoAP endpoint can use | When querying the RD for security groups, a CoAP endpoint can use | |||
| CoAP observation [RFC7641]. This results in automatic notifications | CoAP observation [RFC7641]. This results in automatic notifications | |||
| on the creation of new security groups or the update of existing | on the creation of new security groups or the update of existing | |||
| groups. Thus, it facilitates the early deployment of CoAP endpoints, | groups. Thus, it facilitates the early deployment of CoAP endpoints, | |||
| i.e. even before the GM is deployed and security groups are created. | i.e. even before the GM is deployed and security groups are created. | |||
| Interaction examples are provided in Link Format, as well as in the | Interaction examples are provided in Link Format, as well as in the | |||
| Constrained RESTful Application Language CoRAL [I-D.ietf-core-coral] | Constrained RESTful Application Language CoRAL [I-D.ietf-core-coral] | |||
| with reference to a CoRAL-based RD [I-D.hartke-t2trg-coral-reef]. | with reference to a CoRAL-based RD [I-D.hartke-t2trg-coral-reef]. | |||
| While all the CoRAL examples use the CoRAL textual serialization | While all the CoRAL examples show the CoRAL textual serialization | |||
| format, the CBOR [I-D.ietf-cbor-7049bis] or JSON [RFC8259] binary | format, its binary serialization format is used on the wire. | |||
| serialization format is used when sending such messages on the wire. | ||||
| The approach in this document is consistent with, but not limited to, | The approach in this document is consistent with, but not limited to, | |||
| the joining of security groups defined in | the joining of security groups defined in | |||
| [I-D.ietf-ace-key-groupcomm-oscore]. | [I-D.ietf-ace-key-groupcomm-oscore]. | |||
| 1.1. Terminology | 1.1. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| skipping to change at page 6, line 37 ¶ | skipping to change at page 6, line 37 ¶ | |||
| following parameters are specified together with the link. | following parameters are specified together with the link. | |||
| In the RD defined in [I-D.ietf-core-resource-directory] and based on | In the RD defined in [I-D.ietf-core-resource-directory] and based on | |||
| Link Format, each parameter is specified in a target attribute with | Link Format, each parameter is specified in a target attribute with | |||
| the same name. | the same name. | |||
| In a RD based on CoRAL, such as the one defined in | In a RD based on CoRAL, such as the one defined in | |||
| [I-D.hartke-t2trg-coral-reef], each parameter is specified in a | [I-D.hartke-t2trg-coral-reef], each parameter is specified in a | |||
| nested element with the same name. | nested element with the same name. | |||
| o 'ct', specifying the content format used with the group-membership | ||||
| resource at the Group Manager, with value "application/ace- | ||||
| groupcomm+cbor" registered in Section 8.2 of | ||||
| [I-D.ietf-ace-key-groupcomm]. | ||||
| Note: The examples in this document use the provisional value | ||||
| 65000 from the range "Reserved for Experimental Use" of the "CoAP | ||||
| Content-Formats" registry, within the "CoRE Parameters" registry. | ||||
| o 'rt', specifying the resource type of the group-membership | o 'rt', specifying the resource type of the group-membership | |||
| resource at the Group Manager, with value "core.osc.gm" registered | resource at the Group Manager, with value "core.osc.gm" registered | |||
| in Section 21.11 of [I-D.ietf-ace-key-groupcomm-oscore]. | in Section 21.11 of [I-D.ietf-ace-key-groupcomm-oscore]. | |||
| o 'if', specifying the interface description for accessing the | o 'if', specifying the interface description for accessing the | |||
| group-membership resource at the Group Manager, with value | group-membership resource at the Group Manager, with value | |||
| "ace.group" registered in Section 8.10 of | "ace.group" registered in Section 8.10 of | |||
| [I-D.ietf-ace-key-groupcomm]. | [I-D.ietf-ace-key-groupcomm]. | |||
| o 'sec-gp', specifying the name of the security group of interest, | o 'sec-gp', specifying the name of the security group of interest, | |||
| skipping to change at page 7, line 20 ¶ | skipping to change at page 7, line 30 ¶ | |||
| Thus, when registering the links to its group-membership resource, | Thus, when registering the links to its group-membership resource, | |||
| the GM is aware of the application groups and their names. | the GM is aware of the application groups and their names. | |||
| If a different entity than the GM registers the security groups to | If a different entity than the GM registers the security groups to | |||
| the RD, e.g. a Commissioning Tool, this entity has to also be | the RD, e.g. a Commissioning Tool, this entity has to also be | |||
| aware of the application groups and their names to specify. To | aware of the application groups and their names to specify. To | |||
| this end, it can obtain them from the GM or from the Administator | this end, it can obtain them from the GM or from the Administator | |||
| that created the security groups at the GM (see | that created the security groups at the GM (see | |||
| [I-D.ietf-ace-oscore-gm-admin]). | [I-D.ietf-ace-oscore-gm-admin]). | |||
| Optionally, the following parameters can also be specified. | Optionally, the following parameters can also be specified. If Link | |||
| Format is used, the value of each of these parameters is encoded as a | ||||
| text string. | ||||
| o 'alg', specifying the AEAD algorithm used in the security group. | ||||
| If present, this parameter MUST specify a single value, which is | ||||
| taken from the 'Value' column of the "COSE Algorithms" Registry | ||||
| [COSE.Algorithms]. | ||||
| o 'hkdf', specifying the HKDF algorithm used in the security group. | ||||
| If present, this parameter MUST specify a single value, which is | ||||
| taken from the 'Value' column of the "COSE Algorithms" Registry | ||||
| defined in [COSE.Algorithms]. | ||||
| o 'cs_alg', specifying the algorithm used to countersign messages in | o 'cs_alg', specifying the algorithm used to countersign messages in | |||
| the security group. If present, this parameter MUST specify a | the security group. If present, this parameter MUST specify a | |||
| single value encoded as a text string, which is taken from the | single value, which is taken from the 'Value' column of the "COSE | |||
| 'Value' column of the "COSE Algorithms" Registry | Algorithms" Registry [COSE.Algorithms]. | |||
| [COSE.Algorithms]. | ||||
| o 'cs_alg_crv', specifying the elliptic curve (if applicable) for | o 'cs_alg_crv', specifying the elliptic curve (if applicable) for | |||
| the algorithm used to countersign messages in the security group. | the algorithm used to countersign messages in the security group. | |||
| If present, this parameter MUST specify a single value encoded as | If present, this parameter MUST specify a single value, which is | |||
| a text string, which is taken from the 'Value' column of the "COSE | taken from the 'Value' column of the "COSE Elliptic Curves" | |||
| Elliptic Curves" Registry [COSE.Elliptic.Curves]. | Registry [COSE.Elliptic.Curves]. | |||
| o 'cs_key_kty', specifying the key type of countersignature keys | o 'cs_key_kty', specifying the key type of countersignature keys | |||
| used to countersign messages in the security group. If present, | used to countersign messages in the security group. If present, | |||
| this parameter MUST specify a single value encoded as a text | this parameter MUST specify a single value, which is taken from | |||
| string, which is taken from the 'Value' column of the "COSE Key | the 'Value' column of the "COSE Key Types" Registry | |||
| Types" Registry [COSE.Key.Types]. | [COSE.Key.Types]. | |||
| o 'cs_key_crv', specifying the elliptic curve (if applicable) of | o 'cs_key_crv', specifying the elliptic curve (if applicable) of | |||
| countersignature keys used to countersign messages in the security | countersignature keys used to countersign messages in the security | |||
| group. If present, this parameter MUST specify a single value | group. If present, this parameter MUST specify a single value, | |||
| encoded as a text string, which is taken from the 'Value' column | which is taken from the 'Value' column of the "COSE Elliptic | |||
| of the "COSE Elliptic Curves" Registry defined in | Curves" Registry defined in [COSE.Elliptic.Curves]. | |||
| [COSE.Elliptic.Curves]. | ||||
| o 'cs_kenc', specifying the encoding of the public keys used in the | o 'cs_kenc', specifying the encoding of the public keys used in the | |||
| security group. If present, this parameter MUST specify a single | security group. If present, this parameter MUST specify a single | |||
| value encoded as a text string. This specification explicitly | value. This specification explicitly admits the signaling of COSE | |||
| admits the signaling of COSE Keys | Keys [I-D.ietf-cose-rfc8152bis-struct] as encoding for public | |||
| [I-D.ietf-cose-rfc8152bis-struct] as encoding for public keys, | keys, which is indicated with "1", as taken from the 'Confirmation | |||
| which is indicated with "1", as taken from the 'Confirmation Key' | Key' column of the "CWT Confirmation Method" Registry defined in | |||
| column of the "CWT Confirmation Method" Registry defined in | ||||
| [RFC8747]. Future specifications may define additional values for | [RFC8747]. Future specifications may define additional values for | |||
| this parameter. | this parameter. | |||
| o 'alg', specifying the AEAD algorithm used in the security group. | o 'ecdh_alg', specifying the ECDH algorithm used to derive pairwise | |||
| If present, this parameter MUST specify a single value encoded as | encryption keys in the security group, e.g. as for the pairwise | |||
| a text string, which is taken from the 'Value' column of the "COSE | mode of Group OSCORE (see Section 2.3 of | |||
| Algorithms" Registry [COSE.Algorithms]. | [I-D.ietf-core-oscore-groupcomm]). If present, this parameter | |||
| MUST specify a single value, which is taken from the 'Value' | ||||
| column of the "COSE Algorithms" Registry [COSE.Algorithms]. | ||||
| o 'hkdf', specifying the HKDF algorithm used in the security group. | o 'ecdh_alg_crv', specifying the elliptic curve for the ECDH | |||
| If present, this parameter MUST specify a single value encoded as | algorithm used to derive pairwise encryption keys in the security | |||
| a text string, which is taken from the 'Value' column of the "COSE | group. If present, this parameter MUST specify a single value, | |||
| Algorithms" Registry defined in [COSE.Algorithms]. | which is taken from the 'Value' column of the "COSE Elliptic | |||
| Curves" Registry [COSE.Elliptic.Curves]. | ||||
| o 'ecdh_key_kty', specifying the key type of keys used with an ECDH | ||||
| algorithm to derive pairwise encryption keys in the security | ||||
| group. If present, this parameter MUST specify a single value, | ||||
| which is taken from the 'Value' column of the "COSE Key Types" | ||||
| Registry [COSE.Key.Types]. | ||||
| o 'ecdh_key_crv', specifying the elliptic curve of keys used with an | ||||
| ECDH algorithm to derive pairwise encryption keys in the security | ||||
| group. If present, this parameter MUST specify a single value, | ||||
| which is taken from the 'Value' column of the "COSE Elliptic | ||||
| Curves" Registry defined in [COSE.Elliptic.Curves]. | ||||
| Note that the values registered in the COSE Registries | Note that the values registered in the COSE Registries | |||
| [COSE.Algorithms][COSE.Elliptic.Curves][COSE.Key.Types] are strongly | [COSE.Algorithms][COSE.Elliptic.Curves][COSE.Key.Types] are strongly | |||
| typed. On the contrary, Link Format is weakly typed and thus does | typed. On the contrary, Link Format is weakly typed and thus does | |||
| not distinguish between, for instance, the string value "-10" and the | not distinguish between, for instance, the string value "-10" and the | |||
| integer value -10. | integer value -10. | |||
| Thus, in RDs that return responses in Link Format, string values | Thus, in RDs that return responses in Link Format, string values | |||
| which look like an integer are not supported. Therefore, such values | which look like an integer are not supported. Therefore, such values | |||
| MUST NOT be advertised through the corresponding parameters above. | MUST NOT be advertised through the corresponding parameters above. | |||
| A CoAP endpoint that queries the RD to discover security groups and | A CoAP endpoint that queries the RD to discover security groups and | |||
| their group-membership resource to access (see Section 4) would | their group-membership resource to access (see Section 4) would | |||
| benefit from the information above as follows. | benefit from the information above as follows. | |||
| o The values of 'cs_alg', 'cs_alg_crv', 'cs_key_kty', 'cs_key_crv' | o The values of 'cs_alg', 'cs_alg_crv', 'cs_key_kty', 'cs_key_crv', | |||
| and 'cs_kenc' related to a group-membership resource provide an | 'cs_kenc', 'ecdh_alg', 'ecdh_alg_crv', 'ecdh_key_kty' and | |||
| 'ecdh_key_crv' related to a group-membership resource provide an | ||||
| early knowledge of the format and encoding of public keys used in | early knowledge of the format and encoding of public keys used in | |||
| the security group. Thus, the CoAP endpoint does not need to ask | the security group. Thus, the CoAP endpoint does not need to ask | |||
| the GM for this information as a preliminary step before the | the GM for this information as a preliminary step before the | |||
| joining process, or to perform a trial-and-error joining exchange | joining process, or to perform a trial-and-error joining exchange | |||
| with the GM. Hence, the CoAP endpoint is able to provide the GM | with the GM. Hence, the CoAP endpoint is able to provide the GM | |||
| with its own public key in the correct expected format and | with its own public key in the correct expected format and | |||
| encoding at the very first step of the joining process. | encoding at the very first step of the joining process. | |||
| o The values of 'cs_alg', 'alg' and 'hkdf' related to a group- | o The values of 'alg', 'hkdf', 'cs_alg' and 'ecdh_alg' related to a | |||
| membership resource provide an early knowledge of the algorithms | group-membership resource provide an early knowledge of the | |||
| used in the security group. Thus, the CoAP endpoint is able to | algorithms used in the security group. Thus, the CoAP endpoint is | |||
| decide whether to actually proceed with the joining process, | able to decide whether to actually proceed with the joining | |||
| depending on its support for the indicated algorithms. | process, depending on its support for the indicated algorithms. | |||
| 2.2. Relation Link to Authorization Server | 2.2. Relation Link to Authorization Server | |||
| For each registered link to a group-membership resource, the GM MAY | For each registered link to a group-membership resource, the GM MAY | |||
| additionally specify the link to the ACE Authorization Server (AS) | additionally specify the link to the ACE Authorization Server (AS) | |||
| [I-D.ietf-ace-oauth-authz] associated to the GM, and issuing | [I-D.ietf-ace-oauth-authz] associated to the GM, and issuing | |||
| authorization credentials to join the security group as described in | authorization credentials to join the security group as described in | |||
| [I-D.ietf-ace-key-groupcomm-oscore]. | [I-D.ietf-ace-key-groupcomm-oscore]. | |||
| The link to the AS has as target the URI of the resource where to | The link to the AS has as target the URI of the resource where to | |||
| skipping to change at page 9, line 39 ¶ | skipping to change at page 10, line 22 ¶ | |||
| relation type. | relation type. | |||
| 2.3. Registration Example | 2.3. Registration Example | |||
| The example below shows a GM with endpoint name "gm1" and address | The example below shows a GM with endpoint name "gm1" and address | |||
| 2001:db8::ab that registers with the RD. | 2001:db8::ab that registers with the RD. | |||
| The GM specifies the value of the 'sec-gp' parameter for accessing | The GM specifies the value of the 'sec-gp' parameter for accessing | |||
| the security group with name "feedca570000", and used by the | the security group with name "feedca570000", and used by the | |||
| application group with name "group1" specified with the value of the | application group with name "group1" specified with the value of the | |||
| 'app-gp' parameter. The countersignature algorithm used in the | 'app-gp' parameter. | |||
| security group is EdDSA, with elliptic curve Ed25519 and keys of type | ||||
| OKP. Public keys used in the security group are encoded as COSE Keys | The countersignature algorithm used in the security group is EdDSA | |||
| [I-D.ietf-cose-rfc8152bis-struct]. | (-8), with elliptic curve Ed25519 (6). Public keys used in the | |||
| security group are encoded as COSE Keys (1) | ||||
| [I-D.ietf-cose-rfc8152bis-struct]. The ECDH algorithm used in the | ||||
| security group is ECDH-SS + HKDF-256 (-27), with elliptic curve | ||||
| X25519 (4). | ||||
| In addition, the GM specifies the link to the ACE Authorization | In addition, the GM specifies the link to the ACE Authorization | |||
| Server associated to the GM, to which a CoAP endpoint should send an | Server associated to the GM, to which a CoAP endpoint should send an | |||
| Authorization Request for joining the corresponding security group | Authorization Request for joining the corresponding security group | |||
| (see [I-D.ietf-ace-key-groupcomm-oscore]). | (see [I-D.ietf-ace-key-groupcomm-oscore]). | |||
| 2.3.1. Example in Link Format | 2.3.1. Example in Link Format | |||
| Request: GM -> RD | Request: GM -> RD | |||
| Req: POST coap://rd.example.com/rd?ep=gm1 | Req: POST coap://rd.example.com/rd?ep=gm1 | |||
| Content-Format: 40 | Content-Format: 40 | |||
| Payload: | Payload: | |||
| </ace-group/feedca570000>;ct=41;rt="core.osc.gm";if="ace.group"; | </ace-group/feedca570000>;ct=65000;rt="core.osc.gm";if="ace.group"; | |||
| sec-gp="feedca570000";app-gp="group1"; | sec-gp="feedca570000";app-gp="group1"; | |||
| cs_alg="-8";cs_alg_crv="6"; | cs_alg="-8";cs_alg_crv="6"; | |||
| cs_key_kty="1";cs_key_crv=6"; | cs_kenc="1";ecdh_alg="-27"; | |||
| cs_kenc="1", | ecdh_alg_crv="4", | |||
| <coap://as.example.com/token>; | <coap://as.example.com/token>; | |||
| rel="authorization-server"; | rel="authorization-server"; | |||
| anchor="coap://[2001:db8::ab]/ace-group/feedca570000" | anchor="coap://[2001:db8::ab]/ace-group/feedca570000" | |||
| Response: RD -> GM | Response: RD -> GM | |||
| Res: 2.01 Created | Res: 2.01 Created | |||
| Location-Path: /rd/4521 | Location-Path: /rd/4521 | |||
| 2.3.2. Example in CoRAL | 2.3.2. Example in CoRAL | |||
| Request: GM -> RD | Request: GM -> RD | |||
| Req: POST coap://rd.example.com/rd?ep=gm1 | Req: POST coap://rd.example.com/rd?ep=gm1 | |||
| Content-Format: TBD123456 (application/coral+cbor) | Content-Format: TBD123456 (application/coral+cbor) | |||
| Payload: | Payload: | |||
| #using <http://coreapps.org/core.oscore-discovery#> | #using <http://coreapps.org/core.oscore-discovery#> | |||
| #using reef = <http://coreapps.org/reef#> | #using reef = <http://coreapps.org/reef#> | |||
| #using iana = <http://www.iana.org/assignments/relation/> | #using iana = <http://www.iana.org/assignments/relation/> | |||
| #base <coap://[2001:db8::ab]/> | #base <coap://[2001:db8::ab]/> | |||
| reef:rd-item </ace-group/feedca570000> { | reef:rd-item </ace-group/feedca570000> { | |||
| reef:ct 65000 | ||||
| reef:rt "core.osc.gm" | reef:rt "core.osc.gm" | |||
| reef:if "ace.group" | reef:if "ace.group" | |||
| sec-gp "feedca570000" | sec-gp "feedca570000" | |||
| app-gp "group1" | app-gp "group1" | |||
| cs_alg -8 | cs_alg -8 | |||
| cs_alg_crv 6 | cs_alg_crv 6 | |||
| cs_key_kty 1 | ||||
| cs_key_crv 6 | ||||
| cs_kenc 1 | cs_kenc 1 | |||
| ecdh_alg -27 | ||||
| ecdh_alg_crv 4 | ||||
| iana:authorization-server <coap://as.example.com/token> | iana:authorization-server <coap://as.example.com/token> | |||
| } | } | |||
| Response: RD -> GM | Response: RD -> GM | |||
| Res: 2.01 Created | Res: 2.01 Created | |||
| Location-Path: /rd/4521 | Location-Path: /rd/4521 | |||
| 3. Addition and Update of Security Groups | 3. Addition and Update of Security Groups | |||
| The GM is responsible to refresh the registration of all its group- | The GM is responsible to refresh the registration of all its group- | |||
| membership resources in the RD. This means that the GM has to update | membership resources in the RD. This means that the GM has to update | |||
| the registration within its lifetime as per Section 5.3.1 of | the registration within its lifetime as per Section 5.3.1 of | |||
| [I-D.ietf-core-resource-directory], and has to change the content of | [I-D.ietf-core-resource-directory], and has to change the content of | |||
| the registration when a group-membership resource is added/removed, | the registration when a group-membership resource is added/removed, | |||
| skipping to change at page 12, line 11 ¶ | skipping to change at page 13, line 4 ¶ | |||
| o A third group-membership resource associated with the security | o A third group-membership resource associated with the security | |||
| group with name "abcdef120000" and used by two application groups, | group with name "abcdef120000" and used by two application groups, | |||
| namely "group3" and "group4". | namely "group3" and "group4". | |||
| Furthermore, the GM relates the same Authorization Server also to the | Furthermore, the GM relates the same Authorization Server also to the | |||
| security groups "ech0ech00000" and "abcdef120000". | security groups "ech0ech00000" and "abcdef120000". | |||
| 3.1.1. Example in Link Format | 3.1.1. Example in Link Format | |||
| Request: GM -> RD | Request: GM -> RD | |||
| Req: POST coap://rd.example.com/rd?ep=gm1 | Req: POST coap://rd.example.com/rd?ep=gm1 | |||
| Content-Format: 40 | Content-Format: 40 | |||
| Payload: | Payload: | |||
| </ace-group/feedca570000>;ct=41;rt="core.osc.gm";if="ace.group"; | </ace-group/feedca570000>;ct=65000;rt="core.osc.gm";if="ace.group"; | |||
| sec-gp="feedca570000";app-gp="group1"; | sec-gp="feedca570000";app-gp="group1"; | |||
| cs_alg="-8";cs_alg_crv="6"; | cs_alg="-8";cs_alg_crv="6"; | |||
| cs_key_kty="1";cs_key_crv=6"; | cs_kenc="1";ecdh_alg="-27"; | |||
| cs_kenc="1", | ecdh_alg_crv="4", | |||
| </ace-group/ech0ech00000>;ct=41;rt="core.osc.gm";if="ace.group"; | </ace-group/ech0ech00000>;ct=65000;rt="core.osc.gm";if="ace.group"; | |||
| sec-gp="ech0ech00000";app-gp="group2"; | sec-gp="ech0ech00000";app-gp="group2"; | |||
| cs_alg="-8";cs_alg_crv="6"; | cs_alg="-8";cs_alg_crv="6"; | |||
| cs_key_kty="1";cs_key_crv=6"; | cs_kenc="1";ecdh_alg="-27"; | |||
| cs_kenc="1", | ecdh_alg_crv="4", | |||
| </ace-group/abcdef120000>;ct=41;rt="core.osc.gm";if="ace.group"; | </ace-group/abcdef120000>;ct=65000;rt="core.osc.gm";if="ace.group"; | |||
| sec-gp="abcdef120000";app-gp="group3"; | sec-gp="abcdef120000";app-gp="group3"; | |||
| app-gp="group4";cs_alg="-8"; | app-gp="group4";cs_alg="-8"; | |||
| cs_alg_crv="6";cs_key_kty="1"; | cs_alg_crv="6";cs_kenc="1"; | |||
| cs_key_crv=6";cs_kenc="1", | ecdh_alg="-27";ecdh_alg_crv="4", | |||
| <coap://as.example.com/token>; | <coap://as.example.com/token>; | |||
| rel="authorization-server"; | rel="authorization-server"; | |||
| anchor="coap://[2001:db8::ab]/ace-group/feedca570000", | anchor="coap://[2001:db8::ab]/ace-group/feedca570000", | |||
| <coap://as.example.com/token>; | <coap://as.example.com/token>; | |||
| rel="authorization-server"; | rel="authorization-server"; | |||
| anchor="coap://[2001:db8::ab]/ace-group/ech0ech00000", | anchor="coap://[2001:db8::ab]/ace-group/ech0ech00000", | |||
| <coap://as.example.com/token>; | <coap://as.example.com/token>; | |||
| rel="authorization-server"; | rel="authorization-server"; | |||
| anchor="coap://[2001:db8::ab]/ace-group/abcdef120000" | anchor="coap://[2001:db8::ab]/ace-group/abcdef120000" | |||
| skipping to change at page 13, line 4 ¶ | skipping to change at page 13, line 40 ¶ | |||
| anchor="coap://[2001:db8::ab]/ace-group/abcdef120000" | anchor="coap://[2001:db8::ab]/ace-group/abcdef120000" | |||
| Response: RD -> GM | Response: RD -> GM | |||
| Res: 2.04 Changed | Res: 2.04 Changed | |||
| Location-Path: /rd/4521 | Location-Path: /rd/4521 | |||
| 3.1.2. Example in CoRAL | 3.1.2. Example in CoRAL | |||
| Request: GM -> RD | Request: GM -> RD | |||
| Req: POST coap://rd.example.com/rd?ep=gm1 | Req: POST coap://rd.example.com/rd?ep=gm1 | |||
| Content-Format: TBD123456 (application/coral+cbor) | Content-Format: TBD123456 (application/coral+cbor) | |||
| Payload: | Payload: | |||
| #using <http://coreapps.org/core.oscore-discovery#> | #using <http://coreapps.org/core.oscore-discovery#> | |||
| #using reef = <http://coreapps.org/reef#> | #using reef = <http://coreapps.org/reef#> | |||
| #using iana = <http://www.iana.org/assignments/relation/> | #using iana = <http://www.iana.org/assignments/relation/> | |||
| #base <coap://[2001:db8::ab]/> | #base <coap://[2001:db8::ab]/> | |||
| reef:rd-item </ace-group/feedca570000> { | reef:rd-item </ace-group/feedca570000> { | |||
| reef:ct 65000 | ||||
| reef:rt "core.osc.gm" | reef:rt "core.osc.gm" | |||
| reef:if "ace.group" | reef:if "ace.group" | |||
| sec-gp "feedca570000" | sec-gp "feedca570000" | |||
| app-gp "group1" | app-gp "group1" | |||
| cs_alg -8 | cs_alg -8 | |||
| cs_alg_crv 6 | cs_alg_crv 6 | |||
| cs_key_kty 1 | ||||
| cs_key_crv 6 | ||||
| cs_kenc 1 | cs_kenc 1 | |||
| ecdh_alg -27 | ||||
| ecdh_alg_crv 4 | ||||
| iana:authorization-server <coap://as.example.com/token> | iana:authorization-server <coap://as.example.com/token> | |||
| } | } | |||
| reef:rd-item </ace-group/ech0ech00000> { | reef:rd-item </ace-group/ech0ech00000> { | |||
| reef:ct 65000 | ||||
| reef:rt "core.osc.gm" | reef:rt "core.osc.gm" | |||
| reef:if "ace.group" | reef:if "ace.group" | |||
| sec-gp "ech0ech00000" | sec-gp "ech0ech00000" | |||
| app-gp "group2" | app-gp "group2" | |||
| cs_alg -8 | cs_alg -8 | |||
| cs_alg_crv 6 | cs_alg_crv 6 | |||
| cs_key_kty 1 | ||||
| cs_key_crv 6 | ||||
| cs_kenc 1 | cs_kenc 1 | |||
| ecdh_alg -27 | ||||
| ecdh_alg_crv 4 | ||||
| iana:authorization-server <coap://as.example.com/token> | iana:authorization-server <coap://as.example.com/token> | |||
| } | } | |||
| reef:rd-item </ace-group/abcdef120000> { | reef:rd-item </ace-group/abcdef120000> { | |||
| reef:ct 65000 | ||||
| reef:rt "core.osc.gm" | reef:rt "core.osc.gm" | |||
| reef:if "ace.group" | reef:if "ace.group" | |||
| sec-gp "abcdef120000" | sec-gp "abcdef120000" | |||
| app-gp "group3" | app-gp "group3" | |||
| app-gp "group4" | app-gp "group4" | |||
| cs_alg -8 | cs_alg -8 | |||
| cs_alg_crv 6 | cs_alg_crv 6 | |||
| cs_key_kty 1 | ||||
| cs_key_crv 6 | ||||
| cs_kenc 1 | cs_kenc 1 | |||
| ecdh_alg -27 | ||||
| ecdh_alg_crv 4 | ||||
| iana:authorization-server <coap://as.example.com/token> | iana:authorization-server <coap://as.example.com/token> | |||
| } | } | |||
| Response: RD -> GM | Response: RD -> GM | |||
| Res: 2.04 Changed | Res: 2.04 Changed | |||
| Location-Path: /rd/4521 | Location-Path: /rd/4521 | |||
| 4. Discovery of Security Groups | 4. Discovery of Security Groups | |||
| A CoAP endpoint that wants to join a security group, hereafter called | A CoAP endpoint that wants to join a security group, hereafter called | |||
| the joining node, might not have all the necessary information at | the joining node, might not have all the necessary information at | |||
| deployment time. Also, it might want to know about possible new | deployment time. Also, it might want to know about possible new | |||
| security groups created afterwards by the respective Group Managers. | security groups created afterwards by the respective Group Managers. | |||
| skipping to change at page 15, line 29 ¶ | skipping to change at page 16, line 26 ¶ | |||
| member (see [I-D.ietf-ace-key-groupcomm-oscore]). | member (see [I-D.ietf-ace-key-groupcomm-oscore]). | |||
| Note that, with RD-based discovery, including the 'app-gp' parameter | Note that, with RD-based discovery, including the 'app-gp' parameter | |||
| multiple times would result in finding only the group-membership | multiple times would result in finding only the group-membership | |||
| resource that serves all the specified application groups, i.e. not | resource that serves all the specified application groups, i.e. not | |||
| any group-membership resource that serves either. Therefore, a | any group-membership resource that serves either. Therefore, a | |||
| joining node needs to perform N separate queries with different | joining node needs to perform N separate queries with different | |||
| values for 'app-gp', in order to safely discover the (different) | values for 'app-gp', in order to safely discover the (different) | |||
| group-membership resource(s) serving the N application groups. | group-membership resource(s) serving the N application groups. | |||
| The discovery of security groups as defined in this document is | ||||
| applicable and useful to other CoAP endpoints than the actual joining | ||||
| nodes. In particular, other entities can be interested to discover | ||||
| and interact with the group-membership resource at the Group Manager. | ||||
| These include entities acting as signature checkers, e.g. | ||||
| intermediary gateways, that do not join a security group, but can | ||||
| retrieve public keys of group members from the Group Manager, in | ||||
| order to verify counter signatures of group messages (see Section 3 | ||||
| of [I-D.ietf-core-oscore-groupcomm]). | ||||
| 4.1. Discovery Example #1 | 4.1. Discovery Example #1 | |||
| Consistently with the examples in Section 2 and Section 3, the | Consistently with the examples in Section 2 and Section 3, the | |||
| examples below consider a joining node that wants to join the | examples below consider a joining node that wants to join the | |||
| security group associated with the application group "group1", but | security group associated with the application group "group1", but | |||
| that does not know the name of the security group, the responsible GM | that does not know the name of the security group, the responsible GM | |||
| and the group-membership resource to access. | and the group-membership resource to access. | |||
| 4.1.1. Example in Link Format | 4.1.1. Example in Link Format | |||
| skipping to change at page 15, line 45 ¶ | skipping to change at page 17, line 4 ¶ | |||
| and the group-membership resource to access. | and the group-membership resource to access. | |||
| 4.1.1. Example in Link Format | 4.1.1. Example in Link Format | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://rd.example.com/rd-lookup/res | Req: GET coap://rd.example.com/rd-lookup/res | |||
| ?rt=core.osc.gm&app-gp=group1 | ?rt=core.osc.gm&app-gp=group1 | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Payload: | Payload: | |||
| <coap://[2001:db8::ab]/ace-group/feedca570000>;rt="core.osc.gm"; | <coap://[2001:db8::ab]/ace-group/feedca570000>;ct=65000; | |||
| if="ace.group";sec-gp="feedca570000";app-gp="group1"; | rt="core.osc.gm";if="ace.group";sec-gp="feedca570000"; | |||
| cs_alg="-8";cs_alg_crv="6";cs_key_kty="1";cs_key_crv=6"; | app-gp="group1";cs_alg="-8";cs_alg_crv="6"; | |||
| cs_kenc="1";anchor="coap://[2001:db8::ab]" | cs_kenc="1";ecdh_alg="-27";ecdh_alg_crv="4"; | |||
| anchor="coap://[2001:db8::ab]" | ||||
| By performing the separate resource lookup below, the joining node | By performing the separate resource lookup below, the joining node | |||
| can retrieve the link to the ACE Authorization Server associated to | can retrieve the link to the ACE Authorization Server associated to | |||
| the GM, where to send an Authorization Request for joining the | the GM, where to send an Authorization Request for joining the | |||
| corresponding security group (see | corresponding security group (see | |||
| [I-D.ietf-ace-key-groupcomm-oscore]). | [I-D.ietf-ace-key-groupcomm-oscore]). | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://rd.example.com/rd-lookup/res | Req: GET coap://rd.example.com/rd-lookup/res | |||
| ?rel="authorization-server"& | ?rel=authorization-server& | |||
| anchor="coap://[2001:db8::ab]/ace-group/feedca570000" | anchor=coap://[2001:db8::ab]/ace-group/feedca570000 | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Payload: | Payload: | |||
| <coap://as.example.com/token> | <coap://as.example.com/token> | |||
| To retrieve the multicast IP address of the CoAP group used by the | To retrieve the multicast IP address of the CoAP group used by the | |||
| application group "group1", the joining node performs an endpoint | application group "group1", the joining node performs an endpoint | |||
| lookup as shown below. The following assumes that the application | lookup as shown below. The following assumes that the application | |||
| skipping to change at page 16, line 40 ¶ | skipping to change at page 17, line 47 ¶ | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://rd.example.com/rd-lookup/ep | Req: GET coap://rd.example.com/rd-lookup/ep | |||
| ?et=core.rd-group&ep=group1 | ?et=core.rd-group&ep=group1 | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Payload: | Payload: | |||
| </rd/501>;ep="group1";et="core.rd-group"; | </rd/501>;ep="group1";et="core.rd-group"; | |||
| base="coap://[ff35:30:2001:db8::23]" | base="coap://[ff35:30:2001:db8::23]";rt="core.rd-ep" | |||
| 4.1.2. Example in CoRAL | 4.1.2. Example in CoRAL | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://rd.example.com/rd-lookup/res | Req: GET coap://rd.example.com/rd-lookup/res | |||
| ?rt=core.osc.gm&app-gp=group1 | ?rt=core.osc.gm&app-gp=group1 | |||
| Accept: TBD123456 (application/coral+cbor) | Accept: TBD123456 (application/coral+cbor) | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| skipping to change at page 17, line 4 ¶ | skipping to change at page 18, line 14 ¶ | |||
| 4.1.2. Example in CoRAL | 4.1.2. Example in CoRAL | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://rd.example.com/rd-lookup/res | Req: GET coap://rd.example.com/rd-lookup/res | |||
| ?rt=core.osc.gm&app-gp=group1 | ?rt=core.osc.gm&app-gp=group1 | |||
| Accept: TBD123456 (application/coral+cbor) | Accept: TBD123456 (application/coral+cbor) | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Content-Format: TBD123456 (application/coral+cbor) | Content-Format: TBD123456 (application/coral+cbor) | |||
| Payload: | Payload: | |||
| #using <http://coreapps.org/core.oscore-discovery#> | #using <http://coreapps.org/core.oscore-discovery#> | |||
| #using reef = <http://coreapps.org/reef#> | #using reef = <http://coreapps.org/reef#> | |||
| #using iana = <http://www.iana.org/assignments/relation/> | #using iana = <http://www.iana.org/assignments/relation/> | |||
| #base <coap://[2001:db8::ab]/> | #base <coap://[2001:db8::ab]/> | |||
| reef:rd-item </ace-group/feedca570000> { | reef:rd-item </ace-group/feedca570000> { | |||
| reef:ct 65000 | ||||
| reef:rt "core.osc.gm" | reef:rt "core.osc.gm" | |||
| reef:if "ace.group" | reef:if "ace.group" | |||
| sec-gp "feedca570000" | sec-gp "feedca570000" | |||
| app-gp "group1" | app-gp "group1" | |||
| cs_alg -8 | cs_alg -8 | |||
| cs_alg_crv 6 | cs_alg_crv 6 | |||
| cs_key_kty 1 | ||||
| cs_key_crv 6 | ||||
| cs_kenc 1 | cs_kenc 1 | |||
| ecdh_alg -27 | ||||
| ecdh_alg_crv 4 | ||||
| iana:authorization-server <coap://as.example.com/token> | iana:authorization-server <coap://as.example.com/token> | |||
| } | } | |||
| To retrieve the multicast IP address of the CoAP group used by the | To retrieve the multicast IP address of the CoAP group used by the | |||
| application group "group1", the joining node performs an endpoint | application group "group1", the joining node performs an endpoint | |||
| lookup as shown below. The following assumes that the application | lookup as shown below. The following assumes that the application | |||
| group "group1" had been previously registered, with | group "group1" had been previously registered, with | |||
| ff35:30:2001:db8::23 as multicast IP address of the associated CoAP | ff35:30:2001:db8::23 as multicast IP address of the associated CoAP | |||
| group. | group. | |||
| skipping to change at page 18, line 12 ¶ | skipping to change at page 19, line 12 ¶ | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Content-Format: TBD123456 (application/coral+cbor) | Content-Format: TBD123456 (application/coral+cbor) | |||
| Payload: | Payload: | |||
| #using <http://coreapps.org/core.oscore-discovery#> | #using <http://coreapps.org/core.oscore-discovery#> | |||
| #using reef = <http://coreapps.org/reef#> | #using reef = <http://coreapps.org/reef#> | |||
| reef:rd-unit <./rd/501> { | reef:rd-unit <./rd/501> { | |||
| reef:ep="group1" | reef:ep "group1" | |||
| reef:et="core.rd-group" | reef:et "core.rd-group" | |||
| reef:base <coap://[ff35:30:2001:db8::23]> | reef:base <coap://[ff35:30:2001:db8::23]> | |||
| reef:rt "core.rd-ep" | ||||
| } | } | |||
| 4.2. Discovery Example #2 | 4.2. Discovery Example #2 | |||
| Consistently with the examples in Section 2 and Section 3, the | Consistently with the examples in Section 2 and Section 3, the | |||
| examples below consider a joining node that wants to join the | examples below consider a joining node that wants to join the | |||
| security group with name "feedca570000", but that does not know the | security group with name "feedca570000", but that does not know the | |||
| responsible GM, the group-membership resource to access, and the | responsible GM, the group-membership resource to access, and the | |||
| associated application groups. | associated application groups. | |||
| skipping to change at page 18, line 45 ¶ | skipping to change at page 19, line 46 ¶ | |||
| Req: GET coap://rd.example.com/rd-lookup/res | Req: GET coap://rd.example.com/rd-lookup/res | |||
| ?rt=core.osc.gm&sec-gp=feedca570000 | ?rt=core.osc.gm&sec-gp=feedca570000 | |||
| Observe: 0 | Observe: 0 | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Observe: 24 | Observe: 24 | |||
| Payload: | Payload: | |||
| <coap://[2001:db8::ab]/ace-group/feedca570000>;rt="core.osc.gm"; | <coap://[2001:db8::ab]/ace-group/feedca570000>;ct=65000; | |||
| if="ace.group";sec-gp="feedca570000";app-gp="group1"; | rt="core.osc.gm";if="ace.group";sec-gp="feedca570000"; | |||
| cs_alg="-8";cs_alg_crv="6";cs_key_kty="1";cs_key_crv=6"; | app-gp="group1";cs_alg="-8";cs_alg_crv="6"; | |||
| cs_kenc="1";anchor="coap://[2001:db8::ab]" | cs_kenc="1";ecdh_alg="-27";ecdh_alg_crv="4"; | |||
| anchor="coap://[2001:db8::ab]" | ||||
| Depending on the search criteria, the joining node performing the | Depending on the search criteria, the joining node performing the | |||
| resource lookup can get large responses. This can happen, for | resource lookup can get large responses. This can happen, for | |||
| instance, when the lookup request targets all the group-membership | instance, when the lookup request targets all the group-membership | |||
| resources at a specified GM, or all the group-membership resources of | resources at a specified GM, or all the group-membership resources of | |||
| all the registered GMs, as in the example below. | all the registered GMs, as in the example below. | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://rd.example.com/rd-lookup/res?rt=core.osc.gm | Req: GET coap://rd.example.com/rd-lookup/res?rt=core.osc.gm | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Payload: | Payload: | |||
| <coap://[2001:db8::ab]/ace-group/feedca570000>;rt="core.osc.gm"; | <coap://[2001:db8::ab]/ace-group/feedca570000>;ct=65000; | |||
| if="ace.group";sec-gp="feedca570000";app-gp="group1"; | rt="core.osc.gm";if="ace.group";sec-gp="feedca570000"; | |||
| cs_alg="-8";cs_alg_crv="6";cs_key_kty="1";cs_key_crv=6"; | app-gp="group1";cs_alg="-8";cs_alg_crv="6"; | |||
| cs_kenc="1";anchor="coap://[2001:db8::ab]", | cs_kenc="1";ecdh_alg="-27";ecdh_alg_crv="4"; | |||
| <coap://[2001:db8::ab]/ace-group/ech0ech00000>;rt="core.osc.gm"; | anchor="coap://[2001:db8::ab]", | |||
| if="ace.group";sec-gp="ech0ech00000";app-gp="group2"; | <coap://[2001:db8::ab]/ace-group/ech0ech00000>;ct=65000; | |||
| cs_alg="-8";cs_alg_crv="6";cs_key_kty="1";cs_key_crv=6"; | rt="core.osc.gm";if="ace.group";sec-gp="ech0ech00000"; | |||
| cs_kenc="1";anchor="coap://[2001:db8::ab]", | app-gp="group2";cs_alg="-8";cs_alg_crv="6"; | |||
| <coap://[2001:db8::ab]/ace-group/abcdef120000>;rt="core.osc.gm"; | cs_kenc="1";ecdh_alg="-27";ecdh_alg_crv="4"; | |||
| if="ace.group";sec-gp="abcdef120000";app-gp="group3"; | anchor="coap://[2001:db8::ab]", | |||
| app-gp="group4";cs_alg="-8";cs_alg_crv="6";cs_key_kty="1"; | <coap://[2001:db8::ab]/ace-group/abcdef120000>;ct=65000; | |||
| cs_key_crv=6";cs_kenc="1";anchor="coap://[2001:db8::ab]" | rt="core.osc.gm";if="ace.group";sec-gp="abcdef120000"; | |||
| app-gp="group3";app-gp="group4";cs_alg="-8";cs_alg_crv="6"; | ||||
| cs_kenc="1";ecdh_alg="-27";ecdh_alg_crv="4"; | ||||
| anchor="coap://[2001:db8::ab]" | ||||
| Therefore, it is RECOMMENDED that a joining node which performs a | Therefore, it is RECOMMENDED that a joining node which performs a | |||
| resource lookup with the CoAP Observe option specifies the value of | resource lookup with the CoAP Observe option specifies the value of | |||
| the parameter 'sec-gp' in its GET request sent to the RD. | the parameter 'sec-gp' in its GET request sent to the RD. | |||
| 4.2.2. Example in CoRAL | 4.2.2. Example in CoRAL | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://rd.example.com/rd-lookup/res | Req: GET coap://rd.example.com/rd-lookup/res | |||
| skipping to change at page 20, line 15 ¶ | skipping to change at page 21, line 15 ¶ | |||
| Observe: 24 | Observe: 24 | |||
| Content-Format: TBD123456 (application/coral+cbor) | Content-Format: TBD123456 (application/coral+cbor) | |||
| Payload: | Payload: | |||
| #using <http://coreapps.org/core.oscore-discovery#> | #using <http://coreapps.org/core.oscore-discovery#> | |||
| #using reef = <http://coreapps.org/reef#> | #using reef = <http://coreapps.org/reef#> | |||
| #using iana = <http://www.iana.org/assignments/relation/> | #using iana = <http://www.iana.org/assignments/relation/> | |||
| #base <coap://[2001:db8::ab]/> | #base <coap://[2001:db8::ab]/> | |||
| reef:rd-item </ace-group/feedca570000> { | reef:rd-item </ace-group/feedca570000> { | |||
| reef:rt "core.osc.gm" | reef:ct 65000 | |||
| reef:if "ace.group" | reef:rt "core.osc.gm" | |||
| sec-gp "feedca570000" | reef:if "ace.group" | |||
| app-gp "group1" | sec-gp "feedca570000" | |||
| cs_alg -8 | app-gp "group1" | |||
| cs_alg_crv 6 | cs_alg -8 | |||
| cs_key_kty 1 | cs_alg_crv 6 | |||
| cs_key_crv 6 | cs_kenc 1 | |||
| cs_kenc 1 | ecdh_alg -27 | |||
| iana:authorization-server <coap://as.example.com/token> | ecdh_alg_crv 4 | |||
| iana:authorization-server <coap://as.example.com/token> | ||||
| } | } | |||
| 5. Use Case Example With Full Discovery | 5. Use Case Example With Full Discovery | |||
| In this section, the discovery of security groups is described to | In this section, the discovery of security groups is described to | |||
| support the installation process of a lighting installation in an | support the installation process of a lighting installation in an | |||
| office building. The described process is a simplified version of | office building. The described process is a simplified version of | |||
| one of many processes. | one of many processes. | |||
| The process described in this section is intended as an example and | The process described in this section is intended as an example and | |||
| skipping to change at page 22, line 35 ¶ | skipping to change at page 23, line 35 ¶ | |||
| Finally, the CT defines the corresponding security groups. In | Finally, the CT defines the corresponding security groups. In | |||
| particular, assuming a Group Manager responsible for both security | particular, assuming a Group Manager responsible for both security | |||
| groups and with address [2001:db8::ab], the CT specifies: | groups and with address [2001:db8::ab], the CT specifies: | |||
| Request: CT -> RD | Request: CT -> RD | |||
| Req: POST coap://[2001:db8:4::ff]/rd | Req: POST coap://[2001:db8:4::ff]/rd | |||
| ?ep=gm1&base=coap://[2001:db8::ab] | ?ep=gm1&base=coap://[2001:db8::ab] | |||
| Content-Format: 40 | Content-Format: 40 | |||
| Payload: | Payload: | |||
| </ace-group/feedca570000>;ct=41;rt="core.osc.gm";if="ace.group"; | </ace-group/feedca570000>;ct=65000;rt="core.osc.gm";if="ace.group"; | |||
| sec-gp="feedca570000"; | sec-gp="feedca570000"; | |||
| app-gp="grp_R2-4-015", | app-gp="grp_R2-4-015", | |||
| </ace-group/feedsc590000>;ct=41;rt="core.osc.gm";if="ace.group"; | </ace-group/feedsc590000>;ct=65000;rt="core.osc.gm";if="ace.group"; | |||
| sec-gp="feedsc590000"; | sec-gp="feedsc590000"; | |||
| app-gp="grp_schedule" | app-gp="grp_schedule" | |||
| Response: RD -> CT | Response: RD -> CT | |||
| Res: 2.01 Created | Res: 2.01 Created | |||
| Location-Path: /rd/4521 | Location-Path: /rd/4521 | |||
| *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** | *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** | |||
| skipping to change at page 23, line 16 ¶ | skipping to change at page 24, line 16 ¶ | |||
| Req: GET coap://[2001:db8:4::ff]/rd-lookup/ep | Req: GET coap://[2001:db8:4::ff]/rd-lookup/ep | |||
| ?et=core.rd-group&ep=grp_R2-4-015 | ?et=core.rd-group&ep=grp_R2-4-015 | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Content-Format: 40 | Content-Format: 40 | |||
| Payload: | Payload: | |||
| </rd/501>;ep="grp_R2-4-015";et="core.rd-group"; | </rd/501>;ep="grp_R2-4-015";et="core.rd-group"; | |||
| base="coap://[ff05::5:1]" | base="coap://[ff05::5:1]";rt="core.rd-ep" | |||
| Similarly, to retrieve the multicast IP address of the CoAP group | Similarly, to retrieve the multicast IP address of the CoAP group | |||
| used by the application group "grp_schedule", the device performs an | used by the application group "grp_schedule", the device performs an | |||
| endpoint lookup as shown below. | endpoint lookup as shown below. | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://[2001:db8:4::ff]/rd-lookup/ep | Req: GET coap://[2001:db8:4::ff]/rd-lookup/ep | |||
| ?et=core.rd-group&ep=grp_schedule | ?et=core.rd-group&ep=grp_schedule | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Content-Format: 40 | Content-Format: 40 | |||
| Payload: | Payload: | |||
| </rd/502>;ep="grp_schedule";et="core.rd-group"; | </rd/502>;ep="grp_schedule";et="core.rd-group"; | |||
| base="coap://[ff05::5:2]" | base="coap://[ff05::5:2]";rt="core.rd-ep" | |||
| *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** | *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** | |||
| Consequently, the device learns the security groups it has to join. | Consequently, the device learns the security groups it has to join. | |||
| In particular, it does the following for app-gp="grp_R2-4-015". | In particular, it does the following for app-gp="grp_R2-4-015". | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://[2001:db8:4::ff]/rd-lookup/res | Req: GET coap://[2001:db8:4::ff]/rd-lookup/res | |||
| ?rt=core.osc.gm&app-gp=grp_R2-4-015 | ?rt=core.osc.gm&app-gp=grp_R2-4-015 | |||
| Response: RD -> Joining Node | Response: RD -> Joining Node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Content-Format: 40 | Content-Format: 40 | |||
| Payload: | Payload: | |||
| <coap://[2001:db8::ab]/ace-group/feedca570000>; | <coap://[2001:db8::ab]/ace-group/feedca570000>;ct=65000; | |||
| rt="core.osc.gm";if="ace.group";sec-gp="feedca570000"; | rt="core.osc.gm";if="ace.group";sec-gp="feedca570000"; | |||
| app-gp="grp_R2-4-015";anchor="coap://[2001:db8::ab]" | app-gp="grp_R2-4-015";anchor="coap://[2001:db8::ab]" | |||
| Similarly, the device does the following for app-gp="grp_schedule". | Similarly, the device does the following for app-gp="grp_schedule". | |||
| Req: GET coap://[2001:db8:4::ff]/rd-lookup/res | Req: GET coap://[2001:db8:4::ff]/rd-lookup/res | |||
| ?rt=core.osc.gm&app-gp=grp_schedule | ?rt=core.osc.gm&app-gp=grp_schedule | |||
| Response: RD -> Joining Node | Response: RD -> Joining Node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Content-Format: 40 | Content-Format: 40 | |||
| Payload: | Payload: | |||
| <coap://[2001:db8::ab]/ace-group/feedsc590000>; | <coap://[2001:db8::ab]/ace-group/feedsc590000>;ct=65000; | |||
| rt="core.osc.gm";if="ace.group";sec-gp="feedsc590000"; | rt="core.osc.gm";if="ace.group";sec-gp="feedsc590000"; | |||
| app-gp="grp_schedule";anchor="coap://[2001:db8::ab]" | app-gp="grp_schedule";anchor="coap://[2001:db8::ab]" | |||
| *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** | *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** | |||
| After this last discovery step, the device can ask permission to join | After this last discovery step, the device can ask permission to join | |||
| the security groups, and effectively join them through the Group | the security groups, and effectively join them through the Group | |||
| Manager, e.g. according to [I-D.ietf-ace-key-groupcomm-oscore]. | Manager, e.g. according to [I-D.ietf-ace-key-groupcomm-oscore]. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| skipping to change at page 25, line 13 ¶ | skipping to change at page 26, line 13 ¶ | |||
| type>. | type>. | |||
| [I-D.ietf-core-coral] | [I-D.ietf-core-coral] | |||
| Hartke, K., "The Constrained RESTful Application Language | Hartke, K., "The Constrained RESTful Application Language | |||
| (CoRAL)", draft-ietf-core-coral-03 (work in progress), | (CoRAL)", draft-ietf-core-coral-03 (work in progress), | |||
| March 2020. | March 2020. | |||
| [I-D.ietf-core-groupcomm-bis] | [I-D.ietf-core-groupcomm-bis] | |||
| Dijk, E., Wang, C., and M. Tiloca, "Group Communication | Dijk, E., Wang, C., and M. Tiloca, "Group Communication | |||
| for the Constrained Application Protocol (CoAP)", draft- | for the Constrained Application Protocol (CoAP)", draft- | |||
| ietf-core-groupcomm-bis-02 (work in progress), November | ietf-core-groupcomm-bis-03 (work in progress), February | |||
| 2020. | 2021. | |||
| [I-D.ietf-core-oscore-groupcomm] | [I-D.ietf-core-oscore-groupcomm] | |||
| Tiloca, M., Selander, G., Palombini, F., and J. Park, | Tiloca, M., Selander, G., Palombini, F., Mattsson, J., and | |||
| "Group OSCORE - Secure Group Communication for CoAP", | J. Park, "Group OSCORE - Secure Group Communication for | |||
| draft-ietf-core-oscore-groupcomm-10 (work in progress), | CoAP", draft-ietf-core-oscore-groupcomm-11 (work in | |||
| November 2020. | progress), February 2021. | |||
| [I-D.ietf-core-resource-directory] | [I-D.ietf-core-resource-directory] | |||
| Shelby, Z., Koster, M., Bormann, C., Stok, P., and C. | Amsuess, C., Shelby, Z., Koster, M., Bormann, C., and P. | |||
| Amsuess, "CoRE Resource Directory", draft-ietf-core- | Stok, "CoRE Resource Directory", draft-ietf-core-resource- | |||
| resource-directory-25 (work in progress), July 2020. | directory-26 (work in progress), November 2020. | |||
| [I-D.ietf-cose-rfc8152bis-algs] | [I-D.ietf-cose-rfc8152bis-algs] | |||
| Schaad, J., "CBOR Object Signing and Encryption (COSE): | Schaad, J., "CBOR Object Signing and Encryption (COSE): | |||
| Initial Algorithms", draft-ietf-cose-rfc8152bis-algs-12 | Initial Algorithms", draft-ietf-cose-rfc8152bis-algs-12 | |||
| (work in progress), September 2020. | (work in progress), September 2020. | |||
| [I-D.ietf-cose-rfc8152bis-struct] | [I-D.ietf-cose-rfc8152bis-struct] | |||
| Schaad, J., "CBOR Object Signing and Encryption (COSE): | Schaad, J., "CBOR Object Signing and Encryption (COSE): | |||
| Structures and Process", draft-ietf-cose-rfc8152bis- | Structures and Process", draft-ietf-cose-rfc8152bis- | |||
| struct-14 (work in progress), September 2020. | struct-15 (work in progress), February 2021. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC6690] Shelby, Z., "Constrained RESTful Environments (CoRE) Link | [RFC6690] Shelby, Z., "Constrained RESTful Environments (CoRE) Link | |||
| Format", RFC 6690, DOI 10.17487/RFC6690, August 2012, | Format", RFC 6690, DOI 10.17487/RFC6690, August 2012, | |||
| <https://www.rfc-editor.org/info/rfc6690>. | <https://www.rfc-editor.org/info/rfc6690>. | |||
| skipping to change at page 26, line 27 ¶ | skipping to change at page 27, line 31 ¶ | |||
| 2018.pdf>. | 2018.pdf>. | |||
| [I-D.hartke-t2trg-coral-reef] | [I-D.hartke-t2trg-coral-reef] | |||
| Hartke, K., "Resource Discovery in Constrained RESTful | Hartke, K., "Resource Discovery in Constrained RESTful | |||
| Environments (CoRE) using the Constrained RESTful | Environments (CoRE) using the Constrained RESTful | |||
| Application Language (CoRAL)", draft-hartke-t2trg-coral- | Application Language (CoRAL)", draft-hartke-t2trg-coral- | |||
| reef-04 (work in progress), May 2020. | reef-04 (work in progress), May 2020. | |||
| [I-D.ietf-ace-key-groupcomm] | [I-D.ietf-ace-key-groupcomm] | |||
| Palombini, F. and M. Tiloca, "Key Provisioning for Group | Palombini, F. and M. Tiloca, "Key Provisioning for Group | |||
| Communication using ACE", draft-ietf-ace-key-groupcomm-10 | Communication using ACE", draft-ietf-ace-key-groupcomm-11 | |||
| (work in progress), November 2020. | (work in progress), February 2021. | |||
| [I-D.ietf-ace-key-groupcomm-oscore] | [I-D.ietf-ace-key-groupcomm-oscore] | |||
| Tiloca, M., Park, J., and F. Palombini, "Key Management | Tiloca, M., Park, J., and F. Palombini, "Key Management | |||
| for OSCORE Groups in ACE", draft-ietf-ace-key-groupcomm- | for OSCORE Groups in ACE", draft-ietf-ace-key-groupcomm- | |||
| oscore-09 (work in progress), November 2020. | oscore-10 (work in progress), February 2021. | |||
| [I-D.ietf-ace-oauth-authz] | [I-D.ietf-ace-oauth-authz] | |||
| Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | |||
| H. Tschofenig, "Authentication and Authorization for | H. Tschofenig, "Authentication and Authorization for | |||
| Constrained Environments (ACE) using the OAuth 2.0 | Constrained Environments (ACE) using the OAuth 2.0 | |||
| Framework (ACE-OAuth)", draft-ietf-ace-oauth-authz-35 | Framework (ACE-OAuth)", draft-ietf-ace-oauth-authz-37 | |||
| (work in progress), June 2020. | (work in progress), February 2021. | |||
| [I-D.ietf-ace-oscore-gm-admin] | [I-D.ietf-ace-oscore-gm-admin] | |||
| Tiloca, M., Hoeglund, R., Stok, P., Palombini, F., and K. | Tiloca, M., Hoeglund, R., Stok, P., Palombini, F., and K. | |||
| Hartke, "Admin Interface for the OSCORE Group Manager", | Hartke, "Admin Interface for the OSCORE Group Manager", | |||
| draft-ietf-ace-oscore-gm-admin-01 (work in progress), | draft-ietf-ace-oscore-gm-admin-02 (work in progress), | |||
| November 2020. | February 2021. | |||
| [I-D.ietf-anima-bootstrapping-keyinfra] | [I-D.ietf-anima-bootstrapping-keyinfra] | |||
| Pritikin, M., Richardson, M., Eckert, T., Behringer, M., | Pritikin, M., Richardson, M., Eckert, T., Behringer, M., | |||
| and K. Watsen, "Bootstrapping Remote Secure Key | and K. Watsen, "Bootstrapping Remote Secure Key | |||
| Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping- | Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping- | |||
| keyinfra-44 (work in progress), September 2020. | keyinfra-45 (work in progress), November 2020. | |||
| [I-D.ietf-cbor-7049bis] | ||||
| Bormann, C. and P. Hoffman, "Concise Binary Object | ||||
| Representation (CBOR)", draft-ietf-cbor-7049bis-16 (work | ||||
| in progress), September 2020. | ||||
| [RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for | [RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for | |||
| Constrained-Node Networks", RFC 7228, | Constrained-Node Networks", RFC 7228, | |||
| DOI 10.17487/RFC7228, May 2014, | DOI 10.17487/RFC7228, May 2014, | |||
| <https://www.rfc-editor.org/info/rfc7228>. | <https://www.rfc-editor.org/info/rfc7228>. | |||
| [RFC7641] Hartke, K., "Observing Resources in the Constrained | [RFC7641] Hartke, K., "Observing Resources in the Constrained | |||
| Application Protocol (CoAP)", RFC 7641, | Application Protocol (CoAP)", RFC 7641, | |||
| DOI 10.17487/RFC7641, September 2015, | DOI 10.17487/RFC7641, September 2015, | |||
| <https://www.rfc-editor.org/info/rfc7641>. | <https://www.rfc-editor.org/info/rfc7641>. | |||
| [RFC8132] van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and | [RFC8132] van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and | |||
| FETCH Methods for the Constrained Application Protocol | FETCH Methods for the Constrained Application Protocol | |||
| (CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017, | (CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017, | |||
| <https://www.rfc-editor.org/info/rfc8132>. | <https://www.rfc-editor.org/info/rfc8132>. | |||
| [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | ||||
| Interchange Format", STD 90, RFC 8259, | ||||
| DOI 10.17487/RFC8259, December 2017, | ||||
| <https://www.rfc-editor.org/info/rfc8259>. | ||||
| [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, | [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, | |||
| "Object Security for Constrained RESTful Environments | "Object Security for Constrained RESTful Environments | |||
| (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, | (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, | |||
| <https://www.rfc-editor.org/info/rfc8613>. | <https://www.rfc-editor.org/info/rfc8613>. | |||
| Appendix A. Use Case Example With Full Discovery (CoRAL) | Appendix A. Use Case Example With Full Discovery (CoRAL) | |||
| This section provides the same use case example of Section 5, but | This section provides the same use case example of Section 5, but | |||
| specified in CoRAL [I-D.ietf-core-coral]. | specified in CoRAL [I-D.ietf-core-coral]. | |||
| skipping to change at page 29, line 13 ¶ | skipping to change at page 30, line 13 ¶ | |||
| Request: CT -> RD | Request: CT -> RD | |||
| Req: POST coap://[2001:db8:4::ff]/rd?ep=gm1 | Req: POST coap://[2001:db8:4::ff]/rd?ep=gm1 | |||
| Content-Format: TBD123456 (application/coral+cbor) | Content-Format: TBD123456 (application/coral+cbor) | |||
| Payload: | Payload: | |||
| #using <http://coreapps.org/core.oscore-discovery#> | #using <http://coreapps.org/core.oscore-discovery#> | |||
| #using reef = <http://coreapps.org/reef#> | #using reef = <http://coreapps.org/reef#> | |||
| #base <coap://[2001:db8::ab]/> | #base <coap://[2001:db8::ab]/> | |||
| reef:rd-item </ace-group/feedca570000> { | reef:rd-item </ace-group/feedca570000> { | |||
| reef:ct 65000 | ||||
| reef:ct 41 | reef:ct 41 | |||
| reef:rt "core.osc.gm" | reef:rt "core.osc.gm" | |||
| reef:if "ace.group" | reef:if "ace.group" | |||
| sec-gp "feedca570000" | sec-gp "feedca570000" | |||
| app-gp "grp_R2-4-015" | app-gp "grp_R2-4-015" | |||
| } | } | |||
| reef:rd-item </ace-group/feedsc590000> { | reef:rd-item </ace-group/feedsc590000> { | |||
| reef:ct 65000 | ||||
| reef:ct 41 | reef:ct 41 | |||
| reef:rt "core.osc.gm" | reef:rt "core.osc.gm" | |||
| reef:if "ace.group" | reef:if "ace.group" | |||
| sec-gp "feedsc590000" | sec-gp "feedsc590000" | |||
| app-gp "grp_schedule" | app-gp "grp_schedule" | |||
| } | } | |||
| Response: RD -> CT | Response: RD -> CT | |||
| Res: 2.01 Created | Res: 2.01 Created | |||
| skipping to change at page 30, line 15 ¶ | skipping to change at page 31, line 15 ¶ | |||
| Content-Format: TBD123456 (application/coral+cbor) | Content-Format: TBD123456 (application/coral+cbor) | |||
| Payload: | Payload: | |||
| #using reef = <http://coreapps.org/reef#> | #using reef = <http://coreapps.org/reef#> | |||
| #base <coap://[2001:db8:4::ff]/rd/> | #base <coap://[2001:db8:4::ff]/rd/> | |||
| reef:rd-unit <501> { | reef:rd-unit <501> { | |||
| reef:ep "grp_R2-4-015" | reef:ep "grp_R2-4-015" | |||
| reef:et "core.rd-group" | reef:et "core.rd-group" | |||
| reef:base <coap://[ff05::5:1]/> | reef:base <coap://[ff05::5:1]/> | |||
| reef:rt "core.rd-ep" | ||||
| } | } | |||
| Similarly, to retrieve the multicast IP address of the CoAP group | Similarly, to retrieve the multicast IP address of the CoAP group | |||
| used by the application group "grp_schedule", the device performs an | used by the application group "grp_schedule", the device performs an | |||
| endpoint lookup as shown below. | endpoint lookup as shown below. | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://[2001:db8:4::ff]/rd-lookup/ep | Req: GET coap://[2001:db8:4::ff]/rd-lookup/ep | |||
| ?et=core.rd-group&ep=grp_schedule | ?et=core.rd-group&ep=grp_schedule | |||
| Response: RD -> Joining node | Response: RD -> Joining node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Content-Format: TBD123456 (application/coral+cbor) | Content-Format: TBD123456 (application/coral+cbor) | |||
| Payload: | Payload: | |||
| #using reef = <http://coreapps.org/reef#> | #using reef = <http://coreapps.org/reef#> | |||
| #base <coap://[2001:db8:4::ff]/rd/> | #base <coap://[2001:db8:4::ff]/rd/> | |||
| reef:rd-unit <501> { | reef:rd-unit <502> { | |||
| reef:ep "grp_schedule" | reef:ep "grp_schedule" | |||
| reef:et "core.rd-group" | reef:et "core.rd-group" | |||
| reef:base <coap://[ff05::5:2]/> | reef:base <coap://[ff05::5:2]/> | |||
| reef:rt "core.rd-ep" | ||||
| } | } | |||
| *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** | *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** | |||
| Consequently, the device learns the security groups it has to join. | Consequently, the device learns the security groups it has to join. | |||
| In particular, it does the following for app-gp="grp_R2-4-015". | In particular, it does the following for app-gp="grp_R2-4-015". | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://[2001:db8:4::ff]/rd-lookup/res | Req: GET coap://[2001:db8:4::ff]/rd-lookup/res | |||
| skipping to change at page 31, line 4 ¶ | skipping to change at page 32, line 6 ¶ | |||
| Consequently, the device learns the security groups it has to join. | Consequently, the device learns the security groups it has to join. | |||
| In particular, it does the following for app-gp="grp_R2-4-015". | In particular, it does the following for app-gp="grp_R2-4-015". | |||
| Request: Joining node -> RD | Request: Joining node -> RD | |||
| Req: GET coap://[2001:db8:4::ff]/rd-lookup/res | Req: GET coap://[2001:db8:4::ff]/rd-lookup/res | |||
| ?rt=core.osc.gm&app-gp=grp_R2-4-015 | ?rt=core.osc.gm&app-gp=grp_R2-4-015 | |||
| Response: RD -> Joining Node | Response: RD -> Joining Node | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Content-Format: TBD123456 (application/coral+cbor) | Content-Format: TBD123456 (application/coral+cbor) | |||
| Payload: | Payload: | |||
| #using <http://coreapps.org/core.oscore-discovery#> | #using <http://coreapps.org/core.oscore-discovery#> | |||
| #using reef = <http://coreapps.org/reef#> | #using reef = <http://coreapps.org/reef#> | |||
| #base <coap://[2001:db8::ab]/> | #base <coap://[2001:db8::ab]/> | |||
| reef:rd-item </ace-group/feedca570000> { | reef:rd-item </ace-group/feedca570000> { | |||
| reef:ct 65000 | ||||
| reef:rt "core.osc.gm" | reef:rt "core.osc.gm" | |||
| reef:if "ace.group" | reef:if "ace.group" | |||
| sec-gp "feedca570000" | sec-gp "feedca570000" | |||
| app-gp "grp_R2-4-015" | app-gp "grp_R2-4-015" | |||
| } | } | |||
| Similarly, the device does the following for app-gp="grp_schedule". | Similarly, the device does the following for app-gp="grp_schedule". | |||
| Req: GET coap://[2001:db8:4::ff]/rd-lookup/res | Req: GET coap://[2001:db8:4::ff]/rd-lookup/res | |||
| ?rt=core.osc.gm&app-gp=grp_schedule | ?rt=core.osc.gm&app-gp=grp_schedule | |||
| skipping to change at page 31, line 35 ¶ | skipping to change at page 32, line 39 ¶ | |||
| Res: 2.05 Content | Res: 2.05 Content | |||
| Content-Format: TBD123456 (application/coral+cbor) | Content-Format: TBD123456 (application/coral+cbor) | |||
| Payload: | Payload: | |||
| #using <http://coreapps.org/core.oscore-discovery#> | #using <http://coreapps.org/core.oscore-discovery#> | |||
| #using reef = <http://coreapps.org/reef#> | #using reef = <http://coreapps.org/reef#> | |||
| #base <coap://[2001:db8::ab]/> | #base <coap://[2001:db8::ab]/> | |||
| reef:rd-item </ace-group/feedsc590000> { | reef:rd-item </ace-group/feedsc590000> { | |||
| reef:ct 65000 | ||||
| reef:rt "core.osc.gm" | reef:rt "core.osc.gm" | |||
| reef:if "ace.group" | reef:if "ace.group" | |||
| sec-gp "feedsc590000" | sec-gp "feedsc590000" | |||
| app-gp "grp_schedule" | app-gp "grp_schedule" | |||
| } | } | |||
| *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** | *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** | |||
| After this last discovery step, the device can ask permission to join | After this last discovery step, the device can ask permission to join | |||
| the security groups, and effectively join them through the Group | the security groups, and effectively join them through the Group | |||
| End of changes. 83 change blocks. | ||||
| 161 lines changed or deleted | 218 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||