Since LWM2M v1.1.x, Client Endpoint Name is optional for Register and Bootstrap request

[sbernard31]

See :

• https://www.openmobilealliance.org/release/LightweightM2M/V1_1_1-20190617-A/HTML-Version/OMA-TS-LightweightM2M_Core-V1_1_1-20190617-A.html#6-1-7-1-0-6171-Bootstrap-Request-Operation
• https://www.openmobilealliance.org/release/LightweightM2M/V1_1_1-20190617-A/HTML-Version/OMA-TS-LightweightM2M_Core-V1_1_1-20190617-A.html#6-2-1-0-621-Register-Operation
• https://www.openmobilealliance.org/release/LightweightM2M/V1_1_1-20190617-A/HTML-Version/OMA-TS-LightweightM2M_Core-V1_1_1-20190617-A.html#7-3-0-73-Identifiers

This is not yet supported in Leshan.
Note that a client using LWM2M v1.0 MUST send the client endpoint name, as this is mandatory in LWM2M v1.0.x specification.

[sbernard31]

This talks about that : https://stackoverflow.com/questions/76424125/using-endpoint-client-name-and-or-keys-in-lwm2m-bootstrap-interface

[sbernard31]

All I found about this in the specification :

LWM2M-v1.1.1@core§6.1.7.1. Bootstrap-Request Operation says :

This parameter is optional if it is equal to the identifier in the security protocol and deployment is such that the security protocol identifier is always available for the server

LWM2M-v1.1.1@core§7.3. Identifiers says :

Identifies the LwM2M Client on one LwM2M Server (including LwM2M Bootstrap-Server).
This parameter is optional and provided to the LwM2M Server during Registration, also provided to LwM2M Bootstrap-Server when executing the Bootstrap procedure. It MUST be provided when the security protocol does not provide an authenticated identifier or this information is not available for the server.
The Endpoint Client Name is a string. Recommended URI and URN formats are documented in Section Endpoint Client Name.

LWM2M-v1.1.1@transport§5.2.6. Endpoint Client Name says :

This specification recommends, but does not mandate, transmission of the endpoint client name in the Bootstrap-Request and in the Register message. Since the endpoint client name is not authenticated at the application layer the LwM2M Server MUST compare the received endpoint client name identifier with the identifier used at the TLS/DTLS handshake. This comparison may either be an equality match or may involve a dedicated lookup table to ensure that LwM2M Clients cannot intentionally or due to misconfiguration impersonate other LwM2M Clients. The LwM2M Server MUST respond with a "4.00 Bad Request" to the LwM2M Client if these fields do not match.

LWM2M-v1.1.1@transport§5.5.5. Endpoint Client Name says :

The same verification of Endpoint Client Name in the Bootstrap-Request and in the Register messages as described in 5.2.6. Endpoint Client Name applies also to OSCORE. However, when using OSCORE, the Endpoint Client Name MAY be authenticated at the application layer, by setting the "OSCORE Sender ID" Resource value (see 5.5.7.1. OSCORE Related Resources) to the Endpoint Client Name.

If the OSCORE Sender ID is not set to Endpoint Client Name, then the LwM2M Server MUST compare the received Endpoint Client Name identifier with the OSCORE Sender ID of the LwM2M Client. This comparison may either be an equality match or may involve a dedicated lookup table to ensure that LwM2M Clients cannot intentionally or due to misconfiguration impersonate other LwM2M Clients. The LwM2M Server MUST respond with a "4.00 Bad Request" to the LwM2M Client if these fields do not match.

My understanding is :

When endpoint Name is absent from Register or Bootstrap request, the transport identifier can be used as endpoint name.
I tries to guess what does it means for each transport :

• ❌ no_sec : can not be used, as there is no transport identifier.
• ✔️ psk over (D)TLS : psk identity can be considered as endpoint name.
• ❌ rpk over (D)TLS : no idea what could be used as endpoint name, so I guess this can not work.
• ✔️ x509 over (D)TLS : CN from certificate can be considered as endpoint name.
• ✔️ oscore : sender ID can be considered as endpoint name. (I guess this is also true when it used over (D)TLS)

What I could imagine user asked :

Automatically find endpoint name from SecurityStore with something like SecurityStore.getByIdentity() ? so maybe better to have a way customize default behavior (as usual 😅)

How we can implement it in Leshan ?:

A solution could be to have a EndpointNameProvider interface with a DefaultEndpointNameProvider implementation with behavior described above ☝️.

public interface EndpointNameProvider {
   String getEndpointName(LwM2mIdentity identity);
}