test LwM2M / COAP / DTLS / UDP / IP

• author: Thus0
• last modified: 2022-01-30 21:16

architecture

COAPS sensor  --- [operator_net] --- router-coap (NAT) --- [inter_net] --- COAPS server
                  192.168.12.x     .254             .254   192.168.11.x 

DTLS libraries

• https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security

• axTLS

• BearSSL

  • BearSSL is for now considered alpha-level software. This means that it probably still has some bugs, possibly very serious ones [...]

• CycloneSSL

• Google BoringSSL (go)

  • bssl client
  • bssl server

• Eclise Scandium (java) - DTLS 1.2

  • It implements DTLS 1.2 to secure your application through ECC with pre-shared keys, certificates, or raw public keys.
  • ticket Connection ID
  • patch demo sc-dtls-example-client
  • patch demo sc-dtls-example-server

• GnuTLS (C) - DTLS 1.2

  • "Support for public key methods, including RSA and Elliptic curves, as well as password and key authentication methods such as SRP and PSK protocols"
    • PSK
    • RPK
    • Certificates
  • gnutls-cli
  • gnutls-serv

• MatrixSSL - TLS1.3

• Mbed TLS (C) - DLTS 1.2

  • Mbed TLS is a C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols. Its small code footprint makes it suitable for embedded systems.
  • ticket Connection ID
  • mbedtls_dtls_client
  • mbedtls_dtls_server

• OpenSSL (C) - DTLS x.x - TLS 1.3

  • The OpenSSL 1.1.1 release includes support for TLSv1.3 (more details)
  • openssl s_client -dtls1_2
  • openssl s_server -dtls1_2

• Pion DTLS (go) - DTLS 1.2

  • ticket Connection ID
  • patch demo client/main.go
  • patch demo server/main.go

• tinydtls (C) - DTLS 1.2

  • basic support for DTLS-PSK and DTLS-RPK mode with ECC
  • branche tinydtls - Connection ID
  • dtls-client
    • TODO: patch demo
  • dtls-server
    • TODO: patch demo

• wolfSSL (C) - DTLS 1.2 - TLS 1.3

  • The wolfSSL embedded TLS library is a lightweight, portable, C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments primarily because of its size, speed, and feature set. It works seamlessly in desktop, enterprise, and cloud environments as well. wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.2
  • client
  • server

COAPS frameworks

• aiocoap (python)
  • RFC7252 (CoAP): Supported for clients and servers. Multicast is supported on the server side, and partially for clients. DTLS is supported but experimental, and lacking some security properties. No caching is done inside the library.
  • RFC7641 (Observe): Basic support for clients and servers. Reordering, re-registration, and active cancellation are missing.
  • RFC7959 (Blockwise): Supported both for atomic and random access.
  • RFC7967 (No-Response): Supported.
  • RFC8132 (PATCH/FETCH): Types and codes known, FETCH observation supported.
  • RFC8323 (TCP, WebSockets): Supports CoAP over TCP, TLS, and WebSockets (both over HTTP and HTTPS). The TLS parts are server-certificate only; preshared, raw public keys and client certificates are not supported yet.
  • RFC8613 (OSCORE): Full support client-side; protected servers can be implemented based on it but are not automatic yet.
  • draft-ietf-core-resource-directory: A standalone resource directory server is provided along with a library function to register at one. They lack support for groups and security considerations, and are generally rather simplistic.
  • draft-ietf-core-oscore-groupcomm-11 (Group OSCORE): Supported for both group and pairwise mode in groups that are fully known. (The lack of an implemented joining or persistence mechanism makes this impractical for anything but experimentation.)
• Eclipse Californium (java)
  • demo cf-secure
• coap-cli.js (javascript)
• libcoap (C)
  • RFC7252: The Constrained Application Protocol (CoAP)
  • RFC7641: Observing Resources in the Constrained Application Protocol (CoAP)
  • RFC7959: Block-Wise Transfers in the Constrained Application Protocol (CoAP)
  • RFC7967: Constrained Application Protocol (CoAP) Option for No Server Response
  • RFC8132: PATCH and FETCH Methods for the Constrained Application Protocol (CoAP)
  • RFC8323: CoAP (Constrained Application Protocol) over TCP, TLS, and WebSockets [No WebSockets support]
  • RFC8768: Constrained Application Protocol (CoAP) Hop-Limit Option
  • The library is designed to support transport layer security utilizing frameworks such as GnuTLS, OpenSSL, Mbed TLS, or tinydtls.
    • OpenSSL (Minimum version 1.1.0) : DTLS-CERT, DTLS-PSK and PKCS11
    • GnuTLS (Minimum version 3.3.0) : DTLS-CERT, DTLS-PSK, DTLS-RPK (3.6.6+) and PKCS11
    • Mbed TLS (Minimum version 2.7.10) : DTLS-CERT and DTLS-PSK
    • TinyDTLS : DTLS-PSK and DTLS-RPK (DTLS Only)

COAPS proxies and gateways

• emqx-coap (Erlang)
• FreeCoAP (C)
  • HTTP/CoAP proxy with DTLS support
  • DTLS-CERT for CoAP implemented using GnuTLS with X.509 certificates (RFC 7252)
  • DTLS-RPK for CoAP implemented using tinydtls with raw public key (RFC 7252)

LWM2M frameworks

• AVSystem Anjay (C)
  • LwM2M Security modes:
    • DTLS-CERT (if supported by backend TLS library)
    • DTLS-PSK (if supported by backend TLS library)
    • NoSec mode
  • Supported TLS backends:
    • OpenSSL (Minimum 1.1.+)
    • Mbed TLS (Minimum 2.0+)
    • tinydtls (Minimum 0.9+)
• Eclipse Wakaama (C)
  • lwm2mclient_tinydtls
    • DTLS-PSK implemented using tinydtls

Serveur LwM2M

• Eclipse leshan
  • demo/test leshan

Serveur/Broker COAP

• Thingsboard
  • CoAP over DTLS