voluntary restricted selection of connection ids, #249
gselander committed Feb 23, 2022
1 parent f98da66 commit a649c17
Showing 1 changed file with 21 additions and 2 deletions.
23 changes: 21 additions & 2 deletions draft-ietf-lake-edhoc.md
Expand Up @@ -362,13 +362,14 @@ Connection identifiers in EDHOC are byte strings or integers, encoded in CBOR. O

### Selection of Connection Identifiers

C_I and C_R are chosen by I and R, respectively. The Initiator selects C_I and sends it in message_1 for the Responder to use as a reference to the connection in communications with the Initiator. The Responder selects C_R and sends it in message_2 for the Initiator to use as a reference to the connection in communications with the Responder.
C_I and C_R are chosen by I and R, respectively. The Initiator selects C_I and sends it in message_1 for the Responder to use as a reference to the connection in communications with the Initiator. The Responder selects C_R and sends it in message_2 for the Initiator to use as a reference to the connection in communications with the Responder. An endpoint may choose to select only integer or only byte string connection identifiers.

If connection identifiers are used by an application protocol for which EDHOC establishes keys then the selected connection identifiers SHALL adhere to the requirements for that protocol, see {{ci-oscore}} for an example.

### Use of Connection Identifiers with OSCORE {#ci-oscore}

For OSCORE, the choice of a connection identifier results in the endpoint selecting its Recipient ID, see Section 3.1 of {{RFC8613}}, for which certain uniqueness requirements apply, see Section 3.3 of {{RFC8613}}. Therefore, the Initiator and the Responder MUST NOT select connection identifiers such that it results in same OSCORE Recipient ID. Since the Recipient ID is a byte string and an EDHOC connection identifier is either a CBOR byte string or a CBOR integer, care must be taken when selecting the connection identifiers and converting them to Recipient IDs. A mapping from EDHOC connection identifier to OSCORE Recipient ID is specified in {{edhoc-to-oscore}}.
For OSCORE, the choice of a connection identifier results in the endpoint selecting its Recipient ID, see Section 3.1 of {{RFC8613}}, for which certain uniqueness requirements apply, see Section 3.3 of {{RFC8613}}. Therefore, the Initiator and the Responder MUST NOT select connection identifiers such that it results in same OSCORE Recipient ID. Since the Recipient ID is a byte string and an EDHOC connection identifier is either a CBOR byte string or a CBOR integer, care must be taken when selecting the connection identifiers and converting them to Recipient IDs. One simplification is to restrict to only use integer or only byte string connection identifiers. A mapping from EDHOC connection identifier to OSCORE Recipient ID is specified in {{edhoc-to-oscore}}.


## Transport {#transport}
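
Review bot: The sentence added at the end of the first paragraph under "Selection of Connection Identifiers" uses a lowercase "may" ("An endpoint may choose to select only integer or only byte string connection identifiers"), while the appendix text added in this same commit states the same permission as "An endpoint MAY choose to select". Settle on one: either make this a normative MAY as well, or keep it descriptive and point to the appendix so the permission is defined in a single place. In the OSCORE paragraph, "One simplification is to restrict to only use integer or only byte string connection identifiers" has no object for "restrict"; "One simplification is to use only integer or only byte string connection identifiers" reads cleaner.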

Expand Down Expand Up @@ -1554,6 +1555,24 @@ Two EDHOC connection identifiers are called "equivalent" if and only if, by appl

When EDHOC is used to establish an OSCORE security context, the connection identifiers C_I and C_R MUST NOT be equivalent. Furthermore, in case of multiple OSCORE security contexts with potentially different endpoints, to facilitate the retrieval of the correct OSCORE security context, an endpoint SHOULD select an EDHOC connection identifier that when converted to OSCORE Recipient ID does not coincide with its other Recipient IDs.

An endpoint MAY choose to select, for example, only numeric connection identifiers which then are equivalent if and only if the integer value is the same, thus simplifying the comparison. The number of unique OSCORE Sender/Recipient ID of a given byte length on the wire is reduced by this choice, see {{fig-number-connection-id}}.


~~~~~~~~~~~
+---------------------+----------------------+----------------------+
| Size of SID/RID | Number of CI as bstr | Number of CI as int |
+==========+===============+========================================+
| 0 | 1 | 0 |
+---------------------+----------------------+----------------------+
| 1 | 208 | 48 |
+---------------------+----------------------+----------------------+
| 2 | 65072 | 464 |
+---------------------+----------------------+----------------------+
~~~~~~~~~~~
{: #fig-number-connection-id title="Number of EDHOC Connection Identifiers resulting in OSCORE Sender/Recipient Identifier of a given size in bytes."}



## Deriving the OSCORE Security Context {#oscore-ctx-derivation}

This section specifies how to use EDHOC output to derive the OSCORE security context.
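
Review bot: The new paragraph before the figure says numeric identifiers "are equivalent if and only if the integer value is the same", which holds only when both identifiers being compared are integers. Since C_I and C_R are chosen by I and R respectively, the peer may still send a byte string, so the text should say that the simplified comparison applies to the endpoint's own identifiers and that the general equivalence check is still needed against the peer's. The paragraph also says "numeric" where the body text of this commit says "integer", and "Sender/Recipient ID" should be plural. In the figure, the header separator row (+==========+===============+====...) has column boundaries that do not match the other border rows, and the text would benefit from one sentence on how the counts are obtained, given that each row's two counts sum to 256 and 65536.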