Constrained Application Protocol (CoAP): Corrections and Clarifications

1.1. Process

1.2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶

When a section of this document makes formal corrections, additions or invalidations to text in a referenced RFC, this is clearly summarized. The text from the RFC that is being addressed is given and labeled "INCOMPLETE", "INCORRECT", or "INCORRECT AND INVALIDATED", followed by the correct text labeled "CORRECTED", where applicable. When text is added that does not simply correct text in previous specifications, it is given with the label "FORMAL ADDITION".¶

Where a resolution has not yet been agreed, the resolution is marked PENDING.¶

In this document, a reference to a section in RFC nnnn is written as RFC nnnn-<number>, where <number> is the section number.¶

2.1. RFC7252-1.2: Terminology (Request-URI)

[RFC7252] uses the term "request URI" repeatedly, but only provides a vague definition in Section 5.7.2 of [RFC7252]. Text should be added to the definitions in Section 1.2 (Terminology) of [RFC7252].¶

INCOMPLETE; FORMAL ADDITION (Section 1.2):

Request URI:

The URI that identifies a resource on a server intended to be addressed by a request; constructed from the context of the request combined with Options present in the request using the process defined in Section 6.5 (Composing URIs from Options) of [RFC7252], see Section 5.7.2 (Forward-Proxies) of [RFC7252] for further details. Related to the HTTP concept of "target URI"; see Section 7.1 (Determining the Target Resource) of [RFC9110]; previously called "effective request URI" in Section 5.5 (Effective Request URI) of [RFC7230].¶

PENDING.¶

Note that a similar, but distinct concept is the "base URI", relative to which relative URIs are resolved. This is more complex in CoAP than in HTTP because CoAP can multicast requests Section 8 of [RFC7252], expecting unicast responses; these need to be interpreted relative to the unicast source address from which the responses come.¶

Section 8.2 of [RFC7252] has:¶

For the purposes of interpreting the Location-* options and any links embedded in the representation, the request URI (i.e., the base URI relative to which the response is interpreted) is formed by replacing the multicast address in the Host component of the original request URI by the literal IP address of the endpoint actually responding.¶

Similarly, Section 8.2.1 of [RFC7252] (Caching) says:¶

A response received in reply to a GET request to a multicast group MAY be used to satisfy a subsequent request on the related unicast request URI. The unicast request URI is obtained by replacing the authority part of the request URI with the transport-layer source address of the response message.¶

Further discussion of a more generalized response concept can be found in [I-D.bormann-core-responses].¶

2.2. RFC7252-5.10.5: Max-Age

In the discussion of [RFC8516], a comment was made that it would be needed to define the point in time relative to which Max-Age is defined. A sender might reference it to the time it actually sends the message containing the option (and paragraph 3 of RFC7252-5.10.5 indeed requests that Max-Age be updated each time a message is retransmitted). The receiver of the message does not have reliable information about the time of sending, though. It may instead reference the Max-Age to the time of reception. This in effect extends the time of Max-Age by the latency of the packet. This extension was deemed acceptable for the purposes of [RFC8516], but may be suboptimal when Max-Age is about the lifetime of a response object.¶

INCOMPLETE:

The value is intended to be current at the time of transmission.¶

PENDING.¶

2.3. RFC7252-6.4: Decomposing URIs into Options

[Err4895] notes (text updated with newer link):¶

The current specification for decomposing a URI into CoAP Options (Section 6.4) is correct; however the text may still be unclear to implementers who may think that the phrase "not including the delimiting slash characters" means simply omitting a trailing slash character in the URI path. This is incorrect. See the discussion outcome in email thread https://mailarchive.ietf.org/arch/msg/core/vqOiUreodGXqWZGeGOTREChCsKY/.¶

[Err4895] proceeds to propose adding another note at the end of Section 6.4 of [RFC7252]. A slightly updated version of the proposed note might be:¶

INCOMPLETE; FORMAL ADDITION at the end of Section 6.4 of [RFC7252]:

Also note that a trailing slash character in the <path> component represents a separate, zero-character path segment (see the ABNF in Section 3.3 of [RFC3986]). This is encoded using a Uri-Path Option of zero length. The exception at the start of step 8 means that no such zero-character path segment is added for a trailing slash that immediately follows the authority (host and port).¶

PENDING: Enough examples now?¶

2.4. RFC7252-7.2.1: "ct" Attribute (content-format code)

As has been noted in [Err5078], there is no information in [RFC7252] about whether the "ct" target attribute can be present multiply or not.¶

The text does indicate that the value of the attribute MAY be "a space-separated sequence of Content-Format codes, indicating that multiple content-formats are available", but it does not repeat the prohibition of multiple instances that the analogously structured "rt" and "if" attributes in Sections 3.1 and 3.2 of [RFC6690] have.¶

This appears to be an oversight. Published examples in Section 4.1 of [RFC9148] and Section 4.3 of [RFC9176] further illustrate that the space-separated approach is generally accepted to be the one to be used. There is no gain to be had from allowing both variants, and it would be likely to cause interoperability problems.¶

At the 2022-11-23 CoRE WG interim meeting, there was agreement that [Err5078] should be marked "VERIFIED", which was done on 2023-01-18.¶

INCOMPLETE; FORMAL ADDITION:

The Content-Format code attribute MUST NOT appear more than once in a link.¶

2.5. RFC7252-9.1.1/9.1.2: (match boxing)

Sections 9.1.1 and 9.1.2 of [RFC7252] provide details about using CoAP over DTLS connections; in particular they restrict both message-id matching and request/response matching to within a single combination of DTLS session/DTLS epoch.¶

At the time, this was a decision to be very conservative based on the wide variety of security implications a new DTLS epoch might have (which also were not widely understood, e.g., for a re-authentication). The normally short time between a request and a response made this rather strict boxing appear acceptable.¶

However, with the Observe functionality [RFC7641], it is quite likely that significant time elapses between a request and the arrival of a notification that is sent back as a response, causing a need for the latter to use a different box from the original request.¶

Also, additions to CoAP such as CoAP over connection-oriented transports [RFC8323] and OSCORE [RFC8613] create similar matching boxes that also do not fit certain likely use cases of these additions (e.g., with short-lived TCP connections as discussed in Section 4.3 of [RFC9006]).¶

The match boxing semantics of the current protocol are clearly defined, but can be unsatisfactory given the current requirements. Therefore, enhancements may be called for:¶

1. Protocols such as OSCORE [RFC8613], as enhanced by the proposed KUDOS mechanism [I-D.ietf-core-oscore-key-update], need to define how the matching functions are impacted by state transitions of the underlying transport and security sessions. Where extensions are already actively being developed, this work should be done in the context of the extension effort.¶

   1. Protocol mechanisms that have been defined for stitching together connections or phases of an underlying connection, such as Connection Identifiers for DTLS 1.2 [RFC9146], may enable keeping the session/epoch unchanged and even to change the transport address (ip-address/port), once appropriately modified match boxing rules are specified for the stitching mechanism. (These rules either need to be defined to be implicitly active for any use of the mechanism or they may require negotiation, see below.)¶

2. Optimizations such as Eclipse/Californium EndpointContextMatcher [CF-MATCHER] might not work properly unless both sides of the communication agree on the extent of the matching boxes. Mechanisms to indicate capabilities and choices selected may need to be defined; also, a way to define the progression of matching boxes needs to be defined that is compatible with the security properties of the underlying protocols. This may require new efforts, to be initiated based on some formative contributions.¶

PENDING.¶

Relevant starting points for retrieving existing discussion of this issue include:¶

• https://mailarchive.ietf.org/arch/msg/core/biDJ8n4w0kBQATzyh9xHlKnGy1o/
  ("DTLS and Epochs")¶

• https://mailarchive.ietf.org/arch/msg/core/TsyyKIHQ1FJtAvAo0ODNEt2Ileo/
  ("Connection ID")¶

• https://github.com/core-wg/corrclar/issues/9
  ("Clarify/revise language around epochs in section 9.1.1 #9")¶

2.6. RFC 7252-12.3: Content-Format Registry

Section 12.3 of [RFC7252] established the CoAP Content-Formats Registry, which maps a combination of an Internet Media Type with an HTTP Content Coding, collectively called a Content-Format, to a concise numeric identifier for that Content-Format. The "Media Type" is more than a Media-Type-Name (see [RFC9193] for an extensive discussion), i.e., it may contain parameters beyond the mere combination of a type-name and a subtype-name registered in [IANA.media-types], as per [RFC6838], conventionally identified by the two names separated by a slash. This construct is often called a Content Type to reduce the confusion with a Media-Type-Name (e.g., in Section 8.3 of [RFC9110], which then however also opts to use the term Media Type for the same information set).¶

The second column of the Content-Format registry is the Content Coding, which is defined in Section 8.4.1 of [RFC9110]. For historical reasons, the HTTP header field that actually carries the content coding is called Content-Encoding; this often leads to the misnaming of Content Coding as "content encoding".¶

As has been noted in [Err4954], the text in Section 12.3 of [RFC7252] incorrectly uses these terms in the context of content types and content coding:¶

1. The field that describes the Content Type is called "Media Type". This can lead to the misunderstanding that this column just carries a Media-Type-Name (such as "text/plain"), while it actually also can carry media type parameters (as in "text/plain; charset=UTF-8").¶

2. The field that describes the Content Coding uses the incorrect name "Content Encoding".¶

INCORRECT, CORRECTED:

The VERIFIED Errata Report [Err4954] corrects the usage of "Content-Encoding" in the text and changes the name of the first column of the Content-Format registry to "Content Type" and the name of the second field to "Content Coding". This change has been carried out by IANA.¶

[Err4954] also has some notes on what would be valid or invalid Content-Format registrations. These are not repeated here; they are however quite useful as a reference when preparing additional Content-Format registrations.¶