CoRE Resource Directory
draft-ietf-core-resource-directory-18
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 9176.
|
|
---|---|---|---|
Authors | Zach Shelby , Michael Koster , Carsten Bormann , Peter Van der Stok , Christian Amsüss | ||
Last updated | 2018-12-20 (Latest revision 2018-10-22) | ||
Replaces | draft-shelby-core-resource-directory | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews |
GENART Telechat review
(of
-25)
by Russ Housley
Almost ready
|
||
Additional resources | Mailing list discussion | ||
Stream | WG state | WG Document | |
Document shepherd | Jaime Jimenez | ||
IESG | IESG state | Became RFC 9176 (Proposed Standard) | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | Alexey Melnikov | ||
Send notices to | "Jaime Jimenez" <jaime.jimenez@ericsson.com> |
draft-ietf-core-resource-directory-18
quot; response and a Max-Age option or Retry-After header, the registering Shelby, et al. Expires June 23, 2019 [Page 30] Internet-Draft CoRE Resource Directory December 2018 endpoint SHOULD retry the operation after the time indicated. If the registration fails in another way, including request timeouts, or if the time indicated exceeds the remaining lifetime, the registering endpoint SHOULD attempt registration again. The following example shows how the registering endpoint updates its registration resource at an RD using this interface with the example location value: /rd/4521. Req: POST /rd/4521 Res: 2.04 Changed The following example shows the registering endpoint updating its registration resource at an RD using this interface with the example location value: /rd/4521. The initial registration by the registering endpoint set the following values: o endpoint name (ep)=endpoint1 o lifetime (lt)=500 o Base URI (base)=coap://local-proxy-old.example.com:5683 o payload of Figure 6 The initial state of the Resource Directory is reflected in the following request: Req: GET /rd-lookup/res?ep=endpoint1 Res: 2.01 Content Payload: <coap://local-proxy-old.example.com:5683/sensors/temp>;ct=41; rt="temperature"; anchor="coap://spurious.example.com:5683", <coap://local-proxy-old.example.com:5683/sensors/light>;ct=41; rt="light-lux"; if="sensor"; anchor="coap://local-proxy-old.example.com:5683" The following example shows the registering endpoint changing the Base URI to "coaps://new.example.com:5684": Req: POST /rd/4521?base=coaps://new.example.com:5684 Res: 2.04 Changed The consecutive query returns: Shelby, et al. Expires June 23, 2019 [Page 31] Internet-Draft CoRE Resource Directory December 2018 Req: GET /rd-lookup/res?ep=endpoint1 Res: 2.01 Content Payload: <coaps://new.example.com:5684/sensors/temp>;ct=41;rt="temperature"; anchor="coap://spurious.example.com:5683", <coaps://new.example.com:5684/sensors/light>;ct=41;rt="light-lux"; if="sensor"; anchor="coaps://new.example.com:5684", 5.4.2. Registration Removal Although RD registrations have soft state and will eventually timeout after their lifetime, the registering endpoint SHOULD explicitly remove an entry from the RD if it knows it will no longer be available (for example on shut-down). This is accomplished using a removal interface on the RD by performing a DELETE on the endpoint resource. The removal request interface is specified as follows: Interaction: EP -> RD Method: DELETE URI Template: {+location} URI Template Variables: location := This is the Location returned by the RD as a result of a successful earlier registration. The following response codes are defined for this interface: Success: 2.02 "Deleted" or 204 "No Content" upon successful deletion Failure: 4.00 "Bad Request" or 400 "Bad Request". Malformed request. Failure: 4.04 "Not Found" or 404 "Not Found". Registration does not exist (e.g. may already have been removed). Failure: 5.03 "Service Unavailable" or 503 "Service Unavailable". Service could not perform the operation. HTTP support: YES The following examples shows successful removal of the endpoint from the RD with example location value /rd/4521. Shelby, et al. Expires June 23, 2019 [Page 32] Internet-Draft CoRE Resource Directory December 2018 Req: DELETE /rd/4521 Res: 2.02 Deleted 5.4.3. Further operations Additional operations on the registration can be specified in future documents, for example: o Send iPATCH (or PATCH) updates ([RFC8132]) to add, remove or change the links of a registration. o Use GET to read the currently stored set of links in a registration resource. Those operations are out of scope of this document, and will require media types suitable for modifying sets of links. 6. RD Lookup To discover the resources registered with the RD, a lookup interface must be provided. This lookup interface is defined as a default, and it is assumed that RDs may also support lookups to return resource descriptions in alternative formats (e.g. JSON or CBOR link format [I-D.ietf-core-links-json]) or using more advanced interfaces (e.g. supporting context or semantic based lookup) on different resources that are discovered independently. RD Lookup allows lookups for endpoints and resources using attributes defined in this document and for use with the CoRE Link Format. The result of a lookup request is the list of links (if any) corresponding to the type of lookup. Thus, an endpoint lookup MUST return a list of endpoints and a resource lookup MUST return a list of links to resources. The lookup type is selected by a URI endpoint, which is indicated by a Resource Type as per Table 1 below: +-------------+--------------------+-----------+ | Lookup Type | Resource Type | Mandatory | +-------------+--------------------+-----------+ | Resource | core.rd-lookup-res | Mandatory | | Endpoint | core.rd-lookup-ep | Mandatory | +-------------+--------------------+-----------+ Table 1: Lookup Types Shelby, et al. Expires June 23, 2019 [Page 33] Internet-Draft CoRE Resource Directory December 2018 6.1. Resource lookup Resource lookup results in links that are semantically equivalent to the links submitted to the RD. The links and link parameters returned by the lookup are equal to the submitted ones, except that the target and anchor references are fully resolved. Links that did not have an anchor attribute are therefore returned with the base URI of the registration as the anchor. Links of which href or anchor was submitted as a (full) URI are returned with these attributes unmodified. Above rules allow the client to interpret the response as links without any further knowledge of the storage conventions of the RD. The Resource Directory MAY replace the registration base URIs with a configured intermediate proxy, e.g. in the case of an HTTP lookup interface for CoAP endpoints. 6.2. Lookup filtering Using the Accept Option, the requester can control whether the returned list is returned in CoRE Link Format ("application/link- format", default) or in alternate content-formats (e.g. from [I-D.ietf-core-links-json]). The page and count parameters are used to obtain lookup results in specified increments using pagination, where count specifies how many links to return and page specifies which subset of links organized in sequential pages, each containing 'count' links, starting with link zero and page zero. Thus, specifying count of 10 and page of 0 will return the first 10 links in the result set (links 0-9). Count = 10 and page = 1 will return the next 'page' containing links 10-19, and so on. Multiple search criteria MAY be included in a lookup. All included criteria MUST match for a link to be returned. The Resource Directory MUST support matching with multiple search criteria. A link matches a search criterion if it has an attribute of the same name and the same value, allowing for a trailing "*" wildcard operator as in Section 4.1 of [RFC6690]. Attributes that are defined as "link-type" match if the search value matches any of their values (see Section 4.1 of [RFC6690]; e.g. "?if=core.s" matches ";if="abc core.s";"). A resource link also matches a search criterion if its endpoint would match the criterion, and vice versa, an endpoint link matches a search criterion if any of its resource links matches it. Shelby, et al. Expires June 23, 2019 [Page 34] Internet-Draft CoRE Resource Directory December 2018 Note that "href" is a valid search criterion and matches target references. Like all search criteria, on a resource lookup it can match the target reference of the resource link itself, but also the registration resource of the endpoint that registered it. Queries for resource link targets MUST be in URI form (i.e. not relative references) and are matched against a resolved link target. Queries for endpoints SHOULD be expressed in path-absolute form if possible and MUST be expressed in URI form otherwise; the RD SHOULD recognize either. Endpoints that are interested in a lookup result repeatedly or continuously can use mechanisms like ETag caching, resource observation ([RFC7641]), or any future mechanism that might allow more efficient observations of collections. These are advertised, detected and used according to their own specifications and can be used with the lookup interface as with any other resource. When resource observation is used, every time the set of matching links changes, or the content of a matching link changes, the RD sends a notification with the matching link set. The notification contains the successful current response to the given request, especially with respect to representing zero matching links (see "Success" item below). The lookup interface is specified as follows: Interaction: Client -> RD Method: GET URI Template: {+type-lookup-location}{?page,count,search*} URI Template Variables: type-lookup-location := RD Lookup URI for a given lookup type (mandatory). The address is discovered as described in Section 5.2. search := Search criteria for limiting the number of results (optional). page := Page (optional). Parameter cannot be used without the count parameter. Results are returned from result set in pages that contain 'count' links starting from index (page * count). Page numbering starts with zero. count := Count (optional). Number of results is limited to this parameter value. If the page parameter is also present, the Shelby, et al. Expires June 23, 2019 [Page 35] Internet-Draft CoRE Resource Directory December 2018 response MUST only include 'count' links starting with the (page * count) link in the result set from the query. If the count parameter is not present, then the response MUST return all matching links in the result set. Link numbering starts with zero. Accept: absent, application/link-format or any other indicated media type representing web links The following responses codes are defined for this interface: Success: 2.05 "Content" or 200 "OK" with an "application/link- format" or other web link payload containing matching entries for the lookup. The payload can contain zero links (which is an empty payload in [RFC6690] link format, but could also be "[]" in JSON based formats), indicating that no entities matched the request. Failure: No error response to a multicast request. Failure: 4.00 "Bad Request" or 400 "Bad Request". Malformed request. Failure: 5.03 "Service Unavailable" or 503 "Service Unavailable". Service could not perform the operation. HTTP support: YES 6.3. Resource lookup examples The examples in this section assume the existence of CoAP hosts with a default CoAP port 61616. HTTP hosts are possible and do not change the nature of the examples. The following example shows a client performing a resource lookup with the example resource look-up locations discovered in Figure 5: Req: GET /rd-lookup/res?rt=temperature Res: 2.05 Content <coap://[2001:db8:3::123]:61616/temp>;rt="temperature"; anchor="coap://[2001:db8:3::123]:61616" A client that wants to be notified of new resources as they show up can use observation: Shelby, et al. Expires June 23, 2019 [Page 36] Internet-Draft CoRE Resource Directory December 2018 Req: GET /rd-lookup/res?rt=light Observe: 0 Res: 2.05 Content Observe: 23 Payload: empty (at a later point in time) Res: 2.05 Content Observe: 24 Payload: <coap://[2001:db8:3::124]/west>;rt="light"; anchor="coap://[2001:db8:3::124]", <coap://[2001:db8:3::124]/south>;rt="light"; anchor="coap://[2001:db8:3::124]", <coap://[2001:db8:3::124]/east>;rt="light"; anchor="coap://[2001:db8:3::124]" The following example shows a client performing a paginated resource lookup Shelby, et al. Expires June 23, 2019 [Page 37] Internet-Draft CoRE Resource Directory December 2018 Req: GET /rd-lookup/res?page=0&count=5 Res: 2.05 Content <coap://[2001:db8:3::123]:61616/res/0>;rt=sensor;ct=60; anchor="coap://[2001:db8:3::123]:61616", <coap://[2001:db8:3::123]:61616/res/1>;rt=sensor;ct=60; anchor="coap://[2001:db8:3::123]:61616", <coap://[2001:db8:3::123]:61616/res/2>;rt=sensor;ct=60; anchor="coap://[2001:db8:3::123]:61616", <coap://[2001:db8:3::123]:61616/res/3>;rt=sensor;ct=60; anchor="coap://[2001:db8:3::123]:61616", <coap://[2001:db8:3::123]:61616/res/4>;rt=sensor;ct=60; anchor="coap://[2001:db8:3::123]:61616" Req: GET /rd-lookup/res?page=1&count=5 Res: 2.05 Content <coap://[2001:db8:3::123]:61616/res/5>;rt=sensor;ct=60; anchor="coap://[2001:db8:3::123]:61616", <coap://[2001:db8:3::123]:61616/res/6>;rt=sensor;ct=60; anchor="coap://[2001:db8:3::123]:61616", <coap://[2001:db8:3::123]:61616/res/7>;rt=sensor;ct=60; anchor="coap://[2001:db8:3::123]:61616", <coap://[2001:db8:3::123]:61616/res/8>;rt=sensor;ct=60; anchor="coap://[2001:db8:3::123]:61616", <coap://[2001:db8:3::123]:61616/res/9>;rt=sensor;ct=60; anchor="coap://[2001:db8:3::123]:61616" The following example shows a client performing a lookup of all resources from endpoints of all endpoints of a given endpoint type. It assumes that two endpoints (with endpoint names "sensor1" and "sensor2") have previously registered with their respective addresses "coap://sensor1.example.com" and "coap://sensor2.example.com", and posted the very payload of the 6th request of section 5 of [RFC6690]. It demonstrates how absolute link targets stay unmodified, while relative ones are resolved: Shelby, et al. Expires June 23, 2019 [Page 38] Internet-Draft CoRE Resource Directory December 2018 Req: GET /rd-lookup/res?et=oic.d.sensor <coap://sensor1.example.com/sensors>;ct=40;title="Sensor Index"; anchor="coap://sensor1.example.com", <coap://sensor1.example.com/sensors/temp>;rt="temperature-c"; if="sensor"; anchor="coap://sensor1.example.com", <coap://sensor1.example.com/sensors/light>;rt="light-lux"; if="sensor"; anchor="coap://sensor1.example.com", <http://www.example.com/sensors/t123>;rel="describedby"; anchor="coap://sensor1.example.com/sensors/temp", <coap://sensor1.example.com/t>;rel="alternate"; anchor="coap://sensor1.example.com/sensors/temp", <coap://sensor2.example.com/sensors>;ct=40;title="Sensor Index"; anchor="coap://sensor2.example.com", <coap://sensor2.example.com/sensors/temp>;rt="temperature-c"; if="sensor"; anchor="coap://sensor2.example.com", <coap://sensor2.example.com/sensors/light>;rt="light-lux"; if="sensor"; anchor="coap://sensor2.example.com", <http://www.example.com/sensors/t123>;rel="describedby"; anchor="coap://sensor2.example.com/sensors/temp", <coap://sensor2.example.com/t>;rel="alternate"; anchor="coap://sensor2.example.com/sensors/temp" 6.4. Endpoint lookup The endpoint lookup returns registration resources which can only be manipulated by the registering endpoint. Endpoint registration resources are annotated with their endpoint names (ep), sectors (d, if present) and registration base URI (base; reports the registrant-ep's address if no explicit base was given) as well as a constant resource type (rt="core.rd-ep"); the lifetime (lt) is not reported. Additional endpoint attributes are added as target attributes to their endpoint link unless their specification says otherwise. Links to endpoints SHOULD be presented in path-absolute form or, if required, as absolute references. (This avoids the RFC6690 ambiguities.) While Endpoint Lookup does expose the registration resources, the RD does not need to make them accessible to clients. Clients SHOULD NOT attempt to dereference or manipulate them. A Resource Directory can report endpoints in lookup that are not hosted at the same address. Lookup clients MUST be prepared to see arbitrary URIs as registration resources in the results and treat Shelby, et al. Expires June 23, 2019 [Page 39] Internet-Draft CoRE Resource Directory December 2018 them as opaque identifiers; the precise semantics of such links are left to future specifications. The following example shows a client performing an endpoint type (et) lookup with the value oic.d.sensor (which is currently a registered rt value): Req: GET /rd-lookup/ep?et=oic.d.sensor Res: 2.05 Content </rd/1234>;base="coap://[2001:db8:3::127]:61616";ep="node5"; et="oic.d.sensor";ct="40";rt="core.rd-ep", </rd/4521>;base="coap://[2001:db8:3::129]:61616";ep="node7"; et="oic.d.sensor";ct="40";d="floor-3";rt="core.rd-ep" 7. Security policies The Resource Directory (RD) provides assistance to applications situated on a selection of nodes to discover endpoints on connected nodes. This section discusses different security aspects of accessing the RD. The contents of the RD are inserted in two ways: 1. The node hosting the discoverable endpoint fills the RD with the contents of /.well-known/core by: * Storing the contents directly into RD (see Section 5.3) * Requesting the RD to load the contents from /.well-known/core (see Section 5.3.1) 2. A Commissioning Tool (CT) fills the RD with endpoint information for a set of discoverable nodes. (see Section 5.3 with base=authority parameter value) In both cases, the nodes filling the RD should be authenticated and authorized to change the contents of the RD. An Authorization Server (AS) is responsible to assign a token to the registering node to authorize the node to discover or register endpoints in a given RD [I-D.ietf-ace-oauth-authz]. It can be imagined that an installation is divided in a set of security regions, each one with its own RD(s) to discover the endpoints that are part of a given security region. An endpoint that wants to discover an RD, responsible for a given region, needs to be authorized to learn the contents of a given RD. Within a region, for a given RD, a more fine-grained security division is possible based Shelby, et al. Expires June 23, 2019 [Page 40] Internet-Draft CoRE Resource Directory December 2018 on the values of the endpoint registration parameters. Authorization to discover endpoints with a given set of filter values is recommended for those cases. When a node registers its endpoints, criteria are needed to authorize the node to enter them. An important aspect is the uniqueness of the (endpoint name, and optional sector) pair within the RD. Consider the two cases separately: (1) CT registers endpoints, and (2) the registering node registers its own endpoint(s). o A CT needs authorization to register a set of endpoints. This authorization can be based on the region, i.e. a given CT is authorized to register any endpoint (endpoint name, sector) into a given RD, or to register an endpoint with (endpoint name, sector) value pairs assigned by the AS, or can be more fine-grained, including a subset of registration parameter values. o A given endpoint that registers itself, needs to proof its possession of its unique (endpoint name, sector) value pair. Alternatively, the AS can authorize the endpoint to register with an (endpoint name, sector) value pair assigned by the AS. A separate document needs to specify these aspects to ensure interoperability between registering nodes and RD. The subsections below give some hints how to handle a subset of the different aspects. 7.1. Secure RD discovery The Resource Server (RS) discussed in [I-D.ietf-ace-oauth-authz] is equated to the RD. The client (C) needs to discover the RD as discussed in Section 4. C can discover the related AS by sending a request to the RD. The RD denies the request by sending the address of the related AS, as discussed in section 5.1 of [I-D.ietf-ace-oauth-authz]. The client MUST send an authorization request to the AS. When appropriate, the AS returns a token that specifies the authorization permission which needs to be specified in a separate document. 7.2. Secure RD filtering The authorized parameter values for the queries by a given endpoint must be registered by the AS. The AS communicates the parameter values in the token. A separate document needs to specify the parameter value combinations and their storage in the token. The RD decodes the token and checks the validity of the queries of the client. Shelby, et al. Expires June 23, 2019 [Page 41] Internet-Draft CoRE Resource Directory December 2018 7.3. Secure endpoint Name assignment This section only considers the assignment of a name to the endpoint based on an automatic mechanism without use of AS. More elaborate protocols are out of scope. The registering endpoint is authorized by the AS to discover the RD and add registrations. A token is provided by the AS and communicated from registering endpoint to RD. It is assumed that DTLS is used to secure the channel between registering endpoint and RD, where the registering endpoint is the DTLS client. Assuming that the client is provided by a certificate at manufacturing time, the certificate is uniquely identified by the CN field and the serial number. The RD can assign a unique endpoint name by using the certificate identifier as endpoint name. Proof of possession of the endpoint name by the registering endpoint is checked by encrypting the certificate identifier with the private key of the registering endpoint, which the RD can decrypt with the public key stored in the certificate. Even simpler, the authorized registering endpoint can generate a random number (or string) that identifies the endpoint. The RD can check for the improbable replication of the random value. The RD MUST check that registering endpoint uses only one random value for each authorized endpoint. 8. Security Considerations The security considerations as described in Section 5 of [RFC8288] and Section 6 of [RFC6690] apply. The "/.well-known/core" resource may be protected e.g. using DTLS when hosted on a CoAP server as described in [RFC7252]. DTLS or TLS based security SHOULD be used on all resource directory interfaces defined in this document. 8.1. Endpoint Identification and Authentication An Endpoint (name, sector) pair is unique within the et of endpoints registered by the RD. An Endpoint MUST NOT be identified by its protocol, port or IP address as these may change over the lifetime of an Endpoint. Every operation performed by an Endpoint on a resource directory SHOULD be mutually authenticated using Pre-Shared Key, Raw Public Key or Certificate based security. Consider the following threat: two devices A and B are registered at a single server. Both devices have unique, per-device credentials for use with DTLS to make sure that only parties with authorization to access A or B can do so. Now, imagine that a malicious device A wants to sabotage the device B. It uses its credentials during the DTLS exchange. Then, it Shelby, et al. Expires June 23, 2019 [Page 42] Internet-Draft CoRE Resource Directory December 2018 specifies the endpoint name of device B as the name of its own endpoint in device A. If the server does not check whether the identifier provided in the DTLS handshake matches the identifier used at the CoAP layer then it may be inclined to use the endpoint name for looking up what information to provision to the malicious device. Section 7.3 specifies an example that removes this threat for endpoints that have a certificate installed. 8.2. Access Control Access control SHOULD be performed separately for the RD registration and Lookup API paths, as different endpoints may be authorized to register with an RD from those authorized to lookup endpoints from the RD. Such access control SHOULD be performed in as fine-grained a level as possible. For example access control for lookups could be performed either at the sector, endpoint or resource level. 8.3. Denial of Service Attacks Services that run over UDP unprotected are vulnerable to unknowingly become part of a DDoS attack as UDP does not require return routability check. Therefore, an attacker can easily spoof the source IP of the target entity and send requests to such a service which would then respond to the target entity. This can be used for large-scale DDoS attacks on the target. Especially, if the service returns a response that is order of magnitudes larger than the request, the situation becomes even worse as now the attack can be amplified. DNS servers have been widely used for DDoS amplification attacks. There is also a danger that NTP Servers could become implicated in denial-of-service (DoS) attacks since they run on unprotected UDP, there is no return routability check, and they can have a large amplification factor. The responses from the NTP server were found to be 19 times larger than the request. A Resource Directory (RD) which responds to wild-card lookups is potentially vulnerable if run with CoAP over UDP. Since there is no return routability check and the responses can be significantly larger than requests, RDs can unknowingly become part of a DDoS amplification attack. 9. IANA Considerations 9.1. Resource Types IANA is asked to enter the following values into the Resource Type (rt=) Link Target Attribute Values sub-registry of the Constrained Restful Environments (CoRE) Parameters registry defined in [RFC6690]: Shelby, et al. Expires June 23, 2019 [Page 43] Internet-Draft CoRE Resource Directory December 2018 +--------------------+--------------------------+-------------------+ | Value | Description | Reference | +--------------------+--------------------------+-------------------+ | core.rd | Directory resource of an | RFCTHIS Section | | | RD | 5.2 | | core.rd-lookup-res | Resource lookup of an RD | RFCTHIS Section | | | | 5.2 | | core.rd-lookup-ep | Endpoint lookup of an RD | RFCTHIS Section | | | | 5.2 | | core.rd-ep | Endpoint resource of an | RFCTHIS Section 6 | | | RD | | +--------------------+--------------------------+-------------------+ 9.2. IPv6 ND Resource Directory Address Option This document registers one new ND option type under the sub-registry "IPv6 Neighbor Discovery Option Formats": o Resource Directory address Option (38) 9.3. RD Parameter Registry This specification defines a new sub-registry for registration and lookup parameters called "RD Parameters" under "CoRE Parameters". Although this specification defines a basic set of parameters, it is expected that other standards that make use of this interface will define new ones. Each entry in the registry must include o the human readable name of the parameter, o the short name as used in query parameters or target attributes, o indication of whether it can be passed as a query parameter at registration of endpoints, as a query parameter in lookups, or be expressed as a target attribute, o validity requirements if any, and o a description. The query parameter MUST be both a valid URI query key [RFC3986] and a token as used in [RFC8288]. The description must give details on whether the parameter can be updated, and how it is to be processed in lookups. Shelby, et al. Expires June 23, 2019 [Page 44] Internet-Draft CoRE Resource Directory December 2018 The mechanisms around new RD parameters should be designed in such a way that they tolerate RD implementations that are unaware of the parameter and expose any parameter passed at registration or updates on in endpoint lookups. (For example, if a parameter used at registration were to be confidential, the registering endpoint should be instructed to only set that parameter if the RD advertises support for keeping it confidential at the discovery step.) Initial entries in this sub-registry are as follows: +--------------+-------+---------------+-----+----------------------+ | Full name | Short | Validity | Use | Description | +--------------+-------+---------------+-----+----------------------+ | Endpoint | ep | | RLA | Name of the | | Name | | | | endpoint, max 63 | | | | | | bytes | | Lifetime | lt | 60-4294967295 | R | Lifetime of the | | | | | | registration in | | | | | | seconds | | Sector | d | | RLA | Sector to which this | | | | | | endpoint belongs | | Registration | base | URI | RLA | The scheme, address | | Base URI | | | | and port and path at | | | | | | which this server is | | | | | | available | | Page | page | Integer | L | Used for pagination | | Count | count | Integer | L | Used for pagination | | Endpoint | et | | RLA | Semantic name of the | | Type | | | | endpoint (see | | | | | | Section 9.4) | +--------------+-------+---------------+-----+----------------------+ Table 2: RD Parameters (Short: Short name used in query parameters or target attributes. Use: R = used at registration, L = used at lookup, A = expressed in target attribute The descriptions for the options defined in this document are only summarized here. To which registrations they apply and when they are to be shown is described in the respective sections of this document. The IANA policy for future additions to the sub-registry is "Expert Review" as described in [RFC8126]. The evaluation should consider formal criteria, duplication of functionality (Is the new entry redundant with an existing one?), topical suitability (E.g. is the described property actually a property of the endpoint and not a property of a particular resource, in which case it should go into Shelby, et al. Expires June 23, 2019 [Page 45] Internet-Draft CoRE Resource Directory December 2018 the payload of the registration and need not be registered?), and the potential for conflict with commonly used target attributes (For example, "if" could be used as a parameter for conditional registration if it were not to be used in lookup or attributes, but would make a bad parameter for lookup, because a resource lookup with an "if" query parameter could ambiguously filter by the registered endpoint property or the [RFC6690] target attribute). It is expected that the registry will receive between 5 and 50 registrations in total over the next years. 9.3.1. Full description of the "Endpoint Type" Registration Parameter An endpoint registering at an RD can describe itself with endpoint types, similar to how resources are described with Resource Types in [RFC6690]. An endpoint type is expressed as a string, which can be either a URI or one of the values defined in the Endpoint Type sub- registry. Endpoint types can be passed in the "et" query parameter as part of extra-attrs at the Registration step, are shown on endpoint lookups using the "et" target attribute, and can be filtered for using "et" as a search criterion in resource and endpoint lookup. Multiple endpoint types are given as separate query parameters or link attributes. Note that Endpoint Type differs from Resource Type in that it uses multiple attributes rather than space separated values. As a result, Resource Directory implementations automatically support correct filtering in the lookup interfaces from the rules for unknown endpoint attributes. 9.4. "Endpoint Type" (et=) RD Parameter values This specification establishes a new sub-registry under "CoRE Parameters" called '"Endpoint Type" (et=) RD Parameter values'. The registry properties (required policy, requirements, template) are identical to those of the Resource Type parameters in [RFC6690], in short: The review policy is IETF Review for values starting with "core", and Specification Required for others. The requirements to be enforced are: o The values MUST be related to the purpose described in Section 9.3.1. o The registered values MUST conform to the ABNF reg-rel-type definition of [RFC6690] and MUST NOT be a URI. Shelby, et al. Expires June 23, 2019 [Page 46] Internet-Draft CoRE Resource Directory December 2018 o It is recommended to use the period "." character for segmentation. The registry initially contains one value: o "core.rd-group": An application group as described in Appendix A. 9.5. Multicast Address Registration IANA has assigned the following multicast addresses for use by CoAP nodes: IPv4 - "all CoRE resource directories" address, from the "IPv4 Multicast Address Space Registry" equal to "All CoAP Nodes", 224.0.1.187. As the address is used for discovery that may span beyond a single network, it has come from the Internetwork Control Block (224.0.1.x, RFC 5771). IPv6 - "all CoRE resource directories" address MCD1 (suggestions FF0X::FE), from the "IPv6 Multicast Address Space Registry", in the "Variable Scope Multicast Addresses" space (RFC 3307). Note that there is a distinct multicast address for each scope that interested CoAP nodes should listen to; CoAP needs the Link-Local and Site-Local scopes only. 10. Examples Two examples are presented: a Lighting Installation example in Section 10.1 and a LWM2M example in Section 10.2. 10.1. Lighting Installation This example shows a simplified lighting installation which makes use of the Resource Directory (RD) with a CoAP interface to facilitate the installation and start-up of the application code in the lights and sensors. In particular, the example leads to the definition of a group and the enabling of the corresponding multicast address as described in Appendix A. No conclusions must be drawn on the realization of actual installation or naming procedures, because the example only "emphasizes" some of the issues that may influence the use of the RD and does not pretend to be normative. 10.1.1. Installation Characteristics The example assumes that the installation is managed. That means that a Commissioning Tool (CT) is used to authorize the addition of nodes, name them, and name their services. The CT can be connected to the installation in many ways: the CT can be part of the Shelby, et al. Expires June 23, 2019 [Page 47] Internet-Draft CoRE Resource Directory December 2018 installation network, connected by WiFi to the installation network, or connected via GPRS link, or other method. It is assumed that there are two naming authorities for the installation: (1) the network manager that is responsible for the correct operation of the network and the connected interfaces, and (2) the lighting manager that is responsible for the correct functioning of networked lights and sensors. The result is the existence of two naming schemes coming from the two managing entities. The example installation consists of one presence sensor, and two luminaries, luminary1 and luminary2, each with their own wireless interface. Each luminary contains three lamps: left, right and middle. Each luminary is accessible through one endpoint. For each lamp a resource exists to modify the settings of a lamp in a luminary. The purpose of the installation is that the presence sensor notifies the presence of persons to a group of lamps. The group of lamps consists of: middle and left lamps of luminary1 and right lamp of luminary2. Before commissioning by the lighting manager, the network is installed and access to the interfaces is proven to work by the network manager. At the moment of installation, the network under installation is not necessarily connected to the DNS infra structure. Therefore, SLAAC IPv6 addresses are assigned to CT, RD, luminaries and sensor shown in Table 3 below: +--------------------+----------------+ | Name | IPv6 address | +--------------------+----------------+ | luminary1 | 2001:db8:4::1 | | luminary2 | 2001:db8:4::2 | | Presence sensor | 2001:db8:4::3 | | Resource directory | 2001:db8:4::ff | +--------------------+----------------+ Table 3: interface SLAAC addresses In Section 10.1.2 the use of resource directory during installation is presented. Shelby, et al. Expires June 23, 2019 [Page 48] Internet-Draft CoRE Resource Directory December 2018 10.1.2. RD entries It is assumed that access to the DNS infrastructure is not always possible during installation. Therefore, the SLAAC addresses are used in this section. For discovery, the resource types (rt) of the devices are important. The lamps in the luminaries have rt: light, and the presence sensor has rt: p-sensor. The endpoints have names which are relevant to the light installation manager. In this case luminary1, luminary2, and the presence sensor are located in room 2-4-015, where luminary1 is located at the window and luminary2 and the presence sensor are located at the door. The endpoint names reflect this physical location. The middle, left and right lamps are accessed via path /light/middle, /light/left, and /light/right respectively. The identifiers relevant to the Resource Directory are shown in Table 4 below: +----------------+------------------+---------------+---------------+ | Name | endpoint | resource path | resource type | +----------------+------------------+---------------+---------------+ | luminary1 | lm_R2-4-015_wndw | /light/left | light | | luminary1 | lm_R2-4-015_wndw | /light/middle | light | | luminary1 | lm_R2-4-015_wndw | /light/right | light | | luminary2 | lm_R2-4-015_door | /light/left | light | | luminary2 | lm_R2-4-015_door | /light/middle | light | | luminary2 | lm_R2-4-015_door | /light/right | light | | Presence | ps_R2-4-015_door | /ps | p-sensor | | sensor | | | | +----------------+------------------+---------------+---------------+ Table 4: Resource Directory identifiers It is assumed that the CT knows the RD's address, and has performed URI discovery on it that returned a response like the one in the Section 5.2 example. The CT inserts the endpoints of the luminaries and the sensor in the RD using the registration base URI parameter (base) to specify the interface address: Shelby, et al. Expires June 23, 2019 [Page 49] Internet-Draft CoRE Resource Directory December 2018 Req: POST coap://[2001:db8:4::ff]/rd ?ep=lm_R2-4-015_wndw&base=coap://[2001:db8:4::1]&d=R2-4-015 Payload: </light/left>;rt="light", </light/middle>;rt="light", </light/right>;rt="light" Res: 2.01 Created Location-Path: /rd/4521 Req: POST coap://[2001:db8:4::ff]/rd ?ep=lm_R2-4-015_door&base=coap://[2001:db8:4::2]&d=R2-4-015 Payload: </light/left>;rt="light", </light/middle>;rt="light", </light/right>;rt="light" Res: 2.01 Created Location-Path: /rd/4522 Req: POST coap://[2001:db8:4::ff]/rd ?ep=ps_R2-4-015_door&base=coap://[2001:db8:4::3]d&d=R2-4-015 Payload: </ps>;rt="p-sensor" Res: 2.01 Created Location-Path: /rd/4523 The sector name d=R2-4-015 has been added for an efficient lookup because filtering on "ep" name is more awkward. The same sector name is communicated to the two luminaries and the presence sensor by the CT. The group is specified in the RD. The base parameter is set to the site-local multicast address allocated to the group. In the POST in the example below, the resources supported by all group members are published. Req: POST coap://[2001:db8:4::ff]/rd ?ep=grp_R2-4-015&et=core.rd-group&base=coap://[ff05::1] Payload: </light/left>;rt="light", </light/middle>;rt="light", </light/right>;rt="light" Res: 2.01 Created Location-Path: /rd/501 Shelby, et al. Expires June 23, 2019 [Page 50] Internet-Draft CoRE Resource Directory December 2018 After the filling of the RD by the CT, the application in the luminaries can learn to which groups they belong, and enable their interface for the multicast address. The luminary, knowing its sector and being configured to join any group containing lights, searches for candidate groups and joins them: Req: GET coap://[2001:db8:4::ff]/rd-lookup/ep ?d=R2-4-015&et=core.rd-group&rt=light Res: 2.05 Content </rd/501>;ep="grp_R2-4-015";et="core.rd-group"; base="coap://[ff05::1]";rt="core.rd-ep" From the returned base parameter value, the luminary learns the multicast address of the multicast group. Alternatively, the CT can communicate the multicast address directly to the luminaries by using the "coap-group" resource specified in [RFC7390]. Req: POST coap://[2001:db8:4::1]/coap-group Content-Format: application/coap-group+json Payload: { "a": "[ff05::1]", "n": "grp_R2-4-015"} Res: 2.01 Created Location-Path: /coap-group/1 Dependent on the situation, only the address, "a", or the name, "n", is specified in the coap-group resource. The presence sensor can learn the presence of groups that support resources with rt=light in its own sector by sending the same request, as used by the luminary. The presence sensor learns the multicast address to use for sending messages to the luminaries. 10.2. OMA Lightweight M2M (LWM2M) Example This example shows how the OMA LWM2M specification makes use of Resource Directory (RD). OMA LWM2M is a profile for device services based on CoAP(OMA Name Authority). LWM2M defines a simple object model and a number of abstract interfaces and operations for device management and device service enablement. Shelby, et al. Expires June 23, 2019 [Page 51] Internet-Draft CoRE Resource Directory December 2018 An LWM2M server is an instance of an LWM2M middleware service layer, containing a Resource Directory along with other LWM2M interfaces defined by the LWM2M specification. CoRE Resource Directory (RD) is used to provide the LWM2M Registration interface. LWM2M does not provide for registration sectors and does not currently use the rd-lookup interface. The LWM2M specification describes a set of interfaces and a resource model used between a LWM2M device and an LWM2M server. Other interfaces, proxies, and applications are currently out of scope for LWM2M. The location of the LWM2M Server and RD URI path is provided by the LWM2M Bootstrap process, so no dynamic discovery of the RD is used. LWM2M Servers and endpoints are not required to implement the /.well- known/core resource. 10.2.1. The LWM2M Object Model The OMA LWM2M object model is based on a simple 2 level class hierarchy consisting of Objects and Resources. An LWM2M Resource is a REST endpoint, allowed to be a single value or an array of values of the same data type. An LWM2M Object is a resource template and container type that encapsulates a set of related resources. An LWM2M Object represents a specific type of information source; for example, there is a LWM2M Device Management object that represents a network connection, containing resources that represent individual properties like radio signal strength. Since there may potentially be more than one of a given type object, for example more than one network connection, LWM2M defines instances of objects that contain the resources that represent a specific physical thing. The URI template for LWM2M consists of a base URI followed by Object, Instance, and Resource IDs: {/base-uri}{/object-id}{/object-instance}{/resource-id}{/resource- instance} The five variables given here are strings. base-uri can also have the special value "undefined" (sometimes called "null" in RFC 6570). Shelby, et al. Expires June 23, 2019 [Page 52] Internet-Draft CoRE Resource Directory December 2018 Each of the variables object-instance, resource-id, and resource- instance can be the special value "undefined" only if the values behind it in this sequence also are "undefined". As a special case, object-instance can be "empty" (which is different from "undefined") if resource-id is not "undefined". base-uri := Base URI for LWM2M resources or "undefined" for default (empty) base URI object-id := OMNA (OMA Name Authority) registered object ID (0-65535) object-instance := Object instance identifier (0-65535) or "undefined"/"empty" (see above)) to refer to all instances of an object ID resource-id := OMNA (OMA Name Authority) registered resource ID (0-65535) or "undefined" to refer to all resources within an instance resource-instance := Resource instance identifier or "undefined" to refer to single instance of a resource LWM2M IDs are 16 bit unsigned integers represented in decimal (no leading zeroes except for the value 0) by URI format strings. For example, a LWM2M URI might be: /1/0/1 The base uri is empty, the Object ID is 1, the instance ID is 0, the resource ID is 1, and the resource instance is "undefined". This example URI points to internal resource 1, which represents the registration lifetime configured, in instance 0 of a type 1 object (LWM2M Server Object). 10.2.2. LWM2M Register Endpoint LWM2M defines a registration interface based on the REST API, described in Section 5. The RD registration URI path of the LWM2M Resource Directory is specified to be "/rd". LWM2M endpoints register object IDs, for example </1>, to indicate that a particular object type is supported, and register object instances, for example </1/0>, to indicate that a particular instance of that object type exists. Resources within the LWM2M object instance are not registered with the RD, but may be discovered by reading the resource links from the object instance using GET with a CoAP Content-Format of application/ link-format. Resources may also be read as a structured object by Shelby, et al. Expires June 23, 2019 [Page 53] Internet-Draft CoRE Resource Directory December 2018 performing a GET to the object instance with a Content-Format of senml+json. When an LWM2M object or instance is registered, this indicates to the LWM2M server that the object and its resources are available for management and service enablement (REST API) operations. LWM2M endpoints may use the following RD registration parameters as defined in Table 2 : ep - Endpoint Name lt - registration lifetime Endpoint Name, Lifetime, and LWM2M Version are mandatory parameters for the register operation, all other registration parameters are optional. Additional optional LWM2M registration parameters are defined: +-----------+-------+-------------------------------+---------------+ | Name | Query | Validity | Description | +-----------+-------+-------------------------------+---------------+ | Binding | b | {"U",UQ","S","SQ","US","UQS"} | Available | | Mode | | | Protocols | | | | | | | LWM2M | ver | 1.0 | Spec Version | | Version | | | | | | | | | | SMS | sms | | MSISDN | | Number | | | | +-----------+-------+-------------------------------+---------------+ Table 5: LWM2M Additional Registration Parameters The following RD registration parameters are not currently specified for use in LWM2M: et - Endpoint Type base - Registration Base URI The endpoint registration must include a payload containing links to all supported objects and existing object instances, optionally including the appropriate link-format relations. Here is an example LWM2M registration payload: </1>,</1/0>,</3/0>,</5> Shelby, et al. Expires June 23, 2019 [Page 54] Internet-Draft CoRE Resource Directory December 2018 This link format payload indicates that object ID 1 (LWM2M Server Object) is supported, with a single instance 0 existing, object ID 3 (LWM2M Device object) is supported, with a single instance 0 existing, and object 5 (LWM2M Firmware Object) is supported, with no existing instances. 10.2.3. LWM2M Update Endpoint Registration The LwM2M update is really very similar to the registration update as described in Section 5.4.1, with the only difference that there are more parameters defined and available. All the parameters listed in that section are also available with the initial registration but are all optional: lt - Registration Lifetime b - Protocol Binding sms - MSISDN link payload - new or modified links A Registration update is also specified to be used to update the LWM2M server whenever the endpoint's UDP port or IP address are changed. 10.2.4. LWM2M De-Register Endpoint LWM2M allows for de-registration using the delete method on the returned location from the initial registration operation. LWM2M de- registration proceeds as described in Section 5.4.2. 11. Acknowledgments Oscar Novo, Srdjan Krco, Szymon Sasin, Kerry Lynn, Esko Dijk, Anders Brandt, Matthieu Vial, Jim Schaad, Mohit Sethi, Hauke Petersen, Hannes Tschofenig, Sampo Ukkola, Linyi Tian, and Jan Newmarch have provided helpful comments, discussions and ideas to improve and shape this document. Zach would also like to thank his colleagues from the EU FP7 SENSEI project, where many of the resource directory concepts were originally developed. 12. Changelog changes from -17 to -18 o Rather than re-specifying link format (Modernized Link Format), describe a Limited Link Format that's the uncontested subset of Link Format o Acknowledging the -17 version as part of the draft Shelby, et al. Expires June 23, 2019 [Page 55] Internet-Draft CoRE Resource Directory December 2018 o Move "Read endpoint links" operation to future specification like PATCH o Demote links-json to an informative reference, and removed them from exchange examples o Add note on unusability of link-local IP addresses, and describe mitigation. o Reshuffling of sections: Move additional operations and endpoint lookup back from appendix, and groups into one o Lookup interface tightened to not imply applicability for non link-format lookups (as those can have vastly different views on link cardinality) o Simple registration: Change sequence of GET and POST-response, ensuring unsuccessful registrations are reported as such, and suggest how devices that would have required the inverse behavior can still cope with it. o Abstract and introduction reworded to avoid the impression that resources are stored in full in the RD o Simplify the rules governing when a registration resource can or must be changed. o Drop a figure that has become useless due to the changes of and -13 and -17 o Wording consistency fixes: Use "Registrations" and "target attributes" o Fix incorrect use of content negotiation in discovery interface description (Content-Format -> Accept) o State that the base attribute value is part of endpoint lookup even when implicit in the registration o Update references from RFC5988 to its update RFC8288 o Remove appendix on protocol-negotiation (which had a note to be removed before publication) changes from -16 to -17 (Note that -17 is published as a direct follow-up to -16, containing a single change to be discussed at IETF103) Shelby, et al. Expires June 23, 2019 [Page 56] Internet-Draft CoRE Resource Directory December 2018 o Removed groups that are enumerations of registrations and have dedicated mechanism o Add groups that are enumerations of shared resources and are a special case of endpoint registrations changes from -15 to -16 o Recommend a common set of resources for members of a group o Clarified use of multicast group in lighting example o Add note on concurrent registrations from one EP being possible but not expected o Refresh web examples appendix to reflect current use of Modernized Link Format o Add examples of URIs where Modernized Link Format matters o Editorial changes changes from -14 to -15 o Rewrite of section "Security policies" o Clarify that the "base" parameter text applies both to relative references both in anchor and href o Renamed "Registree-EP" to Registrant-EP" o Talk of "relative references" and "URIs" rather than "relative" and "absolute" URIs. (The concept of "absolute URIs" of [RFC3986] is not needed in RD). o Fixed examples o Editorial changes changes from -13 to -14 o Rename "registration context" to "registration base URI" (and "con" to "base") and "domain" to "sector" (where the abbreviation "d" stays for compatibility reasons) o Introduced resource types core.rd-ep and core.rd-gp Shelby, et al. Expires June 23, 2019 [Page 57] Internet-Draft CoRE Resource Directory December 2018 o Registration management moved to appendix A, including endpoint and group lookup o Minor editorial changes * PATCH/iPATCH is clearly deferred to another document * Recommend against query / fragment identifier in con= * Interface description lists are described as illustrative * Rewording of Simple Registration o Simple registration carries no error information and succeeds immediately (previously, sequence was unspecified) o Lookup: href are matched against resolved values (previously, this was unspecified) o Lookup: lt are not exposed any more o con/base: Paths are allowed o Registration resource locations can not have query or fragment parts o Default life time extended to 25 hours o clarified registration update rules o lt-value semantics for lookup clarified. o added template for simple registration changes from -12 to -13 o Added "all resource directory" nodes MC address o Clarified observation behavior o version identification o example rt= and et= values o domain from figure 2 o more explanatory text Shelby, et al. Expires June 23, 2019 [Page 58] Internet-Draft CoRE Resource Directory December 2018 o endpoints of a groups hosted by different RD o resolve RFC6690-vs-8288 resolution ambiguities: * require registered links not to be relative when using anchor * return absolute URIs in resource lookup changes from -11 to -12 o added Content Model section, including ER diagram o removed domain lookup interface; domains are now plain attributes of groups and endpoints o updated chapter "Finding a Resource Directory"; now distinguishes configuration-provided, network-provided and heuristic sources o improved text on: atomicity, idempotency, lookup with multiple parameters, endpoint removal, simple registration o updated LWM2M description o clarified where relative references are resolved, and how context and anchor interact o new appendix on the interaction with RFCs 6690, 5988 and 3986 o lookup interface: group and endpoint lookup return group and registration resources as link targets o lookup interface: search parameters work the same across all entities o removed all methods that modify links in an existing registration (POST with payload, PATCH and iPATCH) o removed plurality definition (was only needed for link modification) o enhanced IANA registry text o state that lookup resources can be observable o More examples and improved text changes from -09 to -10 Shelby, et al. Expires June 23, 2019 [Page 59] Internet-Draft CoRE Resource Directory December 2018 o removed "ins" and "exp" link-format extensions. o removed all text concerning DNS-SD. o removed inconsistency in RDAO text. o suggestions taken over from various sources o replaced "Function Set" with "REST API", "base URI", "base path" o moved simple registration to registration section changes from -08 to -09 o clarified the "example use" of the base RD resource values /rd, /rd-lookup, and /rd-group. o changed "ins" ABNF notation. o various editorial improvements, including in examples o clarifications for RDAO changes from -07 to -08 o removed link target value returned from domain and group lookup types o Maximum length of domain parameter 63 bytes for consistency with group o removed option for simple POST of link data, don't require a .well-known/core resource to accept POST data and handle it in a special way; we already have /rd for that o add IPv6 ND Option for discovery of an RD o clarify group configuration section 6.1 that endpoints must be registered before including them in a group o removed all superfluous client-server diagrams o simplified lighting example o introduced Commissioning Tool o RD-Look-up text is extended. Shelby, et al. Expires June 23, 2019 [Page 60] Internet-Draft CoRE Resource Directory December 2018 changes from -06 to -07 o added text in the discovery section to allow content format hints to be exposed in the discovery link attributes o editorial updates to section 9 o update author information o minor text corrections Changes from -05 to -06 o added note that the PATCH section is contingent on the progress of the PATCH method changes from -04 to -05 o added Update Endpoint Links using PATCH o http access made explicit in interface specification o Added http examples Changes from -03 to -04: o Added http response codes o Clarified endpoint name usage o Add application/link-format+cbor content-format Changes from -02 to -03: o Added an example for lighting and DNS integration o Added an example for RD use in OMA LWM2M o Added Read Links operation for link inspection by endpoints o Expanded DNS-SD section o Added draft authors Peter van der Stok and Michael Koster Changes from -01 to -02: o Added a catalogue use case. Shelby, et al. Expires June 23, 2019 [Page 61] Internet-Draft CoRE Resource Directory December 2018 o Changed the registration update to a POST with optional link format payload. Removed the endpoint type update from the update. o Additional examples section added for more complex use cases. o New DNS-SD mapping section. o Added text on endpoint identification and authentication. o Error code 4.04 added to Registration Update and Delete requests. o Made 63 bytes a SHOULD rather than a MUST for endpoint name and resource type parameters. Changes from -00 to -01: o Removed the ETag validation feature. o Place holder for the DNS-SD mapping section. o Explicitly disabled GET or POST on returned Location. o New registry for RD parameters. o Added support for the JSON Link Format. o Added reference to the Groupcomm WG draft. Changes from -05 to WG Document -00: o Updated the version and date. Changes from -04 to -05: o Restricted Update to parameter updates. o Added pagination support for the Lookup interface. o Minor editing, bug fixes and reference updates. o Added group support. o Changed rt to et for the registration and update interface. Changes from -03 to -04: o Added the ins= parameter back for the DNS-SD mapping. Shelby, et al. Expires June 23, 2019 [Page 62] Internet-Draft CoRE Resource Directory December 2018 o Integrated the Simple Directory Discovery from Carsten. o Editorial improvements. o Fixed the use of ETags. o Fixed tickets 383 and 372 Changes from -02 to -03: o Changed the endpoint name back to a single registration parameter ep= and removed the h= and ins= parameters. o Updated REST interface descriptions to use RFC6570 URI Template format. o Introduced an improved RD Lookup design as its own function set. o Improved the security considerations section. o Made the POST registration interface idempotent by requiring the ep= parameter to be present. Changes from -01 to -02: o Added a terminology section. o Changed the inclusion of an ETag in registration or update to a MAY. o Added the concept of an RD Domain and a registration parameter for it. o Recommended the Location returned from a registration to be stable, allowing for endpoint and Domain information to be changed during updates. o Changed the lookup interface to accept endpoint and Domain as query string parameters to control the scope of a lookup. 13. References 13.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. Shelby, et al. Expires June 23, 2019 [Page 63] Internet-Draft CoRE Resource Directory December 2018 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.rfc-editor.org/info/rfc3986>. [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., and D. Orchard, "URI Template", RFC 6570, DOI 10.17487/RFC6570, March 2012, <https://www.rfc-editor.org/info/rfc6570>. [RFC6690] Shelby, Z., "Constrained RESTful Environments (CoRE) Link Format", RFC 6690, DOI 10.17487/RFC6690, August 2012, <https://www.rfc-editor.org/info/rfc6690>. [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013, <https://www.rfc-editor.org/info/rfc6763>. [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, <https://www.rfc-editor.org/info/rfc8126>. 13.2. Informative References [ER] Chen, P., "The entity-relationship model---toward a unified view of data", ACM Transactions on Database Systems Vol. 1, pp. 9-36, DOI 10.1145/320434.320440, March 1976. [I-D.arkko-core-dev-urn] Arkko, J., Jennings, C., and Z. Shelby, "Uniform Resource Names for Device Identifiers", draft-arkko-core-dev-urn-05 (work in progress), October 2017. [I-D.bormann-t2trg-rel-impl] Bormann, C., "impl-info: A link relation type for disclosing implementation information", draft-bormann- t2trg-rel-impl-00 (work in progress), January 2018. [I-D.hartke-t2trg-coral] Hartke, K., "The Constrained RESTful Application Language (CoRAL)", draft-hartke-t2trg-coral-06 (work in progress), October 2018. Shelby, et al. Expires June 23, 2019 [Page 64] Internet-Draft CoRE Resource Directory December 2018 [I-D.ietf-ace-oauth-authz] Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth)", draft-ietf-ace-oauth-authz-17 (work in progress), November 2018. [I-D.ietf-anima-bootstrapping-keyinfra] Pritikin, M., Richardson, M., Behringer, M., Bjarnason, S., and K. Watsen, "Bootstrapping Remote Secure Key Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping- keyinfra-17 (work in progress), November 2018. [I-D.ietf-core-links-json] Li, K., Rahman, A., and C. Bormann, "Representing Constrained RESTful Environments (CoRE) Link Format in JSON and CBOR", draft-ietf-core-links-json-10 (work in progress), February 2018. [I-D.silverajan-core-coap-protocol-negotiation] Silverajan, B. and M. Ocak, "CoAP Protocol Negotiation", draft-silverajan-core-coap-protocol-negotiation-09 (work in progress), July 2018. [RFC6775] Shelby, Z., Ed., Chakrabarti, S., Nordmark, E., and C. Bormann, "Neighbor Discovery Optimization for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)", RFC 6775, DOI 10.17487/RFC6775, November 2012, <https://www.rfc-editor.org/info/rfc6775>. [RFC6874] Carpenter, B., Cheshire, S., and R. Hinden, "Representing IPv6 Zone Identifiers in Address Literals and Uniform Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874, February 2013, <https://www.rfc-editor.org/info/rfc6874>. [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, <https://www.rfc-editor.org/info/rfc7230>. [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, June 2014, <https://www.rfc-editor.org/info/rfc7252>. Shelby, et al. Expires June 23, 2019 [Page 65] Internet-Draft CoRE Resource Directory December 2018 [RFC7390] Rahman, A., Ed. and E. Dijk, Ed., "Group Communication for the Constrained Application Protocol (CoAP)", RFC 7390, DOI 10.17487/RFC7390, October 2014, <https://www.rfc-editor.org/info/rfc7390>. [RFC7641] Hartke, K., "Observing Resources in the Constrained Application Protocol (CoAP)", RFC 7641, DOI 10.17487/RFC7641, September 2015, <https://www.rfc-editor.org/info/rfc7641>. [RFC8132] van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and FETCH Methods for the Constrained Application Protocol (CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017, <https://www.rfc-editor.org/info/rfc8132>. [RFC8288] Nottingham, M., "Web Linking", RFC 8288, DOI 10.17487/RFC8288, October 2017, <https://www.rfc-editor.org/info/rfc8288>. [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, May 2018, <https://www.rfc-editor.org/info/rfc8392>. Appendix A. Groups Registration and Lookup The RD-Groups usage pattern allows announcing application groups inside a Resource Directory. Groups are represented by endpoint registrations. Their base address is a multicast address, and they SHOULD be entered with the endpoint type "core.rd-group". The endpoint name can also be referred to as a group name in this context. The registration is inserted into the RD by a Commissioning Tool, which might also be known as a group manager here. It performs third party registration and registration updates. The links it registers SHOULD be available on all members that join the group. Depending on the application, members that lack some resource MAY be permissible if requests to them fail gracefully. The following example shows a CT registering a group with the name "lights" which provides two resources. The directory resource path /rd is an example RD location discovered in a request similar to Figure 5. Shelby, et al. Expires June 23, 2019 [Page 66] Internet-Draft CoRE Resource Directory December 2018 Req: POST coap://rd.example.com/rd?ep=lights&et=core.rd-group &base=coap://[ff35:30:2001:db8::1] Content-Format: 40 Payload: </light>;rt="light";if="core.a", </color-temperature>;if="core.p";u="K" Res: 2.01 Created Location-Path: /rd/12 In this example, the group manager can easily permit devices that have no writable color-temperature to join, as they would still respond to brightness changing commands. Had the group instead contained a single resource that sets brightness and color temperature atomically, endpoints would need to support both properties. The resources of a group can be looked up like any other resource, and the group registrations (along with any additional registration parameters) can be looked up using the endpoint lookup interface. The following example shows a client performing and endpoint lookup for all groups. Req: GET /rd-lookup/ep?et=core.rd-group Res: 2.01 Content Payload: </rd/501>;ep="GRP_R2-4-015";et="core.rd-group"; base="coap://[ff05::1]", </rd/12>;ep=lights&et=core.rd-group; base="coap://[ff35:30:2001:db8::1]";rt="core.rd-ep" The following example shows a client performing a lookup of all resources of all endpoints (groups) with et=core.rd-group. Req: GET /rd-lookup/res?et=core.rd-group <coap://[ff35:30:2001:db8::1]/light>;rt="light";if="core.a"; et="core.rd-group";anchor="coap://[ff35:30:2001:db8::1]", <coap://[ff35:30:2001:db8::1]/color-temperature>;if="core.p";u="K"; et="core.rd-group"; anchor="coap://[ff35:30:2001:db8::1]" Shelby, et al. Expires June 23, 2019 [Page 67] Internet-Draft CoRE Resource Directory December 2018 Appendix B. Web links and the Resource Directory Understanding the semantics of a link-format document and its URI references is a journey through different documents ([RFC3986] defining URIs, [RFC6690] defining link-format documents based on [RFC8288] which defines link headers, and [RFC7252] providing the transport). This appendix summarizes the mechanisms and semantics at play from an entry in ".well-known/core" to a resource lookup. This text is primarily aimed at people entering the field of Constrained Restful Environments from applications that previously did not use web mechanisms. The explanation of the steps makes some shortcuts in the more confusing details of [RFC6690], which are justified as all examples being in Limited Link Format. B.1. A simple example Let's start this example with a very simple host, "2001:db8:f0::1". A client that follows classical CoAP Discovery ([RFC7252] Section 7), sends the following multicast request to learn about neighbours supporting resources with resource-type "temperature". The client sends a link-local multicast: GET coap://[ff02::fd]:5683/.well-known/core?rt=temperature RES 2.05 Content </temp>;rt=temperature;ct=0 where the response is sent by the server, "[2001:db8:f0::1]:5683". While the client - on the practical or implementation side - can just go ahead and create a new request to "[2001:db8:f0::1]:5683" with Uri-Path: "temp", the full resolution steps for insertion into and retrieval from the RD without any shortcuts are: B.1.1. Resolving the URIs The client parses the single returned record. The link's target (sometimes called "href") is ""/temp"", which is a relative URI that needs resolving. The base URI <coap://[ff02::fd]:5683/.well-known/ core> is used to resolve the reference /temp against. The Base URI of the requested resource can be composed from the header options of the CoAP GET request by following the steps of Shelby, et al. Expires June 23, 2019 [Page 68] Internet-Draft CoRE Resource Directory December 2018 [RFC7252] section 6.5 (with an addition at the end of 8.2) into ""coap://[2001:db8:f0::1]/.well-known/core"". Because ""/temp"" starts with a single slash, the record's target is resolved by replacing the path ""/.well-known/core"" from the Base URI (section 5.2 [RFC3986]) with the relative target URI ""/temp"" into ""coap://[2001:db8:f0::1]/temp"". B.1.2. Interpreting attributes and relations Some more information but the record's target can be obtained from the payload: the resource type of the target is "temperature", and its content type is text/plain (ct=0). A relation in a web link is a three-part statement that specifies a named relation between the so-called "context resource" and the target resource, like "_This page_ has _its table of contents_ at _/ toc.html_". In link format documents, there is an implicit "host relation" specified with default parameter: rel="hosts". In our example, the context resource of the link is the URI specified in the GET request "coap:://[2001:db8:f0::1]/.well-known/core". A full English expression of the "host relation" is: '"coap://[2001:db8:f0::1]/.well-known/core" is hosting the resource "coap://[2001:db8:f0::1]/temp", which is of the resource type "temperature" and can be accessed using the text/plain content format.' B.2. A slightly more complex example Omitting the "rt=temperature" filter, the discovery query would have given some more records in the payload: GET coap://[ff02::fd]:5683/.well-known/core RES 2.05 Content </temp>;rt=temperature;ct=0, </light>;rt=light-lux;ct=0, </t>;anchor="/sensors/temp";rel=alternate, <http://www.example.com/sensors/t123>;anchor="/sensors/temp"; rel="describedby" Parsing the third record, the client encounters the "anchor" parameter. It is a URI relative to the Base URI of the request and is thus resolved to ""coap://[2001:db8:f0::1]/sensors/temp"". That is the context resource of the link, so the "rel" statement is not about the target and the Base URI any more, but about the target and Shelby, et al. Expires June 23, 2019 [Page 69] Internet-Draft CoRE Resource Directory December 2018 the resolved URI. Thus, the third record could be read as ""coap://[2001:db8:f0::1]/sensors/temp" has an alternate representation at "coap://[2001:db8:f0::1]/t"". Following the same resolution steps, the fourth record can be read as ""coap://[2001:db8:f0::1]/sensors/temp" is described by "http://www.example.com/sensors/t123"". B.3. Enter the Resource Directory The resource directory tries to carry the semantics obtainable by classical CoAP discovery over to the resource lookup interface as faithfully as possible. For the following queries, we will assume that the simple host has used Simple Registration to register at the resource directory that was announced to it, sending this request from its UDP port "[2001:db8:f0::1]:6553": POST coap://[2001:db8:f01::ff]/.well-known/core?ep=simple-host1 The resource directory would have accepted the registration, and queried the simple host's ".well-known/core" by itself. As a result, the host is registered as an endpoint in the RD with the name "simple-host1". The registration is active for 90000 seconds, and the endpoint registration Base URI is ""coap://[2001:db8:f0::1]"" following the resolution steps described in Appendix B.1.1. It should be remarked that the Base URI constructed that way always yields a URI of the form: scheme://authority without path suffix. If the client now queries the RD as it would previously have issued a multicast request, it would go through the RD discovery steps by fetching "coap://[2001:db8:f0::ff]/.well-known/core?rt=core.rd- lookup-res", obtain "coap://[2001:db8:f0::ff]/rd-lookup/res" as the resource lookup endpoint, and issue a request to "coap://[2001:db8:f0::ff]/rd-lookup/res?rt=temperature" to receive the following data: <coap://[2001:db8:f0::1]/temp>;rt=temperature;ct=0; anchor="coap://[2001:db8:f0::1]" This is not _literally_ the same response that it would have received from a multicast request, but it contains the equivalent statement: '"coap://[2001:db8:f0::1]" is hosting the resource "coap://[2001:db8:f0::1]/temp", which is of the resource type "temperature" and can be accessed using the text/plain content format.' Shelby, et al. Expires June 23, 2019 [Page 70] Internet-Draft CoRE Resource Directory December 2018 (The difference is whether "/" or "/.well-known/core" hosts the resources, which does not matter in this application; if it did, the endpoint would have been more explicit. Actually, /.well-known/core does NOT host the resource but stores a URI reference to the resource.) To complete the examples, the client could also query all resources hosted at the endpoint with the known endpoint name "simple-host1". A request to "coap://[2001:db8:f0::ff]/rd-lookup/res?ep=simple-host1" would return <coap://[2001:db8:f0::1]/temp>;rt=temperature;ct=0; anchor="coap://[2001:db8:f0::1]", <coap://[2001:db8:f0::1]/light>;rt=light-lux;ct=0; anchor="coap://[2001:db8:f0::1]", <coap://[2001:db8:f0::1]/t>; anchor="coap://[2001:db8:f0::1]/sensors/temp";rel=alternate, <http://www.example.com/sensors/t123>; anchor="coap://[2001:db8:f0::1]/sensors/temp";rel="describedby" All the target and anchor references are already in absolute form there, which don't need to be resolved any further. Had the simple host done an equivalent full registration with a base= parameter (e.g. "?ep=simple-host1&base=coap+tcp://simple- host1.example.com"), that context would have been used to resolve the relative anchor values instead, giving <coap+tcp://simple-host1.example.com/temp>;rt=temperature;ct=0; anchor="coap+tcp://simple-host1.example.com" and analogous records. B.4. A note on differences between link-format and Link headers While link-format and Link headers look very similar and are based on the same model of typed links, there are some differences between [RFC6690] and [RFC8288], which are dealt with differently: o "Resolving the target against the anchor": [RFC6690] Section 2.1 states that the anchor of a link is used as the Base URI against which the term inside the angle brackets (the target) is resolved, falling back to the resource's URI with paths stripped off (its "Origin"). In contrast to that, [RFC8288] Section B.2 describes that the anchor is immaterial to the resolution of the target reference. Shelby, et al. Expires June 23, 2019 [Page 71] Internet-Draft CoRE Resource Directory December 2018 RFC6690, in the same section, also states that absent anchors set the context of the link to the target's URI with its path stripped off, while according to [RFC8288] Section 3.2, the context is the resource's base URI. The rules introduced in Appendix C ensure that an RD does not need to deal with those differences when processing input data. Lookup results are required to be absolute references for the same reason. o There is no percent encoding in link-format documents. A link-format document is a UTF-8 encoded string of Unicode characters and does not have percent encoding, while Link headers are practically ASCII strings that use percent encoding for non- ASCII characters, stating the encoding explicitly when required. For example, while a Link header in a page about a Swedish city might read "Link: </temperature/Malm%C3%B6>;rel="live-environment-data"" a link-format document from the same source might describe the link as "</temperature/Malmoe>;rel="live-environment-data"" Parsers and producers of link-format and header data need to be aware of this difference. Appendix C. Limited Link Format The CoRE Link Format as described in [RFC6690] has been interpreted differently by implementers, and a strict implementation rules out some use cases of a Resource Directory (e.g. base values with path components). This appendix describes a subset of link format documents called Limited Link Format. The rules herein are not very limiting in practice - all examples in RFC6690, and all deployments the authors are aware of already stick to them - but ease the implementation of resource directory servers. It is applicable to representations in the application/link-format media type, and any other media types that inherit [RFC6690] Section 2.1. Shelby, et al. Expires June 23, 2019 [Page 72] Internet-Draft CoRE Resource Directory December 2018 A link format representation is in Limited Link format if, for each link in it, the following applies: o All URI references either follow the URI or the path-absolute ABNF rule of RFC3986 (i.e. target and anchor each either start with a scheme or with a single slash), o if the anchor reference starts with a scheme, the target reference starts with a scheme as well (i.e. relative references in target cannot be used when the anchor is a full URI), and o the application does not care whether links without an explicitly given anchor have the origin's "/" or "/.well-known/core" resource as their link context. Authors' Addresses Zach Shelby ARM 150 Rose Orchard San Jose 95134 USA Phone: +1-408-203-9434 Email: zach.shelby@arm.com Michael Koster SmartThings 665 Clyde Avenue Mountain View 94043 USA Phone: +1-707-502-5136 Email: Michael.Koster@smartthings.com Carsten Bormann Universitaet Bremen TZI Postfach 330440 Bremen D-28359 Germany Phone: +49-421-218-63921 Email: cabo@tzi.org Shelby, et al. Expires June 23, 2019 [Page 73] Internet-Draft CoRE Resource Directory December 2018 Peter van der Stok consultant Phone: +31-492474673 (Netherlands), +33-966015248 (France) Email: consultancy@vanderstok.org URI: www.vanderstok.org Christian Amsuess (editor) Hollandstr. 12/4 1020 Austria Phone: +43-664-9790639 Email: christian@amsuess.com Shelby, et al. Expires June 23, 2019 [Page 74]