Using onion routing with CoAP

1.1. Components overview

This document introduces separate mechanisms that in combination enable setups similar to how Tor is used for anonymous web access. Some of the mechanisms need no new protocol components, but merely describe which existing steps are used to obtain the desired results.¶

• A client can use EDHOC to establish a unilaterally authenticated OSCORE context with proxies (see Section 3.1).¶
• A server can use EDHOC to establish a unilaterally authenticated OSCORE context to establish a reverse proxy address (see Section 3.2).¶
• A discovery mechanism for proxies (see Section 3.3).¶
• A naming and discovery mechanism for hidden services (see Section 3.4).¶

Note that these mechanisms should be largely independent: A server that does not intend to hide its position can still advertise a cryptographic name at its real network coordinates, and thus be available both to clients that do hide their location (even if their proxies do not work as “exit nodes” in Tor terminology) and to clients on a local network.¶

Figure 1 illustrates an example topology, and Figure 2 illustrates a cross-section of the OSCORE layers along one path.¶

3.1. Client proxy chain

A client can pick one or more proxies to hide its position in the network.¶

Without OSCORE proxies, only one proxy hop can be chosen, because the CoAP requests contains at most two addresses: The address in the IP header, and the address in the Uri-Host option. With the mechanisms introduced in [I-D.tiloca-core-oscore-capable-proxies], CoAP request can contain a Uri-Host option in each layer of OSCORE, effectively building a source routing chain.¶

To build the chain, the client first chooses its first proxy hop, and runs EDHOC to establish an OSCORE context. In this process, the proxy authenticates with its long-term credentials, whereas the client uses an ephemeral key (a plain CWT Cliams Set, [RFC8392]). The process can take as little as one round-trip per proxy; when message 3 of EDHOC is sent along with the OSCORE message (see [I-D.ietf-core-oscore-edhoc]) that contains the next hop’s message 1,¶

Once one proxy context is established, EDHOC can be run through that proxy with the next proxy, until a chain of sufficient length has been established. Care has to be taken to never use one of the later proxies with any chain other than the chain through which the connection was established, for otherwise the client can be deanonymized mor easily.¶

When forwarding messages, every forward proxy strips off a layer of OSCORE from the request, and adds one to the response.¶

Possible optimizations:¶

• Can EDHOC be run without transmitting two public keys (G_X and G_I) for the client? (I.e., Can G_X be re-used as G_I without harm to EDHOC (likely not), and how would that be communicated?)¶

• For hops that are only ever used with a single next-hop, as is typical with all but the first proxy (see guidance below): Can default values for Proxy-Scheme and Uri-Host be communicated during EDHOC, values that would later be elided? Otherwise, every request would contain explicit addresses of the full chain. If taken to the extreme, this might be setting up a SCHC context that also compresses parts of the OSCORE option, where the client tells each proxy what the KID used with the next proxy is, and uses the same sender sequence number for the hops. (This has own security considerations; might be necessary to apply offsets, at which point it gets overly complex).¶

  Effectively, setting a default value for Proxy-Scheme and Uri-Host makes that (originally forward) proxy a reverse proxy.¶

3.2. Server proxy chain

A server can pick one or more proxies to hide its position in the network.¶

Unlike forward proxies, which are configured per request, this requires a dedicated mechanism.¶

TBD: This document does not yet specify such a mechanism, but may draw upon the reverse proxy request of Section 2 of [I-D.amsuess-core-resource-directory-extensions].¶

When forwarding messages, every reverse proxy adds a layer of OSCORE to the request, and removes one from the response.¶

3.3. Proxy discovery

A mechanism for discovering forward proxies is already described in [I-D.ietf-core-transport-indication]; discovery of reverse proxies suitable for servers will depend on the precise mechanism used.¶

Both proxies’ discovery process may need to be augmented with metadata that indicates whether the proxy is willing to proxy to arbitrary locations on the Internet, or merely to hidden peers. That distinction in forwrd proxies would be similar to how Tor distinguishes relay and exit nodes. In reverse proxies, there is an analogous distinction that is not so much based on policy but rather on the structure of the authority component used by that reverse proxy: If the name is resolvable on regular CoAP stacks (i.e., DNS can resolve it to a global IP address), then regular CoAP clients can use the introduction address as an entry point. It is still up to the hidden server’s policy to decide whether to allow access that is merely protected by the chain of hidden proxies, but not end-to-end. Note that the server will be unable to tell whether the client used just one layer of EDHOC and OSCORE to reach the introduction point, or has built its own client chain -- the former is merely a client proxy chain of zero length.¶

Along with discovering the addresses of proxies, a well-maintained Tor-like network would provide authentication information for them. This would allow participants to trust that the proxy chain they are building is not all controlled by a single entity, but have been around independently for some time.¶

TBD: Such a service is not specified yet.¶

3.4. Naming and name resolution

The mechanisms discussed in [I-D.amsuess-t2trg-rdlink] can be used by hidden services to come up with names for their services. (That document will need to be updated to use mechanisms from [I-D.ietf-core-transport-indication]). Unlike described there, they would not enter their network address into the distributed directory, but the address of their most remote reverse proxy (the introduction point).¶

Along with the service’s public key (that is announced as part of the name), the published record may also include the public key of the introduction point, as that will allow the client to establish an extra layer with the introduction point. TBD: The benefits of this layer are yet unclear, as is whether this needs to be a layer of OSCORE, or whether the mechanisms of [I-D.selander-lake-authz] could be used to roll that into the end-to-end establishment. (Likely, an extra layer is needed, for even if that mechanism is used for some kind of encrypted origin indication, the later OSOCRE phase will need some origin indication at the introduction point to distinguish multiple hidden services behind the introduction point in such a way that an observer of the introduction’s ingress point can not tell which services are being used).¶

3.5. Establishing TLS connections between proxies

Proxy-to-proxy requests, which are the majority of transmitted request, are transmitted between unconstrained devices across the Internet. As such, protecting those connections with an extra layer of TLS (as specified in [RFC8323]) is desirable, because¶

• it profits from TCP's flow control,¶
• it hides more request metadata (even though none of the metadata visible at this point should be linkable to the server or the client, with the exception of message length), and¶
• it allows requests to be mixed across MTU and thus to hide their length and number (provided there is sufficient traffic on the link to ensure that multiple messages are processed within one Nagle interval).¶

[ TBD: Explore whether coercing traffic through specific pairs of nodes instead of random node pairings would make sense. If it is dangerous, maybe servers might pair up on their own to ensure that it is hard to monitor their ingress and egress traffic for correlation. ]¶

A challenge in establishing TLS connections on that link is that proxies are advertised with EDHOC credentials in the network’s discovery area. The tools of [I-D.tschofenig-tls-cwt] may help bridging that gap.¶

3.6. Other tricks

TBD. Current ideas:¶

• For increased privacy, it may make sense to spool requests and responses in proxies for "as long as practical". Those setting up the proxy may indicate that in the security context. While it increases the proxy's memory requirements a lot to keep several seconds of traffic around, it is not expected that these proxies will be operating at network capacity limits.¶
• Add chatter between proxies. With the stark contrast between constrained device bandwidths and Internet bandwidths, this can be tolerable.¶
• Access point assistance: While all of this is aimed at constrained devices as defined in [RFC7228], devices of Class 1 may not be capable of using the full proxy discovery service or setting up security contexts with all the hops in the chain. Instead, they may only provide end-to-end encryption, and use a service provided by a local node (e.g. the border router in a 6LoWPAN network [RFC8138]) to set up the hops. Such a setup can also be used to defer policy decisions to the network, which may decide to advertise its own address as an introduction point, or use a suitable length of reverse proxies.¶
• The introduction point would be the only suitable location to place a caching proxy when [I-D.amsuess-core-cachable-oscore] is used. As the server is be aware that cacheable OSCORE is used, it can select a reverse proxy that was advertised with caching capabilities (with that metadatum still TBD).¶

3.7. Overhead and optimizations

TBD. Main points:¶

• Establishing a default Uri-Host likely gives most savings.¶
• For intermediate hops, using a shorter AEAD tag might be an option.¶