wakaama
Support for Mbed TLS?
I was wondering whether there is interest in supporting Mbed TLS in Wakaama. Has someone been working on an integration already?
I do not know Mbed TLS, but a quick glance makes me think that it is for TCP, is that correct? As far as I know there is only CoAP and UDP support in wakaama and support for DTLS using tinyDTLS. Are there any specific features that you need in Mbed TLS that are missing in tinyDTLS?
@tuve it's supporting DTLS too: https://tls.mbed.org/kb/how-to/dtls-tutorial
I think the main problem with tinyDTLS is the overall lack of maintenance and of 1.3 and full-fledged PKI support. Also the lack of TLS support in tinyDTLS can be a problem, for example if you use HTTPS for your FOTA you will need an extra lib for TCP TLS.
Maybe we should look into support that then. To my knowledge there isn't anybody currently looking into this.
I already used mbedtls with wakaama. I think the question should be if tinydtls and/or mbedtls should be part of the wakaama core implementation in the future. tinydtls is currently only used in the examples and is not part of the core wakaama library.
Good question. Even though I think you should never opt out of using dtls, I don't think it should be part of the core but rather referenced as a submodule as it is done now with tinydtls. But maybe this also should include the option of using mbed tls. Any thoughts on this?
From a security point of view this is not ideal. Everyone who doesn't use the examples implements their own security layer. So these changes tend not to be pushed back directly. In addition, the implementations are copied and this leads to errors that could be avoided. If this is not taken into account, it is of course not a problem.
Yes, that is a concern. Does anyone have any figures on the memory footprint of tinydtls and mbed tls, both compiled code and runtime?
@LukasKarel You mentioned that you have used Wakaama with Mbed TLS. Is that code somewhere in a branch or so?
@tuve Regarding a comparison between Mbed TLS and TinyDTLS. I don't have that data but the answer will heavily depend on the details of the comparison. The feature set is different between the two stacks. The biggest contributor to code size in TLS/DTLS stacks, in general, is the crypto itself -- not the TLS protocol. I have data to support this observation in https://arxiv.org/pdf/2011.12035.pdf (see Figure 8 and Figure 9).
> @LukasKarel You mentioned that you have used Wakaama with Mbed TLS. Is that code somewhere in a branch or so?
These repos are unfortunately not publicly available. But it should be pretty straightforward to implement a running prototype based on the current examples. Maybe I have some old files around and could create a working draft later this week.
@tuve I have never worked with tinydtls but mbedtls is highly configurable. Supported algorithms can be configured at compile time and therefore should reduce the footprint. The same is possible for buffer sizes, to reduce heap usage for example.
@hannestschofenig correct me if I'm wrong, but it seems to me that mbedTLS also brings Connection ID, which is a great feature for LWM2M, correct?
> These repos are unfortunately not publicly available. But it should be pretty straightforward to implement a running prototype based on the current examples. Maybe I have some old files around and could create a working draft later this week.
About integrating mbedTLS, I think providing an example could be a good start.
> I think the question should be if tinydtls and/or mbedtls should be part of the wakaama core implementation in the future.

> From a security point of view this is not ideal. Everyone who doesn't use the examples implements their own security layer. So these changes tend not to be pushed back directly. In addition, the implementations are copied and this leads to errors that could be avoided.
Very good question but not so easy to decide. I guess it depends on:
- the scope wanted for the project
- how easy it is to make it part of the core library but also to make it possible to use other TLS/DTLS libraries (if we still want to do that).
- how compatible it is with https://github.com/eclipse/wakaama/issues/494
Personally, I have no answer but I feel these are good questions for Wakaama Committers and Community.
@sbernard31 Yes, Mbed TLS provides CID support for DTLS 1.2.
> These repos are unfortunately not publicly available. But it should be pretty straightforward to implement a running prototype based on the current examples. Maybe I have some old files around and could create a working draft later this week.

> About integrating mbedTLS, I think providing an example could be a good start.
I provided a sample but keep in mind, it is only a sample.
My opinion: Before thinking about integrating DTLS into wakaama (even multiple libraries), I would discuss the possibility to use wakaama with different CoAP libraries or even an MQTT/HTTP library and try to separate the layers.
I think separation and layering in general is a better approach. Especially if we want to support anything other than CoAP, as it is right now I think that would be quite hard.
> Yes, Mbed TLS provides CID support for DTLS 1.2.
Be careful, if you use it! You must use the right IANA code-point for the extension, depending on which version of the DTLS 1.2 CID draft you want to use, or must use because it's the only one implemented in the mbedtls version you are using. At least, if you want to use it with Californium or Leshan.
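An added diagnostic for the code-point mismatch described above; it is not code from this thread, from Wakaama or from Mbed TLS. It walks the extensions block of a DTLS ClientHello/ServerHello and reports which connection_id code point the peer is offering, so a failed handshake against Californium or Leshan can be traced to a draft-vs-RFC mismatch. Assumed values: 54 is the code point assigned by RFC 9146 and 254 the provisional one earlier Mbed TLS releases used for the draft; the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* connection_id extension code points (assumption, see lead-in):
 * 54 = RFC 9146, 254 = provisional value used by earlier Mbed TLS for the draft. */
#define CID_EXT_RFC9146  54
#define CID_EXT_LEGACY   254

/* Walk a TLS/DTLS extensions block (2-byte total length, then a list of
 * type(2) length(2) data entries). Returns the code point of the first
 * connection_id extension found, 0 if neither variant is present,
 * or -1 if the block is malformed. */
int find_cid_codepoint(const uint8_t *ext, size_t ext_len) {
    if (ext_len < 2) return -1;
    size_t total = ((size_t)ext[0] << 8) | ext[1];
    if (total + 2 > ext_len) return -1;          /* truncated block */
    size_t pos = 2, end = 2 + total;
    while (pos < end) {
        if (end - pos < 4) return -1;            /* no room for a header */
        unsigned type = ((unsigned)ext[pos] << 8) | ext[pos + 1];
        size_t len = ((size_t)ext[pos + 2] << 8) | ext[pos + 3];
        pos += 4;
        if (len > end - pos) return -1;          /* data overruns block */
        if (type == CID_EXT_RFC9146 || type == CID_EXT_LEGACY) {
            /* payload is <cid_length (1 byte)> <cid>; check it is self-consistent */
            if (len < 1 || (size_t)ext[pos] + 1 != len) return -1;
            return (int)type;
        }
        pos += len;
    }
    return 0;
}

/* Constructed samples: an empty extended_master_secret (type 23) followed by a
 * CID extension carrying the 2-byte CID ab cd, once with the legacy and once
 * with the RFC 9146 code point. */
static const uint8_t sample_legacy[] = {
    0x00, 0x0b, 0x00, 0x17, 0x00, 0x00, 0x00, 0xfe, 0x00, 0x03, 0x02, 0xab, 0xcd };
static const uint8_t sample_rfc[] = {
    0x00, 0x07, 0x00, 0x36, 0x00, 0x03, 0x02, 0xab, 0xcd };

int main(void) {
    int cp = find_cid_codepoint(sample_legacy, sizeof sample_legacy);
    printf("CID code point %d: %s\n", cp,
           cp == CID_EXT_RFC9146 ? "RFC 9146" :
           cp == CID_EXT_LEGACY  ? "legacy draft, will not match an RFC 9146 peer" :
                                   "absent or malformed");
    return 0;
}
```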
mbedTLS - Update DTLS CID implementation to comply with the "final" draft
I will submit a PR to the Mbed TLS repo to make this update.
I have updated the Mbed TLS CID implementation: https://github.com/ARMmbed/mbedtls/pull/5061