Thiago Macieira <thiago.macieira at intel.com> writes:

> Hello all
>
> This doubt came up when discussing the IPv6 stack and sockets, when John,
> Sachin and I were talking.
>
> Is there such a thing as security over multicast?

This depends on your security objectives (see below).

> When reading RFC 7252, it says in section 8.1 Multicast / Messaging layer:
>
>> At the time of writing, multicast messages can only be carried in UDP
>> not in DTLS. This means that the security modes defined for CoAP in
>> this document are not applicable to multicast.
>
> Is that still true?

Pretty much. The IETF WG DICE once had been chartered (among other things) to
modify the DTLS record layer to use it for datagrams carried over IP
multicast but has suspended that activity because there was no consensus on
whether or not the drawbacks are acceptable.[0] (The proposal under
discussion at that time was [1].)

[0] http://www.ietf.org/mail-archive/web/dtls-iot/current/msg00349.html
[1] https://tools.ietf.org/html/draft-kumar-dice-multicast-security

> And if that is so, do we have a workaround for it? Or must all OIC discovery
> packets be sent unencrypted?
>
> And if they are sent unencrypted, can we still send them to the CoAP secure
> port (5684), to signify we would like to receive a secure reply on the
> sender's port?

The first byte of the CoAP header has been designed such that it can be
distinguished easily from the first byte of a DTLS message, but to avoid
confusion the authors recommend not to do multiplexing of
encrypted/non-encrypted CoAP traffic on the same port, IIRC.

Regards
Olaf
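Added example, not part of the thread and not code from either poster: it makes the byte-level property Olaf mentions concrete. RFC 7252 fixes the CoAP version field (top two bits of the first octet) to 01, so every CoAP message starts with an octet in 0x40..0x7F, while a DTLS record starts with its content type, always 20..23 (0x14..0x17). The code parses both headers, classifies a datagram by its first octet, and checks over all 256 values that the two ranges never overlap. The sample datagrams are constructed, not captured. This is the kind of check a gateway or monitoring probe could use to tell plaintext CoAP from DTLS on one socket; it does not change the thread's advice to keep the two on separate ports.

```python
import struct

# DTLS record-layer content types (RFC 5246 section 6.2.1, reused by DTLS):
# all lie in 20..23, i.e. the top two bits of the first octet are 00.
DTLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# DTLS version bytes as they appear on the wire (RFC 4347 / RFC 6347).
DTLS_VERSIONS = {(0xFE, 0xFF): "DTLS 1.0", (0xFE, 0xFD): "DTLS 1.2"}

COAP_VERSION = 1            # RFC 7252 section 3: Ver MUST be 1
COAP_TYPES = ("CON", "NON", "ACK", "RST")


def is_coap_first_byte(b: int) -> bool:
    """CoAP: Ver(2 bits)=01 forces the first octet into 0x40..0x7F."""
    return (b >> 6) == COAP_VERSION


def is_dtls_first_byte(b: int) -> bool:
    """DTLS: first octet is the content type, always 20..23 (0x14..0x17)."""
    return b in DTLS_CONTENT_TYPES


def first_bytes_are_disjoint() -> bool:
    """True iff no octet value can start both a CoAP message and a DTLS record."""
    return not any(is_coap_first_byte(b) and is_dtls_first_byte(b) for b in range(256))


def classify(datagram: bytes) -> str:
    """Label a UDP payload as 'coap', 'dtls' or 'unknown' from its first octet."""
    if not datagram:
        return "unknown"
    if is_coap_first_byte(datagram[0]):
        return "coap"
    if is_dtls_first_byte(datagram[0]):
        return "dtls"
    return "unknown"


def parse_coap_header(datagram: bytes) -> dict:
    """Parse the fixed 4-byte CoAP header plus token (RFC 7252 section 3)."""
    if len(datagram) < 4:
        raise ValueError("CoAP message shorter than 4-byte fixed header")
    b0, code, message_id = struct.unpack("!BBH", datagram[:4])
    version = b0 >> 6
    msg_type = (b0 >> 4) & 0x3
    token_length = b0 & 0xF
    if version != COAP_VERSION:
        raise ValueError(f"unsupported CoAP version {version}")
    if token_length > 8:
        # Lengths 9..15 are reserved; RFC 7252 says to treat them as a message format error.
        raise ValueError("reserved token length (message format error)")
    if len(datagram) < 4 + token_length:
        raise ValueError("truncated token")
    return {
        "version": version,
        "type": COAP_TYPES[msg_type],
        "token_length": token_length,
        "code": f"{code >> 5}.{code & 0x1F:02d}",   # e.g. 0.01 = GET
        "message_id": message_id,
        "token": datagram[4:4 + token_length],
    }


def parse_dtls_record_header(datagram: bytes) -> dict:
    """Parse the 13-byte DTLS record header (RFC 6347 section 4.1)."""
    if len(datagram) < 13:
        raise ValueError("DTLS record shorter than 13-byte header")
    content_type, ver_major, ver_minor, epoch = struct.unpack("!BBBH", datagram[:5])
    sequence_number = int.from_bytes(datagram[5:11], "big")   # 48-bit field
    (length,) = struct.unpack("!H", datagram[11:13])
    if content_type not in DTLS_CONTENT_TYPES:
        raise ValueError(f"unknown DTLS content type {content_type}")
    if len(datagram) < 13 + length:
        raise ValueError("truncated DTLS record fragment")
    return {
        "content_type": DTLS_CONTENT_TYPES[content_type],
        "version": DTLS_VERSIONS.get((ver_major, ver_minor), f"unknown {ver_major:#x}.{ver_minor:#x}"),
        "epoch": epoch,
        "sequence_number": sequence_number,
        "length": length,
    }


# Constructed sample datagrams (not captured traffic):
# CoAP CON GET with a 2-byte token 0xabcd and message ID 0x1234.
SAMPLE_COAP = bytes([0x42, 0x01, 0x12, 0x34, 0xAB, 0xCD])
# DTLS 1.2 handshake record, epoch 0, sequence 0, carrying a 5-byte fragment.
SAMPLE_DTLS = bytes([0x16, 0xFE, 0xFD, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5]) + b"\x01\x02\x03\x04\x05"

if __name__ == "__main__":
    print("first octets disjoint:", first_bytes_are_disjoint())
    for name, pkt in (("coap", SAMPLE_COAP), ("dtls", SAMPLE_DTLS)):
        print(name, "->", classify(pkt))
    print(parse_coap_header(SAMPLE_COAP))
    print(parse_dtls_record_header(SAMPLE_DTLS))
```

The disjointness check is the whole point: it holds only because the CoAP version field is pinned to 1. A future CoAP version with Ver=00 would land in the same octet range as DTLS content types, which is one reason the authors' advice against sharing a port is sound regardless of this property.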
