Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Constrained Application Protocol
open-in-new
<h2 id="specification">Specification</h2> <p>The core of the protocol is specified in <a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc7252">7252</a>. Various extensions have been proposed, particularly: </p> <ul><li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc7641">7641</a> (2015) Observing Resources in the Constrained Application Protocol</li> <li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc7959">7959</a> (2016) Block-Wise Transfers in the Constrained Application Protocol (CoAP)</li> <li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc8323">8323</a> (2018) CoAP (Constrained Application Protocol) over TCP, TLS, and <a href="/facts/WebSocket/NcQrqpnv">WebSockets</a></li> <li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc8974">8974</a> (2021) Extended Tokens and Stateless Clients in the Constrained Application Protocol (CoAP)</li></ul> <h2 id="message-formats">Message formats</h2> <p>CoAP makes use of two message types, requests and responses, using a simple, binary header format. CoAP is by default bound to <a href="/facts/User_Datagram_Protocol/dxLU0D6q">UDP</a> and optionally to <a href="/facts/DTLS/WxzxdITB">DTLS</a>, providing a high level of communications security. When bound to UDP, the entire message <i>must</i> fit within a single datagram. When used with <a href="/facts/6LoWPAN/7nGl64Ev">6LoWPAN</a> as defined in RFC 4944, messages <i>should</i> fit into a single <a href="/facts/IEEE_802.15.4/PH0j6uVX">IEEE 802.15.4</a> frame to minimize fragmentation. </p><p>The smallest CoAP message is 4 bytes in length, if the token, options and payload fields are omitted, i.e. if it only consists of the CoAP header. The header is followed by the token value (0 to 8 bytes) which may be followed by a list of options in an optimized type–length–value format. Any bytes after the header, token and options (if any) are considered the message payload, which is prefixed by the one-byte "payload marker" (0xFF). The length of the payload is implied by the datagram length. </p> CoAP Message<table><tbody><tr><th><a href="/facts/Octet_(computing)/dqCHsuUF">Octet</a> offset</th><th></th><th colspan="8">0</th><th colspan="8">1</th><th colspan="8">2</th><th colspan="8">3</th></tr><tr><th></th><th><a href="/facts/Bit_(computing)/S972NSaD">Bit</a> offset</th><th>0</th><th>1</th><th>2</th><th>3</th><th>4</th><th>5</th><th>6</th><th>7</th><th>8</th><th>9</th><th>10</th><th>11</th><th>12</th><th>13</th><th>14</th><th>15</th><th>16</th><th>17</th><th>18</th><th>19</th><th>20</th><th>21</th><th>22</th><th>23</th><th>24</th><th>25</th><th>26</th><th>27</th><th>28</th><th>29</th><th>30</th><th>31</th></tr><tr><th>4</th><th>32</th><td colspan="2">ver</td><td colspan="2">type</td><td colspan="4">token length</td><td colspan="8">request/response code</td><td colspan="16">message ID</td></tr><tr><th>8</th><th>64</th><td colspan="32" rowspan="2">token (0–8 bytes)</td></tr><tr><th>12</th><th>96</th></tr><tr><th>16</th><th>128</th><td colspan="32">options (if available)</td></tr><tr><th>20</th><th>160</th><td>1</td><td>1</td><td>1</td><td>1</td><td>1</td><td>1</td><td>1</td><td>1</td><td colspan="24">payload (if available)</td></tr></tbody></table> <h3>CoAP Fixed-Size Header</h3> <p>The first 4 bytes are mandatory in all CoAP datagrams, they constitute the fixed-size header. </p><p> These fields can be extracted from these 4 bytes in C via these macros:</p>#define COAP_HEADER_VERSION(data) ( (0xC0 & (data)[0]) >> 6 ) #define COAP_HEADER_TYPE(data) ( (0x30 & (data)[0]) >> 4 ) #define COAP_HEADER_TKL(data) ( (0x0F & (data)[0]) >> 0 ) #define COAP_HEADER_CLASS(data) ( ((data)[1] >> 5) & 0x07 ) #define COAP_HEADER_CODE(data) ( ((data)[1] >> 0) & 0x1F ) #define COAP_HEADER_MID(data) ( ((data)[2] << 8) | (data)[3] ) <h4>Version (ver) (2 bits)</h4> Indicates the CoAP version number. <h4>Type (2 bits)</h4> This describes the datagram's message type for the two message type context of Request and Response. <ul><li>Request <ul><li>0 : Confirmable : This message expects a corresponding acknowledgement message.</li> <li>1 : Non-confirmable : This message does not expect a confirmation message.</li></ul></li> <li>Response <ul><li>2 : Acknowledgement : This message is a response that acknowledge a confirmable message</li> <li>3 : Reset : This message indicates that it had received a message but could not process it.</li></ul></li></ul> <h4>Token length (4 bits)</h4> Indicates the length of the variable-length Token field, which may be 0–8 bytes in length. <h4>Request/response code (8 bits)</h4> <table><tbody><tr><th>0</th><th>1</th><th>2</th><th>3</th><th>4</th><th>5</th><th>6</th><th>7</th></tr><tr><td colspan="3">Class</td><td colspan="5">Code</td></tr></tbody></table> <p>The three most significant bits form a number known as the "class", which is analogous to the <a href="/facts/List_of_HTTP_status_codes/nTtX2f6r">class of HTTP status codes</a>. The five least significant bits form a code that communicates further detail about the request or response. The entire code is typically communicated in the form class.code . </p><p>You can find the latest CoAP request/response codes at <a href="https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#codes">[1]</a>, though the below list gives some examples: </p> <ul><li>Method: 0.XX <ol><li>EMPTY</li><li>GET</li><li>POST</li><li>PUT</li><li>DELETE</li><li>FETCH</li><li>PATCH</li><li>iPATCH</li></ol></li> <li>Success: 2.XX <ol><li>Created</li><li>Deleted</li><li>Valid</li><li>Changed</li><li>Content</li><li>Continue</li></ol></li> <li>Client Error: 4.XX <ol><li>Bad Request</li><li>Unauthorized</li><li>Bad Option</li><li>Forbidden</li><li>Not Found</li><li>Method Not Allowed</li><li>Not Acceptable</li><li>Request Entity Incomplete</li><li>Conflict</li><li>Precondition Failed</li><li>Request Entity Too Large</li><li>Unsupported Content-Format</li></ol></li> <li>Server error: 5.XX <ol><li>Internal server error</li><li>Not implemented</li><li>Bad gateway</li><li>Service unavailable</li><li>Gateway timeout</li><li>Proxying not supported</li></ol></li> <li>Signaling Codes: 7.XX <ol><li>Unassigned</li><li>CSM</li><li>Ping</li><li>Pong</li><li>Release</li><li>Abort</li></ol></li></ul> <h4>Message ID (16 bits)</h4> Used to detect message duplication and to match messages of type acknowledgement/reset to messages of type confirmable/non-confirmable. <h3>Token</h3> <p>Every request carries a token (but it may be zero length) whose value was generated by the client. The server must echo every token value without any modification back to the client in the corresponding response. It is intended for use as a client-local identifier to match requests and responses, especially for concurrent requests. </p><p>Matching requests and responses is not done with the message ID because a response may be sent in a different message than the acknowledgement (which uses the message ID for matching). For example, this could be done to prevent retransmissions if obtaining the result takes some time. Such a detached response is called "separate response". In contrast, transmitting the response directly in the acknowledgement is called "piggybacked response" which is expected to be preferred for efficiency reasons. </p> <h3>Option</h3> Option Format<table><tbody><tr><th colspan="8">Bit position</th></tr><tr><th>0</th><th>1</th><th>2</th><th>3</th><th>4</th><th>5</th><th>6</th><th>7</th></tr><tr><td colspan="4">Option delta</td><td colspan="4">Option length</td></tr><tr><td colspan="8">Option delta extended (none, 8 bits, 16 bits)</td></tr><tr><td colspan="8">Option length extended (none, 8 bits, 16 bits)</td></tr><tr><td colspan="8">Option value</td></tr></tbody></table> <p>Option delta: </p> <ul><li>0 to 12: For delta between 0 and 12: Represents the exact delta value between the last option ID and the desired option ID, with no option delta extended value</li> <li>13: For delta from 13 to 268: Option delta extended is an 8-bit value that represents the option delta value minus 13</li> <li>14: For delta from 269 to 65,804: Option delta extended is a 16-bit value that represents the option delta value minus 269</li> <li>15: Reserved for payload marker, where the option delta and option length are set together as 0xFF.</li></ul> <p>Option length: </p> <ul><li>0 to 12: For option length between 0 and 12: Represents the exact length value, with no option length extended value</li> <li>13: For option length from 13 to 268: Option length extended is an 8-bit value that represents the option length value minus 13</li> <li>14: For option length from 269 to 65,804: Option length extended is a 16-bit value that represents the option length value minus 269</li> <li>15: Reserved for future use. It is an error for the option length field to be set to 0xFF.</li></ul> <p>Option value: </p> <ul><li>Size of option value field is defined by option length value in bytes.</li> <li>Semantic and format this field depends on the respective option.</li></ul> <h2 id="active-protocol-implementations">Active protocol implementations</h2> <table><tbody><tr><th>Name</th><th>Programming Language</th><th>Implemented CoAP version</th><th>Client/Server</th><th>Implemented CoAP features</th><th>License</th><th>Link</th></tr><tr><td>coap</td><td>Dart</td><td>RFC 7252</td><td>Client</td><td>Blockwise Transfers, Observe, Multicast, Proxying (partial)</td><td>MIT</td><td><a href="https://github.com/shamblett/coap">https://github.com/shamblett/coap</a></td></tr><tr><td>aiocoap</td><td>Python 3</td><td>RFC 7252, RFC 7641, RFC 7959, RFC 8323, RFC 7967, RFC 8132, RFC 9176, RFC 8613, RFC 9528</td><td>Client + Server</td><td>Blockwise Transfers, Observe (partial)</td><td>MIT</td><td><a href="https://pypi.python.org/pypi/aiocoap">https://pypi.python.org/pypi/aiocoap</a></td></tr><tr><td>Californium</td><td>Java</td><td>RFC 7252, RFC 7641, RFC 7959</td><td>Client + Server</td><td>Observe, Blockwise Transfers, Multicast (since 2.x), DTLS (+ DTLS 1.2 Connection ID)</td><td>EPL+EDL</td><td><a href="https://www.eclipse.org/californium">https://www.eclipse.org/californium</a> <a href="https://github.com/eclipse/californium">https://github.com/eclipse/californium</a></td></tr><tr><td>CoAP implementation for Go</td><td><a href="/facts/Go_(programming_language)/oWlsmAFJ">Go</a></td><td>RFC 7252</td><td>Client + Server</td><td>Core + Draft Subscribe</td><td>MIT</td><td><a href="https://github.com/dustin/go-coap">https://github.com/dustin/go-coap</a></td></tr><tr><td>CoAPSharp</td><td>C#, .NET</td><td>RFC 7252</td><td>Client + Server</td><td>Core, Observe, Block, RD</td><td>MIT</td><td><a href="http://www.coapsharp.com">http://www.coapsharp.com</a> <a href="https://github.com/FemtomaxInc/coapsharp">https://github.com/FemtomaxInc/coapsharp</a></td></tr><tr><td>FreeCoAP</td><td>C</td><td>RFC 7252</td><td>Client + Server + HTTP/CoAP Proxy</td><td>Core, DTLS, Blockwise Transfers</td><td>BSD</td><td><a href="https://github.com/keith-cullen/FreeCoAP">https://github.com/keith-cullen/FreeCoAP</a></td></tr><tr><td>java-coap</td><td>Java</td><td>RFC 7252, RFC 7641, RFC 7959, RFC 8323</td><td>Client + Server</td><td></td><td>Apache License 2.0</td><td><a href="https://github.com/PelionIoT/java-coap">https://github.com/PelionIoT/java-coap</a></td></tr><tr><td>libcoap</td><td>C</td><td>RFC 7252, RFC 7390, RFC 7641, RFC 7959, RFC 7967, RFC 8132, RFC 8323, RFC 8516, RFC 8613, RFC 8768, RFC 8974, RFC 9175, RFC 9177</td><td>Client + Server</td><td>Core, Observe, Multicast, Blockwise Transfers, Patch/Fetch, OSCORE, (D)TLS</td><td>BSD/GPL</td><td><a href="https://github.com/obgm/libcoap">https://github.com/obgm/libcoap</a></td></tr><tr><td>libcoapy</td><td>Python</td><td colspan="3">same support as libcoap</td><td>MIT</td><td><a href="https://github.com/anyc/libcoapy">https://github.com/anyc/libcoapy</a></td></tr><tr><td>lobaro-coap</td><td>C</td><td>RFC 7252</td><td>Client + Server</td><td>Observe, Blockwise Transfers</td><td>MIT</td><td><a href="http://www.lobaro.com/lobaro-coap">http://www.lobaro.com/lobaro-coap</a></td></tr><tr><td>microCoAPy</td><td>MicroPython</td><td>RFC 7252</td><td>Client + Server</td><td>Core</td><td>Apache License 2.0</td><td><a href="https://github.com/insighio/microCoAPy">https://github.com/insighio/microCoAPy</a></td></tr><tr><td>nanoCoAP</td><td>C</td><td>RFC 7252</td><td>Client + Server</td><td>Core, Blockwise Transfers, DTLS</td><td>LGPL</td><td><a href="https://api.riot-os.org/group__net__nanocoap.html">https://api.riot-os.org/group__net__nanocoap.html</a></td></tr><tr><td>node-coap</td><td>Javascript</td><td>RFC 7252,<p>RFC 7641, RFC 7959</p></td><td>Client + Server</td><td>Core, Observe, Block</td><td>MIT</td><td><a href="https://github.com/mcollina/node-coap">https://github.com/mcollina/node-coap</a></td></tr><tr><td>Qt CoAP</td><td>C++</td><td>RFC 7252</td><td>Client</td><td>Core, Observe, Blockwise Transfers</td><td>GPL, Commercial</td><td><a href="https://doc.qt.io/qt-6/qtcoap-index.html">https://doc.qt.io/qt-6/qtcoap-index.html</a></td></tr><tr><td>coap-rs</td><td>Rust</td><td>RFC 7252</td><td>Client + Server</td><td>Core, Multicast, Observe option, <i>Too Many Requests</i> Response Code</td><td>MIT</td><td><a href="https://github.com/Covertness/coap-rs">https://github.com/Covertness/coap-rs</a><p><a href="https://docs.rs/coap/">https://docs.rs/coap/</a></p></td></tr></tbody></table> <h2 id="proxy-implementations">Proxy implementations</h2> <p>There exist <a href="/facts/Proxy_server/ArhwQE74">proxy</a> implementations which provide <a href="/facts/Forward_proxy/ArhwQE74">forward</a> or <a href="/facts/Reverse_proxy/bN4HFUEC">reverse</a> proxy functionality for the CoAP protocol and also implementations which translate between protocols like HTTP and CoAP. </p><p>The following projects provide proxy functionality: </p> <ul><li><a href="http://telecom.dei.unipd.it/pages/read/90/">Squid 3.1.9 with transparent HTTP-CoAP mapping module</a></li> <li><a href="https://code.google.com/p/jcoap/">jcoap Proxy</a></li> <li><a href="https://github.com/eclipse/californium/tree/master/californium-proxy2">Californium cf-proxy2</a></li> <li><a href="https://github.com/Tanganelli/CoAPthon">CoAPthon</a></li> <li><a href="https://github.com/keith-cullen/FreeCoAP">FreeCoAP</a></li> <li><a href="https://github.com/obgm/libcoap">libcoap</a></li></ul> <h2 id="projects-using-coap">Projects using CoAP</h2> <table><tbody><tr><th>Name</th><th>Programming Language</th><th>Implemented CoAP version</th><th>Client/Server</th><th>Implemented CoAP features</th><th>License</th><th>Link</th></tr><tr><td>CoAP Shell</td><td>Java</td><td>RFC 7252</td><td>Client</td><td>Observe, Blockwise Transfers, DTLS</td><td>Apache License 2.0</td><td><a href="https://github.com/tzolov/coap-shell">https://github.com/tzolov/coap-shell</a></td></tr><tr><td>Copper</td><td>JavaScript (Browser Plugin)</td><td>RFC 7252</td><td>Client</td><td>Observe, Blockwise Transfers</td><td>3-clause BSD</td><td><a href="https://github.com/mkovatsc/Copper">https://github.com/mkovatsc/Copper</a> <a href="https://addons.mozilla.org/firefox/addon/copper-270430/">https://addons.mozilla.org/firefox/addon/copper-270430/</a>[<i>permanent dead link</i>]</td></tr></tbody></table> <h2 id="inactive-protocol-implementations">Inactive protocol implementations</h2> <table><tbody><tr><th>Name</th><th>Programming Language</th><th>Implemented CoAP version</th><th>Client/Server</th><th>Implemented CoAP features</th><th>License</th><th>Link</th></tr><tr><td>cantcoap</td><td>C++/C</td><td>RFC 7252</td><td>Client + Server</td><td></td><td>BSD</td><td><a href="https://github.com/staropram/cantcoap">https://github.com/staropram/cantcoap</a></td></tr><tr><td>Canopus</td><td><a href="/facts/Go_(programming_language)/oWlsmAFJ">Go</a></td><td>RFC 7252</td><td>Client + Server</td><td>Core</td><td>Apache License 2.0</td><td><a href="https://github.com/zubairhamed/canopus">https://github.com/zubairhamed/canopus</a></td></tr><tr><td>Go-CoAP</td><td><a href="/facts/Go_(programming_language)/oWlsmAFJ">Go</a></td><td>RFC 7252, RFC 8232, RFC 7641, RFC 7959</td><td>Client + Server</td><td>Core, Observe, Blockwise, Multicast, TCP/TLS</td><td>Apache License 2.0</td><td><a href="https://github.com/plgd-dev/go-coap">https://github.com/plgd-dev/go-coap</a></td></tr><tr><td>CoAP.NET</td><td>C#</td><td>RFC 7252, coap-13, coap-08, coap-03</td><td>Client + Server</td><td>Core, Observe, Blockwise Transfers</td><td>3-clause BSD</td><td><a href="https://github.com/smeshlink/CoAP.NET">https://github.com/smeshlink/CoAP.NET</a></td></tr><tr><td>CoAPthon</td><td>Python</td><td>RFC 7252</td><td>Client + Server + Forward Proxy + Reverse Proxy</td><td>Observe, Multicast server discovery, CoRE Link Format parsing, Block-wise</td><td>MIT</td><td><a href="https://github.com/Tanganelli/CoAPthon">https://github.com/Tanganelli/CoAPthon</a></td></tr><tr><td>eCoAP</td><td>C</td><td>RFC 7252</td><td>Client + Server</td><td>Core</td><td>MIT</td><td><a href="https://gitlab.com/jobol/ecoap">https://gitlab.com/jobol/ecoap</a></td></tr><tr><td>Erbium for Contiki</td><td>C</td><td>RFC 7252</td><td>Client + Server</td><td>Observe, Blockwise Transfers</td><td>3-clause BSD</td><td><a href="http://www.contiki-os.org/">http://www.contiki-os.org/</a> (er-rest-example)</td></tr><tr><td>guile-coap</td><td>Guile</td><td>RFC 7252, RFC 8323</td><td>Client + Server</td><td></td><td>GPL-3.0-or-later</td><td><a href="https://codeberg.org/eris/guile-coap">https://codeberg.org/eris/guile-coap</a></td></tr><tr><td>iCoAP</td><td>Objective-C</td><td>RFC 7252</td><td>Client</td><td>Core, Observe, Blockwise Transfers</td><td>MIT</td><td><a href="https://github.com/stuffrabbit/iCoAP">https://github.com/stuffrabbit/iCoAP</a></td></tr><tr><td>jCoAP</td><td>Java</td><td>RFC 7252</td><td>Client + Server</td><td>Observe, Blockwise Transfers</td><td>Apache License 2.0</td><td><a href="https://code.google.com/p/jcoap/">https://code.google.com/p/jcoap/</a></td></tr><tr><td>LibNyoci</td><td>C</td><td>RFC 7252</td><td>Client + Server</td><td>Core, Observe, Block, DTLS</td><td>MIT</td><td><a href="https://github.com/darconeous/libnyoci">https://github.com/darconeous/libnyoci</a></td></tr><tr><td>microcoap</td><td>C</td><td>RFC 7252</td><td>Client + Server</td><td></td><td>MIT</td><td><a href="https://github.com/1248/microcoap">https://github.com/1248/microcoap</a></td></tr><tr><td>nCoap</td><td>Java</td><td>RFC 7252</td><td>Client + Server</td><td>Observe, Blockwise Transfers, CoRE Link Format, <a href="https://tools.ietf.org/html/draft-kleine-core-coap-endpoint-id-01">Endpoint-ID-Draft</a></td><td>BSD</td><td><a href="https://github.com/okleine/nCoAP">https://github.com/okleine/nCoAP</a></td></tr><tr><td>Ruby coap</td><td>Ruby</td><td>RFC 7252</td><td>Client + Server (david)</td><td>Core, Observe, Block, RD</td><td>MIT, GPL</td><td><a href="https://github.com/nning/coap">https://github.com/nning/coap</a><a href="https://github.com/nning/david">https://github.com/nning/david</a></td></tr><tr><td>Sensinode C Device Library</td><td>C</td><td>RFC 7252</td><td>Client + Server</td><td>Core, Observe, Block, RD</td><td>Commercial</td><td><a href="https://silver.arm.com/browse/SEN00">https://silver.arm.com/browse/SEN00</a></td></tr><tr><td>Sensinode Java Device Library</td><td>Java SE</td><td>RFC 7252</td><td>Client + Server</td><td>Core, Observe, Block, RD</td><td>Commercial</td><td><a href="https://silver.arm.com/browse/SEN00">https://silver.arm.com/browse/SEN00</a></td></tr><tr><td>Sensinode NanoService Platform</td><td>Java SE</td><td>RFC 7252</td><td>Cloud Server</td><td>Core, Observe, Block, RD</td><td>Commercial</td><td><a href="https://silver.arm.com/browse/SEN00">https://silver.arm.com/browse/SEN00</a></td></tr><tr><td>SwiftCoAP</td><td>Swift</td><td>RFC 7252</td><td>Client + Server</td><td>Core, Observe, Blockwise Transfers</td><td>MIT</td><td><a href="https://github.com/stuffrabbit/SwiftCoAP">https://github.com/stuffrabbit/SwiftCoAP</a></td></tr><tr><td>TinyOS CoapBlip</td><td>nesC/C</td><td>coap-13</td><td>Client + Server</td><td>Observe, Blockwise Transfers</td><td>BSD</td><td><a href="https://web.archive.org/web/20130312140509/http://docs.tinyos.net/tinywiki/index.php/CoAP">https://web.archive.org/web/20130312140509/http://docs.tinyos.net/tinywiki/index.php/CoAP</a></td></tr><tr><td>txThings</td><td>Python (Twisted)</td><td>RFC 7252</td><td>Client + Server</td><td>Blockwise Transfers, Observe (partial)</td><td>MIT</td><td><a href="https://github.com/mwasilak/txThings/">https://github.com/mwasilak/txThings/</a></td></tr><tr><td>YaCoAP</td><td>C</td><td></td><td></td><td></td><td>MIT</td><td><a href="https://github.com/RIOT-Makers/YaCoAP">https://github.com/RIOT-Makers/YaCoAP</a></td></tr></tbody></table> <h2 id="coap-group-communication">CoAP group communication</h2> <p>In many CoAP application domains it is essential to have the ability to address several CoAP resources as a group, instead of addressing each resource individually (e.g. to turn on all the CoAP-enabled lights in a room with a single CoAP request triggered by toggling the light switch). To address this need, the IETF has developed an optional extension for CoAP in the form of an experimental RFC: Group Communication for CoAP - RFC 7390<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> This extension relies on IP multicast to deliver the CoAP request to all group members. The use of multicast has certain benefits such as reducing the number of packets needed to deliver the request to the members. However, multicast also has its limitations such as poor reliability and being cache-unfriendly. An alternative method for CoAP group communication that uses unicasts instead of multicasts relies on having an intermediary where the groups are created. Clients send their group requests to the intermediary, which in turn sends individual unicast requests to the group members, collects the replies from them, and sends back an aggregated reply to the client.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p> <h2 id="security">Security</h2> <p>CoAP defines four security modes:<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> </p> <ul><li>NoSec, where <a href="/facts/DTLS/WxzxdITB">DTLS</a> is disabled</li> <li>PreSharedKey, where DTLS is enabled, there is a list of pre-shared keys, and each key includes a list of which nodes it can be used to communicate with. Devices must support the AES cipher suite.</li> <li>RawPublicKey, where DTLS is enabled and the device uses an asymmetric key pair without a certificate, which is validated out of band. Devices must support the AES cipher suite and Elliptic Curve algorithms for key exchange.</li> <li>Certificate, where DTLS is enabled and the device uses <a href="/facts/X.509/rs0JuYDd">X.509</a> certificates for validation.</li></ul> <p>Research has been conducted on optimizing DTLS by implementing security associates as CoAP resources rather than using DTLS as a security wrapper for CoAP traffic. This research has indicated that improvements of up to 6.5 times none optimized implementations.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> </p><p>In addition to DTLS, RFC8613<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> defines the Object Security for Constrained RESTful Environments (OSCORE) protocol which provides security for CoAP at the application layer. </p> <h2 id="security-issues">Security issues</h2> <p>Although the protocol standard includes provisions for mitigating the threat of <a href="/facts/DDoS/6nkoK02J">DDoS</a> amplification attacks,<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a> these provisions are not implemented in practice,<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a> resulting in the presence of over 580,000 targets primarily located in China and attacks up to 320 Gbit/s.<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a> </p> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Internet_of_Things/rwwGAxn3">Internet of Things</a></li> <li><a href="/facts/OMA_LWM2M/Mx9y7Ewf">OMA Lightweight M2M</a></li> <li><a href="/facts/Web_of_Things/ak4Bn1cA">Web of Things</a></li> <li><a href="/facts/Static_Context_Header_Compression/e27KoIkc">Static Context Header Compression (SCHC)</a></li></ul> <h2 id="external-links">External links</h2> Wikimedia Commons has media related to SSL and TLS. <ul><li><a href="https://datatracker.ietf.org/doc/html/rfc7252">RFC 7252 "The Constrained Application Protocol (CoAP)"</a></li> <li><a href="http://coap.me/">coap.me</a> – CoAP test server run by <a href="/facts/University_of_Bremen/jAAw3zTl">University of Bremen</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>RFC 7252, Constrained Application Protocol (CoAP) <a href="https://tools.ietf.org/html/rfc7252" target="_blank">https://tools.ietf.org/html/rfc7252</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"Integrating Wireless Sensor Networks with the Web Archived 2017-08-30 at the Wayback Machine" , Walter, Colitti 2011 <a href="http://hinrg.cs.jhu.edu/joomla/images/stories/IPSN_2011_koliti.pdf" target="_blank">http://hinrg.cs.jhu.edu/joomla/images/stories/IPSN_2011_koliti.pdf</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>RFC 7390, Group Communication for CoAP <a href="https://tools.ietf.org/html/rfc7390" target="_blank">https://tools.ietf.org/html/rfc7390</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"Flexible Unicast-Based Group Communication for CoAP-Enabled Devices" , Ishaq, I.; Hoebeke, J.; Van den Abeele, F.; Rossey, J.; Moerman, I.; Demeester, P. Sensors 2014 <a href="http://www.mdpi.com/1424-8220/14/6/9833/htm" target="_blank">http://www.mdpi.com/1424-8220/14/6/9833/htm</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>RFC 7252, Constrained Application Protocol (CoAP) <a href="https://tools.ietf.org/html/rfc7252" target="_blank">https://tools.ietf.org/html/rfc7252</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Capossele, Angelo; Cervo, Valerio; De Cicco, Gianluca; Petrioli, Chiara (June 2015). "Security as a CoAP resource: An optimized DTLS implementation for the IoT". 2015 IEEE International Conference on Communications (ICC). pp. 529–554. doi:10.1109/ICC.2015.7248379. ISBN 978-1-4673-6432-4. S2CID 12568959. {{cite book}}: |journal= ignored (help) <a href="978-1-4673-6432-4" target="_blank">978-1-4673-6432-4</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Palombini, Francesca; Seitz, Ludwig; Selander, Goeran; Mattsson, John (2019). "Object Security for Constrained RESTful Environments (OSCORE)". tools.ietf.org. doi:10.17487/RFC8613. S2CID 58380874. Retrieved 2021-05-07. <a href="https://tools.ietf.org/html/rfc8613.html" target="_blank">https://tools.ietf.org/html/rfc8613.html</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"TLS 1.3 is going to save us all, and other reasons why IoT is still insecure", Dani Grant, 2017-12-24 <a href="https://blog.cloudflare.com/why-iot-is-insecure/" target="_blank">https://blog.cloudflare.com/why-iot-is-insecure/</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>"When Machines Can't Talk: Security and Privacy Issues of Machine-to-Machine Data Protocols", Federico Maggi and Rainer Vosseler, 2018-12-06 <a href="https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Maggi-When-Machines-Cant-Talk-wp.pdf" target="_blank">https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Maggi-When-Machines-Cant-Talk-wp.pdf</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>"The CoAP protocol is the next big thing for DDoS attacks", Catalin Cimpanu, 2018-12-05 <a href="https://www.zdnet.com/article/the-coap-protocol-is-the-next-big-thing-for-ddos-attacks/" target="_blank">https://www.zdnet.com/article/the-coap-protocol-is-the-next-big-thing-for-ddos-attacks/</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> </ol>