Constrained Application Protocol

From Wikipedia, the free encyclopedia

Constrained Application Protocol (CoAP) is a specialized Internet Application Protocol for constrained devices, as defined in RFC 7252. It enables those constrained devices called "nodes" to communicate with the wider Internet using similar protocols. CoAP is designed for use between devices on the same constrained network (e.g., low-power, lossy networks), between devices and general nodes on the Internet, and between devices on different constrained networks both joined by an internet. CoAP is also being used via other mechanisms, such as SMS on mobile communication networks.

CoAP is a service layer protocol that is intended for use in resource-constrained internet devices, such as wireless sensor network nodes. CoAP is designed to easily translate to HTTP for simplified integration with the web, while also meeting specialized requirements such as multicast support, very low overhead, and simplicity.[1][2] Multicast, low overhead, and simplicity are extremely important for Internet of Things (IoT) and Machine-to-Machine (M2M) devices, which tend to be deeply embedded and have much less memory and power supply than traditional internet devices have. Therefore, efficiency is very important. CoAP can run on most devices that support UDP or a UDP analogue.

The Internet Engineering Task Force (IETF) Constrained RESTful Environments Working Group (CoRE) has done the major standardization work for this protocol. In order to make the protocol suitable to IoT and M2M applications, various new functionalities have been added. The core of the protocol is specified in RFC 7252; important extensions are in various stages of the standardization process.


The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation. [1]

The CoRE group has designed CoAP with the following features in mind:

  • Overhead and parsing complexity.
  • URI and content-type support.
  • Support for the discovery of resources provided by known CoAP services.
  • Simple subscription for a resource, and resulting push notifications.
  • Simple caching based on max-age.

The mapping of CoAP with HTTP is also defined, allowing proxies to be built providing access to CoAP resources via HTTP in a uniform way.[3]

With the introduction of CoAP, a complete networking stack of open-standard protocols that are suitable for constrained devices and environments becomes available.[4]

From the architecture point of view, the CoAP server will be installed on the end node, which could be a sensor. On the other hand, the CoAP client should be installed on the controller, which manages several end nodes.

The meanings of CoAP codes, options and content types are registered with IANA; the registry is shown in [2].

Message formats

The smallest CoAP message is 4 bytes in length, if omitting Token, Options and Payload. CoAP makes use of two message types, requests and responses, using a simple, binary, base header format. The base header may be followed by options in an optimized Type-Length-Value format. CoAP is by default bound to UDP and optionally to DTLS, providing a high level of communications security.

Any bytes after the headers in the packet are considered the message body. The length of the message body is implied by the datagram length. When bound to UDP, the entire message MUST fit within a single datagram. When used with 6LoWPAN as defined in RFC 4944, messages SHOULD fit into a single IEEE 802.15.4 frame to minimize fragmentation.

CoAP Header

| Octet offset | Bit offset | Fields (octets 0-3, bits 0-31) |
|---|---|---|
| 4 | 32 | VER, Type, Token Length (octet 0); CoAP Request/Response Code (octet 1); Message ID (octets 2-3) |
| 8 | 64 | Token (0 - 8 bytes) |
| 12 | 96 | Token (continued) |
| 16 | 128 | Options (If Available) |
| 20 | 160 | 1 1 1 1 1 1 1 1 (octet 0); Payload (If Available) |

Version (VER) (2 bits)
Indicates the CoAP version number.
Type (2 bits)
Indicates if this message is of type Confirmable (0), Non-confirmable (1), Acknowledgement (2), or Reset (3)
Token Length (4 bits)
Indicates the length of the variable-length Token field, which may be 0-8 bytes in length.
CoAP Request/Response Code (8 bits)

The three most significant bits form a number known as the "class", which is analogous to the class of HTTP status codes. The five least significant bits form a code that communicates further detail about the request or response. The entire code is typically communicated in the form class.code. The latest CoAP request/response codes are listed at [3]; the list below gives some examples:

  • Method: 0.XX
      • 0.00 EMPTY
      • 0.01 GET
      • 0.02 POST
      • 0.03 PUT
      • 0.04 DELETE
      • 0.05 FETCH
      • 0.06 PATCH
      • 0.07 iPATCH
  • Success: 2.XX
      • 2.01 Created
      • 2.02 Deleted
      • 2.03 Valid
      • 2.04 Changed
      • 2.05 Content
      • 2.31 Continue
  • Client Error: 4.XX
      • 4.00 Bad Request
      • 4.01 Unauthorized
      • 4.02 Bad Option
      • 4.03 Forbidden
      • 4.04 Not Found
      • 4.05 Method Not Allowed
      • 4.06 Not Acceptable
      • 4.08 Request Entity Incomplete
      • 4.09 Conflict
      • 4.12 Precondition Failed
      • 4.13 Request Entity Too Large
      • 4.15 Unsupported Content-Format
  • Server Error: 5.XX
      • 5.00 Internal Server Error
      • 5.01 Not Implemented
      • 5.02 Bad Gateway
      • 5.03 Service Unavailable
      • 5.04 Gateway Timeout
      • 5.05 Proxying Not Supported
  • Signaling Codes: 7.XX
      • 7.00 Unassigned
      • 7.01 CSM
      • 7.02 Ping
      • 7.03 Pong
      • 7.04 Release
      • 7.05 Abort
Message ID (16 bits)
Used to detect message duplication and to match messages of type Acknowledgement/Reset to messages of type Confirmable/Non-confirmable.

You can easily extract the information from the fixed header in C via these macros:

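/* data must be a uint8_t pointer to at least 4 readable bytes;
   check the datagram length before using these macros. */
#define COAP_HEADER_VERSION(data)  ( (0xC0 & (data)[0])>>6      )  /* 2-bit version */
#define COAP_HEADER_TYPE(data)     ( (0x30 & (data)[0])>>4      )  /* 2-bit message type */
#define COAP_HEADER_TKL(data)      ( (0x0F & (data)[0])>>0      )  /* 4-bit token length */
#define COAP_HEADER_CLASS(data)    ( (((data)[1])>>5)&0x07      )  /* upper 3 bits of code */
#define COAP_HEADER_CODE(data)     ( (((data)[1])>>0)&0x1F      )  /* lower 5 bits of code */
#define COAP_HEADER_MID(data)      ( ((data)[2]<<8)|((data)[3]) )  /* 16-bit message ID, big-endian */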
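
The macros read data[0] through data[3] without knowing how long the datagram is, so a receiver handling untrusted UDP input needs the length and field checks around them. The following is an added example, not code from the original page or from any listed implementation; the names coap_header_t and coap_parse_header and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical types and names, used only for this illustration. */
typedef struct {
    uint8_t  version, type, tkl, code_class, code_detail;
    uint16_t message_id;
    uint8_t  token[8];
    size_t   rest_offset;   /* index of the first option/payload byte */
} coap_header_t;

/* Returns 0 on success, -1 on a message format error.
 * Never reads beyond data[len - 1]. */
int coap_parse_header(const uint8_t *data, size_t len, coap_header_t *out)
{
    if (data == NULL || out == NULL || len < 4)
        return -1;                      /* shorter than the 4-byte minimum */
    memset(out, 0, sizeof *out);
    out->version     = (data[0] >> 6) & 0x03;
    out->type        = (data[0] >> 4) & 0x03;
    out->tkl         =  data[0]       & 0x0F;
    out->code_class  = (data[1] >> 5) & 0x07;
    out->code_detail =  data[1]       & 0x1F;
    out->message_id  = (uint16_t)((data[2] << 8) | data[3]);

    if (out->version != 1)
        return -1;                      /* RFC 7252 defines version 1 only */
    if (out->tkl > 8)
        return -1;                      /* token lengths 9-15 are reserved */
    if (len < 4u + out->tkl)
        return -1;                      /* token would run past the datagram */
    if (out->code_class == 0 && out->code_detail == 0 && len != 4)
        return -1;                      /* Empty (0.00) carries nothing after the MID */
    memcpy(out->token, data + 4, out->tkl);
    out->rest_offset = 4u + out->tkl;
    return 0;
}

/* Constructed sample: Confirmable, TKL 2, code 0.01 (GET), MID 0x1234, token AB CD. */
static const uint8_t sample_get[] = { 0x42, 0x01, 0x12, 0x34, 0xAB, 0xCD };

int main(void)
{
    coap_header_t h;
    return coap_parse_header(sample_get, sizeof sample_get, &h); /* 0 on success */
}
```
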


| Name | Programming Language | Implemented CoAP version | Client/Server | Implemented CoAP features | License | Link |
|---|---|---|---|---|---|---|
| aiocoap | Python 3 | RFC 7252 | Client + Server | Blockwise Transfers, Observe (partial) | MIT | |
| Californium | Java | RFC 7252 | Client + Server | Observe, Blockwise Transfers, DTLS | EPL+EDL | |
| cantcoap | C++/C | RFC 7252 | Client + Server | | BSD | |
| Canopus | Go | RFC 7252 | Client + Server | Core | Apache License 2.0 | |
| CoAP implementation for Go | Go | RFC 7252 | Client + Server | Core + Draft Subscribe | MIT | |
| CoAP.NET | C# | RFC 7252, coap-13, coap-08, coap-03 | Client + Server | Core, Observe, Blockwise Transfers | 3-clause BSD | |
| CoAPSharp | C#, .NET | RFC 7252 | Client + Server | Core, Observe, Block, RD | LGPL | |
| CoAPthon | Python | RFC 7252 | Client + Server + Forward Proxy + Reverse Proxy | Observe, Multicast server discovery, CoRE Link Format parsing, Block-wise | MIT | |
| CoAP Shell | Java | RFC 7252 | Client | Observe, Blockwise Transfers, DTLS | Apache License 2.0 | |
| Copper | JavaScript (Browser Plugin) | RFC 7252 | Client | Observe, Blockwise Transfers | 3-clause BSD | |
| eCoAP | C | RFC 7252 | Client + Server | Core | MIT | |
| Erbium for Contiki | C | RFC 7252 | Client + Server | Observe, Blockwise Transfers | 3-clause BSD | (er-rest-example) |
| iCoAP | Objective-C | RFC 7252 | Client | Core, Observe, Blockwise Transfers | MIT | |
| jCoAP | Java | RFC 7252 | Client + Server | Observe, Blockwise Transfers | Apache License 2.0 | |
| libcoap | C | RFC 7252 | Client + Server | Observe, Blockwise Transfers, DTLS | BSD/GPL | |
| LibNyoci | C | RFC 7252 | Client + Server | Core, Observe, Block, DTLS | MIT | |
| lobaro-coap | C | RFC 7252 | Client + Server | Observe, Blockwise Transfers | MIT | |
| microcoap | C | RFC 7252 | Client + Server | | MIT | |
| nCoap | Java | RFC 7252 | Client + Server | Observe, Blockwise Transfers, CoRE Link Format, Endpoint-ID-Draft | BSD | |
| node-coap | JavaScript | RFC 7252 | Client + Server | Core, Observe, Block | MIT | |
| Ruby coap | Ruby | RFC 7252 | Client + Server (david) | Core, Observe, Block, RD | MIT, GPL | |
| Sensinode C Device Library | C | RFC 7252 | Client + Server | Core, Observe, Block, RD | Commercial | |
| Sensinode Java Device Library | Java SE | RFC 7252 | Client + Server | Core, Observe, Block, RD | Commercial | |
| Sensinode NanoService Platform | Java SE | RFC 7252 | Cloud Server | Core, Observe, Block, RD | Commercial | |
| SwiftCoAP | Swift | RFC 7252 | Client + Server | Core, Observe, Blockwise Transfers | MIT | |
| TinyOS CoapBlip | nesC/C | coap-13 | Client + Server | Observe, Blockwise Transfers | BSD | |
| txThings | Python (Twisted) | RFC 7252 | Client + Server | Blockwise Transfers, Observe (partial) | MIT | |
| FreeCoAP | C | RFC 7252 | Client + Server + HTTP/CoAP Proxy | Core, DTLS, Blockwise Transfers | BSD | |
| coap-rs | Rust | RFC 7252 | Client + Server | | MIT | |

CoAP group communication

In many CoAP application domains it is essential to have the ability to address several CoAP resources as a group, instead of addressing each resource individually (e.g. to turn on all the CoAP-enabled lights in a room with a single CoAP request triggered by toggling the light switch). To address this need, the IETF has developed an optional extension for CoAP in the form of an experimental RFC: Group Communication for CoAP - RFC 7390.[5] This extension relies on IP multicast to deliver the CoAP request to all group members. The use of multicast has certain benefits, such as reducing the number of packets needed to deliver the request to the members. However, multicast also has its limitations, such as poor reliability and being cache-unfriendly.

An alternative method for CoAP group communication that uses unicasts instead of multicasts relies on having an intermediary where the groups are created. Clients send their group requests to the intermediary, which in turn sends individual unicast requests to the group members, collects the replies from them, and sends back an aggregated reply to the client.[6]

Security issues

Although the protocol standard includes provisions for mitigating the threat of DDoS amplification attacks,[7] these provisions are not implemented in practice,[8] resulting in the presence of over 580,000 targets primarily located in China and attacks up to 320 Gbps.[9]
